
Letsencrypt setup #126

Open
bugabinga opened this issue Feb 20, 2017 · 4 comments

Comments

@bugabinga

Hi, I could use some help in integrating Letsencrypt with ejabberd. When we get this done, I'd be happy to expand the Readme with this topic.

Here is how far I have come:

Basic setup with docker compose

I decided to use docker-compose and put all the files into a folder ejabberd-compose:

root@labor:~/ejabberd-compose# tree
.
├── cron
│   └── renew_ssl.sh
├── docker-compose.yml
└── ssl
    ├── host.pem -> /root/ejabberd-compose/ssl/labor.bugabinga.net.pem
    └── labor.bugabinga.net.pem
root@labor:~/ejabberd-compose# cat docker-compose.yml
version: "2"
services:

  ejabberd-data:
    image: rroemhild/ejabberd-data

  ejabberd:
    image: rroemhild/ejabberd
    hostname: labor.bugabinga.net
    # mount the data container's volumes (compose file version 2 syntax;
    # a second "volumes:" key would be a duplicate mapping key in YAML)
    volumes_from:
      - ejabberd-data
    volumes:
      - ./ssl:/opt/ejabberd/ssl:ro
    ports:
      - 5222:5222
      - 5269:5269
      - 5280:5280
      - 4560:4560
      - 5443:5443
    environment:
      - ERLANG_NODE=ejabberd
      - XMPP_DOMAIN=labor.bugabinga.net
      - EJABBERD_ADMINS=admin@labor.bugabinga.net
      - EJABBERD_USERS=admin@labor.bugabinga.net oliver@labor.bugabinga.net maxs@labor.bugabinga.net
      - EJABBERD_SSLCERT_HOST=/opt/ejabberd/ssl/host.pem
      - EJABBERD_SSLCERT_LABOR_BUGABINGA_NET=/opt/ejabberd/ssl/labor.bugabinga.net.pem
      - TZ=Europe/Berlin

The idea was to provide ejabberd with the SSL certs ready for consumption, so that the volume can stay read-only.

Basic letsencrypt setup

Initial setup for domain labor.bugabinga.net

root@labor:~/ejabberd-compose# letsencrypt certonly --standalone

Crontab script for renewal:

root@labor:~/ejabberd-compose# cat cron/renew_ssl.sh
#!/usr/bin/env sh
# abort on the first failing command so a failed renewal does not rewrite the PEM
set -e

# renew every certificate managed by letsencrypt and log the run
/usr/bin/letsencrypt renew >> /var/log/letsencrypt_renew_labor_bugabinga_net.log
# concatenate certificate chain and private key into the single PEM the image expects
cat /etc/letsencrypt/live/labor.bugabinga.net/fullchain.pem /etc/letsencrypt/live/labor.bugabinga.net/privkey.pem > /root/ejabberd-compose/ssl/labor.bugabinga.net.pem
# point host.pem at the freshly written PEM
ln -f -s /root/ejabberd-compose/ssl/labor.bugabinga.net.pem /root/ejabberd-compose/ssl/host.pem

The goal of this script is to renew the letsencrypt cert and concatenate the private key and the certificate into one .pem file as stated in the Readme.

Running the container

Here I get stuck:

root@labor:~/ejabberd-compose# docker-compose up
Starting ejabberdcompose_ejabberd_1
Starting ejabberdcompose_ejabberd-data_1
Attaching to ejabberdcompose_ejabberd-data_1, ejabberdcompose_ejabberd_1
ejabberdcompose_ejabberd-data_1 exited with code 0
ejabberd_1       | Writing EJABBERD_SSLCERT_HOST to /opt/ejabberd/ssl/host.pem
ejabberd_1       | /opt/ejabberd/scripts/pre/01_write_certifiates_from_env.sh: line 17: /opt/ejabberd/ssl/host.pem: Permission denied
ejabberdcompose_ejabberd_1 exited with code 1

Why does it try to overwrite the existing host.pem? Is it malformed?

@jee-r

jee-r commented Mar 29, 2017

Hi

root@labor:~/ejabberd-compose# tree
.
├── cron
│   └── renew_ssl.sh
├── docker-compose.yml
└── ssl
    ├── host.pem -> /root/ejabberd-compose/ssl/labor.bugabinga.net.pem
    └── labor.bugabinga.net.pem

Your 'host.pem' is a symlink that is only available on the host, not inside the container.

I hope this helps.

@rroemhild
Owner

FYI. Google Summer of Code with ejabberd projects, one of them is support for “let’s encrypt” ACME protocol.

@jacksgt
Contributor

jacksgt commented Feb 11, 2018

I think you'll need at least ejabberd 17.12 or even 18.01 for 'native' Let's Encrypt support:

processone/ejabberd#1959

https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L684

@Hamid-Najafi

The ejabberd docker image runs with a non-root user (the ejabberd user),
so you have to chown (or chmod for others) your cert files.
