The autumn sun is glaring down on the grass outside the window. The sky so blue it hurts my eyes. Why am I doing this during lunch break?
Installing an XMPP server because Pluspora is down.
The life of a lazy Debian admin. Search online for “xmpp server for debian”. Find wiki page. I have three options: ejabberd, jabberd2, or prosody. I use “apt install” for each of them and see how many packages they want to install as dependencies. Then I pick the one with the shortest list. Hello, prosody! We meet again. Let’s try this.
As root…
apt install prosody
I deleted the localhost symlink in “/etc/prosody/conf.d” and created my own “/etc/prosody/conf.available/campaignwiki.org.cfg.lua” and symlinked it there.
emacs /etc/prosody/conf.available/campaignwiki.org.cfg.lua
cd /etc/prosody/conf.d
ln -s ../conf.available/campaignwiki.org.cfg.lua .
The content of the file is simple:
VirtualHost "campaignwiki.org"
    ssl = {
        key = "/etc/prosody/certs/campaignwiki.org.privkey.pem";
        certificate = "/etc/prosody/certs/campaignwiki.org.fullchain.pem";
    }
To get the certs:
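cd /etc/prosody/certs
# Copy under the file names the VirtualHost config above refers to
cp /var/lib/dehydrated/certs/campaignwiki.org/fullchain.pem campaignwiki.org.fullchain.pem
cp /var/lib/dehydrated/certs/campaignwiki.org/privkey.pem campaignwiki.org.privkey.pem
chown prosody:prosody *.pem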
Feel free to remove the localhost symbolic links:
rm /etc/prosody/certs/localhost*
Reload and check:
systemctl reload prosody
prosodyctl check
This is what we want to see:
Checking config...
Done.
Checking DNS for host campaignwiki.org...
Checking certificates...
Checking certificate for campaignwiki.org
Certificate: /etc/prosody/certs/campaignwiki.org.fullchain.pem
Certificate expires within one month.
All checks passed, congratulations!
Now, how do we get these files updated once dehydrated runs?
Remember the “hook.sh” file.
emacs /var/lib/dehydrated/hook.sh
It should already exist. Add the missing lines in the if/fi clause where we check whether campaignwiki.org was updated:
#!/bin/bash
# dehydrated passes the operation as ${1} and the domain as ${2}
if [ "${1}" == "deploy_cert" ]; then
    echo " + Hook: Reloading Apache for ${2}..."
    service apache2 reload
    if [ "${2}" == "alexschroeder.ch" ]; then
        echo " + Hook: Regenerating monit's .pem file..."
        # 3 is privkey, 4 is cert, 5 is fullchain, 6 is chain, 7 is timestamp
        cat "${5}" "${3}" > /etc/ssl/localcerts/alexschroeder.ch.all.pem
        service monit reload
    fi
    if [ "${2}" == "campaignwiki.org" ]; then
        echo " + Hook: Importing certs for prosody..."
        # Same target names as in the prosody VirtualHost config
        cp "${3}" /etc/prosody/certs/campaignwiki.org.privkey.pem
        cp "${5}" /etc/prosody/certs/campaignwiki.org.fullchain.pem
        chown prosody:prosody /etc/prosody/certs/*.pem
        systemctl reload prosody
    fi
    echo " + Hook: Granting permissions to the ssl-cert group..."
    chmod g+r "${3}" "${4}" "${5}" "${6}"
else
    echo " + Hook: Nothing to do..."
fi
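A companion check for the hook above, added here as an example and not part of the original post: it verifies that the copies under /etc/prosody/certs are still byte-identical to what dehydrated issued and that the private key copy has the expected owner and a tight mode. The function names are made up for this example, and it assumes GNU stat as found on Debian.

```bash
# Added example, not from the original post. Function names are made up here;
# paths and the "prosody" owner in the usage line are the ones from the post.

# check_key_perms FILE OWNER: the deployed private key must be a regular file
# (no symlink), owned by OWNER, readable by the owner, with at most read
# access for the group and nothing for "other". Needs GNU stat (Debian).
check_key_perms() {
    file=$1; owner=$2
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL $file: not a regular file"; return 1
    fi
    actual_owner=$(stat -c '%U' "$file")
    mode=$(stat -c '%a' "$file")
    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL $file: owned by $actual_owner, expected $owner"; return 1
    fi
    case $mode in
        [4-7]00|[4-7]40) ;;
        *) echo "FAIL $file: mode $mode is too open or unreadable"; return 1 ;;
    esac
    echo "OK   $file: $actual_owner $mode"
}

# check_in_sync SRC DST: the deployed copy must be byte-identical to the file
# dehydrated last issued; a difference means the hook did not run or failed.
check_in_sync() {
    if cmp -s "$1" "$2"; then
        echo "OK   $2: matches $1"
    else
        echo "FAIL $2: differs from $1"; return 1
    fi
}

# audit_prosody_certs SRC_DIR DST_DIR DOMAIN OWNER: run every check, report
# each result, and return non-zero if any of them failed.
audit_prosody_certs() {
    src=$1; dst=$2; domain=$3; owner=$4; rc=0
    check_key_perms "$dst/$domain.privkey.pem" "$owner" || rc=1
    check_in_sync "$src/privkey.pem" "$dst/$domain.privkey.pem" || rc=1
    check_in_sync "$src/fullchain.pem" "$dst/$domain.fullchain.pem" || rc=1
    return $rc
}

# On the server from the post, as root:
# audit_prosody_certs /var/lib/dehydrated/certs/campaignwiki.org \
#     /etc/prosody/certs campaignwiki.org prosody
```

Run from cron or by hand after a renewal, a non-zero exit status points at a hook that did not finish or at permissions that drifted.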
#Administration #Prosody #XMPP #Dehydrated
⁂
This went better than last time. This time I didn’t bother with chatrooms, and I paid attention to any TLS/certificate problems. The permissions are key!
– Alex 2021-09-23 12:11 UTC
---
I’m using the Let’s Encrypt certs, these get changed every now and then, and already ChatSecure is complaining about the change. Yikes.
– Alex 2021-09-26 07:56 UTC
---
See 2022-11-15 Move from Dehydrated to Apache.
– Alex 2022-11-15 16:41 UTC