XMPP Service Operators - 2023-02-12


  1. YHL

    Hello, I am trying to get my own server up and running but have encountered an issue with certificates in #Prosody. I am a newbie, so I’m not sure anyone wants to take the time to help, but can’t hurt to ask.

  2. smooth_op

    YHL: what sort of issue?

  3. YHL

    Let me get a screenshot

  4. YHL

    Here are the errors:
    certmanager: SSL/TLS: Failed to load '/etc/letsencrypt/live/my.site/privkey.pem': Check that the file exists and the pe>
    my.site:tls: Error creating context for c2s: error loading private key ((null))
    certmanager: SSL/TLS: Failed to load '/etc/letsencrypt/live/my.site/privkey.pem': Previous error (see logs), or other s>
    my.site:tls: Error creating contexts for s2sout: error loading private key (system lib)
    certmanager: SSL/TLS: Failed to load '/etc/letsencrypt/live/my.site/privkey.pem': Previous error (see logs), or other s>
    my.site:tls: Error creating contexts for s2sin: error loading private key (system lib)

  5. YHL

    FYI, I have this command and reply:
    prosodyctl --root cert import /etc/letsencrypt/live/my.site
    No certificate for host localhost found
    : Imported certificate and key for hosts my.site

  6. smooth_op

    YHL: try the prosodyctl without "/my.site"

  7. smooth_op

    based on https://prosody.im/doc/letsencrypt#certbot

  8. Menel

    YHL: there is a Prosody room for Prosody questions: xmpp:prosody@conference.prosody.im?join Seeing your first posted error, I assume you declare the certificate path in the config somewhere. You should delete that line. You already successfully imported your certs with the importer command.

  9. Menel

    > Imported certificate and key for hosts my.site
    With that, there is no need for anything in your prosody config. It will just work. So no `ssl =` line. No `certificate=` line or anything.

  10. smooth_op

    ah right, prosody config shouldn't be trying to look in /etc/letsencrypt

  11. smooth_op

    because only root has access to /etc/letsencrypt and prosody runs as an unprivileged user

  12. smooth_op

    the prosodyctl import command will use root access to copy the certs from /etc/letsencrypt into /etc/prosody/certs, where it will be accessible to the prosody daemon

  13. Menel

    Sadly many people copy some random prosody config from some random website, over the sensible defaults of the shipped config. Often with very outdated config options...

  14. smooth_op

    sure, that's a possibility

  15. smooth_op

    I can also imagine initially pointing the prosody config to /etc/letsencrypt since that's where the certs are, observing a permissions issue, then discovering prosodyctl cert import, but forgetting that the cert path had been updated

  16. smooth_op

    in any event, hope this has fixed the issue for you YHL!

  17. Menel

    I had it like that for a long time too... Add all services to a "cert" group and have the certs and the path to the certs readable by the cert group... Works too of course.

  18. Menel

    YHL: if you have any more problems or questions, don't hesitate to ask in the Prosody room xmpp://prosody@conference.prosody.im?join There should be someone around to help with the setup. Even better in the European morning...

  19. Link Mauve

    YHL, no double slash in XMPP URIs, you meant xmpp:prosody@conference.prosody.im?join fyi. :)

  20. Licaon_Kter

    Works in Conversations. Not in specs?

  21. Link Mauve

    Licaon_Kter, the double slash can be interpreted as “please authenticate as user prosody on server conference.prosody.im”, which makes exactly no sense.

  22. Link Mauve

    If a client interprets that otherwise, it should probably get fixed.

  23. Licaon_Kter

    Link Mauve: link to spec?

  24. Licaon_Kter

    I never heard of that before, interesting

  25. MattJ

    Licaon_Kter [08:35]:
    > Link Mauve: link to spec?
    I advise against entering this rabbit hole if you value your weekend 🙂

  27. Link Mauve

    Licaon_Kter, RFC 3986 section 3.

  29. Licaon_Kter

    Thanks MattJ: not that I would dig more :)

  31. Menel

    Heh, must've been muscle memory. But now that I think of it, it should be OK that it works. Because, no, a client should not interpret it as
    > register user prosody on server conference.prosody.im
    because it is xmpp:// not https://. So why would a client think that?

  32. MattJ

    It means the same thing, just a different protocol

  33. Licaon_Kter

    Menel: see RFC 3986 section 3

  34. Licaon_Kter

    If it's https or ftp or xmpp they have to behave the same "generic URI whatever"

  35. Menel

    Ok, I must admit, I don't get what
    > Authority
    means in this context. I see it as something to do with // But I'm after a night shift, so maybe I can understand it in the evening

  36. drsn

    Are there any public XMPP servers out there that provide an HTTP POST service (e.g. sending XMPP messages via curl)? I want to know this because I want to provide 2FA for Nextcloud authentication via XMPP. That would be the easiest way to implement.

  37. MattJ

    Hmm, there was a service but it seems to be offline

  38. MattJ tries to remember who was building that

  39. jonas’

    grep for the url in your jdev logs

  40. jonas’

    the person announced it there I think

  41. nuegia.net

    > Are there any public xmpp server out there that provide post http service (e. g. sending xmpp messages via curl)?
    > I want to know this because I want to provide 2fa for nextcloud authentication via xmpp. That would be the easiest way to implement.
    Look at the slix SDK and BOSH