I just installed and set up the docker ejabberd/ecs image on an Ubuntu 20.04 AWS instance.
I have ports, domain name and users set up and working.
On the host (Ubuntu) I generated Let's Encrypt certificates with certbot and copied them into the docker container:
```yaml
certfiles:
  - /home/ejabberd/conf/fullchain.pem
  - /home/ejabberd/conf/privkey.pem
ca_file: "/home/ejabberd/conf/fullchain.pem"
```
I want to require my users to use only a secure connection.
I read in the documentation that I'd better use STARTTLS instead of TLS.
The problem is that ejabberd seems to use my certificates only when setting up TLS.
When I set the config like this:
```yaml
listen:
  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    max_stanza_size: 262144
    shaper: c2s_shaper
    access: c2s
    tls: true
  ...
  -
    port: 5280
    ip: "::"
    module: ejabberd_http
    tls: true
    request_handlers:
      "/admin": ejabberd_web_admin
```
and reload the config with `bin/ejabberdctl reload_config`, then I can access https://example.com:5280/admin/ using SSL.
And when I test the certificate using openssl from another machine, it seems to work because I get the following:

```
openssl s_client -connect example.com:5222
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = example.com
verify return:1
---
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
```
But when I use, as I should from what I understand,

```yaml
listen:
  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    max_stanza_size: 262144
    shaper: c2s_shaper
    access: c2s
    starttls: true
    starttls_required: true
```

then ejabberd does not seem to use a secure connection on port:

```
openssl s_client -connect example.com:5222
CONNECTED(00000005)
140324192997824:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 315 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```
Any idea what I could do to fix this?
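Added example, not part of the question above and not ejabberd's own code: a STARTTLS listener answers in plaintext XMPP first and only switches to TLS once the client asks for it, so a probe that starts a TLS handshake immediately (`openssl s_client` without `-starttls xmpp`) sees non-TLS bytes and reports "wrong version number" even when the certificate is configured correctly. The script below does what `openssl s_client -starttls xmpp -connect example.com:5222` does, but also reads the server's `<stream:features>` to report whether STARTTLS is merely offered or actually required, which is the property `starttls_required: true` is meant to enforce. The sample stream replies, the `probe_starttls` helper and the domain `example.com` are constructed for this example; `starttls_policy` is exercised offline on the samples, `probe_starttls` performs real network I/O.

```python
"""Check an XMPP c2s port that uses STARTTLS (added example, not from the post).

starttls_policy() parses the server's <stream:features> and reports whether
STARTTLS is 'required', 'optional' or 'absent'; probe_starttls() drives a real
socket through the plaintext stream open, the STARTTLS request and the TLS
upgrade, validating the certificate against the expected domain.
"""
import re
import socket
import ssl
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_STREAM = "http://etherx.jabber.org/streams"

# Constructed sample: a server's opening reply with STARTTLS required
# (what a starttls_required: true listener is expected to advertise).
SAMPLE_REQUIRED = (
    "<?xml version='1.0'?>"
    "<stream:stream xmlns='jabber:client' "
    f"xmlns:stream='{NS_STREAM}' id='c0ffee' from='example.com' version='1.0'>"
    "<stream:features>"
    f"<starttls xmlns='{NS_TLS}'><required/></starttls>"
    "</stream:features>"
)
# Constructed sample: STARTTLS offered but a plaintext session is still allowed.
SAMPLE_OPTIONAL = SAMPLE_REQUIRED.replace("<required/>", "")
# Constructed sample: a listener that never offers STARTTLS at all.
SAMPLE_ABSENT = SAMPLE_REQUIRED.replace(
    f"<starttls xmlns='{NS_TLS}'><required/></starttls>", "")


def starttls_policy(stream_data: str) -> str:
    """Return 'required', 'optional' or 'absent' for the STARTTLS feature.

    The <stream:stream> root stays open for the life of the session, so only
    the <stream:features> fragment is cut out and parsed under a throwaway root.
    """
    m = re.search(r"<stream:features[^>]*>.*?</stream:features>", stream_data, re.S)
    if not m:
        return "absent"
    root = ET.fromstring(f"<r xmlns:stream='{NS_STREAM}'>{m.group(0)}</r>")
    starttls = root.find(f".//{{{NS_TLS}}}starttls")
    if starttls is None:
        return "absent"
    if starttls.find(f"{{{NS_TLS}}}required") is not None:
        return "required"
    return "optional"


def _read_until(sock: socket.socket, marker: bytes, limit: int = 65536) -> bytes:
    """Read from the socket until the marker appears, EOF, or the size limit."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def probe_starttls(host: str, domain: str, port: int = 5222, timeout: float = 5.0) -> dict:
    """Open a plaintext stream, read the features and, if STARTTLS is offered,
    upgrade the connection and return the validated peer certificate subject.
    Does real network I/O (hypothetical helper, not run by the offline checks)."""
    header = (f"<?xml version='1.0'?><stream:stream to='{domain}' "
              f"xmlns='jabber:client' xmlns:stream='{NS_STREAM}' version='1.0'>")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(header.encode())
        features = _read_until(sock, b"</stream:features>").decode(errors="replace")
        result = {"starttls": starttls_policy(features), "subject": None}
        if result["starttls"] == "absent":
            return result
        sock.sendall(f"<starttls xmlns='{NS_TLS}'/>".encode())
        reply = _read_until(sock, b"/>")
        if b"<proceed" not in reply:  # server answered <failure/> or closed
            result["error"] = reply.decode(errors="replace")
            return result
        ctx = ssl.create_default_context()  # system CAs, host name check on
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            result["subject"] = tls.getpeercert()["subject"]
            result["protocol"] = tls.version()
    return result


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <domain> [host]   e.g. python probe.py example.com
    dom = sys.argv[1]
    print(probe_starttls(sys.argv[2] if len(sys.argv) > 2 else dom, dom))
```

A result of `"starttls": "optional"` on a listener that is supposed to enforce encryption is the finding to look for: it means a client can still authenticate in the clear, whereas `"required"` plus a validated subject for the expected domain is the state the `starttls_required: true` config is meant to produce.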