Installing TLS certificate in ejabberd for STARTTLS negotiation
I read that ejabberd recommends using STARTTLS negotiation for a secure connection between communicating entities. When I install ejabberd it comes with a TLS certificate by default.
Then why would I buy a certificate for installation? What is the purpose of buying a new certificate from the Certificate Authority since we have a default certificate?
When I deploy ejabberd to a machine, how will the default certificate for my domain be used? How will the default certificate be verified by the client?
You can use ejabberd with SSL/STARTTLS with the provided TLS certificate. However, this certificate is only a self-signed certificate. It means that:
- You will still be able to encrypt traffic between the client and server.
- You won't be able to verify that the server is the domain it is pretending to be. In order to know that a certificate can be trusted, the client must somehow contact the trusted authority.
In the second case, this means that if an intermediate network device (that is, a Wi-Fi access point) tries to impersonate your server, it can present the user with a self-signed certificate, pretending to be your domain.
Thus, you can use a self-signed certificate to encrypt traffic, but to protect your users from man-in-the-middle attacks, you need to find a way to let the client know that the certificate can be trusted.
This can be done either by purchasing a certificate from a trusted authority (which will certify your certificate domain), or by providing the client with support for a list of well-defined certificates. This is called certificate pinning, but it requires you to create a list of valid certificates on your client, which may not be possible.
It might be fine in your case, so buying a certificate is optional. However, do not use the default ejabberd self-signed certificate, even if you plan to use the self-signed certificate. The certificate provided by ejabberd will not match your own domain. You should at least create your own signed certificate corresponding to your actual XMPP domain: How do I create a self-signed certificate with openssl?
The client verifies that a certificate is issued for the Jabber ID (JID) domain name, the component located behind the "@". (There are other options, but they are incompatible with the policies enforced by browser vendors against CAs and are therefore not practical.)
If you don't already have a business relationship with a certification authority (CA), I recommend that everyone use Let's Encrypt and stay away from self-signed certificates.
Some instructions to automate this and the glorious Let's Encrypt servers can be found here and the related wiki pages.
Summary (if you are using Ubuntu 16.04 LTS, want to run it on example.org domain and use the ejabberd-only certificate):
Create /usr/local/sbin/auto-renew-letsencrypt
with the following content:
```bash
#!/bin/bash
# Renew all Let's Encrypt certificates which are due for renewal
t=`mktemp`
# Try to be quiet unless an error is returned
letsencrypt renew > "$t" || cat "$t"
# Hooks are not yet supported by `letsencrypt` shipping with Ubuntu 16.04 LTS
# Crudely emulate --renew-hook; breaks if diagnostic messages change
if grep -q "The following certs have been renewed" "$t"; then
  # Rebuild the combined key + chain file that ejabberd reads
  cat /etc/letsencrypt/live/example.org/{privkey,fullchain}.pem > /etc/ejabberd/ejabberd.pem
  service ejabberd reload
fi
rm "$t"
```
Run the following commands to create and activate a certificate and auto renewal:
```bash
apt install letsencrypt
letsencrypt certonly --standalone --domain example.org
# Combine private key and certificate chain into the file ejabberd reads
cat /etc/letsencrypt/live/example.org/{privkey,fullchain}.pem > /etc/ejabberd/ejabberd.pem
chown ejabberd:ejabberd /etc/ejabberd/ejabberd.pem
chmod 640 /etc/ejabberd/ejabberd.pem
chmod 755 /usr/local/sbin/auto-renew-letsencrypt
# Schedule the renewal script daily at a random minute and hour (0-5)
echo $(($RANDOM % 60)) $(($RANDOM % 6)) "* * * root /usr/local/sbin/auto-renew-letsencrypt" > /etc/cron.d/auto-renew-letsencrypt
```
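A check for the combined `/etc/ejabberd/ejabberd.pem` built in the steps above, as an added example that is not part of the original answers. The function name `check_ejabberd_pem` is hypothetical, and the script assumes the `openssl` command-line tool is installed.

```bash
#!/bin/bash
# Added example (not from the original answers): sanity-check the combined
# ejabberd PEM (private key + certificate chain) before reloading ejabberd.
# check_ejabberd_pem is a hypothetical helper; it needs the openssl CLI.
# Returns 0 = consistent, not self-signed; 2 = self-signed; 1 = broken or wrong domain.
check_ejabberd_pem() {
  local pem=$1 domain=$2 key_pub cert_pub subject issuer

  # 1. The file must contain a private key and at least one certificate.
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem" \
    || { echo "no private key in $pem"; return 1; }
  grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" \
    || { echo "no certificate in $pem"; return 1; }

  # 2. The key must belong to the first (leaf) certificate in the file.
  key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) \
    || { echo "cannot read private key"; return 1; }
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) \
    || { echo "cannot read certificate"; return 1; }
  [ "$key_pub" = "$cert_pub" ] \
    || { echo "private key does not match certificate"; return 1; }

  # 3. The certificate must name the XMPP domain (the part of the JID after "@").
  openssl x509 -in "$pem" -noout -checkhost "$domain" | grep -q 'does match' \
    || { echo "certificate is not issued for $domain"; return 1; }

  # 4. A certificate expiring within 24 hours means renewal is not working.
  openssl x509 -in "$pem" -noout -checkend 86400 >/dev/null \
    || { echo "certificate expires within 24 hours"; return 1; }

  # 5. Subject == issuer indicates a self-signed certificate: traffic is
  #    encrypted, but clients cannot verify it unless they pin it.
  subject=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')
  issuer=$(openssl x509 -in "$pem" -noout -issuer | sed 's/^issuer= *//')
  if [ "$subject" = "$issuer" ]; then
    echo "self-signed certificate: clients must pin it"; return 2
  fi
  echo "ok: key and certificate for $domain are consistent"
}

# Stand-alone use: ./check-ejabberd-pem /etc/ejabberd/ejabberd.pem example.org
if [ "$#" -eq 2 ]; then check_ejabberd_pem "$1" "$2"; fi
```

The check does not validate the chain against a trust store; it only confirms that the file ejabberd will load is internally consistent and names the right domain.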