Configuring XMPP services (revision 1)

Introduction

This procedure describes how Alexis Huxley set up a XMPP server.

Procedure

  1. Set some environment variables used in the rest of this procedure:
    HOSTNAME=<fqhn-of-server-as-seen-from-internet>
  2. Run:
    apt-get install prosody
    systemctl stop prosody.service
  3. Edit /etc/prosody/prosody.cfg.lua and add the following lines:
    interfaces = { "*" }               -- don't attempt to listen on IPv6 interfaces; this line not present by default
    ...
    allow_registration = true;         -- allow users to create their own accounts
    
  4. Create a new virtual host as follows:
    cd /etc/prosody/conf.avail
    sed -e "s/example.com/$HOSTNAME/g" -e '/enabled = false/d'  example.com.cfg.lua > $HOSTNAME.cfg.lua
    cd /etc/prosody/conf.d
    ln -s ../conf.avail/$HOSTNAME.cfg.lua
    rm -f localhost.cfg.lua
  5. If the service is new, then generate a self-signed certificate by running:
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout /etc/prosody/certs/$HOSTNAME.key -out /etc/prosody/certs/$HOSTNAME.crt

    otherwise copy over the certificates and user account information from the old server by running:

    OLD_SERVER=<name-of-old-server>
    scp $OLD_SERVER:/etc/prosody/certs/$HOSTNAME.* /etc/prosody/certs/
    rsync -a $OLD_SERVER:/var/lib/prosody/ /var/lib/prosody/
  6. Fix permissions as follows:
    cd /etc/prosody/certs
    chown root:root *.crt
    chmod 644 *.crt
    chown root:ssl-cert *.key
    chmod 640 *.key
    cd /var/lib/prosody
    chown -R prosody:prosody *
    find . -type d -exec chmod 750 {} \;
    find . -type f -exec chmod 640 {} \;
  7. If migrating to a new server then copy over account information, which is stored in /var/lib/prosody.
  8. Restart the service by running:
    service prosody restart
  9. Make whatever changes you need to in your DNS and firewall to allow access to the server on port 5222 (for client to server connections) and 5269 (for server to server connections).

Regenerating a certificate

The certificates expire after a year. Regenerate as follows.

  1. Set some variables used in the rest of this procedure:
    HOSTNAME=<hostname-for-xmpp-service>          #  e.g. HOSTNAME=jabber.pasta.freemyip.com
  2. Run:
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout /etc/prosody/certs/$HOSTNAME.key -out /etc/prosody/certs/$HOSTNAME.crt
    service prosody restart
  3. Clients must then reconnect.
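The following audit script is an added example, not part of the original procedure or of Prosody itself: it checks what step 6 above sets up (certificate and key modes, and that the key actually belongs to the certificate) and warns when a certificate is approaching the one-year expiry handled in this section. It assumes the /etc/prosody/certs/$HOSTNAME.crt and .key layout used above, GNU stat and an openssl binary on the PATH.

```shell
#!/bin/sh
# Added audit script, not part of the original procedure. Assumes the layout used
# above: $CERTDIR/$HOSTNAME.crt (mode 644) and $CERTDIR/$HOSTNAME.key (mode 640),
# plus GNU stat and an openssl binary on the PATH (Debian defaults).

# check_cert_key_match CERT KEY -> 0 if the key's public half matches the cert
check_cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for CERT DAYS -> 0 if CERT is still valid DAYS days from now
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# check_mode FILE OCTAL -> 0 if FILE has exactly the permission bits OCTAL
check_mode() {
    [ "$(stat -c %a "$1")" = "$2" ]
}

# audit_prosody_cert CERTDIR HOSTNAME [WARN_DAYS] -> 0 if all checks pass;
# otherwise prints each problem found and returns 1
audit_prosody_cert() {
    dir=$1; host=$2; warn_days=${3:-30}
    crt="$dir/$host.crt"; key="$dir/$host.key"; rc=0
    for f in "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    done
    check_cert_key_match "$crt" "$key" || { echo "cert/key mismatch: $crt $key"; rc=1; }
    check_mode "$crt" 644 || { echo "wrong mode on $crt (want 644)"; rc=1; }
    check_mode "$key" 640 || { echo "wrong mode on $key (want 640, see step 6)"; rc=1; }
    cert_valid_for "$crt" "$warn_days" || { echo "$crt expires within $warn_days days; regenerate it"; rc=1; }
    return $rc
}

# Usage: sh prosody-cert-audit.sh <hostname> [warn-days]   (set CERTDIR to override the default)
if [ $# -ge 1 ]; then
    audit_prosody_cert "${CERTDIR:-/etc/prosody/certs}" "$1" "${2:-30}"
fi
```

Run it from cron with a warn window longer than certbot's renewal lead time so an expired certificate is noticed before clients start refusing to connect.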

Using certbot for certificate management

  1. If there is a front-end webserver then get it to forward requests for <xmpp-server-public-name>:80 to <xmpp-server-private-name>:80. Note that access on port 443 is not required.
  2. On the XMPP server run:
    certbot certonly
    echo -e '#!/bin/sh\n/usr/bin/prosodyctl --root cert import /etc/letsencrypt/live' > /etc/letsencrypt/renewal-hooks/deploy/prosody
    chmod 755 /etc/letsencrypt/renewal-hooks/deploy/prosody

    and follow the prompts, allowing certbot to spin up a webserver when it needs to.

  3. Run:
    /etc/letsencrypt/renewal-hooks/deploy/prosody

    and verify that no spurious hostnames (e.g. localhost, conference.*) are displayed. If they are then correct the prosody configuration.

  4. To test:
    1. Run:
      certbot --force-renewal renew
    2. Exit and rerun pidgin.
    3. In pidgin go to Tools -> Certificates and select the appropriate certificate and click ‘Get Info’.
    4. Verify the ‘Activation date’ matches the time at which the above certbot command was run.

See also

  1. Computing
  2. Download Prosody