processone / ejabberd

Robust, Ubiquitous and Massively Scalable Messaging Platform (XMPP, MQTT, SIP Server)
https://www.process-one.net/en/ejabberd/

certfiles - No matching certificate found matching "x" (Using Letsencrypt certs /etc/letsencrypt/live/domain.tld) #2145

Closed mitchellurgero closed 6 years ago

mitchellurgero commented 6 years ago

What version of ejabberd are you using?

Using version 17.11

What operating system (version) are you using?

ubuntu 16.04

How did you install ejabberd (source, package, distribution)?

deb package

What did not work as expected? Are there error messages in the log? What was the unexpected behavior? What was the expected result?

2017-12-05 11:06:08.702 [warning] <0.349.0>@ejabberd_pkix:handle_call:210 No certificate found matching 'urge.ro': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)
2017-12-05 11:06:08.907 [warning] <0.349.0>@ejabberd_pkix:handle_call:210 No certificate found matching 'muc.urge.ro': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)
2017-12-05 11:06:09.127 [warning] <0.349.0>@ejabberd_pkix:handle_call:210 No certificate found matching 'upload.urge.ro': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)
2017-12-05 11:06:09.214 [warning] <0.349.0>@ejabberd_pkix:handle_call:210 No certificate found matching 'pubsub.urge.ro': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)
2017-12-05 11:06:09.258 [warning] <0.349.0>@ejabberd_pkix:handle_call:210 No certificate found matching 'irc.urge.ro': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)

I am using the following config to get the certs from the folders, but it does not find the certificates for the domains. This configuration is right above the "listen" options:


[...]
certfiles:
    - "/etc/letsencrypt/live/urge.ro/*.pem"
    - "/etc/letsencrypt/live/pubsub.urge.ro/*.pem"
    - "/etc/letsencrypt/live/muc.urge.ro/*.pem"
[...]

I checked permissions and ejabberd is reading the files. I confirmed that the domains in each pem are correct by re-downloading them from letsencrypt and using each in apache (and removing them from apache when done testing).

Any help or guidance would be nice...

zinid commented 6 years ago

Can you please share your certificate somewhere (without private key obviously)?

zinid commented 6 years ago

It can also be an indentation issue, by the way.

mitchellurgero commented 6 years ago

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

Just verified it is using the right host name. (This is just one of three but none of them are being read)

mitchellurgero commented 6 years ago

I double checked indentation and it is fine. No other errors in logs either... I am confused as to why this isn't working :/

Any other ideas?

zinid commented 6 years ago

Do you have remsh working, i.e. does ejabberdctl live or ejabberdctl debug work? If it does, run the following commands in the shell:

> ejabberd_config:get_option(certfiles).
> ets:tab2list(ejabberd_pkix).

(don't forget trailing dots, press Ctrl+C twice to exit).

mitchellurgero commented 6 years ago

ejabberd_config:get_option(certfiles).
["/etc/letsencrypt/live/muc.urge.ro/*.pem",
 "/etc/letsencrypt/live/pubsub.urge.ro/*.pem",
 "/etc/letsencrypt/live/urge.ro/*.pem"]

(ejabberd@localhost)2> ets:tab2list(ejabberd_pkix).
[{<<"urge.ro">>,
  <<"/opt/ejabberd-17.11/database/ejabberd@localhost/certs/ce005f15bd9e65da6fd643a9792d60d8a5539396">>}]

Is what was returned from both commands.

/opt/ejabberd-17.11/database/ejabberd@localhost/certs/ce005f15bd9e65da6fd643a9792d60d8a5539396 has both urge.ro, letsencrypt, and a private key.

zinid commented 6 years ago

It definitely doesn't see certificates except for that for urge.ro. Try to remove everything and add only a certificate for urge.ro, will it work?

mitchellurgero commented 6 years ago

I edited my last comment fyi - I will check that now.

mitchellurgero commented 6 years ago

with just the folder for urge.ro (not muc. pubsub.) it loads urge.ro but will not load pubsub or muc because the certs were not found.

zinid commented 6 years ago

Yes, now add another path. If it still doesn't see, remove urge.ro and leave 'non-working' path only. Well, you get the idea I hope :)

mitchellurgero commented 6 years ago

My apologies, I had a rogue certfile line in my config; however, removing the line did not resolve any issues.

I also tried as you suggested and loaded each certfiles file one at a time and all three fail now...

zinid commented 6 years ago

This is odd, what happens when you concatenate all certfiles into a single one and provide it in the config?

mitchellurgero commented 6 years ago

ejabberd_config:get_option(certfiles). now also returns "[]"

(I checked the yaml indentation with a validator and it returned good.) (Also can you confirm the http_upload config?) Here is my full config:

##
###             ejabberd configuration file
###         Archipel Sample default configuration

###     =========
###     DEBUGGING

# Increase this if you want some insane erlang debug
loglevel: 3

###     ================
###     SERVED HOSTNAMES

# Change it for your FQDN
hosts:
    - "urge.ro"
###     ===============
###     LISTENING PORTS

### CERT FILES

certfiles:
    - "/etc/letsencrypt/live/urge.ro/*.pem"
    - "/etc/letsencrypt/live/pubsub.urge.ro/*.pem"
    - "/etc/letsencrypt/live/muc.urge.ro/*.pem"

listen:
    -
      #it's a good idea to put xmlrpc behind a reverse proxy
      #because you can't use tls directly, make it listen to localhost
      ip : "127.0.0.1"
      # and read the Security section on the wiki
      port: 4560
      module: ejabberd_xmlrpc
      access_commands:
            xmlrpcaccess:
                all : []

## ejabberd c2s
    -
      port: 5222
      module: ejabberd_c2s
      ##
      ## If you installed a SSL
      ## certificate, specify the full path to the
      ## file and uncomment this line:
      ##
      #certfile: "/etc/ejabberd/ejabberd1.pem"
      starttls: true
      starttls_required: true
      max_stanza_size: 65536000
      shaper: c2s_shaper
      access: c2s

## ejabberd s2s
    -
      port: 5269
      module: ejabberd_s2s_in
      max_stanza_size: 65536000
## ejabberd http/s and websocket/s
    -
      port: 5443
      module: ejabberd_http
      request_handlers:
        #"/xmpp": ejabberd_http_ws
        "upload": mod_http_upload
      # if you want to use starttls with websock
      # the URI will be wss://
      # please be sure that the certificate belongs
      # to a trusted CA in your browser
      #certfile: "/etc/ejabberd/ejabberd1.pem"
      tls: true
      web_admin: false
      #http_bind: true

###     ===
###     S2S
s2s_access: all
s2s_use_starttls: required
#s2s_certfile: "/etc/ejabberd/ejabberd1.pem"

## domain_certfile: Specify a different certificate for each served hostname.
##
## host_config:
##   "example.org":
##     domain_certfile: "/path/to/example_org.pem"
##   "example.com":
##     domain_certfile: "/path/to/example_com.pem"

###     ==============
###     AUTHENTICATION

auth_method: internal

###     ===============
###     TRAFFIC SHAPERS

shaper:
  # in B/s
  normal: 1000
  fast: 50000000

###     ====================
###     ACCESS CONTROL LISTS

acl:
    admin:
        user:
            - "admin": "urge.ro"
    local:
        user_regexp: ""

###     ============
###     ACCESS RULES

access:
    max_user_sessions:
        all: 5
    local:
        local: allow
    c2s:
        blocked: deny
        all: allow
    c2s_shaper:
        admin: none
        all: fast
    s2s_shaper:
        all: fast
    s2s_access:
        all: allow
    announce:
        admin: allow
    configure:
        admin: allow
    muc_admin:
        admin: allow
    muc_create:
        local: allow
    muc:
        all: allow
    pubsub_createnode:
        all: allow
    register:
        all: none
    xmlrpcaccess:
        admin : allow
    soft_upload_quota:
        all: 1000
    hard_upload_quota:
        all: 1100
### Frequency of account registration
registration_timeout: 600

###     ================
###     DEFAULT LANGUAGE

language: "en"

###     =======
###     MODULES

modules:
    mod_adhoc: []
    mod_announce:
        access: announce
    mod_http_upload:
        thumbnail: false
##        docroot: "/var/ejabberd/upload"
        put_url: "https://@HOST@:5443/upload"
        access: local
        max_size: 10000000
        custom_headers:
            "Access-Control-Allow-Origin": "*"
            "Access-Control-Allow-Methods": "GET, POST, PUT, OPTIONS, DELETE"
            "Access-Control-Allow-Headers": "Content-Type, Origin, X-Requested-With"
    mod_http_upload_quota:
        max_days: 2
    mod_caps: []
    mod_configure: []
    mod_disco: []
    mod_http_bind:
        max_inactivity: 400 # timeout value for BOSH, useful for a large number of VM
    mod_irc: []
    mod_last: []
    mod_muc:
        access: muc
        access_create: muc_create
        access_persistent: muc_create
        access_admin: muc_admin
        host: "muc.@HOST@"
    mod_mam: []
    mod_offline: []
    mod_privacy: []
    mod_private: []
    mod_stream_mgmt: []
    #mod_push: []
    mod_push: []
    mod_pubsub:
        access_createnode: local
        ignore_pep_from_offline: false
        last_item_cache: false
        max_items_node: 1000
        plugins:
            - "flat"
            - "hometree"
            - "pep"
            - "push"
        pep_mapping:
            "urn:xmpp:microblog:0": "mb"
        hosts:
            - "pubsub.@HOST@"
    mod_ping:
        send_pings: true
        ping_interval: 60
        ping_ack_timeout: 30
        timeout_action: kill
    mod_register:
        access: register
    mod_roster: []
    mod_shared_roster: []
    mod_time: []
    mod_vcard: []
    mod_version: []
    mod_admin_extra: []
    mod_fail2ban:
#        c2s_auth_ban_lifetime: 1300
         c2s_max_auth_failures: 10
    mod_client_state:
         queue_presence: true
         queue_chat_states: true

zinid commented 6 years ago

Could you please remove private keys from the concatenated file (leaving chains untouched) and share it? I will try to reproduce locally.

mitchellurgero commented 6 years ago

This happens with any letsencrypt certificate (tried on another host completely separate from urge.ro) and I have the same issue.

I do not feel comfortable sharing that. But letsencrypt free cert is easy to get (I got it using letsencrypt certonly command in ubuntu 16.04)

zinid commented 6 years ago

Like I don't know what Let's Encrypt is.

zinid commented 6 years ago

Do you have any errors in the log? Search for error.log file.

zinid commented 6 years ago

For the record, almost everyone now runs ejabberd with let's encrypt certificates, having virtually the same certfiles option and everything works. Please double check if ejabberd user has an access to the paths.

mitchellurgero commented 6 years ago

  1. Fair enough
  2. There is nothing in any ejabberd log file other than what I put in the OP.
  3. I checked and everyone has at least read access to the files AND folders in question. But what permissions should be set on said files?

zinid commented 6 years ago

Read access for the certfiles, and read-execute for the directories. Anyway, if the access is ok, I can only try to load your certificates locally. Not sure why you don't want to share it: you will send them during TLS handshake for every connection anyway. You can also send them to me directly by email: ekhramtsov@process-one.net

mitchellurgero commented 6 years ago

the cert was posted above, that came directly out of the cert.pem file.

zinid commented 6 years ago

But this is a working cert, you told so :smiley:

mitchellurgero commented 6 years ago

Yes, it works in apache lol

mitchellurgero commented 6 years ago

It does not work in ejabberd however.

zinid commented 6 years ago

with just the folder for urge.ro (not muc. pubsub.) it loads urge.ro

^^ that's what you said above. Also, from your log:

No certificate found matching 'urge.ro': ...

So ejabberd sees it or not? I'm lost

mitchellurgero commented 6 years ago

Sorry, I should have amended that comment. There was a rogue "certfile" line containing the fullchain in the config. Removing that line and now the "certfiles" section no longer works..?

I am sorry if this is confusing

zinid commented 6 years ago

Show the exact output of those two remsh commands

mitchellurgero commented 6 years ago

OK:

(ejabberd@localhost)1> ejabberd_config:get_option(certfiles).
["/etc/letsencrypt/live/muc.urge.ro/*",
 "/etc/letsencrypt/live/pubsub.urge.ro/*",
 "/etc/letsencrypt/live/urge.ro/*"]

AND

(ejabberd@localhost)2> ets:tab2list(ejabberd_pkix).
[]

zinid commented 6 years ago

Could you please set the following in the config:

certfiles:
  - "/etc/letsencrypt/live/muc.urge.ro/foo.pem"
  - "/etc/letsencrypt/live/pubsub.urge.ro/bar.pem"
  - "/etc/letsencrypt/live/urge.ro/baz.pem"

Do you see ejabberd logging errors in this case?

mitchellurgero commented 6 years ago

Same errors as in OP.

zinid commented 6 years ago

You should see something like:

22:09:33.137 [error] failed to read certificate from /etc/letsencrypt/live/urge.ro/foo.pem: no PEM encoded certificates found

mitchellurgero commented 6 years ago

root@xmpp:/opt/ejabberd-17.11# ./bin/ejabberdctl live
--------------------------------------------------------------------

IMPORTANT: ejabberd is going to start in LIVE (interactive) mode.
All log messages will be shown in the command shell.
You can interact with the ejabberd node if you know how to use it.
Please be extremely cautious with your actions,
and exit immediately if you are not completely sure.

To exit this LIVE mode and stop ejabberd, press:
  q().  and press the Enter key

--------------------------------------------------------------------
To bypass permanently this warning, add to ejabberdctl.cfg the line:
  EJABBERD_BYPASS_WARNINGS=true
Press return to continue

Erlang/OTP 19 [erts-8.3.2] [source] [64-bit] [smp:2:2] [async-threads:10] [hipe] [kernel-poll:true]

Eshell V8.3.2  (abort with ^G)
(ejabberd@localhost)1> 13:12:52.925 [notice] Changed loghwm of /opt/ejabberd-17.11/logs/error.log to 100
13:12:52.925 [notice] Changed loghwm of /opt/ejabberd-17.11/logs/ejabberd.log to 100
13:12:52.927 [info] Application lager started on node ejabberd@localhost
13:12:52.945 [info] Application crypto started on node ejabberd@localhost
13:12:52.957 [info] Application sasl started on node ejabberd@localhost
13:12:52.978 [info] Application asn1 started on node ejabberd@localhost
13:12:52.978 [info] Application public_key started on node ejabberd@localhost
13:12:53.008 [info] Application ssl started on node ejabberd@localhost
13:12:53.018 [info] Application p1_utils started on node ejabberd@localhost
13:12:53.039 [info] Application fast_yaml started on node ejabberd@localhost
13:12:53.065 [info] Application fast_tls started on node ejabberd@localhost
13:12:53.095 [info] Application fast_xml started on node ejabberd@localhost
13:12:53.106 [info] Application stringprep started on node ejabberd@localhost
13:12:53.117 [info] Application xmpp started on node ejabberd@localhost
13:12:53.143 [info] Application cache_tab started on node ejabberd@localhost
13:12:53.185 [info] Application elixir started on node ejabberd@localhost
13:12:53.223 [info] Loading configuration from /opt/ejabberd-17.11/conf/ejabberd.yml
13:12:53.331 [warning] Module mod_http_bind is deprecated, use mod_bosh instead
13:12:55.495 [info] Application mnesia started on node ejabberd@localhost
13:12:55.565 [info] FQDN used to check DIGEST-MD5 SASL authentication: xmpp.urgero.org
13:12:55.635 [info] Application fs started on node ejabberd@localhost
13:12:55.725 [warning] No certificate found matching 'urge.ro': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)
13:12:55.810 [info] Application inets started on node ejabberd@localhost
13:12:55.895 [warning] No certificate found matching 'muc.urge.ro': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)
13:12:56.098 [warning] No certificate found matching 'upload.urge.ro': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)
13:12:56.187 [warning] No certificate found matching 'pubsub.urge.ro': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)
13:12:56.248 [info] Application iconv started on node ejabberd@localhost
13:12:56.250 [warning] No certificate found matching 'irc.urge.ro': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)
13:12:56.347 [info] Waiting for Mnesia synchronization to complete
13:12:56.347 [info] ejabberd 17.11 is started in the node ejabberd@localhost in 3.92s
13:12:56.353 [info] Application ejabberd started on node ejabberd@localhost
13:12:56.353 [info] Start accepting TCP connections at 0.0.0.0:5269 for ejabberd_s2s_in
13:12:56.353 [info] Start accepting TCP connections at 0.0.0.0:5443 for ejabberd_http
13:12:56.353 [info] Start accepting TCP connections at 0.0.0.0:5222 for ejabberd_c2s
13:12:56.353 [info] Start accepting TCP connections at 127.0.0.1:4560 for ejabberd_xmlrpc

That line does not exist.

mitchellurgero commented 6 years ago

I've been ignoring irc. and upload. because I don't see those options in ejabberd.yml to disable.

zinid commented 6 years ago

Show the directory content:

$ ls -la /etc/letsencrypt/live/urge.ro/

mitchellurgero commented 6 years ago

cert.pem chain.pem fullchain.pem privkey.pem

zinid commented 6 years ago

Damn, ls -la

mitchellurgero commented 6 years ago

Oh you want the full Output of ls:

drw-rw-r-- 2 root root 4096 Dec  3 22:24 .
drw-rw-r-- 5 root root 4096 Dec  5 10:51 ..
lrwxrwxrwx 1 root root   31 Dec  3 22:24 cert.pem -> ../../archive/urge.ro/cert1.pem
lrwxrwxrwx 1 root root   32 Dec  3 22:24 chain.pem -> ../../archive/urge.ro/chain1.pem
lrwxrwxrwx 1 root root   36 Dec  3 22:24 fullchain.pem -> ../../archive/urge.ro/fullchain1.pem
lrwxrwxrwx 1 root root   34 Dec  3 22:24 privkey.pem -> ../../archive/urge.ro/privkey1.pem

zinid commented 6 years ago

$ ls -la /etc/letsencrypt/archive/urge.ro/

mitchellurgero commented 6 years ago

Sure:

drwxr-xr-x 2 root root 4096 Dec  3 22:24 .
drwx------ 5 root root 4096 Dec  5 10:51 ..
-rw-r--r-- 1 root root 1773 Dec  3 22:24 cert1.pem
-rw-r--r-- 1 root root 1647 Dec  3 22:24 chain1.pem
-rw-r--r-- 1 root root 3420 Dec  3 22:24 fullchain1.pem
-rw-r--r-- 1 root root 1704 Dec  3 22:24 privkey1.pem

zinid commented 6 years ago

drwx------ 5 root root 4096 Dec  5 10:51 ..

zinid commented 6 years ago

And directories are not executable inside 'live', wtf?

mitchellurgero commented 6 years ago

IDK why that is I am fixing the perms right now for archive

mitchellurgero commented 6 years ago

Better?

drw-rw-r-- 2 root root 4096 Dec  3 22:24 .
drw-rw-r-- 5 root root 4096 Dec  5 10:51 ..
-rw-rw-r-- 1 root root 1773 Dec  3 22:24 cert1.pem
-rw-rw-r-- 1 root root 1647 Dec  3 22:24 chain1.pem
-rw-rw-r-- 1 root root 3420 Dec  3 22:24 fullchain1.pem
-rw-rw-r-- 1 root root 1704 Dec  3 22:24 privkey1.pem

zinid commented 6 years ago

No

mitchellurgero commented 6 years ago

? drw rw r is not correct???

I did chmod 664 * -R in the live and archive dirs...

zinid commented 6 years ago

Read access for the certfiles, and read-execute for the directories. And directories are not executable inside 'live'

Should I repeat the third time? :)

zinid commented 6 years ago

Just set chmod +x on all directories.

mitchellurgero commented 6 years ago

OH ok

drwxr-xr-x   5 root root 4096 Dec  5 10:51 live

I'm sorry I am a goddamn dunce sometimes, is that correct?

zinid commented 6 years ago

Yes, if you have it in both archive and live directories. Now try to run ejabberd, do you still see the errors?

mitchellurgero commented 6 years ago

OMG it worked...? why did the folders need execute permissions...?
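
On the closing question, as an added example that is not part of the original thread: on a directory the x bit is search permission, and because the entries under live are symlinks into archive, the ejabberd user needs x on every directory along both chains plus r on the final file. The sketch below walks a certfile path the way the kernel resolves it and reports the first component that stops a given account. The function name first_blocker and the account name "ejabberd" are assumptions, and only classic mode bits are checked (no ACLs or capabilities).

```python
import os
import pwd
import stat
import sys

def _allowed(st, uid, gids, bit):
    """Classic mode-bit check (ignores ACLs and capabilities); bit: 4=r, 1=x."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        shift = 6          # owner class
    elif st.st_gid in gids:
        shift = 3          # group class
    else:
        shift = 0          # other class
    return bool((st.st_mode >> shift) & bit)

def first_blocker(path, uid, gids=()):
    """Walk `path` as the kernel resolves it, following symlinks, and return
    (component, reason) for the first thing that stops `uid` from reading
    the file, or None when every component is passable."""
    pending = [p for p in os.path.abspath(path).split("/") if p]
    current, hops = "/", 0
    while pending:
        # Looking up any name inside `current` needs search (x) on it.
        if not _allowed(os.stat(current), uid, gids, 1):
            return current, "directory lacks search (x) permission"
        name = pending.pop(0)
        if name == "..":
            current = os.path.dirname(current)
            continue
        child = os.path.join(current, name)
        try:
            st = os.lstat(child)
        except OSError as exc:
            return child, "cannot stat: " + exc.strerror
        if stat.S_ISLNK(st.st_mode):
            hops += 1
            if hops > 40:
                return child, "too many levels of symbolic links"
            target = os.readlink(child)
            if target.startswith("/"):
                current = "/"
            # Relative targets continue from the symlink's own directory.
            pending = [p for p in target.split("/") if p and p != "."] + pending
        elif stat.S_ISDIR(st.st_mode):
            current = child
        elif pending:
            return child, "not a directory"
        elif not _allowed(st, uid, gids, 4):
            return child, "file lacks read (r) permission"
    return None

if __name__ == "__main__":
    # usage: <script> <certfile path> <service account>
    # e.g. the account "ejabberd" (assumed name for the service user)
    target, account = sys.argv[1], sys.argv[2]
    user = pwd.getpwnam(account)
    groups = os.getgrouplist(account, user.pw_gid)
    print(first_blocker(target, user.pw_uid, groups) or "readable by " + account)
```

Run it as root so the walker itself can stat every component, for example against /etc/letsencrypt/live/urge.ro/fullchain.pem.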