Open dkliss opened 1 year ago
Debian 11, right? How did you get the cert, e.g. certbot? Try to set the proper intermediary:
certbot renew --preferred-chain "ISRG Root X1"
Yes I got it from certbot. I will try that command.
Also double check the perms of the file, e.g. sudo -u ejabberd stat /opt/ejabberd/conf/server.pem (or whatever is your user name for ejabberd processes).
Hello, I have a similar issue in a dockerized setup where I pass the certificate using a docker volume.
Since the certificate is used for different services (ejabberd, nginx, etc.) I generate it outside of docker with a systemd service in this way:
/usr/bin/bash -c '/usr/local/bin/certbot-renew.sh example.tld && cat /etc/letsencrypt/live/example.tld/fullchain.pem /etc/letsencrypt/live/example.tld/privkey.pem > /media/data/docker/ejabberd/volumes/ejabberd/ejabberd.pem && docker exec ejabberd /home/ejabberd/bin/ejabberdctl reload-config'
Then I mount it in the ejabberd docker container with this docker-compose snippet:
ejabberd:
  container_name: ejabberd
  image: ejabberd/ecs:23.01
  volumes:
    - ./volumes/ejabberd/ejabberd.pem:/home/ejabberd/conf/ejabberd.pem
My current ejabberd acme and certificate configuration is this one:
acme:
  auto: false
certfiles:
  - "/home/ejabberd/conf/ejabberd.pem"
This is the output of stat:
docker-compose exec -T -u ejabberd ejabberd stat /home/ejabberd/conf/ejabberd.pem
  File: /home/ejabberd/conf/ejabberd.pem
  Size: 7409        Blocks: 16         IO Block: 4096   regular file
Device: 803h/2051d  Inode: 30412150    Links: 1
Access: (0640/-rw-r-----)  Uid: (    0/    root)   Gid: ( 9000/ejabberd)
Access: 2023-02-11 03:00:16.200004626 +0000
Modify: 2023-02-11 03:00:14.870004626 +0000
Change: 2023-02-11 03:00:14.870004626 +0000
I'm using R3 and ISRG Root X1 for the chain of trust, and I also don't have any issue other than that warning log.
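Added example, not from this thread or the ejabberd project: a stdlib-only Python helper that inspects a bundle built with the cat command above (fullchain.pem followed by privkey.pem). It records the line range of each PEM block, so a warning such as "certificate is signed by unknown CA at line 91" can be mapped to the specific certificate in the file, and it flags a bundle that carries only the leaf certificate or not exactly one private key. The sample bundle is constructed with placeholder bodies, not real certificates.

```python
from collections import namedtuple

PemBlock = namedtuple("PemBlock", "label start_line end_line")  # 1-based line numbers

# Constructed stand-in for a 'cat fullchain.pem privkey.pem' bundle (placeholder bodies, not real DER)
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIBleafcertificateplaceholder
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBintermediateR3placeholder
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEprivatekeyplaceholder
-----END PRIVATE KEY-----
"""

def parse_pem_blocks(text):
    """Split a PEM bundle into blocks, remembering where each one starts and ends."""
    blocks, label, start = [], None, 0
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            label, start = line[11:-5], lineno
        elif line.startswith("-----END ") and label is not None:
            blocks.append(PemBlock(label, start, lineno))
            label = None
    if label is not None:
        raise ValueError(f"unterminated {label} block at line {start}")
    return blocks

def block_at_line(blocks, lineno):
    """Map the line number from a warning such as 'at line 91' to (index, block)."""
    for index, block in enumerate(blocks):
        if block.start_line <= lineno <= block.end_line:
            return index, block
    return None

def check_bundle(text):
    """Sanity-check a fullchain+privkey bundle; returns a list of problem strings."""
    blocks = parse_pem_blocks(text)
    certs = [b for b in blocks if b.label == "CERTIFICATE"]
    keys = [b for b in blocks if b.label.endswith("PRIVATE KEY")]
    problems = []
    if len(certs) < 2:  # leaf only: no intermediate (R3) for peers to build the chain
        problems.append(f"only {len(certs)} certificate(s) in bundle, intermediate missing")
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    return problems
```

Run it against the real file with `check_bundle(open(path).read())` and feed the warning's line number to `block_at_line` to see which certificate in the bundle ejabberd could not chain to its CA file.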
@cippaciong is the full path accessible to that ejabberd group? Each folder? /home/ejabberd/conf? /home/ejabberd?
Same issue on Fedora 38 with the official ejabberd rpm repositories version 23.04 and externally created letsencrypt certificates (I generate DNS-01 wildcard certificates via certbot).
I have ca_file: /opt/ejabberd/conf/cacert.pem in my config and also tried ca_file: /etc/ssl/cert.pem. I also confirmed that my certbot used the ISRG Root X1 chain for the certs.
Any idea?
@poVoq why do you need to specify ca? Try without it.
Same warning without specifying it, but the default ejabberd.yaml comes with ca_file: /opt/ejabberd/conf/cacert.pem as a default setting.
@licaon-kter sorry for the very late reply, I didn't have time to check until now.
Some files/folders are owned by root, but it looks like the ejabberd user is able to access the full path and the file itself.
~ $ whoami
ejabberd
~ $ pwd
/home/ejabberd
~ $ ls -lh
total 24K
drwxr-xr-x 1 root root 4.0K Jan 17 14:57 bin
drwxr-xr-x 2 root root 4.0K Feb 11 20:51 conf
drwxr-sr-x 3 ejabberd ejabberd 4.0K Apr 18 22:48 database
drwxr-xr-x 46 root root 4.0K Jan 17 14:57 lib
drwxr-sr-x 2 ejabberd ejabberd 4.0K Feb 11 20:51 logs
drwxr-sr-x 2 ejabberd ejabberd 4.0K Jan 17 14:57 upload
~ $ ls -lh conf/
total 272K
-rw------- 1 ejabberd ejabberd 216.7K Jan 9 23:15 cacert.pem
-rw-r--r-- 1 ejabberd ejabberd 424 Jan 17 14:53 dhparams.pem
-rw-r----- 1 root ejabberd 7.2K May 2 02:00 ejabberd.pem
-rw------- 1 ejabberd ejabberd 19.1K Feb 11 20:22 ejabberd.yml
-rw-r--r-- 1 ejabberd ejabberd 5.5K Jan 17 14:53 ejabberdctl.cfg
-rw-r--r-- 1 ejabberd ejabberd 114 Jan 17 14:53 inetrc
-rw-r--r-- 1 ejabberd ejabberd 5.2K Jan 17 14:53 server.pem
~ $ cat conf/ejabberd.pem | head -n 1
-----BEGIN CERTIFICATE-----
Seems related: https://blog.windfluechter.net/2021/09/29/letsencrypt-ca-chain-issues-with-ejabberd/
Edit: I get s2s errors from jabber.ru on my server that seem to be related to this, otherwise everything seems to be working despite this.
What's the status of this problem? Were you able to solve it somehow, or is it still kicking?
Hi,
I have a LetsEncrypt certificate and I still keep on getting the warning below, for a while now. Is this an issue? TLS works fine despite it.
2023-02-10 13:55:38.499616+00:00 [warning] Invalid certificate in /opt/ejabberd/conf/server.pem: at line 91: certificate is signed by unknown CA
Errors from error.log/crash.log
No errors