rroemhild / docker-ejabberd

Dockerfile for Ejabberd server
MIT License

Failed to secure c2s connection: TLS failed: no_certfile during client connect #152

Open BrianJVarley opened 7 years ago

BrianJVarley commented 7 years ago

hi @rroemhild

Issue:

Connecting to ejabberd server container from XMPP client throws a TLS cert error, causing the connection to close.


Error

18:04:15.437 [error] (tcp | <0.640.0>) Failed to secure c2s connection: TLS failed : no_certfile

Debugging

Checking the logs for the ejabberd container, there are no installation error log entries relating to no_certfile.

I've tried multiple connections from the Pidgin client to the server but get the same no_certfile TLS error.

Docker args

docker run -d \
    --name "ejabberd" \
    -p 5222:5222 \
    -p 5269:5269 \
    -p 5280:5280 \
    -h 'dockertesting-Virtual-Machine' \
    -e "XMPP_DOMAIN=dockertesting-Virtual-Machine" \
    -e "ERLANG_NODE=ejabberd" \
    -e "EJABBERD_ADMINS=admin@dockertesting-Virtual-Machine admin2@dockertesting-Virtual-Machine" \
    -e "EJABBERD_USERS=admin@dockertesting-Virtual-Machine:password1234 dockertesting-Virtual-Machine@example.de" \
    -e "TZ=Europe/Berlin" \
    rroemhild/ejabberd

Question

Is there extra configuration required on the ejabberd server to accept the TLS connection, or am I missing some detail during setup?

rroemhild commented 7 years ago

Hi @BrianJVarley, it seems that the automatic certificate generation breaks by using hostnames with a dash. Try dockertestingvm as a hostname and it should work.

BrianJVarley commented 7 years ago

Hi @rroemhild, editing my hosts and hostname files to dockertestingvm instead of dockertesting-Virtual-Machine fixed the issue. I'm now getting a valid self-signed certificate for the ejabberd instance and connections are accepted.

Should the automatic certificate generation module be able to handle hostnames with - symbols? According to this reference, Linux uses the RFC 952 spec for hostname definitions, which defines a valid host as:

A "name" (Net, Host, Gateway, or Domain name) is a text string up to 24 characters drawn from the alphabet (A-Z), digits (0-9), minus sign (-), and period (.). Note that periods are only allowed when they serve to delimit components of "domain style names". [...] No blank or space characters are permitted as part of a name. No distinction is made between upper and lower case. The first character must be an alpha character. The last character must not be a minus sign or period.

In any case, removing the dash from the hostname works, but this may be an enhancement to think about.

https://askubuntu.com/a/123489
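As an added example (not code from rroemhild/docker-ejabberd), the following POSIX sh function checks a hostname against the RFC 952 rules quoted above, so a container entrypoint could reject a bad XMPP_DOMAIN with a clear reason before certificate generation fails and the failure surfaces later as "no_certfile"; the sample hostnames are constructed, apart from the two used in this thread.

```shell
#!/bin/sh
# Added example, not part of rroemhild/docker-ejabberd: a POSIX sh check of a
# hostname against the RFC 952 rules quoted in this thread. An entrypoint could
# run it on XMPP_DOMAIN before generating the self-signed certificate, so a bad
# name fails loudly with a reason instead of as an opaque TLS "no_certfile".

# rfc952_check NAME
# Prints "ok" and returns 0 for a valid name; otherwise prints the violated
# rule and returns 1.
rfc952_check() {
    name=$1
    # up to 24 characters (RFC 1123 later raised this limit)
    if [ -z "$name" ] || [ ${#name} -gt 24 ]; then
        echo "length not in 1..24"; return 1
    fi
    case $name in
        # only letters, digits, minus sign and period; no blanks
        *[!A-Za-z0-9.-]*) echo "character outside A-Z 0-9 - ."; return 1 ;;
    esac
    case $name in
        # first character must be alphabetic
        [A-Za-z]*) ;;
        *) echo "first character not alphabetic"; return 1 ;;
    esac
    case $name in
        # last character must not be a minus sign or period
        *-|*.) echo "last character is - or ."; return 1 ;;
    esac
    case $name in
        # periods only delimit components, so no empty component
        *..*) echo "empty component between periods"; return 1 ;;
    esac
    echo ok
}

# Constructed sample names, including the two hostnames from this thread.
for host in dockertestingvm dockertesting-vm dockertesting-Virtual-Machine \
            dockertesting- 9vm 'my host' a..b; do
    printf '%-30s %s\n' "$host" "$(rfc952_check "$host")"
done
```

Under the strict RFC 952 limit of 24 characters, the 29-character hostname from this thread is rejected for its length, not for its dashes, which the spec permits; RFC 1123 later raised the limit, so a check meant for current Linux hostnames would relax that one rule.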

rroemhild commented 7 years ago

I'll leave this open until I find the time to fix this issue, or maybe someone else has the time.