Sunday, September 04, 2022
grimoire@muc.metronome.im
Metronome IM "cook" book room | Support and Dev talk about the Metronome XMPP server.

Latest stable version build is: 4.0.3

For more information you can visit: https://metronome.im

Room logs can be found here: https://muc.metronome.im/logs/grimoire/

* Links *
<==========================================================>
- Building & Installation:
https://metronome.im/building
- Documentation:
https://metronome.im/documentation
- Issues Tracker:
https://github.com/maranda/metronome/issues
<==========================================================>

[15:50:07] <tbart> Hi! Can anybody point me to what needs to be done to get the SSL setup for sending files (with Conversations, so I guess HTTP upload) and OMEMO working correctly?
I have a setup now that works, but it does not seem right.
I have a main domain chat.example.org (with a letsencrypt certificate)
Another one for uploads upload.chat.example.org (with another letsencrypt cert)
However I cannot assign the certificate for upload.chat.example.org for a virtualhost defined for it (metronome does not start, no errors in the logs, I think this is a bug).
Only if I set ssl ={ .. } in the global config space and use the upload cert, it works. This however seems a little strange.
Is this only supposed to work with one wildcard cert for all domains, i.e. the main on port 5222 and the upload domain on 5280 ?
Relevant parts of my current config:
ssl = {
key = "/etc/metronome/certs/upload.chat.example.org_privkey.pem";
certificate = "/etc/metronome/certs/upload.chat.example.org_fullchain.pem";
}
http_ports = { }
https_ports = { 5280 }
VirtualHost "chat.example.org"
ssl = {
key = "/etc/metronome/certs/chat.example.org_privkey.pem";
certificate = "/etc/metronome/certs/chat.example.org_fullchain.pem";
}
enabled = true
Component "upload.chat.example.org" "http_upload"
http_file_quota = 120*1024*1024 -- File quota per user
http_file_expire_after = 86400 -- Time to expire files
http_file_size_limit = 10000000
ssl = {
key = "/etc/metronome/certs/upload.chat.example.org_privkey.pem"; -- DOES NOT GET USED!
certificate = "/etc/metronome/certs/upload.chat.example.org_fullchain.pem";
}

If I define

VirtualHost "upload.chat.example.org"
ssl = {
key = "/etc/metronome/certs/upload.chat.example.org_privkey.pem";
certificate = "/etc/metronome/certs/upload.chat.example.org_fullchain.pem";
}
enabled = true

Metronome won't start.
Thanks a lot in advance!
(PS: I would have looked into the message log that's linked in the MUC message, https://muc.metronome.im/logs/grimoire/ but that's a 404)
[15:56:11] <tbart> Hm.. that also leads to a 404.
Here is my question: https://gist.github.com/tbart/8aa354ccb5803e3de4ab173bbf058023
[15:58:40] <Maranda> Yes apparently auto pastebin broke
[16:03:22] <Maranda> Component section ssl directive is only used for s2s
[16:04:23] <Maranda> Metronome's mod_http doesn't do SNI so only the relevant global ssl directive matters
[16:04:50] <Maranda> As of why Metronome fails to start
[16:04:58] <Maranda> Check error log
[16:05:18] <Maranda> And/or console output
[16:19:41] <tbart> So is it OK/correct to define the ssl cert for the upload globally? No SNI normally means wildcard certificates or a reverse proxy before the service. What's the recommended way of doing it?
Re: the missing error: I'll see whether there's something on the console. The debug, error and normal log is empty in this case.
I'll raise a bug if I have the necessary details.
[16:24:34] <Maranda> tbart: yes it is
[16:37:39] <Maranda> > <tbart> So is it OK/correct to define the ssl cert for the upload globally? No SNI normally means wildcard certificates or a reverse proxy before the service. What's the recommended way of doing it?
> Re: the missing error: I'll see whether there's something on the console. The debug, error and normal log is empty in this case.
> I'll raise a bug if I have the necessary details.

👍
[17:38:15] <ember> >So is it OK/correct to define the ssl cert for the upload globally? No SNI normally means wildcard certificates or a reverse proxy before the service. What's the recommended way of doing it?
acme.sh and getting certs for the domain and subdomains works pretty good
[20:39:24] <tbart> certbot easily fetches the 3 letsencrypt certs for me (added a deployment hook to make metronome happy permission wise), that's not the problem.

but where do you use/define the different certs?
[20:39:55] <tbart> it seems i haven't quite understood yet what the "ssl" definition in the global scope is for, apart from http uploads. it's somehow irritating to have a "component" definition for the http part where i can define ssl as well but it does not get picked up (probably my bad, shouldn't be defined here, but should probably choke on it during startup and tell me the syntax is wrong)
maybe it's just me, but this took me several nights to understand (or better: find out by wild guessing) 😉
[20:40:22] <tbart> i would have expected the global scope's ssl definition to be the one for the base domain (the actual XMPP server on :5222) - or for everything that does not have an explicit override for it - and each subdomain to have its own Virtualhost and ssl definition. just like in apache.
please don't get me wrong, this is not a rant. i'm sure the config error is on my side, and i want to help improve the application by sending meaningful issues (as I already did some time ago) or at least commenting my installation so it doesn't trip me up the next time i have to edit it 🙂. and if everything works as it should, i'd be willing to write a wiki article outlining the basic steps for a self-hosted group messenger for friends and family.
[21:06:25] <Maranda> > <tbart> i would have expected the global scope's ssl definition to be the one for the base domain (the actual XMPP server on :5222) - or for everything that does not have an explicit override for it - and each subdomain to have its own Virtualhost and ssl definition. just like in apache.
> please don't get me wrong, this is not a rant. i'm sure the config error is on my side, and i want to help improve the application by sending meaningful issues (as I already did some time ago) or at least commenting my installation so it doesn't trip me up the next time i have to edit it 🙂. and if everything works as it should, i'd be willing to write a wiki article outlining the basic steps for a self-hosted group messenger for friends and family.

Global scope works for all virtualhosts / components but Metronome doesn't do SNI for http components and mod_http is a shared global module so only way to set a cert for direct TLS is doing it globally and on the port/socket