Prosody ssl Problems

I have followed the Linode guide to setting prosody up on Debian. However, I am having trouble getting ssl to work. I have generated a certificate as per the prosody docs:

openssl req -new -x509 -days 365 -nodes -out "jabber.manor-farm.org.cert" -keyout "jabber.manor-farm.org.key"

The key is owned by prosody. The relevant bit of my prosody.conf looks like:

        -- Assign this host a certificate for TLS, otherwise it would use the one
        -- set in the global section (if any).
        -- Note that old-style SSL on port 5223 only supports one certificate, and will always
        -- use the global one.
        ssl = {
                key = "/etc/apache2/ssl/jabber.manor-farm.org.key";
                certificate = "/etc/apache2/ssl/jabber.manor-farm.org.crt";
                }

I can log in using Pidgin without SSL. However, when I enable SSL I get:

You require encryption, but it is not available on this server.

There is nothing in prosody.err.

Additionally, I cannot log in using Empathy in either SSL or non-SSL mode. I just get an "Authentication failed" error.

Ian.
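Pidgin's "encryption not available" message means the server did not advertise STARTTLS in its stream features. The following is an added diagnostic, not code from the thread or from Prosody: it opens a plain client stream, reads the features, and reports whether STARTTLS is absent, optional or required. Host name, port and the stream domain (assumed equal to the host) are parameters; the two sample replies are constructed.

```python
import socket
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed sample replies (not captured from the poster's server)
FEATURES_WITH_STARTTLS = (
    "<stream:stream xmlns='jabber:client' xmlns:stream='%s'><stream:features>"
    "<starttls xmlns='%s'><required/></starttls></stream:features></stream:stream>"
    % (STREAM_NS, TLS_NS))
FEATURES_WITHOUT_STARTTLS = (
    "<stream:stream xmlns='jabber:client' xmlns:stream='%s'><stream:features>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism>"
    "</mechanisms></stream:features></stream:stream>" % STREAM_NS)


def starttls_status(xml_text):
    """Classify the STARTTLS offer in <stream:features>: "absent", "optional" or "required"."""
    root = ET.fromstring(xml_text)
    features_tag = "{%s}features" % STREAM_NS
    features = root if root.tag == features_tag else root.find(features_tag)
    starttls = None if features is None else features.find("{%s}starttls" % TLS_NS)
    if starttls is None:
        return "absent"  # exactly the case Pidgin reports as encryption unavailable
    if starttls.find("{%s}required" % TLS_NS) is not None:
        return "required"
    return "optional"


def probe_starttls(host, port=5222, domain=None, timeout=5.0):
    """Open a plain c2s stream to host:port and classify its STARTTLS offer (network call)."""
    header = ("<?xml version='1.0'?><stream:stream to='%s' xmlns='jabber:client' "
              "xmlns:stream='%s' version='1.0'>" % (domain or host, STREAM_NS))
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(header.encode())
        while b"</stream:features>" not in buf:  # outer <stream:stream> stays open
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
        try:
            sock.sendall(b"</stream:stream>")  # close the stream cleanly
        except OSError:
            pass  # peer already went away
    if b"</stream:features>" not in buf:
        raise RuntimeError("no <stream:features> received: %r" % buf[:200])
    # Append the missing close tag so the partial stream parses as one document
    return starttls_status(buf.decode("utf-8", "replace") + "</stream:stream>")
```

Run `probe_starttls("jabber.example.org")` against the server; a result of "absent" reproduces Pidgin's complaint, while "required" is what a correctly loaded mod_tls with a readable key and certificate produces.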

8 Replies

Do you have an SSL configuration block under the global host? There's a bug in Prosody that prevents TLS/SSL from being offered unless it's configured for the global host. The bug is set to be fixed in the next version.

@dbb:

Do you have an SSL configuration block under the global host? There's a bug in Prosody that prevents TLS/SSL from being offered unless it's configured for the global host. The bug is set to be fixed in the next version.

Yes I do. I am using the same cert for both the host and global accounts. I have also tried just using the global cert alone.

Ian.

Do you mind posting your full configuration file?

Also, if you want more immediate assistance you can hop on the Prosody XMPP conference at prosody@conference.prosody.im.

Full config appended below. It's really just a lightly edited version of the default.

Ian.

-- Global settings go in this section
-- (ie. those that apply to all hosts)
Host "*"

        -- This is a (by default, empty) list of accounts that are admins 
        -- for the server. Note that you must create the accounts separately
        -- (see http://prosody.im/doc/creating_accounts for info)
        -- Example: admins = { "user1@example.com", "user2@example.net" }
        admins = {"someone@jabber.manor-farm.org" }

        -- This is the list of modules Prosody will load on startup.
        -- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
        modules_enabled = {
                        -- Generally required
                                "roster"; -- Allow users to have a roster. Recommended ;)
                                "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
                                "tls"; -- Add support for secure TLS on c2s/s2s connections
                                "dialback"; -- s2s dialback support
                                "disco"; -- Service discovery

                        -- Not essential, but recommended
                                "private"; -- Private XML storage (for room bookmarks, etc.)
                                "vcard"; -- Allow users to set vCards

                        -- Nice to have
                                "legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
                                "version"; -- Replies to server version requests
                                "uptime"; -- Report how long server has been running
                                "time"; -- Let others know the time here on this server
                                "ping"; -- Replies to XMPP pings with pongs
                                "pep"; -- Enables users to publish their mood, activity, playing music and more
                                "register"; -- Allow users to register on this server using a client and change passwords

                        -- Required for daemonizing, and logging
                                "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.

                        -- Other specific functionality
                                --"console"; -- telnet to port 5582 (needs console_enabled = true)
                                --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
                                --"httpserver"; -- Serve static files from a directory over HTTP
                          };

        -- These modules are auto-loaded, should you
        -- for (for some mad reason) want to disable
        -- them then uncomment them below
        modules_disabled = {
                        -- "presence";
                        -- "message";
                        -- "iq";
        };

        -- Disable account creation by default, for security
        -- For more information see http://prosody.im/doc/creating_accounts
        allow_registration = false;
        -- These are the SSL/TLS-related settings. If you don't want
        -- to use SSL/TLS, you may comment or remove this
        ssl = {
                key = "/etc/apache2/ssl/jabber.manor-farm.org.key";
                certificate = "/etc/apache2/ssl/jabber.manor-farm.org.crt";
                }

        -- Hint: If you create a new log file or rename them, don't forget to update the
        --       logrotate config at /etc/logrotate.d/prosody
        log = {
                -- Log all error messages to prosody.err
                { levels = { min = "error" }, to = "file", filename = "/var/log/prosody/prosody.err" };
                -- Log everything of level "info" and higher (that is, all except "debug" messages)
                -- to prosody.log
                { levels = { min =  "info" }, to = "file", filename = "/var/log/prosody/prosody.log" };
        }

        pidfile = "/var/run/prosody/prosody.pid"

-- This allows clients to connect to localhost.
-- Obviously this domain cannot normally be accessed from other servers.
Host "localhost"

-- Section for example.com
-- (replace example.com with your domain name)
Host "jabber.manor-farm.org"
        -- Remove the following line to activate this host!
        -- enabled = false -- This will disable the host, preserving the config, but denying connections

        -- Assign this host a certificate for TLS, otherwise it would use the one
        -- set in the global section (if any).
        -- Note that old-style SSL on port 5223 only supports one certificate, and will always
        -- use the global one.
    --       logrotate config at /etc/logrotate.d/prosody
        log = {
                -- Log all error messages to prosody.err
                { levels = { min = "error" }, to = "file", filename = "/var/log/prosody/prosody.err" };
                -- Log everything of level "info" and higher (that is, all except "debug" messages)
                -- to prosody.log
                { levels = { min =  "info" }, to = "file", filename = "/var/log/prosody/prosody.log" };
        }

        pidfile = "/var/run/prosody/prosody.pid"

-- This allows clients to connect to localhost.
-- Obviously this domain cannot normally be accessed from other servers.
Host "localhost"

-- Section for example.com
-- (replace example.com with your domain name)
Host "jabber.manor-farm.org"
        -- Remove the following line to activate this host!
        -- enabled = false -- This will disable the host, preserving the config, but denying connections

        -- Assign this host a certificate for TLS, otherwise it would use the one
        -- set in the global section (if any).
        -- Note that old-style SSL on port 5223 only supports one certificate, and will always
        -- use the global one.
        -- ssl = { 
        --      key = "/etc/apache2/ssl/jabber.manor-farm.org.key";
        --      certificate = "/etc/apache2/ssl/jabber.manor-farm.org.crt";
        --      }

-- Set up a MUC (multi-user chat) room server on conference.example.com:

Talking about this in the conference, a few things you may want to do:

1) You have a "localhost" and "jabber.manor-farm.org" duplicated in the configuration, although that shouldn't affect anything

2) Double check the permissions on the key, the cert, and all directories leading up to them.

3) Enable debug logging to get some more verbose information on what's going on

Thanks. I have disabled localhost and the certs are in /etc/prosody/certs. The directory and the certs are owned by prosody.prosody. I have enabled debug logging, but nothing is appearing in the logs:

ian@wilkesley:~$ sudo tail /var/log/prosody/prosody.log
Jan 31 09:43:09 general    info    Hello and welcome to Prosody version 0.6.1
Jan 31 09:43:09 connlisteners    debug   Registered connection listener httpclient
Jan 31 09:43:09 datamanager    debug   Setting data path to: /var/lib/prosody
Jan 31 09:43:09 hostmanager    debug   Activated host: jabber.manor-farm.org
Jan 31 09:43:09 mod_posix    info    Successfully daemonized to PID 17016
Jan 31 09:43:09 connlisteners    debug   Registered connection listener xmppclient
Jan 31 09:43:09 socket    warn    server.lua, port 5222: address already in use
Jan 31 09:43:09 connlisteners    debug   Registered connection listener xmppserver
Jan 31 09:43:09 socket    warn    server.lua, port 5269: address already in use
Jan 31 09:43:09 connlisteners    debug   Registered connection listener xmppcomponent

Non-SSL connections work fine, but I get the:

You require encryption, but it is not available on this server.

I have tried both ports 5222 and 5223. I am using the same certs for both ports.

Ian.

````
Jan 31 09:43:09 socket warn server.lua, port 5222: address already in use
Jan 31 09:43:09 socket warn server.lua, port 5269: address already in use
````

These warnings indicate that some other process is already listening on the XMPP ports. Do you have multiple instances of Prosody running, or another XMPP server? That's going to mess things up.

Run:

````
netstat -tulp
````

as root to see what processes are listening on what ports.

Run:

````
ps ax | grep prosody
````

to see how many instances of Prosody you have running.

Thanks for the help. There were two instances of Prosody running. Everything now works fine with Pidgin. However, with Empathy I am getting the following errors:

Feb 03 10:45:56 c2s814e568    info    Client connected
Feb 03 10:45:56 c2s814e568    debug   Client sent opening <stream:stream>to jabber.manor-farm.org
Feb 03 10:45:56 c2s814e568    debug   Sent reply <stream:stream>to client
Feb 03 10:45:56 c2s814e568    debug   Received[c2s_unauthed]: <iq id="524646788860" type="get">
Feb 03 10:45:56 modulemanager    debug   Stanza of type iq from c2s_unauthed has xmlns: jabber:iq:register
Feb 03 10:45:56 modulemanager    debug   Passing stanza to mod_register
Feb 03 10:45:56 socket    debug   server.lua: client 217.146.125.41:42482 read error: closed
Feb 03 10:45:56 c2s814e568    info    Client disconnected: closed
Feb 03 10:45:56 c2s814e568    info    Destroying session for (unknown) ((unknown)@jabber.manor-farm.org)
Feb 03 10:45:56 socket    debug   server.lua: closed client handler and removed socket from list

Ian.
