
I just installed and setup the docker ejabberd/ecs image on an ubuntu 20.04 aws instance.

I have ports, domain name and users setup and working.

On the host (ubuntu) I generated Let's Encrypt certificates with certbot, copied them on the docker container:

certfiles:
  - /home/ejabberd/conf/fullchain.pem
  - /home/ejabberd/conf/privkey.pem

ca_file: "/home/ejabberd/conf/fullchain.pem"

I want to require my users to use only a secure connection.

I read on the documentation that I'd better use STARTTLS instead of TLS.

The problem is that ejabberd seems to use my certificates only when setting up TLS.

When I set the config like this:

listen:
  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    max_stanza_size: 262144
    shaper: c2s_shaper
    access: c2s
    tls: true
...
  -
    port: 5280
    ip: "::"
    module: ejabberd_http
    tls: true
    request_handlers:
      "/admin": ejabberd_web_admin

and reload the config with bin/ejabberdctl reload_config, then I can access https://example.com:5280/admin/ using ssl.

And when I test the certificate using openssl from another machine, it seems to work because I get the following:

openssl s_client -connect example.com:5222
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = example.com
verify return:1
---
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...

But when I use, as I should from what I understand, starttls and starttls_required:

listen:
  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    max_stanza_size: 262144
    shaper: c2s_shaper
    access: c2s
    starttls: true
    starttls_required: true

Then ejabberd does not seem to use a secure connection on port 5222:

openssl s_client -connect example.com:5222
CONNECTED(00000005)
140324192997824:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 315 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Any idea what I could do to fix this?


1 Answer

To make the connection secure, you need to specify tls: true in the listener. For example, in the config below both ports 5222 and 5223 have the same settings, but 5223 also includes tls: true. Thanks to that, your openssl test will detect a secure connection on port 5223 but not on 5222.

  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    max_stanza_size: 262144
    shaper: c2s_shaper
    access: c2s
    starttls_required: true
  -
    port: 5223
    ip: "::"
    tls: true
    module: ejabberd_c2s
    max_stanza_size: 262144
    shaper: c2s_shaper
    access: c2s
    starttls_required: true

As a side note, if still in trouble please try changing ca_file to ca_file: "/home/ejabberd/conf/cacert.pem" assuming cacert.pem is the file created by the ejabberd installer and not your LE.

  • Thank you! As a side question, in the profanity client I connect on port `5223` with `tls force` to use TLS encryption, but in a chat with other users I also see `unencrypted`. Does it have to do with `OTR` or `OMEMO` or other similar end-to-end encryption, or is it that my connection is still not encrypted by the LE certificates? – user7890 May 19 '20 at 13:30
  • The `unencrypted` label, if it appears within the client app windows, is most likely related to the fact that this specific message wasn't encrypted using OMEMO. Different clients show it differently, some show a padlock for OMEMO messages. – f055 May 20 '20 at 14:14
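Added example, not code from the question or the answer: the in-band STARTTLS negotiation that a bare `openssl s_client -connect` never performs (which is why the plaintext port "fails" the handshake above), done by hand in Python. It opens the plaintext XMPP stream on 5222, reads whether `<stream:features>` advertises STARTTLS as required (what `starttls_required: true` produces), requests the upgrade, and then verifies the certificate with Python's default TLS context, like a real client would. HOST, DOMAIN and PORT are placeholders; `openssl s_client -starttls xmpp -connect host:5222` performs the same handshake from the command line.

```python
"""Probe an XMPP c2s port for in-band STARTTLS, the way an XMPP client does."""
import re
import socket
import ssl

# Placeholders: point these at the server under test.
HOST, DOMAIN, PORT = "example.com", "example.com", 5222
XMPP_TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

def stream_header(domain: str) -> bytes:
    """Opening of the plaintext XMPP stream inside which STARTTLS is negotiated."""
    return (f"<?xml version='1.0'?><stream:stream to='{domain}' version='1.0' "
            "xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>").encode()

def starttls_policy(features: str) -> str:
    """Classify <stream:features>: 'required' (starttls_required), 'optional' or 'none'."""
    if XMPP_TLS_NS not in features:
        return "none"
    m = re.search(r"<starttls\b[^>]*>(.*?)</starttls>", features, re.S)
    return "required" if m and "<required" in m.group(1) else "optional"

def proceed_granted(reply: str) -> bool:
    """The server answers <starttls/> with <proceed/> (upgrade now) or <failure/>."""
    return "<proceed" in reply and "<failure" not in reply

def recv_until(sock, marker: bytes, limit: int = 65536) -> str:
    """Read from the socket until the marker appears (or the stream ends / limit is hit)."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode(errors="replace")

def probe(host: str = HOST, domain: str = DOMAIN, port: int = PORT, timeout: float = 5.0) -> dict:
    """Plaintext stream -> features -> <starttls/> -> TLS upgrade with certificate verification."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(stream_header(domain))
        policy = starttls_policy(recv_until(raw, b"</stream:features>"))
        if policy == "none":
            return {"starttls": policy, "tls": None}
        raw.sendall(f"<starttls xmlns='{XMPP_TLS_NS}'/>".encode())
        if not proceed_granted(recv_until(raw, b"/>")):
            return {"starttls": policy, "tls": None}
        ctx = ssl.create_default_context()  # verifies chain and hostname, like a real client
        with ctx.wrap_socket(raw, server_hostname=domain) as tls:
            tls.sendall(stream_header(domain))  # the XMPP stream restarts after the upgrade
            return {"starttls": policy, "tls": tls.version(),
                    "subject": dict(x[0] for x in tls.getpeercert()["subject"])}

if __name__ == "__main__":
    print(probe())
```

A result of `{'starttls': 'required', 'tls': 'TLSv1.3', 'subject': {'commonName': ...}}` means the plaintext port really does force the upgrade and serves the Let's Encrypt chain; a verification error from `wrap_socket` means the certificate files are not the ones being served.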