Setting up BOSH SSL

Mirco Hansen

Oct 26, 2017, 4:59:39 PM
to Prosody IM Users
Hello,

I have some issues getting BOSH to work with SSL. I have two virtual hosts and I want to run BOSH over SSL on ports 5281 and 5282 (a dedicated port for each host, because if I remember correctly I read somewhere in the docs that SNI might not always work properly).

Here is my config:
http_ports = { 5280 }
http_interfaces = { "*" }
 
https_ports = { 5281, 5282 }
https_interfaces = { "*" }

bosh_ports = {
    {
        port = 5280;
        path = "http-bind";
    },
    {
        port = 5281;
        path = "http-bind";
        ssl = {
            key = "/etc/ssl/jabber.kosebamse.com/key.pem";
            certificate = "/etc/ssl/proxy.kosebamse.com/fullchain.pem";
        }
    },
    {
        port = 5282;
        path = "http-bind";
        ssl = {
            key = "/etc/ssl/diaspora.town/key.pem";
            certificate = "/etc/ssl/diaspora.town/fullchain.pem";
        }
    }
}

The debug.log says:
Oct 26 20:13:35 portmanager    debug    Added listening service http to [*]:5280
Oct 26 20:13:35 portmanager    info    Activated service 'http' on [*]:5280
Oct 26 20:13:35 portmanager    debug    No active service for https, activating...
Oct 26 20:13:35 certmanager    debug    Searching /etc/prosody/certs for a key and certificate for https...
Oct 26 20:13:35 certmanager    debug    No certificate/key found for https
Oct 26 20:13:35 portmanager    error    Error binding encrypted port for https: No key present in SSL/TLS configuration for https port 5281
Oct 26 20:13:35 certmanager    debug    Searching /etc/prosody/certs for a key and certificate for https...
Oct 26 20:13:35 certmanager    debug    No certificate/key found for https
Oct 26 20:13:35 portmanager    error    Error binding encrypted port for https: No key present in SSL/TLS configuration for https port 5282
Oct 26 20:13:35 portmanager    info    Activated service 'https' on no ports

I use the same certificates for S2S and C2S and they work fine there. I also read on the certificate page in the documentation that services use a single certificate. How do I create that? I also tried importing them into Prosody, and copying the certs to /etc/prosody/certs with the names given in the docs, but that didn't work either.


Thank you in advance.

Regards
Mirco

Matthew Wild

Oct 26, 2017, 5:35:48 PM
to Prosody IM Users Group
Hi Mirco,

On 26 October 2017 at 19:26, Mirco Hansen <koseb...@gmail.com> wrote:
> Hello,
>
> I have some issues getting BOSH to work with SSL. I have two virtual hosts and
> I want to run the BOSH SSL on port 5281 and 5282 (a dedicated port for each
> host because if I remember correctly I read somewhere in the doc that SNI
> might not always work properly).

From the log snippets you posted, it looks like you are using 0.10.

The 'bosh_ports' option has been deprecated for some time. Remove it,
and set certificates like this:

https_ssl = {
    [5281] = {
        key = "/path/to/domain1.key";
        certificate = "/path/to/domain1.crt";
    };
    [5282] = {
        key = "/path/to/domain2.key";
        certificate = "/path/to/domain2.crt";
    };
}

Don't forget that if you are using a reverse proxy in front of Prosody
(Apache, nginx, etc.) which you will typically need to do for web
clients, then these servers will already provide SNI and you may not
need to serve multiple certificates from Prosody itself.

Regards,
Matthew
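A defender-side check that follows from Matthew's diagnosis, added here as an example and not code from the thread or from the Prosody project: a small Python script that reads Prosody debug.log lines of the kind Mirco posted and reports which encrypted listeners failed to bind. The point is the last line of Mirco's excerpt, "Activated service 'https' on no ports": with that condition Prosody keeps running and BOSH stays reachable in plaintext on 5280, so the missing TLS listener is only noticed when a client fails. The log lines in the block are constructed to resemble the thread's excerpt (not a real capture), and the function names are my own.

```python
import re
from typing import Dict, List, Set

# Constructed sample, modelled on the Prosody 0.10 debug.log lines in the thread.
BROKEN_LOG = """\
Oct 26 20:13:35 portmanager    debug    Added listening service http to [*]:5280
Oct 26 20:13:35 portmanager    info    Activated service 'http' on [*]:5280
Oct 26 20:13:35 portmanager    debug    No active service for https, activating...
Oct 26 20:13:35 certmanager    debug    No certificate/key found for https
Oct 26 20:13:35 portmanager    error    Error binding encrypted port for https: No key present in SSL/TLS configuration for https port 5281
Oct 26 20:13:35 portmanager    error    Error binding encrypted port for https: No key present in SSL/TLS configuration for https port 5282
Oct 26 20:13:35 portmanager    info    Activated service 'https' on no ports
"""

# Constructed sample of what a healthy start looks like after https_ssl is set per port.
FIXED_LOG = """\
Oct 28 01:10:02 portmanager    info    Activated service 'http' on [*]:5280
Oct 28 01:10:02 portmanager    info    Activated service 'https' on [*]:5281, [*]:5282
"""

# "<timestamp> <source> <level> <message>" as written by Prosody's default log format.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<src>\S+)\s+(?P<level>\w+)\s+(?P<msg>.*)$")
ACTIVATED_RE = re.compile(r"Activated service '(?P<svc>\w+)' on (?P<where>.+)$")
BIND_ERR_RE = re.compile(
    r"Error binding encrypted port for (?P<svc>\w+): (?P<reason>.*) port (?P<port>\d+)$"
)


def parse_line(line: str):
    """Split one log line into timestamp, source module, level and message."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def audit_tls_listeners(log_text: str) -> Dict:
    """Return which services actually bound, every encrypted-port bind error,
    and the services that ended up with no listener at all."""
    active: Dict[str, Set[int]] = {}   # service -> ports that really bound
    bind_errors: List[Dict] = []       # one entry per failed encrypted port
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        m = ACTIVATED_RE.search(rec["msg"])
        if m:
            # "[*]:5281, [*]:5282" -> {5281, 5282}; "no ports" -> empty set
            ports = {int(p) for p in re.findall(r":(\d+)", m.group("where"))}
            active.setdefault(m.group("svc"), set()).update(ports)
            continue
        m = BIND_ERR_RE.search(rec["msg"])
        if m and rec["level"] == "error":
            bind_errors.append({
                "service": m.group("svc"),
                "port": int(m.group("port")),
                "reason": m.group("reason"),
            })
    # A service that reported bind errors and has no bound port is silently absent.
    missing = sorted({e["service"] for e in bind_errors if not active.get(e["service"])})
    return {"active": active, "bind_errors": bind_errors, "services_without_listener": missing}


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_LOG), ("fixed", FIXED_LOG)):
        report = audit_tls_listeners(text)
        print(name, "active:", {k: sorted(v) for k, v in report["active"].items()})
        for err in report["bind_errors"]:
            print(name, "bind error on", err["service"], "port", err["port"], ":", err["reason"])
        if report["services_without_listener"]:
            print(name, "NO LISTENER for:", ", ".join(report["services_without_listener"]))
```

Run it against the real /etc/prosody/debug.log after a restart (or wire `audit_tls_listeners` into whatever reads the log); an empty `services_without_listener` list together with `https` bound on every port listed in `https_ports` is the condition to alert on when it is not met.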

Mirco Hansen

Oct 28, 2017, 2:18:35 AM
to Prosody IM Users
Hello Mike,

On Thursday, 26 October 2017 23:35:48 UTC+2, Matthew Wild wrote:
> Hi Mirco,
>
> From the log snippets you posted, it looks like you are using 0.10.
>
> The 'bosh_ports' option has been deprecated for some time. Remove it,
> and set certificates like this:
>
> https_ssl = {
>    [5281] = {
>        key = "/path/to/domain1.key";
>        certificate = "/path/to/domain1.crt";
>    };
>    [5282] = {
>        key = "/path/to/domain2.key";
>        certificate = "/path/to/domain2.crt";
>    };
> }

Thanks a lot, this worked! Correct, I am using Prosody 0.10; I forgot to mention that.

Regards
Mirco