* Problems with setting up prosody with IPv6 and certbot
@ 2017-11-26 15:26 nee
  2017-11-26 23:16 ` Leo Famulari
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: nee @ 2017-11-26 15:26 UTC (permalink / raw)
  To: guix-devel

Hello, I've been trying to set up the prosody xmpp service a few weeks
ago, but some things are not working out of the box.


1. Server-to-server connection failed: connection-timeout

After adding a few people on other servers I keep getting messages like
this when I login with a client:

Error from <retracted username>@jabber.network: Server-to-server
connection failed: connection-timeout

This happens for multiple foreign servers, but not all.
For example server-to-server connections to iro-iro.xyz work fine.
I tried to upgrade prosody to 0.10, but it didn't change anything.

Workaround: unknown
Proper fix: unknown

2. Some users can't log into my server with the profanity client.
The user couldn't log into my server from the 'profanity' client, but
could do so with 'pidgin', profanity worked fine for other servers like
jabber.network. I myself have no problems logging in with profanity; we
both used the same profanity version from guix. I suspect that a buggy
ipv6 setup could be the culprit here (see below), but I have to recheck
that.

Workaround: unknown
Proper fix: unknown

3. Using letsencrypt certificates
Problem:
Prosody can not read the certificates generated by the certbot service.
The reason is that Prosody starts up directly as a non-root user, unlike
other services, for example murmur, that start up as root, read the
certificates and then call setuid afterwards. So it has no rights to
read from /etc/letsencrypt/...
I know that there is a prosody script to fetch certs, but I wanted to
use one I already generated for a website.

Workaround:
chgrp prosody -R /etc/letsencrypt/
chmod 2750 -R /etc/letsencrypt/

Proper fix:
I don't know, but it should be easier than this. The documentation
should explain how to use certificates generated by certbot.

4. Ipv6 is not enabled by default on GuixSD
Problem:
With the default configuration `ifconfig` and `ip addr` did not show an
ipv6 address for my server.
This resulted in `prosodyctl check` printing:

________________________________________________________________________
Checking DNS for host tomato.hidamari.blue...
    tomato.hidamari.blue AAAA record points to unknown address
2a03:4000:1d:1cb::
    Host tomato.hidamari.blue does not seem to resolve to this server (IPv6)
    Only some targets for tomato.hidamari.blue appear to resolve to this
server.
________________________________________________________________________

Workaround:
ip -6 addr add <my ipv6 address here> dev eth0

Proper fix:
I don't know. Something has to be changed about system/base.scm? I don't
know what exactly it is.

5. Running `prosodyctl check`
Problem:
Now after I applied the ipv6 workaround `prosodyctl check` still has
some problems. The complete output is:

________________________________________________________________________
**************************
Prosody was unable to find lua-bitops
This package can be obtained in the following ways:

	Source:           http://bitop.luajit.org/
	Debian/Ubuntu:    sudo apt-get install lua-bitop
	luarocks:         luarocks install luabitop

WebSocket support will not be available
More help can be found on our website, at http://prosody.im/doc/depends
**************************

Checking config...
Done.

Checking DNS for host tomato.hidamari.blue...
    Host tomato.hidamari.blue has AAAA records, but your version of
LuaSocket does not support IPv6.
      Please see http://prosody.im/doc/ipv6 for more information.

Checking certificates...
Checking certificate for tomato.hidamari.blue
  Certificate: /etc/letsencrypt/live/tomato.hidamari.blue/fullchain.pem
    Certificate expires within one month.

All checks passed, congratulations!
________________________________________________________________________

Proper fix:
Build prosody with luasocket 3.0rc1 which introduced ipv6 support and is
recommended on http://prosody.im/doc/ipv6
Currently we only have luasocket 2.0.2 packaged.

lua-bitops is probably also something that should be packaged, but I
just saw a patch for it on guix-patches.

I also think that `prosodyctl check` should be run in the activation
phase of prosody like the nginx configuration check during nginx activation.

I packaged luasocket 3.0-ac3201d in my package path. 3.0-ac3201d is the
version which is used by Debian and Arch, it fixed some build system
bugs that are in the 3.0rc1 version that hasn't been updated since 2013.
I haven't packaged the tests, since it needs a LUA_DEBUG env variable
during compilation now. It probably must be solved like in the crawl
package.
https://hidamari.blue/git/packages/html/xmpp.scm.html

This brought the output of `prosodyctl check` down to this, but did not
solve the server-to-server connection errors:
________________________________________________________________________
**************************
Prosody was unable to find lua-bitops
This package can be obtained in the following ways:

    Source:           http://bitop.luajit.org/
    Debian/Ubuntu:    sudo apt-get install lua-bitop
    luarocks:         luarocks install luabitop

WebSocket support will not be available
More help can be found on our website, at http://prosody.im/doc/depends
**************************

Checking config...
Done.

Checking DNS for host tomato.hidamari.blue...

Checking certificates...
Checking certificate for tomato.hidamari.blue
  Certificate: /etc/letsencrypt/live/tomato.hidamari.blue/fullchain.pem
    Certificate expires within one month.

All checks passed, congratulations!
________________________________________________________________________

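The certificate problem in point 3 is a plain discretionary-access question: can the uid Prosody runs as traverse every directory down to the PEM file and then read it? The script below is an added example, not code from this thread or from Guix; it emulates that check with `stat` (GNU or busybox `stat -c` assumed) against a constructed tree shaped like certbot's `/etc/letsencrypt`, using uid 999 as a stand-in for the prosody user and our own group as its group, since a sandbox cannot chown.

```shell
#!/bin/sh
# Added example, not code from the thread: emulate the discretionary access
# check a non-root service user faces when it opens a certificate, walking every
# ancestor directory. Assumes GNU or busybox `stat -c`; uid 999 is a constructed
# stand-in for the prosody user, whose group we pretend is our own group.

# has_perm MODE FUID FGID UID GIDS BIT: does principal (UID, GIDS) hold BIT
# (4 = read, 1 = search/execute) on an object with octal MODE owned by FUID:FGID?
has_perm() {
  mode=$((0$1)); fuid=$2; fgid=$3; uid=$4; gids=$5; bit=$6; shift_by=0
  [ "$uid" -eq 0 ] && return 0                       # root: CAP_DAC_READ_SEARCH
  if [ "$uid" -eq "$fuid" ]; then shift_by=6         # owner class wins outright
  else for g in $gids; do [ "$g" -eq "$fgid" ] && shift_by=3; done; fi
  return $(( ((mode >> shift_by) & bit) ? 0 : 1 ))   # shift_by 0 = other class
}

# can_read UID GIDS PATH: every ancestor needs the search bit, the file needs read.
can_read() {
  uid=$1; gids=$2; target=$3; p=""
  oldifs=$IFS; IFS=/; set -- $(dirname "$target"); IFS=$oldifs
  for comp in "$@"; do
    [ -n "$comp" ] || continue
    p="$p/$comp"; set -- $(stat -c '%a %u %g' "$p")
    has_perm "$1" "$2" "$3" "$uid" "$gids" 1 || { echo "denied: no search bit on $p"; return 1; }
  done
  set -- $(stat -c '%a %u %g' "$target")
  has_perm "$1" "$2" "$3" "$uid" "$gids" 4 || { echo "denied: no read bit on $target"; return 1; }
  echo "ok: uid $uid can read $target"
}

# demo: a constructed tree shaped like certbot's /etc/letsencrypt (live/ and
# archive/ are 0700, root-only), checked before and after the thread's workaround.
# Returns 0 when the workaround turns the denial into a success.
demo() {
  top=$(mktemp -d); host=example.invalid             # constructed host name
  mkdir -p "$top/live/$host" "$top/archive/$host"
  echo "constructed, not a certificate" > "$top/live/$host/fullchain.pem"
  echo "constructed, not a private key" > "$top/archive/$host/privkey1.pem"
  chmod 700 "$top" "$top/live" "$top/archive"
  svc_uid=999; svc_gid=$(id -g)
  can_read "$svc_uid" "$svc_gid" "$top/live/$host/fullchain.pem" && return 1   # expect denial
  chmod -R 2750 "$top"                               # the thread's chmod 2750 -R
  can_read "$svc_uid" "$svc_gid" "$top/live/$host/fullchain.pem" || return 1
  can_read "$svc_uid" "$svc_gid" "$top/archive/$host/privkey1.pem"   # the key opens too
}
demo
```

The last check is the caveat: a recursive `chmod 2750` grants the prosody group read access to every archived private key as well, so any process in that group can read the keys, not just the chain.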

* Re: Problems with setting up prosody with IPv6 and certbot
  2017-11-26 15:26 Problems with setting up prosody with IPv6 and certbot nee
@ 2017-11-26 23:16 ` Leo Famulari
  2017-12-04 15:29 ` Clément Lassieur
  2017-12-07  0:32 ` Clément Lassieur
  2 siblings, 0 replies; 5+ messages in thread
From: Leo Famulari @ 2017-11-26 23:16 UTC (permalink / raw)
  To: nee; +Cc: guix-devel


On Sun, Nov 26, 2017 at 04:26:08PM +0100, nee wrote:
> Hello, I've been trying to set up the prosody xmpp service a few weeks
> ago, but some things are not working out of the box.

This is a great write-up!

Can I ask you to send each problem to <bug-guix@gnu.org> separately? It
seems like the problems are unrelated to each other, and we are less
likely to lose track of things if we use the bug tracker.



* Re: Problems with setting up prosody with IPv6 and certbot
  2017-11-26 15:26 Problems with setting up prosody with IPv6 and certbot nee
  2017-11-26 23:16 ` Leo Famulari
@ 2017-12-04 15:29 ` Clément Lassieur
  2017-12-07  0:32 ` Clément Lassieur
  2 siblings, 0 replies; 5+ messages in thread
From: Clément Lassieur @ 2017-12-04 15:29 UTC (permalink / raw)
  To: nee; +Cc: guix-devel

Hi nee,

Thank you for the report!

nee <nee@cock.li> writes:

> Proper fix:
> Build prosody with luasocket 3.0rc1 which introduced ipv6 support and is
> recommended on http://prosody.im/doc/ipv6
> Currently we only have luasocket 2.0.2 packaged.

I sent a patch that updates lua5.1-socket, see
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=29562.

> I packaged luasocket 3.0-ac3201d in my package path. 3.0-ac3201d is the
> version which is used by Debian and Arch, it fixed some build system
> bugs that are in the 3.0rc1 version that hasn't been updated since 2013.

Debian and Arch use different versions.  The one used by Debian seems to
introduce other bugs, so they added extra patches to fix them, see
https://groups.google.com/forum/#!topic/linux.debian.bugs.rc/Kt84Dq4iFwI.
I believe it's safer to stick with 3.0-rc1, which is recommended by
Prosody anyway.

Clément


* Re: Problems with setting up prosody with IPv6 and certbot
  2017-11-26 15:26 Problems with setting up prosody with IPv6 and certbot nee
  2017-11-26 23:16 ` Leo Famulari
  2017-12-04 15:29 ` Clément Lassieur
@ 2017-12-07  0:32 ` Clément Lassieur
  2017-12-07 18:07   ` nee
  2 siblings, 1 reply; 5+ messages in thread
From: Clément Lassieur @ 2017-12-07  0:32 UTC (permalink / raw)
  To: nee; +Cc: guix-devel

nee <nee@cock.li> writes:

> 4. Ipv6 is not enabled by default on GuixSD

All my GuixSD machines have IPv6 addresses, and I never did anything
special.

> Problem:
> With the default configuration `ifconfig`
> and `ip addr` did not show an ipv6 address for my server.
> This resulted in `prosodyctl check` printing:
>
> ________________________________________________________________________
> Checking DNS for host tomato.hidamari.blue...
>     tomato.hidamari.blue AAAA record points to unknown address
> 2a03:4000:1d:1cb::
>     Host tomato.hidamari.blue does not seem to resolve to this server (IPv6)
>     Only some targets for tomato.hidamari.blue appear to resolve to this
> server.
> ________________________________________________________________________
>
> Workaround:
> ip -6 addr add <my ipv6 address here> dev eth0
>
> Proper fix:
> I don't know. Something has to be changed about system/base.scm? I don't
> know what exactly it is.

Could you please display the output of "ip addr"?  

I can imagine several reasons why the autoconfiguration of your IPv6
addresses didn't work:

1. your link-local address isn't unique,
2. your router didn't send Router Advertisements,
3. your server behaves like a router because IP forwarding is enabled
   (most likely).

See https://tools.ietf.org/html/rfc4862,
https://askubuntu.com/questions/114971/ipv6-auto-configuration-not-working
and
https://serverfault.com/questions/380810/ipv6-stateless-autoconfiguration-not-working-on-centos-6-2.

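The third cause in the list above is checkable from the kernel's IPv6 sysctl tree. The script below is an added example, not code from this thread or from Guix: it reads `disable_ipv6`, `forwarding` and `accept_ra` for one interface and reports which of those states would stop Router Advertisements from being honoured. The ROOT parameter is an assumption of this example so a constructed `/proc` tree can stand in for the real one offline.

```shell
#!/bin/sh
# Added example, not code from the thread: read the per-interface IPv6 sysctl
# knobs that decide whether Router Advertisements are honoured and map them to
# the causes listed in the message above. Linux ignores RAs on an interface
# with forwarding=1 unless accept_ra=2 (kernel ip-sysctl documentation). ROOT
# is an assumed prefix so a constructed /proc tree can stand in for the real one.

# slaac_status IFACE [ROOT]; exit codes: 0 RAs honoured, 1 forwarding blocks RAs,
# 2 accept_ra=0, 3 IPv6 disabled on the interface, 4 no sysctl tree.
slaac_status() {
  iface=$1; conf="${2:-}/proc/sys/net/ipv6/conf/$iface"
  [ -d "$conf" ] || { echo "$iface: no IPv6 sysctl tree"; return 4; }
  disabled=$(cat "$conf/disable_ipv6"); fwd=$(cat "$conf/forwarding"); ra=$(cat "$conf/accept_ra")
  if [ "$disabled" = 1 ]; then
    echo "$iface: disable_ipv6=1, no IPv6 at all"; return 3
  elif [ "$ra" = 0 ]; then
    echo "$iface: accept_ra=0, RAs ignored; address must be configured statically"; return 2
  elif [ "$fwd" = 1 ] && [ "$ra" = 1 ]; then
    echo "$iface: forwarding=1 makes the host a router and accept_ra=1 then drops RAs;"
    echo "        set accept_ra=2 or forwarding=0, or assign the address statically"; return 1
  fi
  echo "$iface: forwarding=$fwd accept_ra=$ra, RAs honoured (SLAAC can work)"; return 0
}

# fake_conf ROOT IFACE DISABLE_IPV6 FORWARDING ACCEPT_RA: constructed sysctl tree
fake_conf() {
  d="$1/proc/sys/net/ipv6/conf/$2"; mkdir -p "$d"
  echo "$3" > "$d/disable_ipv6"; echo "$4" > "$d/forwarding"; echo "$5" > "$d/accept_ra"
}

# demo: eth0 mirrors the suspected state in the thread (forwarding on, default
# accept_ra); eth1 has accept_ra=2. Returns 0 when both verdicts come out as expected.
demo() {
  root=$(mktemp -d)
  fake_conf "$root" eth0 0 1 1
  fake_conf "$root" eth1 0 1 2
  a=0; slaac_status eth0 "$root" || a=$?
  b=0; slaac_status eth1 "$root" || b=$?
  [ "$a" -eq 1 ] && [ "$b" -eq 0 ]
}
demo
```

Run `slaac_status eth0` with no ROOT on the server itself to read the live values; a forwarding=1/accept_ra=1 verdict is consistent with the symptom in the thread, where only the link-local address appears until one is added by hand.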

* Re: Problems with setting up prosody with IPv6 and certbot
  2017-12-07  0:32 ` Clément Lassieur
@ 2017-12-07 18:07   ` nee
  0 siblings, 0 replies; 5+ messages in thread
From: nee @ 2017-12-07 18:07 UTC (permalink / raw)
  To: guix-devel

Thanks a bunch for your answers!

Am 07.12.2017 um 01:32 schrieb Clément Lassieur:
> Could you please display the output of "ip addr"?  
> 
root@tomato ~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
    link/ether 26:0d:0d:c3:c5:a4 brd ff:ff:ff:ff:ff:ff
    inet 185.183.157.103/22 brd 185.183.159.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 2a03:4000:1d:1cb::/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::240d:dff:fec3:c5a4/64 scope link
       valid_lft forever preferred_lft forever

This is after I did the workaround of course. I don't want to reboot the
server right now.

> 3. your server behaves like a router because IP forwarding is enabled
>    (most likely).
> 
> See https://tools.ietf.org/html/rfc4862,
> https://askubuntu.com/questions/114971/ipv6-auto-configuration-not-working
> and
> https://serverfault.com/questions/380810/ipv6-stateless-autoconfiguration-not-working-on-centos-6-2.
> 
I haven't looked through all of it, but that is probably the case.
What would be the guixsd config to hard-set my ipv6 address for eth0?

