From: nee
Subject: Problems with setting up prosody with IPv6 and certbot
Date: Sun, 26 Nov 2017 16:26:08 +0100
Message-ID: <4fa516d8-1068-0899-8744-f450014f4d2a@cock.li>
To: guix-devel@gnu.org

Hello,

I've been trying to set up the prosody xmpp service a few weeks ago, but some things are not working out of the box.

1. Server-to-server connection failed: connection-timeout

After adding a few people on other servers I keep getting messages like this when I log in with a client:

Error from @jabber.network: Server-to-server connection failed: connection-timeout

This happens for multiple foreign servers, but not all. For example server-to-server connections to iro-iro.xyz work fine. I tried to upgrade prosody to 0.10, but it didn't change anything.

Workaround: unknown
Proper fix: unknown

2. Some users can't log into my server with the profanity client.

The user couldn't log into my server from the 'profanity' client, but could do so with 'pidgin'; profanity worked fine for other servers like jabber.network. I myself have no problems logging in with profanity; we both used the same profanity version from guix. I suspect that a buggy ipv6 setup could be the culprit here (see below), but I have to recheck that.

Workaround: unknown
Proper fix: unknown

3. Using letsencrypt certificates

Problem: Prosody cannot read the certificates generated by the certbot service. The reason is that Prosody directly starts up as a non-root user, unlike other services like for example murmur that start up as root, read certificates and then call setuid afterwards. So it has no rights to read from /etc/letsencrypt/...

I know that there is a prosody script to fetch certs, but I wanted to use one I already generated for a website.

Workaround:
chgrp prosody -R /etc/letsencrypt/
chmod 2750 -R /etc/letsencrypt/

Proper fix: I don't know, but it should be easier than this. The documentation should explain how to use certificates generated by certbot.

4. IPv6 is not enabled by default on GuixSD

Problem: With the default configuration `ifconfig` and `ip addr` did not show an ipv6 address for my server. This resulted in `prosodyctl check` printing:

________________________________________________________________________
Checking DNS for host tomato.hidamari.blue...
tomato.hidamari.blue AAAA record points to unknown address 2a03:4000:1d:1cb::
Host tomato.hidamari.blue does not seem to resolve to this server (IPv6)
Only some targets for tomato.hidamari.blue appear to resolve to this server.
________________________________________________________________________

Workaround: ip -6 addr add dev eth0

Proper fix: I don't know. Something has to be changed about system/base.scm? I don't know what exactly it is.

5. Running `prosodyctl check`

Problem: Now after I applied the ipv6 workaround `prosodyctl check` still has some problems. The complete output is:

________________________________________________________________________
**************************
Prosody was unable to find lua-bitops
This package can be obtained in the following ways:
Source: http://bitop.luajit.org/
Debian/Ubuntu: sudo apt-get install lua-bitop
luarocks: luarocks install luabitop
WebSocket support will not be available
More help can be found on our website, at http://prosody.im/doc/depends
**************************
Checking config...
Done.
Checking DNS for host tomato.hidamari.blue...
Host tomato.hidamari.blue has AAAA records, but your version of LuaSocket does not support IPv6. Please see http://prosody.im/doc/ipv6 for more information.
Checking certificates...
Checking certificate for tomato.hidamari.blue
Certificate: /etc/letsencrypt/live/tomato.hidamari.blue/fullchain.pem
Certificate expires within one month.
All checks passed, congratulations!
________________________________________________________________________

Proper fix: Build prosody with luasocket 3.0rc1, which introduced ipv6 support and is recommended on http://prosody.im/doc/ipv6. Currently we only have luasocket 2.0.2 packaged. lua-bitops is probably also something that should be packaged, but I just saw a patch for it on guix-patches. I also think that `prosodyctl check` should be run in the activation phase of prosody, like the nginx configuration check during nginx activation.

I packaged luasocket 3.0-ac3201d in my package path. 3.0-ac3201d is the version which is used by Debian and Arch; it fixed some build system bugs that are in the 3.0rc1 version, which hasn't been updated since 2013. I haven't packaged the tests, since it needs a LUA_DEBUG env variable during compilation now. It probably must be solved like in the crawl package.

https://hidamari.blue/git/packages/html/xmpp.scm.html

This brought the output of `prosodyctl check` down to this, but did not solve the server-to-server connection errors:

________________________________________________________________________
**************************
Prosody was unable to find lua-bitops
This package can be obtained in the following ways:
Source: http://bitop.luajit.org/
Debian/Ubuntu: sudo apt-get install lua-bitop
luarocks: luarocks install luabitop
WebSocket support will not be available
More help can be found on our website, at http://prosody.im/doc/depends
**************************
Checking config...
Done.
Checking DNS for host tomato.hidamari.blue...
Checking certificates...
Checking certificate for tomato.hidamari.blue
Certificate: /etc/letsencrypt/live/tomato.hidamari.blue/fullchain.pem
Certificate expires within one month.
All checks passed, congratulations!
________________________________________________________________________
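Point 3 of the message above (Prosody starting unprivileged and therefore being unable to read /etc/letsencrypt, and the recursive chgrp/chmod workaround) can be checked before the service is even started. The following is an added example, not code from the poster, from Prosody or from Guix: it computes the owner/group/other permission check for a given uid/gid along every directory on the way to the certificate, following the symlink chain, so a deployer can see exactly which component blocks the service user instead of loosening permissions blindly. It assumes the usual certbot layout (live/<host>/fullchain.pem as a symlink into archive/<host>/), builds a constructed temporary tree in that shape, and uses arbitrary placeholder ids for the service identity; since chgrp needs root, the demo lets the tree's existing group stand in for the prosody group.

```python
import os
import stat
import tempfile

# Added example, not from the post. The certbot layout (live/ -> archive/ symlinks)
# and the service uid/gid values below are assumptions for the demo.


def _permitted(st, uid, gid, groups, owner_bit, group_bit, other_bit):
    """Classic DAC order: owner, then group (primary or supplementary), then other."""
    if uid == 0:
        return True  # root bypasses read/search permission checks
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid == gid or st.st_gid in groups:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def can_search(st, uid, gid, groups=()):
    return _permitted(st, uid, gid, groups, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def can_read(st, uid, gid, groups=()):
    return _permitted(st, uid, gid, groups, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def check_cert_access(base, rel, uid, gid, groups=()):
    """Return (ok, problems) for a service identity opening base/rel.

    Directories above `base` are assumed traversable; `base`, every directory
    between it and the file, the symlink target's directories and the file
    itself are checked with the given identity.
    """
    problems = []
    base_real = os.path.realpath(base)
    link_path = os.path.join(base_real, rel)
    target = os.path.realpath(link_path)
    if target != base_real and not target.startswith(base_real + os.sep):
        return False, ["%s resolves to %s, outside %s" % (rel, target, base)]
    dirs = set()  # search (x) is needed on the link's path and on the target's path
    for p in (os.path.dirname(link_path), os.path.dirname(target)):
        while True:
            dirs.add(p)
            if p == base_real or p == os.path.dirname(p):
                break
            p = os.path.dirname(p)
    for d in sorted(dirs):
        try:
            st = os.stat(d)
        except FileNotFoundError:
            problems.append("%s is missing" % d)
            continue
        if not can_search(st, uid, gid, groups):
            problems.append("no search (x) permission on %s (mode %04o uid %d gid %d)"
                            % (d, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
    try:
        st = os.stat(target)
    except FileNotFoundError:
        return False, problems + ["%s is missing" % target]
    if not can_read(st, uid, gid, groups):
        problems.append("no read permission on %s (mode %04o uid %d gid %d)"
                        % (target, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
    return not problems, problems


def make_demo_tree():
    """Constructed certbot-style tree in a temp dir, all directories 0700; returns (base, rel)."""
    base = os.path.join(tempfile.mkdtemp(prefix="le-demo-"), "letsencrypt")
    archive = os.path.join(base, "archive", "example.test")
    live = os.path.join(base, "live", "example.test")
    os.makedirs(archive)
    os.makedirs(live)
    cert = os.path.join(archive, "fullchain1.pem")
    with open(cert, "w") as fh:  # placeholder content, not a real certificate
        fh.write("-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n")
    os.chmod(cert, 0o644)
    os.symlink(os.path.join("..", "..", "archive", "example.test", "fullchain1.pem"),
               os.path.join(live, "fullchain.pem"))
    for dirpath, _d, _f in os.walk(base):
        os.chmod(dirpath, 0o700)
    return base, os.path.join("live", "example.test", "fullchain.pem")


def apply_post_workaround(base):
    """Mode half of the post's workaround (chmod 2750 -R); returns the gid that plays 'prosody'."""
    for dirpath, _d, filenames in os.walk(base):
        os.chmod(dirpath, 0o2750)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                os.chmod(path, 0o750)  # setgid is only meaningful on directories
    return os.stat(base).st_gid


def demo():
    """Owner before, service before, service after the workaround, unrelated group after."""
    base, rel = make_demo_tree()
    owner_uid, owner_gid = os.stat(base).st_uid, os.stat(base).st_gid
    svc_uid = owner_uid + 1  # placeholder identity for the unprivileged service
    before_owner = check_cert_access(base, rel, owner_uid, owner_gid)[0]
    before_service = check_cert_access(base, rel, svc_uid, owner_gid + 1)[0]
    shared_gid = apply_post_workaround(base)
    after_service = check_cert_access(base, rel, svc_uid, shared_gid)[0]
    after_stranger = check_cert_access(base, rel, svc_uid, shared_gid + 1)[0]
    return before_owner, before_service, after_service, after_stranger


if __name__ == "__main__":
    base, rel = make_demo_tree()
    ok, problems = check_cert_access(base, rel, os.stat(base).st_uid + 1, 0)
    print("service can read certificate:", ok)
    for line in problems:
        print("  ", line)
    print("demo results:", demo())
```

On a real host the call would be `check_cert_access("/etc/letsencrypt", "live/<host>/fullchain.pem", uid, gid)` with the ids of the service user from /etc/passwd, and the problem lines then show whether it is the top-level directory, the archive/ directory or the key file itself that needs a group grant, which is a far narrower change than the recursive chmod.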