ejabberd: Dane updates

progmaticltd · Feb 24, 2024 · 654796d · 654796d
1 parent dae5320
commit 654796d
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 10 deletions.
diff --git a/roles/ejabberd/files/renew-xmpp-cert.sh b/roles/ejabberd/files/renew-xmpp-cert.sh
@@ -49,11 +49,11 @@ if [ $server_until_epoch -lt $file_until_epoch ]; then
     elif [ "$action" = "activate" ]; then
 
         # Refresh the DANE records if needed
-        /usr/local/sbin/dane-set-record xmpp 5223
+        /usr/local/sbin/dane-set-record @ 5223
 
-        # Create the s2s record as well
+        # Create the s2s DANE record as well
         if nc -z 127.0.0.1 5269; then
-            /usr/local/sbin/dane-set-record xmpp 5269
+            /usr/local/sbin/dane-set-record @ 5269
         fi
 
         systemctl reload ejabberd

diff --git a/roles/ejabberd/tasks/check/certificates.yml b/roles/ejabberd/tasks/check/certificates.yml
@@ -1,6 +1,5 @@
 ---
 
-
 - name: Load TLS ciphers used
   register: tls_ciphers_report
   ansible.builtin.shell: sslscan --no-colour smtp.{{ network.domain }}:5223
@@ -31,9 +30,10 @@
     loop_var: tls_version
 
 - name: Check DANE records for client to server
-  ansible.builtin.shell: danetool --port 5223 --check xmpp.{{ network.domain }}
+  ansible.builtin.shell: danetool --port 5223 --check {{ network.domain }}
   changed_when: false
 
 - name: Check DANE records for server to server
-  ansible.builtin.shell: danetool --port 5269 --check xmpp.{{ network.domain }}
+  when: ejabberd.s2s.active
+  ansible.builtin.shell: danetool --port 5269 --check {{ network.domain }}
   changed_when: false
diff --git a/roles/ejabberd/templates/conf/ejabberd.yml b/roles/ejabberd/templates/conf/ejabberd.yml
@@ -58,15 +58,16 @@ host_config:
     sql_database: ejabberd
 
 
+# Client to server parameters
+c2s_ciphers: TLS_CIPHERS
+c2s_protocol_options: TLS_OPTIONS
+
+# Server to server parameters
 s2s_ciphers: TLS_CIPHERS
 s2s_use_starttls: required
 s2s_protocol_options: TLS_OPTIONS
 
 
-c2s_ciphers: TLS_CIPHERS
-c2s_protocol_options: TLS_OPTIONS
-
-
 listen:
 
   - module: ejabberd_c2s
@@ -307,6 +308,8 @@ modules:
     max_connections: 5
     access: proxy65_access
     shaper: proxy65_shaper
+    # Use the right certificate for this service
+    certfile: '/etc/ssl/certs/proxy.{{ network.domain }}.crt'
 
   ### Publish-Subscribe Service (XEP-0060)
   mod_pubsub:
@@ -319,6 +322,9 @@ modules:
     plugins:
       - flat
       - pep
+    # Use the right certificate for this service
+    certfile: '/etc/ssl/certs/pubsub.{{ network.domain }}.crt'
+
 
   mod_push: { }
   mod_push_keepalive: { }