ejabberd: Fix setting up certificates for multiple domains

Fixes: #2566. Thanks to joeDoe for helping with identifying the bug and confirming a fix. - Currently, when multiple domains are configured, only one certificate is setup. One domains properly and other domains will end up using the certificate for the configured domain. This leads to domain validation errors on the client-side. - Copy certificates for all domains to /etc/ejabberd/letsencrypt directory whether they are configured for ejabberd or not. - Use the new certfiles: directive to provide multiple certificates. Don't use and remove the old s2s_certfile: directive. Migrate old configuration. Tests: - Functional tests for ejabberd work. - Installing ejabberd freshly works. s2s_certfile: is not present in the configuration file. certfiles: is present with wildcard for LE certs. - Install ejabberd without the patch. s2s_certfile: is present and certfiles: does not contain the wildcard for LE certificates. Apply the patch. Setup is re-run for ejabberd app and succeeds. s2s_certfile: is removed from configuration file. certfiles: contains wildcard for LE certificates. /etc/ejabberd/letsencrypt/ contains certificates for all the configured domains on the system. - Adding domain works. Certificate for newly configured domain is copied into the ejabberd LE cert directory. ejabberd daemon is reloaded. hosts: list is updated. - Removing domain works. Certificate for the old domain is retained in the ejabberd LE directory. ejabberd daemon is not reloaded. - Setting the list of domains works. Old certificates are retained in the ejabberd LE directory. ejabberd daemon is reloaded. hosts: list is updated. Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org> Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-03-11 09:04:54 +00:00 · 2026-02-26 08:43:15 -08:00 · 2026-02-26 08:43:15 -08:00 · 6ba35df665
commit 6ba35df665
parent e4ee756918
2 changed files with 19 additions and 16 deletions
--- a/plinth/modules/ejabberd/init.py
+++ b/plinth/modules/ejabberd/init.py
@ -50,7 +50,7 @@ class EjabberdApp(app_module.App):

    app_id = 'ejabberd'

-    _version = 9
+    _version = 10

    def __init__(self) -> None:
        """Create components for the app."""
@ -98,8 +98,10 @@ class EjabberdApp(app_module.App):
                              urls=['http://{host}/bosh/'])
        self.add(webserver)

+        # Always setup certificates for all domains to keep configuration
+        # simple.
        letsencrypt = LetsEncrypt(
-            'letsencrypt-ejabberd', domains=get_domains, daemons=['ejabberd'],
+            'letsencrypt-ejabberd', domains='*', daemons=['ejabberd'],
            should_copy_certificates=True,
            private_key_path='/etc/ejabberd/letsencrypt/{domain}/ejabberd.pem',
            certificate_path='/etc/ejabberd/letsencrypt/{domain}/ejabberd.pem',
@ -140,11 +142,10 @@ class EjabberdApp(app_module.App):
        logger.info('ejabberd service domain name - %s', domain_name)

        privileged.pre_install(domain_name)
-        # XXX: Configure all other domain names
        super().setup(old_version)
-        self.get_component('letsencrypt-ejabberd').setup_certificates(
-            [domain_name])
-        privileged.setup(domain_name)
+        # Setup certificates for all domains to keep configuration simple
+        self.get_component('letsencrypt-ejabberd').setup_certificates()
+        privileged.setup()
        if not old_version:
            self.enable()

--- a/plinth/modules/ejabberd/privileged.py
+++ b/plinth/modules/ejabberd/privileged.py
@ -45,7 +45,7 @@ def pre_install(domain_name: str):


@privileged
-def setup(domain_name: str):
+def setup() -> None:
    """Enable LDAP authentication."""
    with open(EJABBERD_CONFIG, 'r', encoding='utf-8') as file_handle:
        conf = yaml.load(file_handle)
@ -83,10 +83,16 @@ def setup(domain_name: str):
    conf['ldap_base'] = scalarstring.DoubleQuotedScalarString(
        'ou=users,dc=thisbox')

+    # Read all available certificates
+    conf['certfiles'].append(
+        scalarstring.DoubleQuotedScalarString(
+            '/etc/ejabberd/letsencrypt/*/ejabberd.pem'))
+    conf['certfiles'] = list(set(conf['certfiles']))
+
    with open(EJABBERD_CONFIG, 'w', encoding='utf-8') as file_handle:
        yaml.dump(conf, file_handle)

-    _upgrade_config(domain_name)
+    _upgrade_config()

    try:
        action_utils.run(['ejabberdctl', 'restart'], check=True)
@ -95,7 +101,7 @@ def setup(domain_name: str):
                    err)


-def _upgrade_config(domain):
+def _upgrade_config() -> None:
    """Fix the config file by removing deprecated settings."""
    current_version = _get_version()
    if not current_version:
@ -125,13 +131,9 @@ def _upgrade_config(domain):
            if listen_port['port'] == 5280:
                listen_port['port'] = 5443

-    cert_dir = Path('/etc/ejabberd/letsencrypt') / domain
-    cert_file = str(cert_dir / 'ejabberd.pem')
-    cert_file = scalarstring.DoubleQuotedScalarString(cert_file)
-    conf['s2s_certfile'] = cert_file
-    for listen_port in conf['listen']:
-        if 'certfile' in listen_port:
-            listen_port['certfile'] = cert_file
+    # s2s_certfile is deprecated in favor of certfiles
+    if 's2s_certfile' in conf:
+        conf.pop('s2s_certfile')

    # Write changes back to the file
    with open(EJABBERD_CONFIG, 'w', encoding='utf-8') as file_handle: