[pkg-lua-devel] SSL certificate (and virtual host examples) in Prosody package

Matthew Wild mwild1 at gmail.com
Sun May 13 15:31:49 UTC 2012


On 13 May 2012 15:46, Sergei Golovan <sgolovan at gmail.com> wrote:
> Hi!
>
> On Sun, May 13, 2012 at 3:15 PM, Matthew Wild <mwild1 at gmail.com> wrote:
>>
>>> I'd suggest to comment out the ssl options and add this certificate to
>>> conf.d/localhost.cfg.lua.
>>
>> Legacy SSL and HTTPS (the latter is now enabled by default for all
>> HTTP plugins, such as BOSH) require the global one. I think in some
>> earlier versions Prosody almost demanded a global SSL cert if one
>> didn't exist. I think it would be fine to move it to the localhost
>> config now though.
>
> Aha, I see. I tend to think that legacy SSL shouldn't be enabled in
> default configuration, but HTTPS is another story. So, let the ssl
> options live in the main config.

Agreed (legacy SSL isn't enabled by default).

>> For what it's worth, we have a new command in 0.9: `prosodyctl cert
>> generate`. It allows you to generate a proper XMPP certificate or CSR
>> (or even just OpenSSL config) for one or more hosts in the config
>> file.
>
> There's make-ssl-cert in ssl-cert package which creates self-signed
> SSL certificate together with private key. Though having prosodyctl
> command is nice.

Yes. The difference with the prosodyctl command is that it adds in
XMPP extensions to the certificate. This is extremely useful when you
want to send a CSR to a CA, because it's hard to get these things
right in the OpenSSL config file manually.

>>> 4) Currently, we have virtual host 'example.com' in the main config
>>> and in an example config in /etc/prosody/conf.avail. Would it be
>>> better to remove (or comment out) the one in the main config file?
>>>
>>> Thoughts?
>>
>> I think I kept this just to show that you /can/ put host definitions
>> in the main config file. I won't cry if there's reason to remove it,
>> but as someone who much prefers the single config to split-config, I
>> like it there.
>
> Then maybe it's better to rename example.com hostname to example.org
> or something in the included config? (I don't like two virtual hosts
> with the same name, what if someone will try to enable them both?)

I'm fine with renaming it. Enabling both won't really cause
problems... the settings from both will be merged (and the second will
overwrite any settings that are already set).

Regards,
Matthew
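
An illustration of the point above about XMPP extensions, added here and not part of the original message or of Prosody's code: a small generator for the OpenSSL config such a CSR needs. It assumes the extensions meant are the subjectAltName otherName entries id-on-xmppAddr (RFC 6120) and SRVName (RFC 4985); the function names and sample hosts are hypothetical.

```python
"""Added example: OpenSSL request config with XMPP subjectAltName entries."""

XMPP_ADDR_OID = "1.3.6.1.5.5.7.8.5"  # id-on-xmppAddr (RFC 6120), UTF8String
SRV_NAME_OID = "1.3.6.1.5.5.7.8.7"   # id-on-dnsSRV / SRVName (RFC 4985), IA5String


def normalize(host):
    """Lower-case a host name and drop surrounding space and a trailing dot."""
    host = host.strip().rstrip(".").lower()
    if not host:
        raise ValueError("empty host name")
    return host


def san_entries(hosts):
    """Return (key, value) pairs for an [alt_names] section, duplicates removed."""
    dns, other = [], []
    for host in dict.fromkeys(normalize(h) for h in hosts):
        # dNSName and SRVName are ASCII-only, so IDNs go in as A-labels.
        ascii_host = host.encode("idna").decode("ascii")
        dns.append(ascii_host)
        for service in ("_xmpp-client", "_xmpp-server"):
            other.append(f"{SRV_NAME_OID};IA5STRING:{service}.{ascii_host}")
        # xmppAddr is a UTF8String, so it keeps the Unicode form of the domain.
        other.append(f"{XMPP_ADDR_OID};FORMAT:UTF8,UTF8:{host}")
    pairs = [(f"DNS.{i}", v) for i, v in enumerate(dns)]
    return pairs + [(f"otherName.{i}", v) for i, v in enumerate(other)]


def render_config(hosts):
    """Return the text of an OpenSSL config for a CSR covering `hosts`."""
    entries = san_entries(hosts)
    if not entries:
        raise ValueError("at least one host is required")
    lines = [
        "[req]", "prompt = no", "distinguished_name = dn",
        "req_extensions = v3_req", "",
        "[dn]", f"commonName = {entries[0][1]}", "",
        "[v3_req]", "basicConstraints = CA:FALSE",
        "subjectAltName = @alt_names", "",
        "[alt_names]",
    ]
    return "\n".join(lines + [f"{k} = {v}" for k, v in entries]) + "\n"


if __name__ == "__main__":
    # Constructed host names, not taken from any real deployment.
    print(render_config(["example.com", "conference.example.com"]))
```

The generated text is meant to be saved to a file and passed to `openssl req -new -config` together with an existing private key.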


