```
├── README.md
├── fixing-1000's-errors-in-signal-server.md
├── redis-bug.md
├── requirements.md
├── setup_cds_unfinished.md
├── setup_nginx_and_letsencrypt.md
├── setup_signal_server.md
├── setup_turn_and_stun.md
└── setup_whisper_store.md
```

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

# SignalApp-Setup 2.55

I was recently tasked with setting up a Signal Server. After a few days of reading through most of the development threads here, I was able to successfully set up video calls, voice calls, messages, login and registration. We arrived at the final part, setting up the CloudFront CDN, and then an unfortunate situation occurred, so I do not have any documentation on that yet.

I was removed from the project due to a dispute between me and the boss, but was left with this documentation and decided to release it publicly, as it is public information that was just spread across the forums in sections. This means the documentation only covers the server-side configuration and not building the clients, but those steps are fairly easy to cover.

If you're prepared to help out, please fork the repo and fill in any steps or procedures that you feel are important or missing :smiley:

# Steps:

- [Requirements](./requirements.md)
- [Setup Signal Server](./setup_signal_server.md)
- [Setup Nginx & LetsEncrypt](./setup_nginx_and_letsencrypt.md)
- [Setup Turn And Stun](./setup_turn_and_stun.md)
- [Setup Whisper Store](./setup_whisper_store.md)
- Common Issues
  - [Account Database Crawler (Removes the horrid warn log)](./fixing-1000's-errors-in-signal-server.md)
  - [Redis crashing](./redis-bug.md)

--------------------------------------------------------------------------------
/fixing-1000's-errors-in-signal-server.md:
--------------------------------------------------------------------------------

## The noisy screen with thousands of errors a second

The account database crawler is not needed for the server to work, and its warnings flood the console. Disabling it leaves a quiet console and a server that actually works.

First, enter the directory of the server, then edit this file:

```
service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java
```

Find this line:

```java
environment.lifecycle().manage(accountDatabaseCrawler);
```

and comment it out:

```java
// environment.lifecycle().manage(accountDatabaseCrawler);
```

Then rebuild the Signal server from the main directory with

```bash
mvn install -DskipTests
```

Restart the server and you should see a nice, happy console.

--------------------------------------------------------------------------------
/redis-bug.md:
--------------------------------------------------------------------------------

# Redis will not start again because its systemd unit confines it to a read-only filesystem

If you hit a Redis issue where it will not start again, this is because the service unit makes the filesystem read-only for Redis (`ReadOnlyDirectories=/`) without giving it a writable working directory, which is incorrect.

First, create a directory under `/home` for Redis to use:
```bash
sudo mkdir /home/redis
sudo chown -R redis:redis /home/redis
```

Now edit the unit with `nano /etc/systemd/system/redis.service` so that it matches the following. The lines that matter are the `ReadWriteDirectories` entries: because `ReadOnlyDirectories=/` makes the whole filesystem read-only for the service, every directory Redis must write to, including the one just created (spelled exactly the same way), has to be listed there.

```ini
[Unit]
Description=Advanced key-value store
After=network.target
Documentation=http://redis.io/documentation, man:redis-server(1)

[Service]
Type=forking
ExecStart=/usr/bin/redis-server /etc/redis/redis.conf
ExecStop=/bin/kill -s TERM $MAINPID
PIDFile=/var/run/redis/redis-server.pid
TimeoutStopSec=0
Restart=always
User=redis
Group=redis
RuntimeDirectory=redis
RuntimeDirectoryMode=2755

UMask=007
PrivateTmp=yes
LimitNOFILE=65535
PrivateDevices=yes
#ProtectHome=yes
ReadOnlyDirectories=/
ReadWriteDirectories=-/var/lib/redis
ReadWriteDirectories=-/var/log/redis
ReadWriteDirectories=-/var/run/redis
ReadWriteDirectories=-/home/redis

NoNewPrivileges=true
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
MemoryDenyWriteExecute=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# redis-server can write to its own config file when in cluster mode so we
# permit writing there by default. If you are not using this feature, it is
# recommended that you replace the following lines with "ProtectSystem=full".
ProtectSystem=true
ReadWriteDirectories=-/home/redis

[Install]
WantedBy=multi-user.target
Alias=redis.service
```

--------------------------------------------------------------------------------
/requirements.md:
--------------------------------------------------------------------------------

## Requirements

* Ubuntu 18.04 (tested)

If you're planning to set up Contact Discovery, I personally recommend setting that up first.

Make sure you have the latest versions of the build tools:

```bash
sudo apt-get update
sudo apt-get -y install maven build-essential
```

### Install Java

You will need an Oracle account to download the actual software. The installer package warns:

```
Oracle Java 11 can’t be directly downloaded from Oracle website any more! Now you HAVE to log in and manually download Oracle Java 11 .tar.gz, and place the archive in /var/cache/oracle-jdk11-installer-local/
```

```bash
sudo add-apt-repository ppa:linuxuprising/java
sudo apt-get update
sudo apt-get install oracle-java11-installer-local
sudo apt-get install oracle-java11-set-default-local
```

### Install Redis

```bash
sudo apt-get install -y redis-server redis-sentinel
sudo systemctl start redis
sudo systemctl enable redis
sudo systemctl start redis-sentinel
sudo systemctl enable redis-sentinel
```

### Install database

```bash
sudo apt-get install postgresql postgresql-contrib -y
sudo -i -u postgres
createdb accountdb
createdb messagedb
createuser --interactive   # create the role the Signal server will connect as (here: "Signal")
psql
```

Then, inside `psql`, set the role's password:

```sql
ALTER USER "Signal" WITH PASSWORD 'Signal!!';
```

## Remote access to the PostgreSQL database

To open port 5432, edit `/etc/postgresql/10/main/postgresql.conf` and change

```
listen_addresses = 'localhost'
```

to

```
listen_addresses = '*'
```

To modify the access configuration, edit `/etc/postgresql/10/main/pg_hba.conf` and add this to the bottom of the file (the address column must be a network in CIDR notation; `0.0.0.0/0` means any IPv4 client):

```
host    all    all    0.0.0.0/0    md5
```

Then restart the DBMS:

```bash
invoke-rc.d postgresql restart
```

--------------------------------------------------------------------------------
/setup_cds_unfinished.md:
--------------------------------------------------------------------------------

## Setup SGX Driver

First, clone the `linux-sgx-driver` repository to your computer:
```bash
git clone https://github.com/intel/linux-sgx-driver.git
```

Change directory to the local repository:
```bash
cd linux-sgx-driver
```

Then switch to the `sgx2` branch:
```bash
git checkout sgx2
```

You can follow the guide provided in the repository: [Build and Install the Intel(R) SGX Driver](https://github.com/intel/linux-sgx-driver/#build-and-install-the-intelr-sgx-driver)

But I will provide an example of building and installing on Ubuntu 18.04; maybe it will be useful for you to get the general idea.

Check if matching kernel headers are installed:
```bash
$ dpkg-query -s linux-headers-$(uname -r)
```

To install matching headers:
```bash
$ sudo apt-get install linux-headers-$(uname -r)
```

Build the driver from source:
```bash
$ make
```

To install the Intel(R) SGX driver, enter the following commands with root privilege:
```bash
$ sudo mkdir -p "/lib/modules/"`uname -r`"/kernel/drivers/intel/sgx"
$ sudo cp isgx.ko "/lib/modules/"`uname -r`"/kernel/drivers/intel/sgx"
$ sudo sh -c "cat /etc/modules | grep -Fxq isgx || echo isgx >> /etc/modules"
$ sudo /sbin/depmod
$ sudo /sbin/modprobe isgx
```

## Setup SGX PSW

[You want to contribute? Please submit a GitHub issue and Pull Request.]
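Opening `listen_addresses` to `*` binds PostgreSQL on every interface, so the `pg_hba.conf` rule this section adds next is what decides who can connect. The following Python script, added here as an example and not part of the original guide, audits both settings together: it reads the effective `listen_addresses`, parses `pg_hba.conf` rules, flags an address such as `*` that PostgreSQL cannot parse as a network (it is treated as a host name, never resolves, and the rule silently matches nothing), and reports rules that admit any address or use `trust`/`password`. The two file contents below are constructed samples.

```python
"""Audit PostgreSQL network exposure from postgresql.conf and pg_hba.conf.

Added example for the remote-access section of the guide; not the guide's own
code. The configuration texts below are constructed samples.
"""
import ipaddress
import re

# Constructed samples: the guide's listen_addresses edit, and a pg_hba.conf
# with two stock rules plus the guide's rule written two ways.
SAMPLE_POSTGRESQL_CONF = """
# - Connection Settings -
#listen_addresses = 'localhost'
listen_addresses = '*'
port = 5432
"""

SAMPLE_PG_HBA = """
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 peer
host    all       all   127.0.0.1/32  md5
host    all       all   *             md5
host    all       all   0.0.0.0/0     md5
host    all       all   10.0.0.0/8    trust
"""

SPECIAL_ADDRESSES = {"all", "samehost", "samenet"}
WEAK_METHODS = {"trust", "password"}  # no authentication / plaintext password


def listen_addresses(conf_text):
    """Effective listen_addresses value; the last uncommented setting wins."""
    value = "localhost"  # PostgreSQL's default when the setting is absent
    for line in conf_text.splitlines():
        m = re.match(r"\s*listen_addresses\s*=\s*'([^']*)'", line)
        if m:
            value = m.group(1)
    return value


def parse_hba_line(line):
    """Split one pg_hba.conf rule into its columns; None for comments/blank lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    if fields[0] == "local":            # local rules have no ADDRESS column
        if len(fields) < 4:
            return None
        return {"type": "local", "db": fields[1], "user": fields[2],
                "address": None, "method": fields[3]}
    if len(fields) < 5:
        return None
    return {"type": fields[0], "db": fields[1], "user": fields[2],
            "address": fields[3], "method": fields[4]}


def audit(conf_text, hba_text):
    """Return a list of (severity, message) findings."""
    findings = []
    listen = listen_addresses(conf_text).strip()
    exposed = listen in ("*", "0.0.0.0", "::")
    if exposed:
        findings.append(("warn", f"listen_addresses='{listen}' binds every interface; "
                                 "restrict it with a firewall or a specific address"))
    for raw in hba_text.splitlines():
        rule = parse_hba_line(raw)
        if rule is None or rule["type"] == "local":
            continue
        addr = rule["address"]
        if addr in SPECIAL_ADDRESSES:
            wide_open = addr == "all"
        else:
            try:
                net = ipaddress.ip_network(addr, strict=False)
            except ValueError:
                # Not a CIDR or keyword: pg_hba treats it as a host name, and
                # '*' never resolves, so the rule matches no client at all.
                findings.append(("error", f"address '{addr}' is not a CIDR or keyword; "
                                          "the rule will never match (use 0.0.0.0/0)"))
                continue
            wide_open = net.prefixlen == 0
        if wide_open and exposed:
            findings.append(("warn", f"'{raw.strip()}' accepts {rule['db']}/{rule['user']} "
                                     "from any address on an exposed listener"))
        if rule["method"] in WEAK_METHODS:
            findings.append(("error", f"'{raw.strip()}' uses '{rule['method']}', which "
                                      "skips authentication or sends the password in clear"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_POSTGRESQL_CONF, SAMPLE_PG_HBA):
        print(f"[{severity}] {message}")
```

Run it against the real files with `audit(open('/etc/postgresql/10/main/postgresql.conf').read(), open('/etc/postgresql/10/main/pg_hba.conf').read())`; a clean result for a database that only the local Signal server uses is `listen_addresses = 'localhost'` with a `127.0.0.1/32 md5` rule.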
## Get Intel SGX PCK Certificate

Environment:
1. a fresh Azure Confidential Compute VM (untick "Install OpenEnclave things..." when creating it; the West Europe region was used)
2. Ubuntu 18.04

First, install DKMS:
```bash
$ sudo apt install dkms
```

Then install Intel's pre-built, ready-to-use SGX driver:
```bash
$ wget https://download.01.org/intel-sgx/dcap-1.2/linux/dcap_installers/ubuntuServer18.04/sgx_linux_x64_driver_1.12_c110012.bin
$ chmod +x sgx_linux_x64_driver_1.12_c110012.bin
$ sudo ./sgx_linux_x64_driver_1.12_c110012.bin
```

Proceed to install the SGX SDK (the file name in the later commands must match the one that was downloaded):
```bash
$ wget https://download.01.org/intel-sgx/dcap-1.2/linux/dcap_installers/ubuntuServer18.04/sgx_linux_x64_sdk_2.6.100.51363.bin
$ chmod +x sgx_linux_x64_sdk_2.6.100.51363.bin
$ sudo ./sgx_linux_x64_sdk_2.6.100.51363.bin
```

Activate the SGX environment (I guess we don't need it):
```bash
$ source ~/sgxsdk/environment
```

Continue with installing the SGX PSW:
```bash
$ sudo apt install libprotobuf10
$ wget https://download.01.org/intel-sgx/dcap-1.2/linux/dcap_installers/ubuntuServer18.04/libsgx-enclave-common_2.6.100.51363-bionic1_amd64.deb
$ sudo dpkg -i libsgx-enclave-common_2.6.100.51363-bionic1_amd64.deb
```

Next, install the SGX DCAP quote library:
```bash
$ wget https://download.01.org/intel-sgx/dcap-1.2/linux/dcap_installers/ubuntuServer18.04/libsgx-dcap-ql_1.2.100.51313-bionic1_amd64.deb
$ sudo dpkg -i libsgx-dcap-ql_1.2.100.51313-bionic1_amd64.deb
```

Finally, download and run the PCKIDRetrieval Tool:
```bash
$ wget https://download.01.org/intel-sgx/dcap-1.2/linux/dcap_installers/ubuntuServer18.04/PCKIDRetrievalTool_v1.2.100.51313.tar.gz
$ tar xzf PCKIDRetrievalTool_v1.2.100.51313.tar.gz
$ cd PCKIDRetrievalTool_v1.2.100.51313
$ ./PCKIDRetrievalTool
```

On my Azure Confidential Compute VM it successfully generated a CSV file with the required values, and I can get a PCK Certificate from the Intel API. Stdout:
```
Intel(R) Software Guard Extensions PCK ID Retrieval Tool Version 1.2.0

pckid_retrieval.csv has been generated successfully!
```

## Setup Signal CDS (Contact Discovery Service)

A sample YML configuration file for Signal CDS: [config-signal-cds.yml](config-signal-cds.yml)

`spid` is the "Service Provider ID" that Intel assigns to you. You get it by signing up for an Intel account and starting a service subscription in [Intel's SGX self-service portal](https://api.portal.trustedservices.intel.com/EPID-attestation).

Then you will need an X.509 certificate and an RSA private key. You can generate a self-signed pair with this command:
```bash
openssl req -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt -days 365
```

Check whether your `server.key` file starts with this line:
```
-----BEGIN PRIVATE KEY-----
```

If so, the key is in PKCS#8 format and must be converted to the older PKCS#1 format that the CDS program expects, using this command:
```bash
openssl rsa -in server.key -out server_new.key
```

Copy and paste the contents of `server.crt` into the `certificate` field of the YML configuration file.
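The two PEM labels above are not just cosmetic: `BEGIN PRIVATE KEY` wraps the RSA key in a PKCS#8 `PrivateKeyInfo` structure (version, an AlgorithmIdentifier naming rsaEncryption, then the key as an OCTET STRING), while `BEGIN RSA PRIVATE KEY` is the bare PKCS#1 `RSAPrivateKey` sequence. The Python below, added here as an example and not code from the guide or the CDS project, tells the two apart from the DER structure rather than the label and unwraps an unencrypted PKCS#8 key to PKCS#1, which is what `openssl rsa -in server.key -out server_new.key` does for such a key (the real tool also handles encrypted keys, which this does not). The RSA key it builds is a constructed toy with tiny parameters, so the DER layout is real but the key is useless for anything else.

```python
"""Distinguish PKCS#8 from PKCS#1 RSA private keys by DER structure and
unwrap PKCS#8 to PKCS#1.

Added example for the CDS key-format step; not part of the original guide.
The toy key parameters below are constructed and cryptographically worthless.
"""
import base64

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1


def der(tag, body):
    """Minimal DER TLV encoder (lengths up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def der_int(value):
    """DER INTEGER for a non-negative int (extra leading zero keeps it positive)."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def toy_pkcs1_key():
    """RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }"""
    p, q, e = 61, 53, 17
    n, d = p * q, 2753               # 17 * 2753 = 46801 = 1 mod lcm(60, 52) = 780
    parts = (0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))
    return der(0x30, b"".join(der_int(v) for v in parts))


def pkcs8_wrap(pkcs1_der):
    """PrivateKeyInfo ::= SEQUENCE { version 0, AlgorithmIdentifier, OCTET STRING }"""
    alg = der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")   # rsaEncryption with NULL params
    return der(0x30, der_int(0) + alg + der(0x04, pkcs1_der))


def to_pem(label, data):
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def from_pem(pem):
    body = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))


def read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def key_format(pem):
    """'pkcs8' or 'pkcs1', decided by the DER, whatever the PEM label claims."""
    outer_tag, outer, _ = read_tlv(from_pem(pem), 0)
    if outer_tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, pos = read_tlv(outer, 0)         # both formats start with a version INTEGER
    if tag != 0x02:
        raise ValueError("expected version INTEGER")
    next_tag, _, _ = read_tlv(outer, pos)
    # PKCS#8: the version is followed by an AlgorithmIdentifier SEQUENCE;
    # PKCS#1: the version is followed by the modulus INTEGER.
    fmt = {0x30: "pkcs8", 0x02: "pkcs1"}.get(next_tag)
    if fmt is None:
        raise ValueError("unrecognised private key structure")
    return fmt


def pkcs8_to_pkcs1(pem):
    """Unwrap an unencrypted PKCS#8 RSA key to the PKCS#1 PEM the CDS expects."""
    if key_format(pem) == "pkcs1":
        return pem
    _, outer, _ = read_tlv(from_pem(pem), 0)
    _, _, pos = read_tlv(outer, 0)           # version
    _, alg, pos = read_tlv(outer, pos)       # AlgorithmIdentifier
    if not alg.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("PKCS#8 key is not an RSA key")
    tag, inner, _ = read_tlv(outer, pos)     # OCTET STRING holding the RSAPrivateKey
    if tag != 0x04:
        raise ValueError("expected OCTET STRING privateKey")
    return to_pem("RSA PRIVATE KEY", inner)


if __name__ == "__main__":
    pkcs8_pem = to_pem("PRIVATE KEY", pkcs8_wrap(toy_pkcs1_key()))
    print(key_format(pkcs8_pem))             # pkcs8
    print(pkcs8_to_pkcs1(pkcs8_pem))         # same key, BEGIN RSA PRIVATE KEY
```

Pointing `key_format` at the real `server.key` (`key_format(open("server.key").read())`) is a quick way to confirm which file to paste into the `key` field.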
For the `key` field, copy the value from whichever of `server.key` or `server_new.key` starts with this line:
```
-----BEGIN RSA PRIVATE KEY-----
```

Then build your `enclave` with this command, run from the root of the CDS repository:
```bash
make -C enclave
```

It places your compiled CDS SGX enclave inside this directory:
```
services/src/main/resources/enclave/
```

The enclave binary has a 64-character name with a `.so` suffix, like this:
```
services/src/main/resources/enclave/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.so
```

--------------------------------------------------------------------------------
/setup_nginx_and_letsencrypt.md:
--------------------------------------------------------------------------------

## Install Nginx HTTP Server

```bash
sudo apt update
sudo apt-get remove apache2 -y   # Ubuntu packages Apache as "apache2"; remove it so it does not hold port 80
sudo apt install nginx -y
sudo systemctl stop nginx.service
sudo systemctl enable nginx.service
```

# Install PHP 7.2-FPM and Related Modules
```bash
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:ondrej/php
sudo apt update
sudo apt install php7.2-fpm php7.2-common php7.2-mbstring php7.2-xmlrpc php7.2-soap php7.2-gd php7.2-xml php7.2-intl php7.2-mysql php7.2-cli php7.2-zip php7.2-curl
```

# Create the vhost configuration for the domain
```bash
nano /etc/nginx/conf.d/domain.com.conf
```

Make sure the domain's DNS record already points at this server; the Let's Encrypt validation below depends on it.

```nginx
server {
    listen 80;
    listen 443 ssl;   # TLS only on the 443 socket; the deprecated "ssl on;" would force TLS on port 80 as well
    server_name domain.com;

    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem; # managed by Certbot

    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLSv1 and TLSv1.1 are obsolete; drop them unless old clients must connect
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/jenkins.access.log;

    location /v1/websocket {
        proxy_pass http://localhost:8080/v1/websocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Fix the "It appears that your reverse proxy set up is broken" error.
        proxy_pass http://localhost:8080;
        proxy_read_timeout 90;
    }
}
```

# Install Let's Encrypt and request the certificate
```bash
sudo add-apt-repository ppa:certbot/certbot
sudo apt install certbot   # the certbot CLI is all that "certonly" needs; no web-server plugin is required
sudo certbot certonly -d your_domain -d www.your_domain
```

When prompted, choose the standalone server and let the verification start and complete.
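The vhost above is easy to get subtly wrong: `listen 443` without the `ssl` parameter serves plain HTTP on the TLS port, the old `ssl on;` directive applies TLS to every listen socket in the block (so the `listen 80;` line stops speaking HTTP, which breaks the ACME challenge), and the `ssl_protocols` line still admits TLSv1 and TLSv1.1. The following Python linter, added here as an example and not part of the guide, pulls the simple directives out of an nginx server block and reports those problems plus a missing `Strict-Transport-Security` header. Both server blocks it contains are constructed samples: the first reproduces the weak shape, the second is a hardened equivalent.

```python
"""Lint an nginx server block for common TLS misconfigurations.

Added example for the nginx vhost step; not part of the original guide.
The two server blocks below are constructed samples.
"""
import re

SAMPLE_VHOST = """
server {
    listen 80;
    listen 443;
    server_name domain.com;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / { proxy_pass http://localhost:8080; }
}
"""

HARDENED_VHOST = """
server {
    listen 443 ssl;
    server_name domain.com;
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / { proxy_pass http://localhost:8080; }
}
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def directives(config_text):
    """Yield (name, args) for each simple directive; comments and block braces are dropped."""
    for stmt in re.sub(r"#[^\n]*", "", config_text).split(";"):
        # Anything before the last "{" or "}" is a block opener/closer, not a directive.
        stmt = stmt.split("{")[-1].split("}")[-1].strip()
        if stmt:
            name, *args = stmt.split()
            yield name, args


def lint(config_text):
    """Return a list of human-readable findings (empty means no issue found)."""
    findings = []
    listens, protocols, has_ssl_on, has_hsts = [], None, False, False
    for name, args in directives(config_text):
        if name == "listen":
            listens.append(args)
        elif name == "ssl" and args == ["on"]:
            has_ssl_on = True
        elif name == "ssl_protocols":
            protocols = set(args)
        elif name == "add_header" and args and args[0].lower() == "strict-transport-security":
            has_hsts = True

    tls_block = has_ssl_on or any("ssl" in args for args in listens)
    if has_ssl_on:
        # "ssl on;" turns every listen socket in the block into a TLS socket,
        # including "listen 80;", and is deprecated since nginx 1.15.
        findings.append("replace 'ssl on;' with the ssl parameter on the 443 listen")
    for args in listens:
        port = args[0].rsplit(":", 1)[-1]
        if port == "443" and "ssl" not in args and not has_ssl_on:
            findings.append("'listen 443' without 'ssl' serves plain HTTP on the TLS port")
    if tls_block:
        if protocols is None:
            findings.append("no ssl_protocols set; older nginx defaults include TLSv1/TLSv1.1")
        else:
            legacy = sorted(protocols & LEGACY_PROTOCOLS)
            if legacy:
                findings.append("legacy protocols enabled: " + ", ".join(legacy))
        if not has_hsts:
            findings.append("no Strict-Transport-Security header")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_VHOST), ("hardened", HARDENED_VHOST)):
        print(label, lint(text) or "OK")
```

To check the live file, call `lint(open("/etc/nginx/conf.d/domain.com.conf").read())`; the parser only understands simple directives, so nested `if` or `map` blocks are ignored rather than misreported.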
# Now, restart Nginx (if you get a 502 Bad Gateway, restart the Signal Server)

```bash
service nginx restart
```

--------------------------------------------------------------------------------
/setup_signal_server.md:
--------------------------------------------------------------------------------

## Setup Signal Server

First, clone the latest `Signal-Server` repository to your computer:

```bash
git clone {directory to the latest signal-server}
```

Change directory to the local repository:
```bash
cd {directory to the latest signal-server}
```

Build the main server jar:
```bash
mvn install -DskipTests
```

Once the build has completed, you can edit the configuration file and find the main server jar:
```bash
cd service/config/
nano sample.yml
```

Fill in all the sections needed to start the Signal server, then proceed once you have verified the configuration is correct.
```bash
# Run from the root of the Signal-Server checkout.
# Apply the database migrations first:
java -jar service/target/TextSecureServer-2.55.jar messagedb migrate service/config/sample.yml
java -jar service/target/TextSecureServer-2.55.jar accountdb migrate service/config/sample.yml
java -jar service/target/TextSecureServer-2.55.jar abusedb migrate service/config/sample.yml

# Then start the server inside a screen session so it keeps running after you log out:
screen -S signal_server
java -jar service/target/TextSecureServer-2.55.jar server service/config/sample.yml
```

--------------------------------------------------------------------------------
/setup_turn_and_stun.md:
--------------------------------------------------------------------------------

# Requirements

- Coturn/STUN server [built from source]

```bash
sudo apt-get -y update
sudo apt-get -y install build-essential sqlite libsqlite3-dev libevent-dev libssl-dev
```

```bash
wget http://turnserver.open-sys.org/downloads/v4.5.0.8/turnserver-4.5.0.8.tar.gz
tar -xzvf turnserver-4.5.0.8.tar.gz
cd turnserver-4.5.0.8
./configure
make && sudo make install
```

# Configuring the Coturn Server

```bash
sudo cp /usr/local/etc/turnserver.conf turnserver.conf.bk   # keep a backup of the stock configuration
nano /usr/local/etc/turnserver.conf
```

Replace these values:

```
listening-port=3478
tls-listening-port=5349

listening-ip=IPV4 ADDRESS

relay-ip=IPV4 ADDRESS
external-ip=IPV4 ADDRESS

realm=domain.pointing.com
server-name=domain.pointing.com

lt-cred-mech
userdb=/var/lib/turn/turndb

oauth
user=test:test

# Let's Encrypt certificate from the NGINX setup
cert=/etc/letsencrypt/live/domain.pointing.com/cert.pem
pkey=/etc/letsencrypt/live/domain.pointing.com/privkey.pem
```

Then edit the `turn` section of the signal-server configuration like this:

```yaml
turn: # TURN server configuration
  secret: test
  uris:
    - stun:0.0.0.0:3478 # REPLACE 0.0.0.0 with your IP
    - stun:0.0.0.0:5349
    - turn:0.0.0.0:5349?transport=udp
    - turn:0.0.0.0:3478?transport=udp
```

# Restart TURN/STUN and the Signal server, and calls and video calls will work :)

--------------------------------------------------------------------------------
/setup_whisper_store.md:
--------------------------------------------------------------------------------

# Requirements

- KeyStore Explorer: https://keystore-explorer.org/

Enter the Signal-Android directory and go to `/src/raw/`. You will find `whisper.store`; open this file with KeyStore Explorer and, when prompted for the password, enter `whisper`.

The next steps are done on the Signal Server.

# Enter the SSL certificate location
```bash
sudo su
cd /etc/letsencrypt/live/{domain name}
```

# Convert the certificate chain + private key to the PKCS#12 file format
```bash
openssl pkcs12 -export -out keystore.pkcs12 -in fullchain.pem -inkey privkey.pem
```

# Updating whisper.store

Download the PKCS#12 keystore file from the server and open KeyStore Explorer.

Press "Import Key Pair", select the file you have just downloaded, and fill in the required information.

Now rebuild the application and your SSL key issues will be fixed.
--------------------------------------------------------------------------------
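Returning to the TURN section: the `secret` in the Signal server's `turn` block is not a coturn login. Signal-Server's `TurnTokenGenerator` uses it to mint short-lived credentials for each client following the TURN REST API scheme (draft-uberti-behave-turn-rest): the username is `<expiry unix time>:<random id>` and the password is `base64(HMAC-SHA1(secret, username))`. coturn validates such credentials when it runs with `use-auth-secret` and `static-auth-secret=` set to the same value; under `lt-cred-mech` it instead looks the username up in its user database, where a `user=test:test` entry never matches a generated name, so relay allocations fail and calls only succeed over direct or STUN-discovered paths. The Python below, added here as an example and not code from the guide or from Signal-Server, shows both sides of the scheme, generation as the server does it and verification as the TURN server does it; the one-day lifetime is my assumption about the Signal-Server version used here.

```python
"""TURN REST API credentials: generation (Signal-Server side) and verification
(TURN server side) from a shared secret.

Added example for the TURN section of the guide; not code from Signal-Server
or coturn. The 24-hour lifetime is an assumption about the version in use.
"""
import base64
import hashlib
import hmac
import secrets
import time

DEFAULT_TTL = 24 * 60 * 60  # assumed one-day validity, as Signal-Server issues


def _mac(secret, username):
    return hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()


def generate_turn_credentials(secret, now=None, ttl=DEFAULT_TTL, user_id=None):
    """Return (username, password) for one client; now/user_id are injectable for tests."""
    now = int(time.time()) if now is None else now
    user_id = secrets.randbelow(2 ** 31) if user_id is None else user_id
    username = f"{now + ttl}:{user_id}"          # expiry first, so the server can check it
    return username, base64.b64encode(_mac(secret, username)).decode()


def verify_turn_credentials(secret, username, password, now=None):
    """What the TURN server does: reject expired names, then compare the recomputed MAC."""
    now = int(time.time()) if now is None else now
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False                               # not a REST-style username
    if expiry <= now:
        return False                               # credential has expired
    try:
        supplied = base64.b64decode(password, validate=True)
    except ValueError:
        return False                               # not valid base64
    # Constant-time comparison so a mismatch leaks nothing about the expected value.
    return hmac.compare_digest(_mac(secret, username), supplied)


if __name__ == "__main__":
    user, pw = generate_turn_credentials("test")
    print(user, pw, verify_turn_credentials("test", user, pw))
```

The practical check: if `turn.secret` on the Signal server and `static-auth-secret` on coturn differ, `verify_turn_credentials` with the two values returns `False`, which is exactly the 401 the client will see from the relay.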