
Веб-интерфейс администратора ejabberd: сбой безопасного соединения

Исходная информация

Операционная система: стабильный Debian (9.6)

версия ejabberd: 18.09-2 (из backports)

Моя конфигурация основана на https://gitlab.com/hanno/ejabberd-config (Я изменил свой настоящий URL на example.com)

# _%%_ Ejabberd config from schokokeks.org XMPP server.
# _%%_ We try to enable modern XMPP features and document to which XEP
# _%%_ they relate.
# _%%_ We also use a modern and secure TLS configuration where possible.

# _%%_ Macros are referenced further down as quoted upper-case names
# _%%_ ('CIPHERS', 'TLSOPTS', 'DHFILE') so the TLS settings are defined once.
define_macro:
  # _%%_ Cipher list shared by all TLS listeners; it excludes RSA key exchange
  # _%%_ (no forward secrecy), 3DES and CAMELLIA, see the c2s comments below.
  'CIPHERS': "HIGH:!MEDIUM:!LOW:!3DES:!CAMELLIA:!aNULL:!RSA@STRENGTH"
  # _%%_ Only SSLv2/SSLv3 are switched off here, so TLS 1.0 and 1.1 stay enabled.
  # NOTE(review): once legacy clients are gone, consider adding "no_tlsv1" and
  # "no_tlsv1_1" here — confirm the option names against the ejabberd version in use.
  'TLSOPTS':
    - "no_sslv2"
    - "no_sslv3"
    - "cipher_server_preference"
  # generated with: openssl dhparam -out /etc/ejabberd/dh2048-ejabberd.pem 2048
  'DHFILE': "/etc/ejabberd/dh2048-ejabberd.pem"
# _%%_ Certificate/key lineages used by the TLS listeners below; every
# _%%_ per-listener "certfile" option is commented out in favour of this.
certfiles:
  - "/etc/letsencrypt/live/*/fullchain.pem"
  - "/etc/letsencrypt/live/*/privkey.pem"

hosts:
  - "example.com"
# _%%_ Access rules; their names are referenced by the listeners and modules below.
access:
  announce:
    admin: allow
  c2s:
    blocked: deny
    all: allow
  c2s_shaper:
    admin: none
    all: normal
  local:
    local: allow
  max_user_offline_messages:
    admin: 5000
    all: 100
  max_user_sessions:
    all: 10
  muc:
    all: allow
  muc_admin:
    admin: allow
  muc_create:
    local: allow
  pubsub_createnode:
    all: allow
  register:
    #  _%%_ Don't allow registration
    all: deny
  s2s_shaper:
    all: fast
acl:
  # _%%_ The "admin" ACL is what the "admin" entries in the access rules above match.
  # NOTE(review): presumably also the account allowed to log in to the web admin — verify.
  admin:
    user:
      - "kiigass": "example.com"
  local:
    user_regexp:
      - ""
#  _%%_ We want internal authentication
auth_method:
  - mnesia
#  _%%_ store passwords with scram hash method.
#  _%%_ no DIGEST-MD5, needs plaintext storage of passwords.
auth_password_format: scram
disable_sasl_mechanisms: "DIGEST-MD5"
language: "en"
listen:
  # _%%_ Client connections (c2s); STARTTLS is mandatory, see starttls_required.
  -
    ip: "0.0.0.0"
    port: 5222
    module: ejabberd_c2s
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
    #  _%%_ DEPRECATED, uses mod_stream_mgmt
    #  _%%_ XEP-0198, Stream Management
    #  _%%_ Note: This is enabled by default, but we'd like to explicitly enable it
    #    stream_management: true
    #  _%%_ TLS compression is dangerous, see CRIME attack
    tls_compression: false
    #  _%%_ Diffie Hellman parameters with 2048 bit, created with "openssl dhparam 2048"
    dhfile: 'DHFILE'
    #  _%%_ We only want "HIGH" strength ciphers and explicitly disable
    #  _%%_ 3DES (SWEET32 attack), RSA (no forward secrecy, Bleichenbacher attacks),
    #  _%%_ CAMELLIA (unusual and not needed).
    ciphers: 'CIPHERS'
    #  _%%_ We require STARTTLS for clients. No unencrypted logins
    starttls_required: true
    #    certfile: "/etc/ejabberd/ejabberd.pem"
    #  _%%_ Due to DROWN (SSLv2) and POODLE (SSLv3) all old SSL versions are considered insecure
    protocol_options: 'TLSOPTS'
  # _%%_ Inbound server-to-server (s2s); the TLS policy is set by s2s_use_starttls below.
  -
    ip: "0.0.0.0"
    port: 5269
    module: ejabberd_s2s_in
    max_stanza_size: 131072
    shaper: s2s_shaper
    protocol_options: 'TLSOPTS'
  # _%%_ HTTP listener for the web admin, BOSH (http_bind) and CAPTCHA.
  # NOTE(review): there is no "tls: true" on this listener, so it serves plain
  # HTTP — the admin login form and BOSH traffic cross the wire unencrypted, and a
  # browser opening https://…:5280/ fails; that is the error reported in the question.
  # NOTE(review): no "ip:" is given either, and the quoted log shows this port
  # accepting a connection from a remote address, so the admin interface is
  # reachable from outside; restrict it to trusted networks if that is not intended.
  -
    port: 5280
    module: ejabberd_http
    web_admin: true
    http_bind: true
    captcha: true
  #  _%%_ XEP-0363, HTTP File Upload
  #  _%%_ Note: This only opens the port, further below is the module config itself
  -
    port: 5443
    module: ejabberd_http
    tls: true
    #    certfile: "/etc/ejabberd/ejabberd.pem"
    #  _%%_ See comments above for justification of TLS options
    tls_compression: false
    dhfile: 'DHFILE'
    ciphers: 'CIPHERS'
    protocol_options: 'TLSOPTS'
    request_handlers:
      "": mod_http_upload
# _%%_ 4 = info; the listener "accept" line quoted in the question is logged at this level.
loglevel: 4
max_fsm_queue: 1000
modules:
  mod_admin_extra: []
  mod_adhoc: []
  mod_announce:
    access: announce
  #  _%%_ XEP-0115, Entity Capabilities
  mod_caps: []
  # XEP-0157, Contact Addresses for XMPP Services
  mod_disco:
    server_info:
      -
        modules: all
        name: "abuse-addresses"
        urls: ["mailto:kiigass@example.com"]
      -
        modules: all
        name: "security-addresses"
        urls: ["mailto:kiigass@example.com"]
  mod_bosh: []
  mod_last: []
  #  _%%_ XEP-0045, Multi-User Chat (MUC)
  mod_muc:
    access: muc
    access_create: muc_create
    access_persistent: muc_create
    access_admin: muc_admin
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  # NOTE(review): a 10 s ping interval with a 5 s ack timeout is aggressive for
  # mobile clients; confirm the values are intended.
  mod_ping:
    send_pings: true
    ping_interval: 10
    ping_ack_timeout: 5
    timeout_action: kill
  mod_privacy: []
  mod_private: []
  #  _%%_ XEP-0065, SOCKS5 Bytestreams (Proxy)
  mod_proxy65:
    host: "proxy65.example.com"
    hostname: "proxy65.example.com"
    ip: "0.0.0.0"
    port: 7777
  mod_pubsub:
    access_createnode: pubsub_createnode
    ignore_pep_from_offline: false
    last_item_cache: true
    plugins:
      - "flat"
      - "hometree"
      #  _%%_ XEP-0163, Personal Eventing Protocol (PEP), needed for Avatars / OMEMO
      - "pep"
  #  _%%_ XEP-0237, Roster Versioning
  mod_roster:
    versioning: true
  mod_shared_roster: []
  mod_stats: []
  #  _%%_ XEP-0198, Stream Management
  #  _%%_ Note: This is enabled by default, but we'd like to explicitly enable it
  mod_stream_mgmt:
    max_resume_timeout: 30
    resend_on_timeout: if_offline
    resume_timeout: 30
    ack_timeout: 30
  mod_time: []
  mod_vcard: []
  mod_version: []
  #  _%%_ XEP-0313, Message Archive Management (MAM)
  mod_mam:
    default: always
    assume_mam_usage: true
  #  _%%_ XEP-0191, Blocking Command
  mod_blocking: []
  #  _%%_ XEP-0352, Client State Indicator
  mod_client_state: []
  #  _%%_ XEP-0280, Message Carbons
  mod_carboncopy: []
  #  _%%_ XEP-0363, HTTP File Upload
  #  _%%_ This is the configuration for the module, port config above.
  mod_http_upload:
    #  _%%_ With this configuration for each domain name there must be a subdirectory
    #  _%%_ in the docroot, e.g. /var/ejabberd-http-upload/example.org/
    thumbnail: false
    docroot: "/var/ejabberd-http-upload/"
    # _%%_ Must point at the TLS listener on 5443 defined above.
    put_url: "https://example.com:5443/@HOST@"
  mod_s2s_dialback: []
  # _%%_ XEP-0078, legacy (non-SASL) authentication.
  # NOTE(review): non-SASL auth sits outside the SASL mechanism policy above;
  # confirm a client still needs it before keeping it enabled.
  mod_legacy_auth: []
shaper:
  normal: 1000
  fast: 50000

# _%%_ TLS settings for s2s communication
s2s_use_starttls: required
#s2s_certfile: "/etc/ejabberd/ejabberd.pem"
s2s_dhfile: 'DHFILE'
# _%%_ s2s reuses 'CIPHERS', which excludes RSA key exchange just like c2s.
# _%%_ If a peer server needs RSA for compatibility, give s2s its own cipher
# _%%_ macro rather than relaxing 'CIPHERS' for clients as well.
s2s_ciphers: 'CIPHERS'

Проблема

Когда я пытаюсь открыть https://example.com:5280/ или https://example.com:5280/admin/, я получаю от Firefox:

Безопасное соединение не удалось

Соединение с example.com:5280 было прервано во время загрузки страницы.

Страница, которую вы пытаетесь просмотреть, не может быть показана, потому что не удалось проверить подлинность полученных данных.

Пожалуйста, свяжитесь с владельцами веб-сайтов, чтобы сообщить им об этой проблеме.

Когда я смотрю /var/log/ejabberd/ejabberd.log (tail -f) одновременно, я получаю:

2018-12-09 13:24:32.021 [info] <0.353.0>@ejabberd_listener:accept:221 (<0.479.0>) Принятое соединение x.x.x.x:7048 -> x.x.y.y:5280

Вопрос

Что я неправильно сконфигурировал и как мне это настроить, чтобы заставить работать?

Решение состоит в том, что нужно явно указать tls: true. Я также решил установить для tls_compression значение false (защита от атаки CRIME).

Рабочий конфиг:

# _%%_ Web admin listener with TLS enabled; the certificate and key come from the
# _%%_ global "certfiles" option, as for the other listeners in the config above.
port: 5280
module: ejabberd_http
web_admin: true
http_bind: true
captcha: true
# _%%_ Serve the admin interface and BOSH over HTTPS only; this is what makes
# _%%_ https://example.com:5280/ load in the browser.
tls: true
# _%%_ TLS compression is dangerous, see CRIME attack
tls_compression: false
# NOTE(review): the 5443 listener above also sets dhfile, ciphers and
# protocol_options; consider applying the same three options here so the admin
# port gets the same TLS policy instead of the defaults.

(Я добавил две последние строчки).