ejabberd with RapidSSL wildcard certs
The ejabberd XMPP server requires the server key and certificate in one pem file, in that order. Alas, writing these out caused new connections to drop. Oops.
The first catch was my pem file wasn't readable by the ejabberd user, a rookie mistake.
$ ls -l server.pem
-r-------- 1 root root 6124 Sep 16 05:56 server.pem
$ chown ejabberd:ejabberd server.pem
-r-------- 1 ejabberd ejabberd 6124 Sep 16 05:56 server.pem
Connections could now be established, but verification failed:
$ openssl s_client -connect subdomain.server.tld:5222 -starttls xmpp
[..]
Verify return code: 21 (unable to verify the first certificate)
Not to get all Malcolm Turnbull Gladwell on you, but it turns out you need to append the intermediate RapidSSL CA as well. For me, this required both sets of certs from this knowledgebase article.
Lesson learned: if you use a wildcard RapidSSL cert with ejabberd, make sure you include the RapidSSL and GeoTrust certs in the pem file, after the key and server certificate.
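As an added example (not from the original post), here is a small POSIX shell script that catches both mistakes above before ejabberd is restarted: it checks that the pem bundle starts with the private key and is followed by at least two certificate blocks (server cert plus intermediate), and that the file is owned by the ejabberd user. The file names and the placeholder key/certificate bodies are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check an ejabberd pem bundle. ejabberd wants, in order,
# the private key, the server certificate, then the intermediate CA cert(s).
# This only inspects the BEGIN/END block layout; it does not parse the certs.

# check_pem_layout FILE [MIN_CERTS]: 0 if the first block is a private key and
# at least MIN_CERTS (default 2) CERTIFICATE blocks follow, else 1.
check_pem_layout() {
  pem="$1"; min_certs="${2:-2}"
  labels=$(grep '^-----BEGIN ' "$pem" | sed 's/^-----BEGIN //; s/-----$//')
  first=$(printf '%s\n' "$labels" | head -n 1)
  case "$first" in
    *"PRIVATE KEY") ;;
    *) echo "$pem: first block is '$first', expected the private key" >&2; return 1 ;;
  esac
  ncerts=$(printf '%s\n' "$labels" | grep -c '^CERTIFICATE$')
  if [ "$ncerts" -lt "$min_certs" ]; then
    echo "$pem: only $ncerts CERTIFICATE block(s); need server cert plus intermediate(s)" >&2
    return 1
  fi
  return 0
}

# check_pem_owner FILE USER: 0 if FILE is owned by USER (the mode -r-------- in
# the post is fine only when the owner is the user ejabberd runs as).
check_pem_owner() {
  owner=$(ls -ld "$1" | awk '{print $3}')
  [ "$owner" = "$2" ] || { echo "$1 is owned by $owner, not $2" >&2; return 1; }
}

# make_samples DIR: write constructed pem files with placeholder bodies
# (not real keys or certificates) covering a good bundle and both failure modes.
make_samples() {
  key='-----BEGIN RSA PRIVATE KEY-----
placeholder
-----END RSA PRIVATE KEY-----'
  crt='-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----'
  printf '%s\n%s\n' "$key" "$crt" > "$1/missing_intermediate.pem"
  printf '%s\n%s\n%s\n' "$crt" "$key" "$crt" > "$1/wrong_order.pem"
  printf '%s\n%s\n%s\n%s\n' "$key" "$crt" "$crt" "$crt" > "$1/good.pem"
}

# Usage: sh check_pem.sh /etc/ejabberd/server.pem
if [ $# -eq 1 ]; then
  check_pem_layout "$1" 2 && check_pem_owner "$1" ejabberd && echo "$1 looks fine"
fi
```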