ejabberd with RapidSSL wildcard certs


The ejabberd XMPP server requires the server key and certificate in the one pem file, in that order. Alas, writing these out caused new connections to drop. Oops.

The first catch was my pem file wasn't readable by the ejabberd user, a rookie mistake.

$ ls -l server.pem
location: sydney
$ chown ejabberd:ejabberd server.pem
location: sydney

Connections could now be established, but verification failed:

$ openssl s_client -connect subdomain.server.tld:5222 -starttls xmpp
==> [..]
==> Verify return code: 21 (unable to verify the first certificate)

Not to get all Malcolm Turnbull Gladwell on you, but turns out you need to append the intermediate RapidSSL CA as well. For me, this required both sets of certs from this knowledgebase article.

Lesson learned; if you use a wildcard RapidSSL cert with ejabberd, make sure you include the RapidSSL and GeoTrust certs in the pem file.

Author bio and support


Ruben Schade is a technical writer and infrastructure architect in Sydney, Australia who refers to himself in the third person. Hi!

The site is powered by Hugo, FreeBSD, and OpenZFS on OrionVM, everyone’s favourite bespoke cloud infrastructure provider.

If you found this post helpful or entertaining, you can shout me a coffee or send a comment. Thanks ☺️.