ejabberd with RapidSSL wildcard certs

The ejabberd XMPP server requires the server key and certificate in a single pem file, in that order. Alas, writing these out caused new connections to drop. Oops.

The first catch was my pem file wasn't readable by the ejabberd user, a rookie mistake.

$ ls -l server.pem
==> -r-------- 1 root root 6124 Sep 16 05:56 server.pem

$ chown ejabberd:ejabberd server.pem
==> -r-------- 1 ejabberd ejabberd 6124 Sep 16 05:56 server.pem

Connections could now be established, but verification failed:

$ openssl s_client -connect subdomain.server.tld:5222 -starttls xmpp
==> [..]
==> Verify return code: 21 (unable to verify the first certificate)

Not to get all Malcolm Turnbull Gladwell on you, but it turns out you need to append the intermediate RapidSSL CA as well. For me, this required both sets of certs from this knowledgebase article.

Lesson learned: if you use a wildcard RapidSSL cert with ejabberd, make sure you include the RapidSSL and GeoTrust CA certs in the pem file, after the key and server cert.
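The whole procedure above (key, then server cert, then the CA chain, in one file the ejabberd user can read) as a small shell script. This is an added example, not code from the original post or from the ejabberd project; the file names, the `intermediates` layout and the `check_pem` sanity check are my own assumptions, and the placeholder PEM blocks used to exercise it are constructed, not real key material.

```shell
#!/bin/sh
# Added example, not from the original post: assemble the single PEM that
# ejabberd reads (private key first, then the server certificate, then the
# issuing CA certificates, e.g. the RapidSSL intermediate and the GeoTrust
# cert it chains to), sanity-check the order, and install it readable by the
# ejabberd user. File names below are assumptions; substitute your own.
set -eu

# build_pem OUT KEY SERVER_CERT [CA_CERT...]
# Concatenates the inputs in the order ejabberd expects. The subshell keeps
# the restrictive umask from leaking into the caller's shell.
build_pem() {
    out=$1; key=$2; cert=$3; shift 3
    ( umask 077; cat "$key" "$cert" "$@" > "$out" )
}

# check_pem FILE
# Exit 0 only if the file holds, in order: one private key, the server
# certificate, then at least one more certificate (the CA chain). A key+cert
# file with no chain (the "unable to verify the first certificate" state
# from the post) fails, as does anything in the wrong order.
check_pem() {
    awk '
        /^-----BEGIN .*PRIVATE KEY-----$/ { n++; kind[n] = "key" }
        /^-----BEGIN CERTIFICATE-----$/   { n++; kind[n] = "cert" }
        END {
            if (n < 3)               exit 1   # no CA cert appended
            if (kind[1] != "key")    exit 2   # key must come first
            if (kind[2] != "cert")   exit 3   # then the server cert
            for (i = 3; i <= n; i++) if (kind[i] != "cert") exit 4
            exit 0
        }' "$1"
}

# verify_chain SERVER_CERT CA_CERT...
# Offline check that the supplied CA certs actually issue the server cert and
# chain to a root in the system trust store. Needs the openssl CLI and real
# certificates, so it is not exercised on placeholder data.
verify_chain() {
    cert=$1; shift
    chain=$(mktemp)
    cat "$@" > "$chain"
    openssl verify -untrusted "$chain" "$cert" && rc=0 || rc=$?
    rm -f "$chain"
    return "$rc"
}

# install_pem FILE USER
# Make the file readable by the ejabberd service user and nobody else
# (the first catch in the post). Needs root.
install_pem() {
    chown "$2:$2" "$1"
    chmod 0400 "$1"
}

# Typical use, run as root on the server (paths are assumptions):
#   build_pem /etc/ejabberd/server.pem server.key server.crt rapidssl.crt geotrust.crt
#   check_pem /etc/ejabberd/server.pem
#   verify_chain server.crt rapidssl.crt geotrust.crt
#   install_pem /etc/ejabberd/server.pem ejabberd
```

After restarting ejabberd, the same `openssl s_client -connect host:5222 -starttls xmpp` check from above should report a verify return code of 0 instead of 21.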


Imprint

This is one of about 5000 posts on Rubénerd. View the home page for the latest.

If you liked this post, feel free to buy me a coffee, leave me a comment on Twitter, or email me at weblog2017@rubenschade.com. Thanks :).