ejabberd with RapidSSL wildcard certs

Software

The ejabberd XMPP server requires the server key and certificate in the one pem file, in that order. Alas, writing these out caused new connections to drop. Oops.

The first catch was that my pem file wasn't readable by the ejabberd user, a rookie mistake.

$ ls -l server.pem
$ chown ejabberd:ejabberd server.pem

Connections could now be established, but verification failed:

$ openssl s_client -connect subdomain.server.tld:5222 -starttls xmpp
==> [..]
==> Verify return code: 21 (unable to verify the first certificate)

Not to get all Malcolm Turnbull Gladwell on you, but it turns out you also need to append the intermediate RapidSSL CA certificate after the server certificate, otherwise clients only see the leaf and can't build a chain to a root they trust. For me, this required both sets of certs from this knowledgebase article.

Lesson learned: if you use a wildcard RapidSSL cert with ejabberd, make sure the pem file contains the private key, then the server certificate, then the RapidSSL and GeoTrust intermediate certs, and that the ejabberd user can read it.
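Putting both fixes (the unreadable file and the missing intermediates) together, here is a small POSIX shell script as an added example, not code from the original post: it assembles server.pem in the order ejabberd expects, checks that the first block is the private key and that at least one intermediate follows the server certificate, checks ownership and mode, and wraps the same openssl s_client verification used above. The file names key.pem, cert.pem, rapidssl.pem and geotrust.pem, the ejabberd user name and the host are assumptions; the PEM blocks it writes for the demo are constructed placeholders, not real keys or certificates.

```shell
#!/bin/sh
# Added example, not code from the original post. Assembles the single PEM
# file ejabberd reads (private key first, then the server certificate, then
# the intermediate CA certificates), checks the block order and the file's
# ownership/mode, and wraps the live chain check. File names, the "ejabberd"
# user name and the host are assumptions.
set -eu

# build_pem OUT KEY CERT INTERMEDIATE... : concatenate in ejabberd's expected
# order. Intermediates go leaf-side first (RapidSSL CA, then the GeoTrust
# certificate that signs it), so every certificate is followed by its issuer.
build_pem() {
    out=$1; shift
    cat "$@" > "$out"
    chmod 0640 "$out"
}

# pem_blocks FILE : print the PEM block labels in file order, one per line.
pem_blocks() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# check_pem_order FILE : 0 if the first block is an unencrypted private key and
# at least two certificates (leaf + one intermediate) follow it, else 1.
check_pem_order() {
    blocks=$(pem_blocks "$1")
    first=$(printf '%s\n' "$blocks" | sed -n '1p')
    case "$first" in
        "ENCRYPTED PRIVATE KEY")
            echo "$1: key is passphrase-protected; ejabberd can't use it" >&2; return 1 ;;
        *"PRIVATE KEY") ;;
        *) echo "$1: first block is '$first', expected the private key" >&2; return 1 ;;
    esac
    keys=$(printf '%s\n' "$blocks" | grep -c 'PRIVATE KEY' || true)
    certs=$(printf '%s\n' "$blocks" | grep -c '^CERTIFICATE$' || true)
    if [ "$keys" -ne 1 ]; then
        echo "$1: expected one private key, found $keys" >&2; return 1
    fi
    if [ "$certs" -lt 2 ]; then
        echo "$1: only $certs certificate block(s); intermediate CA is missing" >&2; return 1
    fi
    return 0
}

# check_pem_perms FILE USER : 0 if FILE is owned by USER and not accessible to
# "others" (the post's first failure was ejabberd being unable to read the
# file; the opposite mistake, a world-readable private key, is caught too).
check_pem_perms() {
    f=$1; user=$2
    line=$(ls -l "$f")
    mode=${line%% *}                                  # e.g. -rw-r-----
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    others=$(printf '%s\n' "$mode" | cut -c8-10)
    if [ "$owner" != "$user" ]; then
        echo "$f: owned by $owner, not $user" >&2; return 1
    fi
    if [ "$others" != "---" ]; then
        echo "$f: world-accessible ($mode); a private key must not be" >&2; return 1
    fi
    return 0
}

# verify_chain HOST : the same live check as in the post (needs network, so it
# is not run in the demo). Look for "Verify return code: 0 (ok)".
verify_chain() {
    openssl s_client -connect "$1:5222" -starttls xmpp </dev/null 2>/dev/null |
        grep 'Verify return code'
}

# make_fixture DIR : constructed placeholder PEM files (not real keys or
# certificates) so the checks above can be exercised offline.
make_fixture() {
    d=$1
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructedkeydata' '-----END PRIVATE KEY-----' > "$d/key.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructedleafcert' '-----END CERTIFICATE-----' > "$d/cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructedrapidsslca' '-----END CERTIFICATE-----' > "$d/rapidssl.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructedgeotrustca' '-----END CERTIFICATE-----' > "$d/geotrust.pem"
}

# Demo on the constructed fixture. For a real deployment, point the same
# functions at your key, cert and the RapidSSL/GeoTrust bundle, then
# chown ejabberd:ejabberd server.pem and run verify_chain subdomain.server.tld.
work=$(mktemp -d)
make_fixture "$work"
build_pem "$work/server.pem" "$work/key.pem" "$work/cert.pem" "$work/rapidssl.pem" "$work/geotrust.pem"
check_pem_order "$work/server.pem" && echo "block order OK: $(pem_blocks "$work/server.pem" | tr '\n' ' ')"
check_pem_perms "$work/server.pem" "$(id -un)" && echo "ownership/mode OK"
```

The order check is deliberately strict: a file that has the certificate before the key, or the key alone with the leaf, is exactly the shape that produced "unable to verify the first certificate" above, so it is rejected before ejabberd ever loads it.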

Author bio and support

Me!

Ruben Schade is a technical writer and IaaS engineer in Sydney, Australia who refers to himself in the third person in bios. Wait, not BIOS… my brain should be EFI by now.

The site is powered by Hugo, FreeBSD, and OpenZFS on OrionVM, everyone’s favourite cloud infrastructure provider.
