The ejabberd XMPP server requires the server key and certificate in the one pem file, in that order. Alas, writing these out caused new connections to drop. Oops.
The first catch was my pem file wasn't readable by the ejabberd user, a rookie mistake.
$ ls -l server.pem
$ chown ejabberd:ejabberd server.pem
Connections could now be established, but verification failed:
$ openssl s_client -connect subdomain.server.tld:5222 -starttls xmpp
[..]
Verify return code: 21 (unable to verify the first certificate)
Not to get all Malcolm Turnbull Gladwell on you, but it turns out you need to append the intermediate RapidSSL CA certificate as well. For me, this required both sets of certs from this knowledgebase article.
Lesson learned: if you use a wildcard RapidSSL cert with ejabberd, make sure you include the RapidSSL and GeoTrust CA certs in the pem file.
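An added helper script, not from the original post, that builds the pem file in the order ejabberd wants (key, server cert, then the intermediate CA certs) and catches the two mistakes above before restarting the server: a file that is unreadable by ejabberd, and a file that ends at the leaf cert with no intermediate behind it. File paths and the ejabberd user/group name are assumptions; the block labels are read with sed so no openssl is needed for the check, and verify_chain just wraps the s_client command from the post.

```shell
#!/bin/sh
# Assemble the single PEM file ejabberd reads: private key first, then the
# server certificate, then the intermediate CA certificate(s).
# Usage: assemble_pem OUT KEY CERT [INTERMEDIATE...]
assemble_pem() {
    out=$1; shift
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077; cat "$@" > "$out" ) || return 1
    chmod 0640 "$out"
    # hand the file to the ejabberd user when that account exists (assumed name)
    if id ejabberd >/dev/null 2>&1; then
        chown ejabberd:ejabberd "$out" || echo "warning: chown failed" >&2
    fi
}

# Print the label of every "-----BEGIN ...-----" line in the file, one per line.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Return 0 when the block order is key, certificate, intermediate(s); 1 otherwise.
# A file with only one CERTIFICATE block is the layout that makes s_client
# report "Verify return code: 21 (unable to verify the first certificate)".
check_pem_order() {
    labels=$(pem_labels "$1")
    first=$(printf '%s\n' "$labels" | sed -n '1p')
    second=$(printf '%s\n' "$labels" | sed -n '2p')
    certs=$(printf '%s\n' "$labels" | grep -c '^CERTIFICATE$')
    case "$first" in
        *"PRIVATE KEY") ;;
        *) echo "error: first block is '$first', expected the private key" >&2; return 1 ;;
    esac
    if [ "$second" != "CERTIFICATE" ]; then
        echo "error: second block is '$second', expected the server certificate" >&2
        return 1
    fi
    if [ "$certs" -lt 2 ]; then
        echo "error: no intermediate CA certificate follows the server cert" >&2
        return 1
    fi
    return 0
}

# Live check against the running server, same command as in the post.
# Usage: verify_chain HOST [PORT]
verify_chain() {
    openssl s_client -connect "$1:${2:-5222}" -starttls xmpp </dev/null 2>/dev/null \
        | grep 'Verify return code'
}
```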