I am trying to configure a certificate for use with my ejabberd server. This is not a self-signed cert but one from PositiveSSL from Comodo, valid for 1 year. The cert is not expired.

I have the private key in PEM format, the certificate in .crt and the chain in .ca-bundle.

In the /opt/ejabberd/conf/ejabberd.yml there is a line that says:

certfiles:
   - /opt/ejabberd/conf/server.example.com.crt
   - /opt/ejabberd/conf/server.example.com.ca-bundle
   - /opt/ejabberd/conf/privkey.pem

For privkey.pem I had to remove the passphrase, as the ejabberd service could not start: it failed to read the private key.

My question is: Do I have to have a single PEM file where I cat privkey+cert+chain?

I tried both options and it works the same for the Gajim client, which is required to do TLS on connection. In my case it is easier to leave three lines in the config, each pointing to the proper container.

Anyway, I have a Gajim Windows XMPP client that connects fine to the server with TLS required, with no errors, and it's using TLS.

When I try to connect another JID via an Android device I get this:

Accept Unknown Certificate? The server certificate is not signed by a known Certificate Authority.

Why would I get this? While on Android I have the option to "Always accept", which I do not want to do anyway since I'm using a certificate signed by an authority, the Apple devices don't even give the option to accept anything and the TLS connection breaks.

I have tried multiple things but I still get this pop-up on Android.

Is this entry:

certfiles:
   - /opt/ejabberd/conf/server.example.com.crt
   - /opt/ejabberd/conf/server.example.com.ca-bundle
   - /opt/ejabberd/conf/privkey.pem

global? Meaning that if I specify certfiles here, I do not have to specify them per module? For example, for the c2s module, do I have to specify the path to the cert file?

listen:
  -
    port: 5222
    module: ejabberd_c2s
    ##
    ## If TLS is compiled in and you installed a SSL
    ## certificate, specify the full path to the
    ## file and uncomment these lines:
    ##
    ## certfile: "/path/to/ssl.pem"
    ## starttls: true

Thanks in advance.

Badlop
ddywz

2 Answers

Meaning that if I specify certfiles here, I do not have to specify them per module? For example, for the c2s module, do I have to specify the path to the cert file?

Looking at the documentation, it clearly says that the option certfiles is global, so ejabberd uses it whenever it has to get certificates in any of its modules:

Global Options

There are some additional global options that can be specified in the ejabberd configuration file (outside listen):

acme: Automated SSL certificate management. See section ACME.

certfiles: List of paths: The option accepts a list of file paths (optionally with wildcards) containing either PEM certificates or PEM private keys. At startup, ejabberd sorts the certificates, finds matching private keys and rebuilds full certificate chains. Use this option when enabling options like starttls or tls in listeners ejabberd_c2s, ejabberd_s2s or ejabberd_http.

https://docs.ejabberd.im/admin/configuration/#global-options

Also, there are a few example configurations that use certfiles global option to define certificates that later are used by specific modules:

https://docs.ejabberd.im/admin/configuration/#mod-register-web

https://docs.ejabberd.im/admin/configuration/#mod-http-upload

Badlop

Thanks for the info and the links. I went through them and all is set as it should be. Again, the Gajim client on Windows 10 does not complain about anything and its JID connects securely to the server. Android and Apple devices complain: "The server certificate is not signed by a known Certificate Authority". All the clients are on the same internal LAN.

Not sure what else to try.

ddywz
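A check worth running on the files listed under certfiles, as an added example that is not part of the original question, the answer, or ejabberd itself: it confirms that the private key is unencrypted (a passphrase-protected key reproduces the startup failure mentioned in the question) and that more than one certificate block is supplied, since a missing intermediate chain is a common reason for one client to report "not signed by a known Certificate Authority" while another client that already holds the intermediate succeeds. The sample PEM strings are constructed placeholders, not real certificates, and the function names are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# One PEM block: label, optional headers (e.g. Proc-Type), then the base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed stand-ins (not real certificates or keys): the checks only look
# at PEM labels and headers, so dummy base64 bodies are enough to exercise them.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBdummyLEAF\n-----END CERTIFICATE-----\n"
SAMPLE_BUNDLE = ("-----BEGIN CERTIFICATE-----\nMIIBdummyINTERMEDIATE\n-----END CERTIFICATE-----\n"
                 "-----BEGIN CERTIFICATE-----\nMIIBdummyROOT\n-----END CERTIFICATE-----\n")
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEdummyKEY\n-----END PRIVATE KEY-----\n"
SAMPLE_KEY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                        "MIIEdummyKEY\n-----END RSA PRIVATE KEY-----\n")


def classify_pem(text):
    """Return (label, encrypted) for every PEM block found in text."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        # Legacy OpenSSL keys signal a passphrase with a Proc-Type header;
        # PKCS#8 keys use the ENCRYPTED PRIVATE KEY label instead.
        encrypted = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
        blocks.append((label, encrypted))
    return blocks


def audit_certfiles(texts):
    """Audit the file contents listed under certfiles (one string per file).
    Works for separate cert/bundle/key files and for one concatenated PEM alike."""
    blocks = [b for text in texts for b in classify_pem(text)]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    problems = []
    if not keys:
        problems.append("no private key block found")
    if any(encrypted for _, encrypted in keys):
        problems.append("private key is passphrase-protected; ejabberd cannot open it at startup")
    if len(certs) < 2:
        problems.append("only one certificate present: no intermediate chain is being supplied")
    return {"certificates": len(certs), "keys": len(keys), "problems": problems}


if __name__ == "__main__":
    # Usage: python audit_certfiles.py server.example.com.crt server.example.com.ca-bundle privkey.pem
    print(audit_certfiles([Path(p).read_text() for p in sys.argv[1:]]))
```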