Ejabberd certificate renew


#1

Hi Friends!
I’m enabling the ejabberd service.
My question is: using a cumulative certificate (multiple domains in the same certificate), is it possible to reference the "pem" certs directly in the ejabberd config?
And how can I automate the creation and renewal of the "ejabberd.pem"?

##
## s2s_certfile: Specify a certificate file.
##
s2s_certfile: "/etc/ejabberd/ejabberd.pem"

Many many thanks!

Davide


#2

There are a few things to address, in order:

  1. How are you going to perform domain validation for the certificate? Do you run a webserver on port 80, and if so, which one? If not, could you open port 80?
  2. s2s_certfile appears to be a combined-format certificate. That is to say, it is a concatenation of the private key, the certificate, and its intermediate(s). By default, Certbot does not generate combined certificates, so you would have to do some customization (via hooks) in order to create the right file format for ejabberd.
  3. Can you reload ejabberd’s certificate without restarting the entire ejabberd service? Let’s Encrypt certificates only last 90 days. If you have to restart ejabberd every 60-90 days, is that a problem (operationally) for you?

#3

Hi @_az
and thanks for your help!

I perform certificate domain validation on port 443

Yes, I've seen that.
I've found this workaround, but it seems essential to disable the cert renewal cronjob built into Certbot. What do you think about it?

Here I'm not sure; I'm looking for an ejabberd support web page or mailing list to dig deeper.

Thanks again!

Davide


#4

I wouldn’t do that. You can write a fairly simple deploy hook to create the file and (if necessary) reload/restart ejabberd. You don’t have to touch Certbot’s systemd timer/cron job.

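As an added illustration of the deploy-hook approach suggested above (this is example code, not something posted in the thread or shipped by Certbot or ejabberd), the script below is meant to live in /etc/letsencrypt/renewal-hooks/deploy/, where Certbot runs it as root after every successful renewal with RENEWED_LINEAGE and RENEWED_DOMAINS set. It concatenates privkey.pem and fullchain.pem (key first, then leaf and intermediates, the order post #2 describes), writes the result to a temp file with mode 600 and atomically renames it over /etc/ejabberd/ejabberd.pem so ejabberd never reads a half-written file, and only acts for the lineage that actually contains the XMPP domain, which matters with a multi-domain certificate. The XMPP domain chat.example.com, the group name ejabberd for the ejabberd service account, and the use of `ejabberdctl reload_config` to pick up the new file are assumptions; check your ejabberd version's documentation and fall back to a restart if a reload does not re-read certificates.

```shell
#!/bin/sh
# Added example: Certbot deploy hook that builds ejabberd's combined PEM.
# Not from the thread; assumptions are marked inline.
set -eu

XMPP_DOMAIN="${XMPP_DOMAIN:-chat.example.com}"            # assumption: domain ejabberd serves
EJABBERD_PEM="${EJABBERD_PEM:-/etc/ejabberd/ejabberd.pem}"  # path from the poster's config
EJABBERD_GROUP="${EJABBERD_GROUP:-ejabberd}"                # assumption: ejabberd's service group

# Return 0 if $1 appears in the space-separated list $2 (Certbot's RENEWED_DOMAINS format).
domain_in_list() {
    for d in $2; do
        if [ "$d" = "$1" ]; then return 0; fi
    done
    return 1
}

# Build combined PEM: $1 = lineage dir (privkey.pem, fullchain.pem), $2 = output path.
# Writes key first, then certificate chain; fails if either input is missing or the
# result does not look like key+cert; replaces the target atomically.
build_combined_pem() {
    lineage="$1"; out="$2"
    key="$lineage/privkey.pem"; chain="$lineage/fullchain.pem"
    if [ ! -s "$key" ] || [ ! -s "$chain" ]; then
        echo "missing $key or $chain" >&2; return 1
    fi
    tmp="$out.tmp.$$"
    # Subshell so the restrictive umask (file created 0600) does not leak out.
    ( umask 077; cat "$key" "$chain" > "$tmp" )
    if ! grep -q 'PRIVATE KEY-----' "$tmp" || ! grep -q 'BEGIN CERTIFICATE-----' "$tmp"; then
        echo "$tmp does not contain a key and a certificate" >&2; rm -f "$tmp"; return 1
    fi
    mv -f "$tmp" "$out"
}

# Let the ejabberd service account read the file; only possible when running as root,
# which is the case when Certbot invokes the hook.
install_for_ejabberd() {
    if [ "$(id -u)" = 0 ]; then
        chown "root:$EJABBERD_GROUP" "$1"
        chmod 640 "$1"
    fi
}

# Assumption: reload_config re-reads the certificate files on current ejabberd releases.
# If your version does not, replace the reload with a restart.
reload_ejabberd() {
    if command -v ejabberdctl >/dev/null 2>&1; then
        ejabberdctl reload_config
    else
        systemctl restart ejabberd
    fi
}

# Entry point when run by Certbot (RENEWED_LINEAGE is only set in hook context).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if domain_in_list "$XMPP_DOMAIN" "${RENEWED_DOMAINS:-}"; then
        build_combined_pem "$RENEWED_LINEAGE" "$EJABBERD_PEM"
        install_for_ejabberd "$EJABBERD_PEM"
        reload_ejabberd
    fi
fi
```

Install it with `install -m 750 ejabberd-pem.sh /etc/letsencrypt/renewal-hooks/deploy/` and exercise it once with `certbot renew --dry-run` (dry runs do not invoke deploy hooks, so also run the script by hand with RENEWED_LINEAGE and RENEWED_DOMAINS exported) before relying on the timer. Because the hook fires only on a successful renewal, Certbot's own systemd timer or cron job stays untouched, which is the point post #4 makes.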
