Hi Friends!
I’m enabling the ejabberd service.
My question is: using a cumulative certificate (multiple domains in the same one), is it possible to reference the "pem" certs directly in the eJabberd config?
And eventually, how to automate the creation and renewal of the "ejabberd.pem"?
##
## s2s_certfile: Specify a certificate file.
##
s2s_certfile: "/etc/ejabberd/ejabberd.pem"
How are you going to perform domain validation for the certificate? Do you run a webserver on port 80, and if so, which one? If not, could you open port 80?
s2s_certfile appears to be what is a combined format certificate. That is to say, it is a concatenation of the private key, the certificate, and its intermediate(s). By default, Certbot does not generate combined certificates, so you would have to do some customization (via hooks) in order to create the right file format for ejabberd.
Can you reload ejabberd’s certificate without restarting the entire ejabberd service? Let’s Encrypt certificates only last 90 days. If you have to restart ejabberd every 60-90 days, is that a problem (operationally) for you?
I wouldn't do that. You can write a fairly simple deploy hook to create the file and (if necessary) reload/restart ejabberd. You don't have to touch Certbot's systemd timer/cron job.
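A deploy hook of the kind the two replies above describe, written here as an added example rather than anything posted in this thread: it builds the combined key + certificate + chain file ejabberd expects and then restarts the service. It assumes Certbot's standard lineage layout (privkey.pem and fullchain.pem under the directory it passes as RENEWED_LINEAGE), the /etc/ejabberd/ejabberd.pem path from the config snippet above, an "ejabberd" service account, and a systemd unit called ejabberd; the two helper function names are my own.

```shell
#!/bin/sh
# Example Certbot deploy hook (constructed for illustration, not from the thread).
# Install as /etc/letsencrypt/renewal-hooks/deploy/ejabberd.sh and make it executable.
# Assumptions: Certbot sets RENEWED_LINEAGE to /etc/letsencrypt/live/<name>;
# ejabberd reads one file holding key, cert and intermediates, in that order.
set -eu

EJABBERD_PEM="${EJABBERD_PEM:-/etc/ejabberd/ejabberd.pem}"   # path from the forum config
EJABBERD_USER="${EJABBERD_USER:-ejabberd}"                  # assumed service account

# build_combined_pem <lineage_dir> <dest_file>
# Concatenates privkey.pem then fullchain.pem into a temp file created 0600
# (so the key is never world-readable, even briefly) and atomically moves it
# into place, so ejabberd never sees a half-written file.
build_combined_pem() {
    lineage="$1"
    dest="$2"
    tmp="$(mktemp "${dest}.XXXXXX")"
    chmod 0600 "$tmp"
    cat "$lineage/privkey.pem" "$lineage/fullchain.pem" > "$tmp"
    mv -f "$tmp" "$dest"
}

# combined_pem_ok <file>
# Sanity check before touching the service: both a private key and at least
# one certificate must be present, and the key must come first.
combined_pem_ok() {
    f="$1"
    grep -q 'BEGIN .*PRIVATE KEY' "$f" || return 1
    grep -q 'BEGIN CERTIFICATE' "$f" || return 1
    key_line="$(grep -n 'BEGIN .*PRIVATE KEY' "$f" | head -n1 | cut -d: -f1)"
    cert_line="$(grep -n 'BEGIN CERTIFICATE' "$f" | head -n1 | cut -d: -f1)"
    [ "$key_line" -lt "$cert_line" ]
}

# Only act as a hook when Certbot invokes us (it exports RENEWED_LINEAGE);
# sourcing the file elsewhere just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_combined_pem "$RENEWED_LINEAGE" "$EJABBERD_PEM"
    combined_pem_ok "$EJABBERD_PEM"
    chown "$EJABBERD_USER" "$EJABBERD_PEM"
    # Assumption: a restart is the version-independent way to make ejabberd
    # load the new file; newer releases may be able to reload instead.
    systemctl restart ejabberd
fi
```

Because the hook writes to a temp file and renames it, a failed concatenation leaves the previous ejabberd.pem untouched, and the check runs before the restart so a malformed file never takes the service down. Certbot only runs deploy hooks after a successful renewal, so the existing systemd timer or cron job stays as it is.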