Once I've obtained free certificates from Let's Encrypt, preferably with dehydrated on FreeBSD, I'm going to combine them into a single PEM file so it can be used by my favourite XMPP server - ejabberd - for securing both c2s (client-to-server) and s2s (server-to-server) traffic.
Assuming I'm storing my Let's Encrypt certificates in dehydrated's default directory, and my domain is mimar.rs, I just need to merge privkey.pem and fullchain.pem into a separate file:
cat /usr/local/etc/dehydrated/certs/mimar.rs/privkey.pem \
    /usr/local/etc/dehydrated/certs/mimar.rs/fullchain.pem > \
    ~/mimar.rs-combined.pem
We need to move this file to a more appropriate location (/etc/ssl/private/ on FreeBSD), and - as it contains our private key - make sure it is readable by the ejabberd account only:
mv ~/mimar.rs-combined.pem /etc/ssl/private/
chown ejabberd:ejabberd /etc/ssl/private/mimar.rs-combined.pem
chmod 400 /etc/ssl/private/mimar.rs-combined.pem
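The merge, ownership and permission steps above can also be done in one pass, so the combined file never sits in a home directory with default permissions and a renewal replaces the old file atomically. This is an added example, not part of the original post; the function names combine_pem and demo_combine and the placeholder PEM bodies in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. combine_pem is a hypothetical
# helper name. As root, with the post's paths:
#   combine_pem /usr/local/etc/dehydrated/certs/mimar.rs \
#       /etc/ssl/private/mimar.rs-combined.pem ejabberd:ejabberd
combine_pem() {
    cert_dir=$1; dest=$2; owner=${3:-}
    key="$cert_dir/privkey.pem"
    chain="$cert_dir/fullchain.pem"

    # Check that each input is what its name claims before writing anything.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null ||
        { echo "no private key in $key" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$chain" 2>/dev/null ||
        { echo "no certificate in $chain" >&2; return 1; }

    # mktemp creates the file with mode 0600, and in the destination
    # directory, so the final mv is a rename on the same filesystem.
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    if cat "$key" "$chain" > "$tmp" &&
       { [ -z "$owner" ] || chown "$owner" "$tmp"; } &&
       chmod 400 "$tmp" &&
       mv -f "$tmp" "$dest"
    then
        return 0
    fi
    rm -f "$tmp"    # never leave a partial file holding the key behind
    return 1
}

# Demo on constructed placeholder files (not real key material);
# prints the permission bits of the resulting combined file.
demo_combine() {
    demo_dir=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END PRIVATE KEY-----' > "$demo_dir/privkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' \
        '-----END CERTIFICATE-----' > "$demo_dir/fullchain.pem"
    combine_pem "$demo_dir" "$demo_dir/combined.pem" &&
        ls -l "$demo_dir/combined.pem" | cut -c1-10
    rm -rf "$demo_dir"
}
```

The owner argument is optional so the function can be tried as an unprivileged user; chown to another account only succeeds when run as root.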
All that remains to be done in order to secure our chats from prying eyes is to instruct ejabberd to use the combined certificate where appropriate.