As of ejabberd-17.11, configuration option certfile, which should point to combined PEM file which consists of private key, server certificate and intermediate certificate(s), was replaced with configuration option certfiles, which should point to directory which holds private key, server certificate, and intermediate certificate(s) in separate PEM files. Also, ca_file configuration option was introduced, which should point to "trusted root certificate bundle".

For ejabberd-17.11 and newer, configuration is similar to:

###   ======= CERTIFICATES ========   ###
  - "/etc/ssl/certs/live/*.pem"
ca_file: "/usr/local/etc/ssl/cert.pem"

The original article is below, for historycal reasons.

Once I've obtained free certificates from Let's Encrypt, preferrably following procedure I described in another article here on Mimar, Let's Encrypt Wildcard Certificates On FreeBSD With BIND DNS Validation, I'm going to combine them into single PEM file so it can be used by my favourite XMPP server - ejabberd - for securing both c2s (client-to-server) and s2s (server-to-server) traffic.

Assuming I'm storing my Let's Encrypt certificates in dehydrated's default directory, and my domain is, I just need to merge privkey.pem and fullchain.pem into separate file:

cat /usr/local/etc/letsencrypt/live/ \
   /usr/local/etc/letsencrypt/live/ > \

We need to move this file to more appropriate location (/etc/ssl/private/ on FreeBSD), and - as it contains our private key - make sure it is readable by ejabberd account only:

mv ~/ /etc/ssl/private/
chown ejabberd:ejabberd /etc/ssl/private/
chmod 400 /etc/ssl/private/

All that remains to be done in order to secure our chats from prying eyes is to instruct ejabberd to use combined certificate where appropriate.

Next Post Previous Post