I have set up StartTLS on my personal server for S2S connections. As far as I can tell, this side is working now.
But since other servers are using CAcert for their root CA, I want to make my server trust CAcert as a root certificate.
I have the certificate file in /etc/ssl/certs already. What steps do I need to take to make ejabberd trust this certificate?
Try this:
- Get the CAcert root certificate.
- Add it to your SSL system (OpenSSL) to make sure your SSL system can recognize CAcert. The CAcert root certificate is still not shipped with OpenSSL by default.
- Check your certificate with the command 'openssl verify <certificate file name>'.
This must be done on both sides.
http://www.ejabberd.im/node/4
http://www.ejabberd.im/node/4345
Here is the crucial point that hung me up for an hour:
The ejabberd.pem contains three pieces of information, all of which are necessary to establish the secure connection: your RSA private key, your certificate issued by the CA, and the CA's intermediate certificate.
Therefore the contents of the .pem file to which your ejabberd.cfg points should look like this:
-----BEGIN RSA PRIVATE KEY-----
[... your private key data ... ]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[... your own certificate ...]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[... your CA's intermediate certificate ...]
-----END CERTIFICATE-----
That pem file should only be readable by the user under which ejabberd runs.
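Assembling such a file and checking it before pointing ejabberd at it, as an added example that is not part of the original answer. It generates a constructed throwaway root/intermediate/server chain so it runs offline, and assumes only that `openssl` is on PATH; in production the root is the real CAcert root and the key and certificate are your own.

```shell
#!/bin/sh
# Added example: build ejabberd.pem in the layout described above (private key,
# own certificate, intermediate) and sanity-check it. The CA hierarchy below is
# CONSTRUCTED throwaway material so the script runs offline.

# Generate a throwaway root -> intermediate -> server chain in $1 (test fixtures only).
make_test_pki() (
  set -e
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test Root' \
    -keyout root.key -out root.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
    -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out inter.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=xmpp.example.org' \
    -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 1 -out server.crt 2>/dev/null
)

# Assemble the file in the order ejabberd expects: key, own certificate, intermediate.
assemble_pem() {
  cat "$1" "$2" "$3" > "$4" && chmod 600 "$4"
}

# Sanity-check an assembled pem against a trusted root; returns non-zero on any failure.
check_ejabberd_pem() {
  pem="$1"; root="$2"
  # 1. No group/other permission bits: only the ejabberd user may read the private key.
  [ "$(ls -ld "$pem" | cut -c5-10)" = "------" ] \
    || { echo "$pem: permissions are too open"; return 1; }
  # 2. The private key must belong to the first certificate in the file.
  [ "$(openssl pkey -in "$pem" -pubout 2>/dev/null)" = "$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)" ] \
    || { echo "$pem: private key does not match the certificate"; return 1; }
  # 3. The server certificate must chain to the root using only the bundled intermediate(s).
  openssl verify -CAfile "$root" -untrusted "$pem" "$pem" >/dev/null 2>&1 \
    || { echo "$pem: certificate does not chain to $root"; return 1; }
  echo "$pem: ok"
}

main() {
  dir=$(mktemp -d)
  make_test_pki "$dir"
  assemble_pem "$dir/server.key" "$dir/server.crt" "$dir/inter.crt" "$dir/ejabberd.pem"
  check_ejabberd_pem "$dir/ejabberd.pem" "$dir/root.crt"
}
main
```

The chain check passes only when the intermediate is actually bundled in the file, which is exactly the piece that is easy to forget.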