Ejabberd: Feature-Request: be able to read SSL cert and key from different files

Created on 7 Nov 2015 · 12 comments · Source: processone/ejabberd

Hi,
Again and again, people deploying ejabberd have wished to be able to read the SSL certificate (chain) from one file and the private key from another.

One example is this wishlist-bugreport:
https://bugs.debian.org/772031

Probably quite a few people would be really happy to see this feature implemented.
At the same time I don't want the possibility to have it all in one file go away.

All 12 comments

:+1:

It seems the situation has changed. This issue got upvoted, and for Let's Encrypt (with automation) it is really crucial to be able to specify both files: the private key might not change so fast, but the certificate has to (every 90 days).

Also, after much trouble I noticed that for some reason ejabberd attempts to acquire write access on the certificate file, and if it doesn't have write permission it usually fails with an E_ACCESS error. I don't feel that it needs write access at all, and it should not be required.

ejabberd doesn't attempt to acquire write access, see #1375 for details.

Hmm, that's very obscure :) Any suggestions for mitigating this? This definitely adversely affects the usage scenario with Let's Encrypt.

Probably not to treat access(2) as an 'access attempt', no? Because this is not an attempt, but a check.

I guess I meant in a sense of mitigating it with ejabberd configuration (unlikely), or selinux policy...

This is now implemented, will be available in 17.11

@zinid: What's the name of the option in ejabberd 17.11 to say where the private key of a certfile is located? I haven't found this information in the documentation. If I define

starttls: true
certfile: "/etc/ssl/private/host_chain.crt"

I get the following error:

Failed to secure c2s connection: TLS failed: SSL_CTX_use_PrivateKey_file failed: error:0906D06C:PEM routines:PEM_read_bio:no start line

I do have the key located in "/etc/ssl/private/host_chain.key" but I don't know how to inform ejabberd about it :-/

You should use certfiles option, see example here.

Thanks. It works with certfiles.
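A small pre-flight check for the failure described above (a certfile that holds the chain but no private key, which is what produces the "no start line" error) and for the working split setup. This is an added example, not code from the ejabberd project; the PEM files it writes are constructed placeholders, and the file names host_chain.crt / host_chain.key are taken from the thread.

```python
import os
import re
import stat
import tempfile

# One PEM block: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.DOTALL)
CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# Constructed, non-functional PEM-shaped samples (the bodies are placeholders).
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n-----END PRIVATE KEY-----\n"


def pem_labels(text):
    """Return the labels of the PEM blocks in `text`, in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_tls_files(paths):
    """Check the files an ejabberd `certfiles` list would point at.

    Returns a list of findings; an empty list means that, taken together, the
    files contain a certificate and a private key, and no key file is
    readable by group or others.
    """
    findings, certs, keys = [], 0, 0
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                labels = pem_labels(fh.read())
        except OSError as exc:
            findings.append(f"{path}: cannot read ({exc.strerror})")
            continue
        if not labels:
            findings.append(f"{path}: no PEM blocks found")
        n_keys = sum(1 for l in labels if l in KEY_LABELS)
        certs += sum(1 for l in labels if l in CERT_LABELS)
        keys += n_keys
        if n_keys and os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"{path}: holds a private key but is group/world readable")
    if certs == 0:
        findings.append("no CERTIFICATE block in any file")
    if keys == 0:
        findings.append("no private key in any file (SSL_CTX_use_PrivateKey_file: no start line)")
    return findings


def demo():
    """Run the check on constructed files: chain alone (fails) and chain plus key (works)."""
    with tempfile.TemporaryDirectory() as d:
        chain, key = os.path.join(d, "host_chain.crt"), os.path.join(d, "host_chain.key")
        with open(chain, "w") as fh:
            fh.write(FAKE_CERT * 2)  # leaf + intermediate, no key
        with open(key, "w") as fh:
            fh.write(FAKE_KEY)
        os.chmod(key, 0o600)  # key must not be readable by others
        return {"chain_only": check_tls_files([chain]), "chain_and_key": check_tls_files([chain, key])}
```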