Renewing self-signed certificate for ejabberd

I run an ejabberd server on an Ubuntu 12.10 box and this week I started getting notified by my IM client that the server’s certificate had expired.

Here’s how I managed to generate a new certificate.

WARNING: this process backs up, deletes and then restores your ejabberd database, so it is probably fairly risky.

# Move any previous backups out of the way
sudo mv /var/backups/ejabberd-* ~/Desktop/

# Move the expired certificate out of the way
sudo mv /etc/ejabberd/ejabberd.pem /etc/ejabberd/ejabberd.pem.old

# Reconfigure the ejabberd package (WARNING: backs up and deletes your database!)
sudo dpkg-reconfigure ejabberd

# Make the database backup file readable
sudo chmod a+rx /var/backups/ejabberd-*/
sudo chmod a+r /var/backups/ejabberd-*/*

# Restore the backup
sudo ejabberdctl restore /var/backups/ejabberd-*/ejabberd-database

If you’re lucky, your server will now be back up with a new self-signed certificate.

In general, using dpkg-reconfigure to create a new self-signed certificate seems to work nicely.
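The dpkg-reconfigure route works, but it only regenerates the certificate as a side effect of re-running the package's post-install script, which is why the database gets backed up and deleted on the way. As an added example (mine, not code from the post or from the ejabberd package), the script below renews the self-signed certificate with openssl directly, so the database is never touched, and checks the result before the service is restarted. It assumes the Debian/Ubuntu layout (/etc/ejabberd/ejabberd.pem as one file holding key and certificate, an "ejabberd" group) and an openssl binary on PATH; the function names and the 30-day renewal threshold are my own choices.

```shell
#!/bin/sh
# Added example, not from the post or the ejabberd package: renew the
# self-signed certificate with openssl directly so the database is never
# touched, and verify the result before the service is restarted.
# Assumptions: Debian/Ubuntu layout (/etc/ejabberd/ejabberd.pem, an
# "ejabberd" group) and an openssl binary on PATH.

PEM="${EJABBERD_PEM:-/etc/ejabberd/ejabberd.pem}"   # combined key+cert file
DAYS="${CERT_DAYS:-365}"                            # validity of the new cert

# Succeeds when the certificate in $1 is still valid for at least $2 days.
cert_ok_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Prints the CN of the certificate's subject (empty if the file is unreadable),
# so the renewed certificate keeps the name the clients already know.
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Writes a new 2048-bit RSA key and self-signed certificate for CN=$2 into $1,
# key first, which is the layout the Debian package produces; $3 is the
# validity in days.
make_self_signed_pem() {
    dir=$(mktemp -d) || return 1
    if ! openssl req -new -x509 -days "$3" -nodes -newkey rsa:2048 -subj "/CN=$2" \
            -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1; then
        rm -rf "$dir"; return 1
    fi
    cat "$dir/key.pem" "$dir/cert.pem" > "$dir/combined.pem"
    chmod 640 "$dir/combined.pem"          # private key: no world read
    mv "$dir/combined.pem" "$1" && rm -rf "$dir"
}

# Succeeds when the private key and certificate in $1 carry the same public key,
# i.e. the combined file is usable and was not assembled from mismatched parts.
pem_key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Renews $1 when fewer than $2 days of validity remain (or the file is missing),
# keeping a dated copy of the old file instead of deleting it.
renew_if_needed() {
    if [ -f "$1" ] && cert_ok_for_days "$1" "$2"; then
        echo "$1: still valid for at least $2 days, nothing to do"
        return 0
    fi
    cn=$(cert_subject_cn "$1")
    [ -n "$cn" ] || cn=$(hostname -f 2>/dev/null || echo localhost)
    [ ! -f "$1" ] || cp -p "$1" "$1.$(date +%Y%m%d).old"
    make_self_signed_pem "$1" "$cn" "$DAYS" || { echo "generation failed" >&2; return 1; }
    pem_key_matches_cert "$1" || { echo "$1: key and certificate do not match" >&2; return 1; }
    chown root:ejabberd "$1" 2>/dev/null || true   # group read for the daemon
    echo "new self-signed certificate for CN=$cn written to $1"
}

# Typical use, as root: renew when under 30 days remain, then restart ejabberd.
# renew_if_needed "$PEM" 30 && service ejabberd restart
```

The key and certificate are generated into separate temporary files and concatenated, rather than relying on openssl appending to the same output file as the package's post-install does, and the public keys of both halves are compared afterwards so a half-written or mismatched file is caught before ejabberd is restarted with it. Clients that pinned the old self-signed certificate will still prompt once, since the key is new.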

6 thoughts on “Renewing self-signed certificate for ejabberd”

  1. Thanks. That seems to have worked OK for me too. However I’m not sure about the restoring of the database. I get a file not found error at that stage, but I’m not clear what you’re restoring.
    Are you restoring the database you just created, or should that last line reference the stuff you backed up to ~/Desktop?
    I have a working system so I’m not /too/ concerned :-)

  2. Why not use the routine that creates the cert? In the postinst of the Debian ejabberd package it is (modified with the remove part):

    $: cat /root/scripts/regenerate-ejabberd.pem.sh
    #!/bin/bash
    # script to generate new ejabberd.pem

    # Making /etc/ejabberd/ejabberd.pem if it does not exist.
    cd /etc/ejabberd || exit 1
    if [ -f ejabberd.pem ]
    then
    rm ejabberd.pem
    fi
    if [ ! -f ejabberd.pem ]
    then
    echo "Generating SSL certificate /etc/ejabberd/ejabberd.pem..."
    EHOSTNAME=$(hostname -s 2>/dev/null || echo localhost)
    EDOMAINNAME=$(hostname -d 2>/dev/null || echo localdomain)
    # The package's postinst answers the subject prompts from a here-document;
    # that block was lost when the comment was rendered, so the subject is
    # passed with -subj here instead.
    openssl req -new -x509 -days 365 -nodes -out ejabberd.pem \
    -keyout ejabberd.pem -subj "/CN=$EHOSTNAME.$EDOMAINNAME" > /dev/null 2>&1
    fi

    (last line is fi) and then make it executable with chmod a+x

  3. This no longer works. Is there an update on how to do it with the latest ejabberd available with raspbian?
