XMPP, Prosody, TLS

My certificate expired recently and now i had to renew it. For this i tried to keep the private key and recreate a new certificate signing request. This can easily be done with

$ openssl req -new -key ssl.key -out ssl.csr

This generates a new signing request saved in ssl.csr. For xmpp certificates its important, that the common name the certificate is issued for is the domain name, not the hostname the service is actually running on. Prosody says it as following:

Which domain?

Sometimes there is confusion about which domain to get a certificate for, if your service uses SRV records to delegate XMPP services to a second domain (e.g. xmpp.example.com).

The answer is simple - your certificate simply needs to match whatever you have in your VirtualHost and Component definitions (e.g. example.com and conference.example.com), as these are the services you need to authenticate as. When you use the prosodyctl cert commands (see below), the correct entries are always included.

The next important thing is how to concatenate the certificates in order to work properly in prosody. So the first certificate has always to be the host certificate, followed immediately by the intermediate ca certificate of the issuer.

Update 18.04.: Since there are multiple Subdomains involved in providing functionality such as multi user chatrooms (muc) and anonymous login these Subdomains have to be made valid as well. One way to do this is to generate a valid key/certificate pair for each subdomain. Another way - at least with startcom - is, to provide multiple domain names when the certificate is set up. startcom supports up to five subdomains for one certificate. The list of subdomains for my certificate looks as following

metaccount.de
conference.metaccount.de
anon.metaccount.de
le.metaccount.de

xmpp.net score

XMPP, Prosody, TLS
Share this