Andris Koepe - Tue, 2017/04/04 - 22:56
Hi! I am using turnkey ejabberd on Amazon AWS. When connecting to the chat server from my client app I get an exception. It only occurs if I try using SSL (TLS).
Could somebody give me some info about the default SSL certificate used by Turnkey? Who is it signed by etc.? My client side might reject invalid or unknown signature certificates.
Sorry for slow reply...
The SSL certificate that your TurnKey server is using is a "self signed" certificate. I.e. it was created by, and signed by your server itself (during firstboot). As your server is not a recognised Certificate Authority (CA), warnings about the certificate are expected behaviour.
The generally accepted way of resolving that is to get a certificate signed by a recognised third party CA. Although if you plan to be communicating with known parties, an alternate approach would be to get each of the remote users to import your server as a known CA. I have little experience with that, so I can't really comment on the pros and cons, nor how you would actually do it; but I know it's possible.
Another thing that you may hit is that the certificate (and server in general) may be using some sub-optimal SSL configuration. You may be able to improve that, although generally the best way to resolve it on TurnKey is to migrate your data to the v14.x version of the appliance. Unfortunately though, we deprecated the Ejabberd appliance in v13.x. So there is no migration pathway to v14.x (which supports/provides much more secure "proper" SSL aka TLS).
But seeing as TurnKey is Debian under the hood, you could try doing an "in place" upgrade to Debian Jessie base. I can't guarantee that it will go smoothly (or even that it will work 100%) but it could be worth a try?! Personally I would not attempt it on a production server, but if you can create a snapshot of your current appliance first (and do a test run on the snapshot) then it's probably worth a try. Even though you won't be able to use TKLBAM (because there is no v14.x Ejabberd appliance), the doc page on migration may still provide some valuable info?!
Change certificate
Thanks for your answer, this was exactly the information I was looking for.
Let's say I have a new certificate, can you help me how I can change/install it on the server? Amazon also offers SSL certificates on AWS, do you have any knowledge how these could be useful in my scenario?
Thanks again!
Unfortunately I know very little about eJabberd
However, looking at the build code, I can see that eJabberd just uses a copy of the default self signed SSL cert, which can be found in /etc/ejabberd/ejabberd.pem
Regarding getting certs, although we do not provide a current eJabberd appliance, we have just updated confconsole for v14.2 to allow you to automagically get free SSL certs via Let's Encrypt. I haven't tested installing it on anything prior to v14.0 but perhaps that is possible? Alternatively, if you upgrade the base OS to Debian Jessie, then I'm almost certain it'd work.
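Putting the two replies above into practice (the self-signed cert and the "import your server as a known CA" idea from the first reply, and replacing /etc/ejabberd/ejabberd.pem from the second), here is an added example. It is not code from this thread, from TurnKey or from the ejabberd project. It assumes, as the Debian ejabberd package does, that ejabberd.pem holds the private key followed by the certificate (plus any intermediate chain), that the file is owned root:ejabberd with mode 0640, that client STARTTLS is on port 5222, and that `service ejabberd restart` picks up the new file; hostnames and the script name are placeholders.

```shell
#!/bin/sh
# Added example for this thread; not TurnKey or ejabberd project code.
# Needs the openssl CLI. Running it with no arguments only defines the functions.

# A certificate is self-signed when its issuer DN equals its subject DN.
# A CA-signed certificate has a different issuer.
cert_is_self_signed() {
    local subj iss
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# SHA-256 fingerprint: what a client pins, or what you show a user so they can
# confirm they are trusting the right self-signed certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Verify CERT against an explicit trust store TRUSTED, e.g. the server's own
# self-signed certificate copied to the client. This is the "import the server
# as a known CA" approach; the system CA bundle is not consulted.
verify_against_trusted() {
    local trusted=$1 cert=$2
    openssl verify -CAfile "$trusted" "$cert" >/dev/null 2>&1
}

# Build a replacement ejabberd.pem: private key, then leaf certificate, then an
# optional intermediate chain (pass "" for none). Refuses to write anything if
# the key does not belong to the certificate, so a bad deploy cannot take the
# server down. The file is created 0600 and then set to 0640 (assumed layout
# and mode of the Debian package).
assemble_ejabberd_pem() {
    local key=$1 cert=$2 chain=$3 dest=$4 keypub certpub
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "unreadable private key: $key" >&2; return 1; }
    certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "unreadable certificate: $cert" >&2; return 1; }
    if [ "$keypub" != "$certpub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi
    (
        umask 077
        { cat "$key" "$cert"; if [ -n "$chain" ]; then cat "$chain"; fi; } > "$dest"
    ) || return 1
    chmod 640 "$dest"
}

# Connect with STARTTLS on the c2s port (5222, assumed) and report whether the
# certificate the server presents verifies against TRUSTED. Needs the network,
# so it is only shown here, not exercised.
probe_xmpp_starttls() {
    local host=$1 trusted=$2 out
    out=$(openssl s_client -connect "$host:5222" -starttls xmpp -CAfile "$trusted" </dev/null 2>&1)
    echo "$out" | grep -q 'Verify return code: 0 (ok)'
}

# Operator workflow (assumed TurnKey/Debian paths; run as root):
#   ./ejabberd-cert.sh inspect /etc/ejabberd/ejabberd.pem
#   ./ejabberd-cert.sh install privkey.pem cert.pem chain.pem
case "${1:-}" in
    inspect)
        if cert_is_self_signed "$2"; then
            echo "self-signed: clients warn unless they trust this exact cert"
        else
            echo "CA-signed"
        fi
        echo "sha256 fingerprint: $(cert_fingerprint "$2")"
        ;;
    install)
        cp -p /etc/ejabberd/ejabberd.pem "/etc/ejabberd/ejabberd.pem.bak.$(date +%s)"  # rollback copy
        assemble_ejabberd_pem "$2" "$3" "${4:-}" /etc/ejabberd/ejabberd.pem || exit 1
        chown root:ejabberd /etc/ejabberd/ejabberd.pem   # assumed ownership used by the Debian package
        service ejabberd restart                        # assumed sysvinit restart on the Wheezy-based appliance
        ;;
esac
```

The key-matches-certificate check is the part worth keeping even if you do everything else by hand: ejabberd reads key and certificate from one file, and a mismatched pair is the usual way a certificate swap ends with the server refusing TLS connections entirely. For a client that cannot use the system trust store, `verify_against_trusted` with the server's own certificate as the CA file is the explicit-trust model the first reply describes; a CA-signed certificate from Let's Encrypt removes the need for it.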