Andris Koepe's picture

Hi! I am using turnkey ejabberd on Amazon AWS. When connecting to the chat server from my client app I get an exception. It only occurs if I try using SSL (TLS).

Could somebody give me some info about the default SSL certificate used by Turnkey? Who is it signed by, etc.? My client side might reject certificates with an invalid or unknown signature.

Jeremy Davis's picture

Not sure how I missed your post, but I just realised it was unanswered.

The SSL certificate that your TurnKey server is using is a "self signed" certificate. I.e. it was created by, and signed by your server itself (during firstboot). As your server is not a recognised Certificate Authority (CA), warnings about the certificate are expected behaviour.

The generally accepted way of resolving that is to get a certificate signed by a recognised third party CA. Although if you plan to be communicating with known parties, an alternate approach would be to get each of the remote users to import your server as a known CA. I have little experience with that, so I can't really comment on the pros and cons, nor how you would actually do it; but I know it's possible.

Another thing that you may hit, is that the certificate (and server in general) may be using some sub-optimal SSL configuration. You may be able to improve that, although generally the best way to resolve it on TurnKey, is to migrate your data to the v14.x version of the appliance. Unfortunately though, we deprecated the Ejabberd appliance in v13.x. So there is no migration pathway to v14.x (which supports/provides much more secure "proper" SSL aka TLS).

But seeing as TurnKey is Debian under the hood, you could try doing an "in place" upgrade to Debian Jessie base. I can't guarantee that it will go smoothly (or even that it will work 100%) but it could be worth a try?! Personally I would not attempt it on a production server, but if you can create a snapshot of your current appliance first (and do a test run on the snapshot) then it's probably worth a try. Even though you won't be able to use TKLBAM (because there is no v14.x Ejabberd appliance), the doc page on migration, may still provide some valuable info?!

Andris Koepe's picture

Thanks for your answer, this was exactly the information I was looking for.

Let's say I have a new certificate, can you help me with how I can change/install it on the server? Amazon also offers SSL certificates on AWS, do you have any knowledge of how these could be useful in my scenario?

Thanks again!

Jeremy Davis's picture

Unfortunately I know very little about the eJabberd appliance as I've never really used it and it hasn't been released since I've been managing appliance releases (I started that for v14.0). So I can't really give you a lot of guidance on the specific requirements for eJabberd's SSL cert.

However, looking at the build code, I can see that eJabberd just uses a copy of the default self signed SSL cert and can be found in /etc/ejabberd/ejabberd.pem

Regarding getting certs, although we do not provide a current eJabberd appliance, we have just updated confconsole for v14.2 to allow you to automagically get free SSL certs via Let's Encrypt. I haven't tested installing it on anything prior to v14.0 but perhaps that is possible? Alternatively, if you upgrade the base OS to Debian Jessie, then I'm almost certain it'd work.
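An added example, not part of the thread above or of TurnKey's own code: a small shell script that reports who issued a PEM certificate and whether it is self-signed, which is what decides whether a client accepts it. The path `/etc/ejabberd/ejabberd.pem` comes from the thread; the function names and the `constructed.example` certificate are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: inspect a PEM certificate and report whether it is self-signed.
# openssl reads the first CERTIFICATE block, so a combined key+cert file works.

# Exit 0 when subject and issuer are the same name (self-signed naming),
# 1 when they differ, 2 when the file cannot be parsed.
# This compares names only; it does not verify the signature itself.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    iss=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    [ "$subj" = "$iss" ]
}

# Print the fields a client-side validation failure usually hinges on.
cert_report() {
    openssl x509 -in "$1" -noout -subject -issuer -dates \
        -fingerprint -sha256 || return 2
    if cert_is_self_signed "$1"; then
        echo "self-signed: clients warn unless they explicitly trust this certificate"
    else
        echo "issued by another party: clients validate it against their CA store"
    fi
}

# Usage: sh cert-check.sh /etc/ejabberd/ejabberd.pem
# With no argument, a constructed throwaway certificate is generated and checked.
if [ -n "${1:-}" ]; then
    cert_report "$1"
else
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed.example" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
    # Mimic a combined key+certificate PEM file.
    cat "$tmp/key.pem" "$tmp/cert.pem" > "$tmp/combined.pem"
    cert_report "$tmp/combined.pem"
    rm -rf "$tmp"
fi
```

The SHA-256 fingerprint it prints is the value to compare out of band if a client is configured to trust this one certificate explicitly.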
