Certificate issue after changing domain

Avron · July 10, 2022, 8:41pm

Hello,

I changed the domain of the Freedombox (because it was a subdomain and after activating postfix/dovecot, I had the impression that I did not receive certain email to the main domain handled by another server).

However, whenever I try to connect to re-create an account with the new domain in Gajim, Gajim complains about the certificate and shows that the certificate it has received has the old name in “organization” and it says it was issue on Feb 2021 and expired on Feb 2022. It also gives a SN and fingerprints but I don’t know where to check that on the Freedombox.

I have a less detailed complain from another XMPP client (MAXS, android).

Still, I made sure that ejabberd points to the new domain, I also went into the Let’s encrypt configuration and asked to removed the certificate for the old domain that was still there. I also rebooted afterwards, in case, but still no success.

I also have Quassel complain about certificate but the client does not provide that detailed information.

Not sure what to do.

EDIT: the certificate visible when accessing plinth in the web browser is brand new, linked to the new domain and perfectly fine. In addition, email and CardDav/CalDav clients do’n’t complain either. The problem is only with ejabberd and quassel.

Avron · July 11, 2022, 5:26pm

I looked at /etc/ejabberd:

in the letsencrypt directory, there are 3 directories, one for the old domain, one for the new domain, one for an onion domain, each contains an ejabberd.pem file
there is an ejabberd.pem file directly in /etc/ejabberd
in ejabberd.yml, there is a line: s2s_certfile: "/etc/ejabberd/letsencrypt/\/ejabberd.pem"
I used "openssl x509 -i ejabberd.pem -text on the file in /etc/ejabberd and on the file in /etc/ejabberd/letsencrypt/\/
- I am unable to match what SN and sha256 checksums with what Gajim receives
- the validity dates on the file in /etc/ejabberd matches with what Gajim sees (i.e. Feb 24) while the validity dates on the file in /etc/ejabberd/letsencrypt/\/ are much newer
=> That seems to mean that ejabberd uses the certificate in /etc/ejabberd and not the one in /etc/ejabberd/letsencrypt/\/.

I would be tempted to copy the certificate for the new domain to /etc/ejabberd but what will happen at the renewal date? Should ejabberd.yml also be updated to point to the file in the letsencrypt directory? And then, will it work after renewal?

Avron · July 14, 2022, 2:23pm

The certificate in /etc/ejabberd/ejabberd.pem is an expired self-signed certificate.

I removed it and put a link to /etc/ejabberd/letsencrypt/<new domain>/ejabberd.pem.

I restarted ejabberd service in cockpit. Now ejabberd is using the right certificate, but I don’t know whether renewal will work.

Besides, quassel is still not using the proper certificate, so I need to investigate that.

Avron · July 14, 2022, 7:41pm

For quassel, I looked at: Client-Core SSL support - Quassel IRC - Quassel IRC Issue Tracker

I ran
cat /etc/letsencrypt/live/<my domain>/{privkey.pem,fullchain.pem} > /var/lib/quassel/quasselCert.pem

and restarted quassel service from cockpit and now I have the new certificate.

Avron · October 9, 2022, 5:10pm

The Let’s encrypt certificate was just renewed but Quassel is not using it, so my fix does not work after renewal. Not sure about ejabberd, I will check.

By the way, I also decided to try matrix again, when I connect a client (nheko) it shows my username with the previous domain. So another issue here.