Monday, August 1, 2016

Easy-RSA Jabber SSL Certificate Problems

I'm currently setting up a new server and ran into something odd. Connecting to ejabberd with Pidgin, the later would reject the SSL certificate outright. At first I thought I had messed up the hostnames, or used an outdated Hash algorithm or whatever.

The errors I saw in the debug window were:


It turns out that SSL certificates can be flagged for what they can be used for, and I had simply created the certificate with the ./build-key command. Using ./build-key-server instead fixes the issue. The difference is that this will set nsCertType=server in the certificate.

I hope this helps anybody who runs into the same issue - it certainly had me pulling out my hair for a while.