Renewing self-signed certificate for ejabberd

July 15, 2014 [Tech]

I run an ejabberd server on an Ubuntu 12.10 box and this week I started getting notified by my IM client that the server's certificate had expired.

Here's how I managed to generate a new certificate.

WARNING: this process backs up, deletes and then restores your ejabberd database, so it is probably fairly risky.

# Move any previous backups out of the way
sudo mv /var/backups/ejabberd-* ~/Desktop/

# Move the expired certificate out of the way
sudo mv /etc/ejabberd/ejabberd.pem /etc/ejabberd/ejabberd.pem.old

# Reconfigure the ejabberd package (WARNING: backs up and deletes your database!)
sudo dpkg-reconfigure ejabberd

# Make the database backup file readable
sudo chmod a+rx /var/backups/ejabberd-*/
sudo chmod a+r /var/backups/ejabberd-*/*

# Restore the backup
sudo ejabberdctl restore /var/backups/ejabberd-*/ejabberd-database

If you're lucky, your server will now be back up with a new self-signed certificate.
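A way to check the result of the steps above, as an added example that is not part of the original post: it reports the new certificate's expiry date and SHA-256 fingerprint (for comparing against what an IM client shows when it asks to accept the new certificate) and lists certificate or backup files that the chmod step left readable by every local user. The function names, the script file name and the 30-day threshold are assumptions; the paths are the ones used above.

```shell
#!/bin/sh
# Added example: checks to run after the renewal steps on this page.
# Assumptions: function names, the 30-day threshold, and that
# ejabberd.pem holds the private key alongside the certificate.

# cert_status PEM [DAYS]
# Prints subject, expiry date and SHA-256 fingerprint of the certificate.
# Returns 0 if it stays valid for more than DAYS days, 1 if it expires
# sooner (or already has), 2 if no certificate could be read from PEM.
cert_status() {
    pem=$1
    days=${2:-30}
    openssl x509 -in "$pem" -noout -subject -enddate \
        -fingerprint -sha256 2>/dev/null || return 2
    if openssl x509 -in "$pem" -noout \
        -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# world_readable PATH...
# Lists regular files under the given paths that any local user can read.
# Missing paths are ignored.
world_readable() {
    find "$@" -type f -perm -004 2>/dev/null || true
}

# Run as: sudo sh check-ejabberd-cert.sh check   (hypothetical file name)
if [ "${1:-}" = "check" ]; then
    rc=0
    cert_status /etc/ejabberd/ejabberd.pem 30 || rc=$?
    [ "$rc" -eq 0 ] || echo "certificate check failed (status $rc)"
    leaks=$(world_readable /etc/ejabberd/ejabberd.pem \
        /etc/ejabberd/ejabberd.pem.old /var/backups/ejabberd-*)
    if [ -n "$leaks" ]; then
        echo "readable by all local users (consider chmod o-r):"
        echo "$leaks"
    fi
fi
```

Once the restore has been confirmed, the backup files no longer need the read permissions granted for it.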

In general, the policy of using dpkg-reconfigure to handle creating a new self-signed certificate seems to work nicely.