Self-signed certificates not working in docker image

[lucasl84]

Hi,

I'm running a bit insane on how to properly setup ejabberd's certificates in the official docker image to run some basic tests. In principle, I just want to launch ejabberd in Docker and connect two external (not from docker) clients to it, and do some basic tests sending messages from a custom Python app. So far I've launched the official docker image and passed the self signed certificates with:

certfiles:
  - "/opt/ejabberd/certs/*.pem

in the ejabberd.yml file. The certificates were generated with the following commands:

openssl req -x509 -nodes -newkey rsa:4096 \
    -keyout selfsigned.key \
    -out selfsigned.crt -days 3650

cat selfsigned.key selfsigned.crt > selfsigned.pem

and then renamed it to the expected files by ejabberd in the certs directory:

/opt/ejabberd/certs/conference.mar1test.org.pem
/opt/ejabberd/certs/proxy.mar1test.org.pem
/opt/ejabberd/certs/pubsub.mar1test.org.pem
/opt/ejabberd/certs/upload.mar1test.org.pem

I'm generating the self signed certificate in my machine and then copying them through a Dockerfile. Note that all the certs are IDENTICAL for each .mar1test.org subdomain.

I'm using HOST as mar1test.org. Yet, I'm getting the following output from the log:

...
mar1test.ejabberd  | 2025-08-27 11:45:20.773 [warning] Invalid certificate in /opt/ejabberd/certs/server.pem: at line 53: self-signed certificate
mar1test.ejabberd  | 2025-08-27 11:45:20.773 [warning] Invalid certificate in /opt/ejabberd/certs/conference.mar1.org.pem: at line 53: self-signed certificate
mar1test.ejabberd  | 2025-08-27 11:45:20.773 [warning] Invalid certificate in /opt/ejabberd/certs/upload.mar1.org.pem: at line 53: self-signed certificate
mar1test.ejabberd  | 2025-08-27 11:45:20.773 [warning] Invalid certificate in /opt/ejabberd/certs/pubsub.mar1.org.pem: at line 53: self-signed certificate
mar1test.ejabberd  | 2025-08-27 11:45:20.773 [warning] Invalid certificate in /opt/ejabberd/certs/proxy.mar1.org.pem: at line 53: self-signed certificate
mar1test.ejabberd  | 2025-08-27 11:45:20.797 [warning] No certificate found matching mar1test.org
mar1test.ejabberd  | 2025-08-27 11:45:20.798 [warning] No certificate found matching pubsub.mar1test.org
mar1test.ejabberd  | 2025-08-27 11:45:20.798 [warning] No certificate found matching conference.mar1test.org
mar1test.ejabberd  | 2025-08-27 11:45:20.798 [warning] No certificate found matching upload.mar1test.org
mar1test.ejabberd  | 2025-08-27 11:45:20.798 [warning] No certificate found matching proxy.mar1test.org
mar1test.ejabberd  | 2025-08-27 11:45:20.801 [info] Requesting new certificate for mar1test.org, pubsub.mar1test.org and 3 more hosts from https://acme-v02.api.letsencrypt.org/directory
...
mar1test.ejabberd  | 2025-08-27 11:45:27.248 [error] Failed to request certificate for mar1test.org, pubsub.mar1test.org and 3 more hosts: Challenge failed for domain conference.mar1test.org: ACME server reported: DNS problem: NXDOMAIN looking up A for conference.mar1test.org - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for conference.mar1test.org - check that a DNS record exists for this domain (error type: dns)

What I don't understand:

1. It says: Invalid certificate in /opt/ejabberd/certs/server.pem: at line 53: self-signed certificate. Why a self-signed certificate is considered INVALID?
2. No certificate found matching mar1test.org. Why is this popping up? The certificate is there, but because is considered invalid, now is saying that there's no certificate found. This is confusing.
3. Requesting new certificate for mar1test.org, pubsub.mar1test.org and 3 more hosts from https://acme-v02.api.letsencrypt.org/directory. I don't want letsencrypt to bring certificates for my use case. How am I supposed to suppress it?

So, to recap: self-signed certificate is considered invalid, then as if not exists at all and finally requesting certs through letsencrypt.

Can someone share step by step how to run ejabberd without any of these warnings popping up for a local testing environment?

With what I've described above I've managed to connect gajim to ejabberd but it fails at some point for the same reason:

I couldn't find any information online as how to do this: search engines giving me wrong/not relevant information and as far as I can tell this doesn't seem to be mentioned anywhere in the docs that I've been reading. What is it that I'm missing/not doing? I don't understand why is it hard to get an isolated testing environment up and running.

Thanks in advance,
Lucas.

[licaon-kter]

do recheck the folder&files permissions just in case

[lucasl84]

Hi @licaon-kter, thanks for you reply. Permissions looks like this:

~ $ ls -lha certs/
total 52K    
drwxr-xr-x    3 ejabberd ejabberd    4.0K Aug 27 11:45 .
drwxr-xr-x   10 ejabberd ejabberd    4.0K Aug 27 14:16 ..
-rw-rw-r--    1 ejabberd ejabberd    5.0K Aug 27 11:24 conference.mar1.org.pem
drwxrwxr-x    2 ejabberd ejabberd    4.0K Aug 27 11:45 custom
-rw-rw-r--    1 ejabberd ejabberd    5.0K Aug 27 11:24 proxy.mar1.org.pem
-rw-rw-r--    1 ejabberd ejabberd    5.0K Aug 27 11:24 pubsub.mar1.org.pem
-rw-rw-r--    1 ejabberd ejabberd    5.0K Aug 27 11:24 server.pem
-rw-rw-r--    1 ejabberd ejabberd    5.0K Aug 27 11:24 upload.mar1.org.pem

~ $ ls -lha
total 52K    
drwxr-xr-x   10 ejabberd ejabberd    4.0K Aug 27 14:16 .
drwxr-xr-x    1 root     root        4.0K Aug 22 13:03 ..
-rw-------    1 ejabberd ejabberd      84 Aug 27 14:18 .ash_history
drwxr-xr-x    3 ejabberd ejabberd    4.0K Aug 27 11:45 .ejabberd-modules
-r--------    1 ejabberd ejabberd      20 Aug 27 00:00 .erlang.cookie
lrwxrwxrwx    1 root     ejabberd      15 Aug 13 14:54 bin -> /usr/local/bin/
drwxr-xr-x    3 ejabberd ejabberd    4.0K Aug 27 11:45 certs
drwxr-xr-x    2 ejabberd ejabberd    4.0K Aug 27 11:45 conf
drwxr-xr-x    5 ejabberd ejabberd    4.0K Aug 27 14:17 database
drwxr-xr-x    2 ejabberd ejabberd    4.0K Aug 27 11:45 logs
drwx------    2 ejabberd ejabberd    4.0K Aug 27 11:45 sockets
drwxr-xr-x    2 root     root        4.0K Aug 27 11:45 sql
drwxr-xr-x    2 ejabberd ejabberd    4.0K Aug 22 13:03 upload

Edit: Note that these should be *.mar1test.org.pem (this is because I forgot to make a change, as still testing), but the result is exactly the same.

Regards,
Lucas.

[badlop]

1. It says: Invalid certificate in /opt/ejabberd/certs/server.pem: at line 53: self-signed certificate. Why a self-signed certificate is considered INVALID?

The public_key library in OTP says: specific path validation errors, such as selfsigned_peer

For that reason, the pkix library returns an error when validating the path and reports that the certificate is self-signed.

But notice that ejabberd itself shows that message as a warning, not an error.

As ejabberd uses those certificates instead of rejecting them; it's important to show at least a warning in the log to alert the admin that the certificate is self-signed, just in case this is not a desired scenario.

---

3. Requesting new certificate for mar1test.org, pubsub.mar1test.org and 3 more hosts from https://acme-v02.api.letsencrypt.org/directory. I don't want letsencrypt to bring certificates for my use case. How am I supposed to suppress it?

It's mentioned in the documentation:
https://docs.ejabberd.im/admin/configuration/basic/#setting-up-acme

acme:
  auto: false

Anyway, that option is only needed because there are domains without any certificate. Once you successfully provide a cert for each domain (even if it is self-signed), then ACME will not trigger.

---

2. No certificate found matching mar1test.org. Why is this popping up? The certificate is there, but because is considered invalid, now is saying that there's no certificate found. This is confusing.

No idea what's wrong in your setup. I'll provide a full and detailed example to reproduce a valid scenario.

To simplify the example, I'll create only a cert for the first domain. I use Podman and the ejabberd container image, but this is surely 100 percent reproducible with docker and with the ecs container image.

Create the certificate and grant file permissions:

host=mar1test.org
pem_file=$host.pem

openssl req -x509 \
            -batch \
            -nodes \
            -newkey rsa:4096 \
            -keyout $pem_file \
            -out $pem_file \
            -days 3650 \
            -new \
            -utf8 \
            -nameopt lname,sep_multiline,utf8 \
            -addext "subjectAltName = DNS:$host" \
            -subj "/CN=$host" >'/dev/null' 2>&1 || :
openssl x509 -in $pem_file -noout -text | grep CN

podman unshare chown 9000:9000 mar1test.org.pem

Prepare pod.yml file:

apiVersion: v1

kind: Pod

metadata:
  name: ejabberd

spec:

  containers:
  - name: ejabberd
    image: ghcr.io/processone/ejabberd:latest
    env:
    - name: EJABBERD_MACRO_HOST
      value: mar1test.org
    - name: EJABBERD_MACRO_ADMIN
      value: admin@mar1test.org
    - name: REGISTER_ADMIN_PASSWORD
      value: someP4ss
    volumeMounts:
    - mountPath: /opt/ejabberd/conf/server.pem
      name: cert

  volumes:
  - name: cert
    hostPath:
      path: ./mar1test.org.pem
      type: File

Start the container:

podman play kube pod.yml --replace --wait

Now in another console, let's view the logs:

podman pod logs --color --latest --follow --names

2025-08-29 08:50:04.386 [warning]
  Invalid certificate in /opt/ejabberd/conf/server.pem:
  at line 53: self-signed certificate
2025-08-29 08:50:04.411 [warning]
  No certificate found matching pubsub.mar1test.org
2025-08-29 08:50:04.412 [warning]
  No certificate found matching conference.mar1test.org
2025-08-29 08:50:04.412 [warning]
  No certificate found matching upload.mar1test.org
2025-08-29 08:50:04.412 [warning]
  No certificate found matching proxy.mar1test.org

2025-08-29 08:50:04.414 [info]
  Requesting new certificate for pubsub.mar1test.org, conference.mar1test.org
  and 2 more hosts from https://acme-v02.api.letsencrypt.org/directory

As you can see, mar1test.org is no longer mentioned in the warnings, because we provided a valid certificate for it (even if it's self-signed and could be undesired, it is used and a warning is shown). Of course, now we should create certificates for the other domains, or add a wildcard.

Also notice that ACME is only triggered for the four domains that we didn't provide a certificate (not even a self-signed one)

[lucasl84]

Hi @badlop, thank you so much for your reply. It seems to be working. The reason why I opened this issue is because I've tried a LOT of different openssl commands to generate the certificates and none of them worked. I think it would be valuable to have a comment in ejabberd.yml where this is explained as the command that you shared (if not familiar with openssl) could be hard to come up with. Something like this (just above the certfiles option) should suffice and hopefully help others as well:

# If you want to use self-signed certificates for testing purposes you can
# use the following `openssl` command to generate them. You will need one for your
# server and one for each subdomain (conference.DOMAIN, proxy.DOMAIN, etc).
#
# If your domain is `example.com` then, in a BASH prompt run:
#
# host=example.com
# pem_file=$host.pem
# openssl req -x509 -batch -nodes -newkey rsa:4096 \
#     -keyout $pem_file -out $pem_file -days 3650 \
#     -new -utf8 -nameopt lname,sep_multiline,utf8 \
#     -addext "subjectAltName = DNS:$host" \
#     -subj "/CN=$host" > '/dev/null' 2>&1 || :
# openssl x509 -in $pem_file -noout -text | grep CN
#
# This will generate a self-signed certificate named `example.com.pem` which should be renamed
# to `server.pem` and referenced from the `certfiles` option, e.g:
#
# certfiles:
#   - /opt/ejabberd/conf/server.pem
#
# You should also re-run the above command to generate a certificate for each subdomain and
# get those referenced in `certfiles` as well.

Once again thanks for your answer,
Lucas.