Introduce 'certfiles' global option

The option is supposed to replace existing options 'c2s_certfile', 's2s_certfile' and 'domain_certfile'. The option accepts a list of file paths (optionally with wildcards "*") containing either PEM certificates or PEM private keys. At startup, ejabberd sorts the certificates, finds matching private keys and rebuilds full certificates chains which can be used by fast_tls. Example: certfiles: - "/etc/letsencrypt/live/example.org/*.pem" - "/etc/letsencrypt/live/example.com/*.pem"
2017-11-01 00:20:27 +03:00 · 2017-11-01 00:20:27 +03:00 · 35b7203e01
parent efc4996625
commit 35b7203e01
6 changed files with 317 additions and 135 deletions
--- a/ejabberd.yml.example
+++ b/ejabberd.yml.example
@ -108,7 +108,6 @@ hosts:
 ## Define common macros used by listeners
 ## define_macro:
 ##   'CERTFILE': "/path/to/xmpp.pem"
 ##   'CIPHERS': "ECDH:DH:!3DES:!aNULL:!eNULL:!MEDIUM@STRENGTH"
 ##   'TLSOPTS':
 ##     - "no_sslv2"
@ -130,11 +129,9 @@ listen:
    module: ejabberd_c2s
    ##
    ## If TLS is compiled in and you installed a SSL
-    ## certificate, specify the full path to the
+    ## certificate, uncomment these lines:
    ## file and uncomment these lines:
    ##
    ## starttls: true
    ## certfile: 'CERTFILE'
    ## protocol_options: 'TLSOPTS'
    ## dhfile: 'DHFILE'
    ## ciphers: 'CIPHERS'
@ -219,7 +216,7 @@ listen:
  ##   request_handlers:
  ##     "": mod_http_upload
  ##   tls: true
-  ##   certfile: 'CERTFILE'
+  ##   certfile: "/path/to/xmpp.pem"
  ##   protocol_options: 'TLSOPTS'
  ##   dhfile: 'DHFILE'
  ##   ciphers: 'CIPHERS'
@ -228,34 +225,31 @@ listen:
 ## password storage (see auth_password_format option).
 ## disable_sasl_mechanisms: "digest-md5"
 ###.  ============
 ###'  Certificates
 ## List all available PEM files containing certificates for your domains,
 ## chains of certificates or certificate keys. Full chains will be built
 ## automatically by ejabberd.
 ##
 ## certfiles:
 ##   - "/etc/letsencrypt/live/example.org/*.pem"
 ##   - "/etc/letsencrypt/live/example.com/*.pem"
 ###.  ==================
 ###'  S2S GLOBAL OPTIONS
 ##
 ## s2s_use_starttls: Enable STARTTLS for S2S connections.
 ## Allowed values are: false, optional or required
-## You must specify a certificate file.
+## You must specify 'certfiles' option
 ##
 ## s2s_use_starttls: required
 ##
 ## s2s_certfile: Specify a certificate file.
 ##
 ## s2s_certfile: 'CERTFILE'
 ## Custom OpenSSL options
 ##
 ## s2s_protocol_options: 'TLSOPTS'
 ##
 ## domain_certfile: Specify a different certificate for each served hostname.
 ##
 ## host_config:
 ##   "example.org":
 ##     domain_certfile: "/path/to/example_org.pem"
 ##   "example.com":
 ##     domain_certfile: "/path/to/example_com.pem"
 ##
 ## S2S whitelist or blacklist
 ##
--- a/rebar.config
+++ b/rebar.config
@ -30,6 +30,7 @@
        {jiffy, ".*", {git, "https://github.com/davisp/jiffy", {tag, "0.14.8"}}},
        {p1_oauth2, ".*", {git, "https://github.com/processone/p1_oauth2", {tag, "0.6.2"}}},
        {luerl, ".*", {git, "https://github.com/rvirding/luerl", {tag, "v0.2"}}},
 	{fs, ".*", {git, "https://github.com/synrc/fs.git", {tag, "2.12.0"}}},
 	{if_var_true, stun, {stun, ".*", {git, "https://github.com/processone/stun", {tag, "1.0.15"}}}},
 	{if_var_true, sip, {esip, ".*", {git, "https://github.com/processone/esip", {tag, "1.0.16"}}}},
        {if_var_true, mysql, {p1_mysql, ".*", {git, "https://github.com/processone/p1_mysql",
--- a/src/ejabberd_c2s.erl
+++ b/src/ejabberd_c2s.erl
@ -302,10 +302,7 @@ tls_options(#{lserver := LServer, tls_options := DefaultOpts,
    TLSOpts1 = case {Encrypted, proplists:get_value(certfile, DefaultOpts)} of
 		   {true, CertFile} when CertFile /= undefined -> DefaultOpts;
 		   {_, _} ->
-		       case ejabberd_config:get_option(
+		       case get_certfile(LServer) of
 			      {domain_certfile, LServer},
 			      ejabberd_config:get_option(
 				{c2s_certfile, LServer})) of
 			   undefined -> DefaultOpts;
 			   CertFile -> lists:keystore(certfile, 1, DefaultOpts,
 						      {certfile, CertFile})
@ -928,6 +925,17 @@ format_reason(_, {shutdown, _}) ->
 format_reason(_, _) ->
    <<"internal server error">>.
 -spec get_certfile(binary()) -> file:filename_all().
 get_certfile(LServer) ->
    case ejabberd_pkix:get_certfile(LServer) of
 	{ok, CertFile} ->
 	    CertFile;
 	error ->
 	    ejabberd_config:get_option(
 	      {domain_certfile, LServer},
 	      ejabberd_config:get_option({c2s_certfile, LServer}))
    end.
 transform_listen_option(Opt, Opts) ->
    [Opt|Opts].
@ -941,7 +949,11 @@ transform_listen_option(Opt, Opts) ->
 	      (resource_conflict) -> fun((resource_conflict()) -> resource_conflict());
 	      (disable_sasl_mechanisms) -> fun((binary() | [binary()]) -> [binary()]);
 	      (atom()) -> [atom()].
-opt_type(c2s_certfile) -> fun misc:try_read_file/1;
+opt_type(c2s_certfile = Opt) ->
    fun(File) ->
 	    ?WARNING_MSG("option '~s' is deprecated, use 'certfiles' instead", [Opt]),
 	    misc:try_read_file(File)
    end;
 opt_type(c2s_ciphers) -> fun iolist_to_binary/1;
 opt_type(c2s_dhfile) -> fun misc:try_read_file/1;
 opt_type(c2s_cafile) -> fun misc:try_read_file/1;
--- a/src/ejabberd_config.erl
+++ b/src/ejabberd_config.erl
@ -1417,8 +1417,11 @@ opt_type(cache_life_time) ->
       (infinity) -> infinity;
       (unlimited) -> infinity
    end;
-opt_type(domain_certfile) ->
+opt_type(domain_certfile = Opt) ->
-    fun misc:try_read_file/1;
+    fun(File) ->
 	    ?WARNING_MSG("option '~s' is deprecated, use 'certfiles' instead", [Opt]),
 	    misc:try_read_file(File)
    end;
 opt_type(shared_key) ->
    fun iolist_to_binary/1;
 opt_type(node_start) ->
--- a/src/ejabberd_pkix.erl
+++ b/src/ejabberd_pkix.erl
@ -27,7 +27,8 @@
 %% API
 -export([start_link/0, add_certfile/1, format_error/1, opt_type/1,
-	 get_certfile/1, try_certfile/1, route_registered/1]).
+	 get_certfile/1, try_certfile/1, route_registered/1,
 	 config_reloaded/0]).
 %% gen_server callbacks
 -export([init/1, handle_call/3, handle_cast/2, handle_info/2,
 	 terminate/2, code_change/3]).
@ -37,9 +38,11 @@
 -include("jid.hrl").
 -record(state, {validate = true :: boolean(),
-		certs = #{}}).
+		paths = [] :: [file:filename()],
-record(cert_state, {domains = [] :: [binary()]}).
+		certs = #{} :: map(),
 		keys = [] :: [public_key:private_key()]}).
 -type state() :: #state{}.
 -type cert() :: #'OTPCertificate'{}.
 -type priv_key() :: public_key:private_key().
 -type pub_key() :: #'RSAPublicKey'{} | {integer(), #'Dss-Parms'{}} | #'ECPoint'{}.
@ -62,8 +65,8 @@ add_certfile(Path) ->
 -spec try_certfile(filename:filename()) -> binary().
 try_certfile(Path0) ->
    Path = prep_path(Path0),
-    case mk_cert_state(Path, false) of
+    case load_certfile(Path) of
-	{ok, _} -> Path;
+	{ok, _, _} -> Path;
 	{error, _} -> erlang:error(badarg)
    end.
@ -78,14 +81,14 @@ format_error(not_pem) ->
 format_error(not_der) ->
    "failed to decode from DER format";
 format_error(encrypted) ->
-    "encrypted certificate found in the chain";
+    "encrypted certificate";
 format_error({bad_cert, cert_expired}) ->
    "certificate is no longer valid as its expiration date has passed";
 format_error({bad_cert, invalid_issuer}) ->
    "certificate issuer name does not match the name of the "
-	"issuer certificate in the chain";
+	"issuer certificate";
 format_error({bad_cert, invalid_signature}) ->
-    "certificate was not signed by its issuer certificate in the chain";
+    "certificate was not signed by its issuer certificate";
 format_error({bad_cert, name_not_permitted}) ->
    "invalid Subject Alternative Name extension";
 format_error({bad_cert, missing_basic_constraint}) ->
@ -95,7 +98,7 @@ format_error({bad_cert, invalid_key_usage}) ->
    "certificate key is used in an invalid way according "
 	"to the key-usage extension";
 format_error({bad_cert, selfsigned_peer}) ->
-    "self-signed certificate in the chain";
+    "self-signed certificate";
 format_error({bad_cert, unknown_sig_algo}) ->
    "certificate is signed using unknown algorithm";
 format_error({bad_cert, unknown_ca}) ->
@ -139,18 +142,29 @@ get_certfile(Domain) ->
 start_link() ->
    gen_server:start_link({local, ?MODULE}, ?MODULE, [], []).
 config_reloaded() ->
    gen_server:cast(?MODULE, config_reloaded).
 opt_type(ca_path) ->
    fun(Path) -> iolist_to_binary(Path) end;
 opt_type(certfiles) ->
    fun(CertList) ->
 	    [binary_to_list(Path) || Path <- CertList]
    end;
 opt_type(_) ->
-    [ca_path].
+    [ca_path, certfiles].
 %%%===================================================================
 %%% gen_server callbacks
 %%%===================================================================
 init([]) ->
    application:load(fs),
    application:set_env(fs, backwards_compatible, false),
    ejabberd:start_app(fs),
    process_flag(trap_exit, true),
    ets:new(?MODULE, [named_table, public, bag]),
    ejabberd_hooks:add(route_registered, ?MODULE, route_registered, 50),
    ejabberd_hooks:add(config_reloaded, ?MODULE, config_reloaded, 30),
    Validate = case os:type() of
 		   {win32, _} -> false;
 		   _ ->
@ -162,34 +176,74 @@ init([]) ->
       true -> ok
    end,
    State = #state{validate = Validate},
-    {ok, add_certfiles(State)}.
+    case filelib:ensure_dir(filename:join(certs_dir(), "foo")) of
 	ok ->
 	    clean_dir(certs_dir()),
 	    case add_certfiles(State) of
 		{ok, State1} ->
 		    {ok, State1};
 		{error, Why} ->
 		    {stop, Why}
 	    end;
 	{error, Why} ->
 	    ?CRITICAL_MSG("Failed to create directory ~s: ~s",
 			  [certs_dir(), file:format_error(Why)]),
 	    {stop, Why}
    end.
 handle_call({add_certfile, Path}, _, State) ->
    {Result, NewState} = add_certfile(Path, State),
    {reply, Result, NewState};
 handle_call({route_registered, Host}, _, State) ->
-    NewState = add_certfiles(Host, State),
+    case add_certfiles(Host, State) of
-    case get_certfile(Host) of
+	{ok, NewState} ->
-	{ok, _} -> ok;
+	    case get_certfile(Host) of
-	error ->
+		{ok, _} -> ok;
-	    ?WARNING_MSG("No certificate found matching '~s': strictly "
+		error ->
-			 "configured clients or servers will reject "
+		    ?WARNING_MSG("No certificate found matching '~s': strictly "
-			 "connections with this host", [Host])
+				 "configured clients or servers will reject "
-    end,
+				 "connections with this host", [Host])
-    {reply, ok, NewState};
+	    end,
 	    {reply, ok, NewState};
 	{error, _} ->
 	    {reply, ok, State}
    end;
 handle_call(_Request, _From, State) ->
    Reply = ok,
    {reply, Reply, State}.
 handle_cast(config_reloaded, State) ->
    State1 = State#state{paths = [], certs = #{}, keys = []},
    case add_certfiles(State1) of
 	{ok, State2} ->
 	    {noreply, State2};
 	{error, _} ->
 	    {noreply, State}
    end;
 handle_cast(_Msg, State) ->
    {noreply, State}.
 handle_info({_, {fs, file_event}, {File, Events}}, State) ->
    ?DEBUG("got FS events for ~s: ~p", [File, Events]),
    Path = iolist_to_binary(File),
    case lists:member(modified, Events) of
 	true ->
 	    case lists:member(Path, State#state.paths) of
 		true ->
 		    handle_cast(config_reloaded, State);
 		false ->
 		    {noreply, State}
 	    end;
 	false ->
 	    {noreply, State}
    end;
 handle_info(_Info, State) ->
    ?WARNING_MSG("unexpected info: ~p", [_Info]),
    {noreply, State}.
 terminate(_Reason, _State) ->
-    ejabberd_hooks:delete(route_registered, ?MODULE, route_registered, 50).
+    ejabberd_hooks:delete(route_registered, ?MODULE, route_registered, 50),
    ejabberd_hooks:delete(config_reloaded, ?MODULE, config_reloaded, 30).
 code_change(_OldVsn, State, _Extra) ->
    {ok, State}.
@ -197,73 +251,150 @@ code_change(_OldVsn, State, _Extra) ->
 %%%===================================================================
 %%% Internal functions
 %%%===================================================================
 -spec certfiles_from_config_options() -> [atom()].
 certfiles_from_config_options() ->
    [c2s_certfile, s2s_certfile, domain_certfile].
 -spec get_certfiles_from_config_options(state()) -> [binary()].
 get_certfiles_from_config_options(State) ->
    Global = case ejabberd_config:get_option(certfiles) of
 		 undefined ->
 		     [];
 		 Paths ->
 		     lists:flatmap(fun filelib:wildcard/1, Paths)
 	     end,
    Local = lists:flatmap(
 	      fun(OptHost) ->
 		      case ejabberd_config:get_option(OptHost) of
 			  undefined -> [];
 			  Path -> [Path]
 		      end
 	      end, [{Opt, Host}
 		    || Opt <- certfiles_from_config_options(),
 		       Host <- ejabberd_config:get_myhosts()]),
    [iolist_to_binary(P) || P <- lists:usort(Local ++ Global)].
 -spec add_certfiles(state()) -> {ok, state()} | {error, bad_cert()}.
 add_certfiles(State) ->
-    lists:foldl(
+    Paths = get_certfiles_from_config_options(State),
-      fun(Host, AccState) ->
+    State1 = lists:foldl(
-	      add_certfiles(Host, AccState)
+	       fun(Path, Acc) ->
-      end, State, ejabberd_config:get_myhosts()).
+		       {_, NewAcc} = add_certfile(Path, Acc),
 		       NewAcc
 	       end, State, Paths),
    case build_chain_and_check(State1) of
 	ok -> {ok, State1};
 	{error, _} = Err -> Err
    end.
 -spec add_certfiles(binary(), state()) -> {ok, state()} | {error, bad_cert()}.
 add_certfiles(Host, State) ->
-    lists:foldl(
+    State1 = lists:foldl(
-      fun(Opt, AccState) ->
+	       fun(Opt, AccState) ->
-	      case ejabberd_config:get_option({Opt, Host}) of
+		       case ejabberd_config:get_option({Opt, Host}) of
-		  undefined -> AccState;
+			   undefined -> AccState;
-		  Path ->
+			   Path ->
-		      {_, NewAccState} = add_certfile(Path, AccState),
+			       {_, NewAccState} = add_certfile(Path, AccState),
-		      NewAccState
+			       NewAccState
-	      end
+		       end
-      end, State, [c2s_certfile, s2s_certfile, domain_certfile]).
+	       end, State, certfiles_from_config_options()),
    if State /= State1 ->
 	    case build_chain_and_check(State1) of
 		ok -> {ok, State1};
 		{error, _} = Err -> Err
 	    end;
       true ->
 	    {ok, State}
    end.
 -spec add_certfile(file:filename_all(), state()) -> {ok, state()} |
 						    {{error, cert_error()}, state()}.
 add_certfile(Path, State) ->
-    case maps:get(Path, State#state.certs, undefined) of
+    case lists:member(Path, State#state.paths) of
-	#cert_state{} ->
+	true ->
 	    {ok, State};
-	undefined ->
+	false ->
-	    case mk_cert_state(Path, State#state.validate) of
+	    case load_certfile(Path) of
-		{error, Reason} ->
+		{ok, Certs, Keys} ->
-		    {{error, Reason}, State};
+		    NewCerts = lists:foldl(
-		{ok, CertState} ->
+				 fun(Cert, Acc) ->
-		    NewCerts = maps:put(Path, CertState, State#state.certs),
+					 maps:put(Cert, Path, Acc)
-		    lists:foreach(
+				 end, State#state.certs, Certs),
-		      fun(Domain) ->
+		    {ok, State#state{paths = [Path|State#state.paths],
-			      ets:insert(?MODULE, {Domain, Path})
+				     certs = NewCerts,
-		      end, CertState#cert_state.domains),
+				     keys = Keys ++ State#state.keys}};
-		    {ok, State#state{certs = NewCerts}}
+		{error, Why} = Err ->
 		    ?ERROR_MSG("failed to read certificate from ~s: ~s",
 			       [Path, format_error(Why)]),
 		    {Err, State}
 	    end
    end.
-mk_cert_state(Path, Validate) ->
+-spec build_chain_and_check(state()) -> ok | {error, bad_cert()}.
-    case check_certfile(Path, Validate) of
+build_chain_and_check(State) ->
-	{ok, Ds} ->
+    ?DEBUG("Rebuilding certificate chains from ~s",
-	    {ok, #cert_state{domains = Ds}};
+	   [str:join(State#state.paths, <<", ">>)]),
-	{invalid, Ds, {bad_cert, _} = Why} ->
+    CertPaths = get_cert_paths(maps:keys(State#state.certs)),
-	    ?WARNING_MSG("certificate from ~s is invalid: ~s",
+    case match_cert_keys(CertPaths, State#state.keys) of
-			 [Path, format_error(Why)]),
+	{ok, Chains} ->
-	    {ok, #cert_state{domains = Ds}};
+	    CertFilesWithDomains = store_certs(Chains, []),
-	{error, Why} = Err ->
+	    ets:delete_all_objects(?MODULE),
-	    ?ERROR_MSG("failed to read certificate from ~s: ~s",
+	    lists:foreach(
 	      fun({Path, Domain}) ->
 		      ets:insert(?MODULE, {Domain, Path})
 	      end, CertFilesWithDomains),
 	    Errors = validate(CertPaths, State#state.validate),
 	    subscribe(State),
 	    lists:foreach(
 	      fun({Cert, Why}) ->
 		      Path = maps:get(Cert, State#state.certs),
 		      ?ERROR_MSG("Failed to validate certificate from ~s: ~s",
 				 [Path, format_error(Why)])
 	      end, Errors);
 	{error, Cert, Why} ->
 	    Path = maps:get(Cert, State#state.certs),
 	    ?ERROR_MSG("Failed to build certificate chain for ~s: ~s",
 		       [Path, format_error(Why)]),
-	    Err
+	    {error, Why}
    end.
-spec check_certfile(filename:filename(), boolean())
+-spec store_certs([{[cert()], priv_key()}],
-      -> {ok, [binary()]} | {invalid, [binary()], bad_cert()} |
+		  [{binary(), binary()}]) -> [{binary(), binary()}].
-	 {error, cert_error() | file:posix()}.
+store_certs([{Certs, Key}|Chains], Acc) ->
-check_certfile(Path, Validate) ->
+    CertPEMs = public_key:pem_encode(
 		 lists:map(
 		   fun(Cert) ->
 			   Type = element(1, Cert),
 			   DER = public_key:pkix_encode(Type, Cert, otp),
 			   {'Certificate', DER, not_encrypted}
 		   end, Certs)),
    KeyPEM = public_key:pem_encode(
 	       [{element(1, Key),
 		 public_key:der_encode(element(1, Key), Key),
 		 not_encrypted}]),
    PEMs = <<CertPEMs/binary, KeyPEM/binary>>,
    Cert = hd(Certs),
    Domains = xmpp_stream_pkix:get_cert_domains(Cert),
    FileName = filename:join(certs_dir(), str:sha(PEMs)),
    case file:write_file(FileName, PEMs) of
 	ok ->
 	    file:change_mode(FileName, 8#600),
 	    NewAcc = [{FileName, Domain} || Domain <- Domains] ++ Acc,
 	    store_certs(Chains, NewAcc);
 	{error, Why} ->
 	    ?ERROR_MSG("Failed to write to ~s: ~s",
 		       [FileName, file:format_error(Why)]),
 	    store_certs(Chains, [])
    end;
 store_certs([], Acc) ->
    Acc.
 -spec load_certfile(file:filename_all()) -> {ok, [cert()], [priv_key()]} |
 					    {error, cert_error() | file:posix()}.
 load_certfile(Path) ->
    try
 	{ok, Data} = file:read_file(Path),
-	{ok, Certs, PrivKeys} = pem_decode(Data),
+	pem_decode(Data)
 	CertPaths = get_cert_paths(Certs),
 	Domains = get_domains(CertPaths),
 	case match_cert_keys(CertPaths, PrivKeys) of
 	    {ok, _} ->
 		case validate(CertPaths, Validate) of
 		    ok -> {ok, Domains};
 		    {error, Why} -> {invalid, Domains, Why}
 		end;
 	    {error, Why} ->
 		{invalid, Domains, Why}
 	end
    catch _:{badmatch, {error, _} = Err} ->
 	    Err
    end.
@ -281,7 +412,7 @@ pem_decode(Data) ->
 			   fun(#'OTPCertificate'{}) -> true;
 			      (_) -> false
 			   end, Objects) of
-			{[], _} ->
+			{[], []} ->
 			    {error, not_cert};
 			{Certs, PrivKeys} ->
 			    {ok, Certs, PrivKeys}
@ -331,41 +462,44 @@ decode_certs(PemEntries) ->
 	    {error, not_der}
    end.
-spec validate([{path, [cert()]}], boolean()) -> ok | {error, bad_cert()}.
+-spec validate([{path, [cert()]}], boolean()) -> [{cert(), bad_cert()}].
-validate([{path, Path}|Paths], true) ->
+validate(Paths, true) ->
-    case validate_path(Path) of
+    lists:flatmap(
-	ok ->
+      fun({path, Path}) ->
-	    validate(Paths, true);
+	      case validate_path(Path) of
-	Err ->
+		  ok ->
-	    Err
+		      [];
-    end;
+		  {error, Cert, Reason} ->
 		      [{Cert, Reason}]
 	      end
      end, Paths);
 validate(_, _) ->
    ok.
-spec validate_path([cert()]) -> ok | {error, bad_cert()}.
+-spec validate_path([cert()]) -> ok | {error, cert(), bad_cert()}.
 validate_path([Cert|_] = Certs) ->
    case find_local_issuer(Cert) of
 	{ok, IssuerCert} ->
 	    try public_key:pkix_path_validation(IssuerCert, Certs, []) of
 		{ok, _} ->
 		    ok;
-		Err ->
+		{error, Reason} ->
-		    Err
+		    {error, Cert, Reason}
 	    catch error:function_clause ->
 		    case erlang:get_stacktrace() of
 			[{public_key, pkix_sign_types, _, _}|_] ->
-			    {error, {bad_cert, unknown_sig_algo}};
+			    {error, Cert, {bad_cert, unknown_sig_algo}};
 			ST ->
 			    %% Bug in public_key application
 			    erlang:raise(error, function_clause, ST)
 		    end
 	    end;
-	{error, _} = Err ->
+	{error, Reason} ->
 	    case public_key:pkix_is_self_signed(Cert) of
 		true ->
-		    {error, {bad_cert, selfsigned_peer}};
+		    {error, Cert, {bad_cert, selfsigned_peer}};
 		false ->
-		    Err
+		    {error, Cert, Reason}
 	    end
    end.
@ -373,6 +507,25 @@ validate_path([Cert|_] = Certs) ->
 ca_dir() ->
    ejabberd_config:get_option(ca_path, "/etc/ssl/certs").
 -spec certs_dir() -> string().
 certs_dir() ->
    MnesiaDir = mnesia:system_info(directory),
    filename:join(MnesiaDir, "certs").
 -spec clean_dir(file:filename_all()) -> ok.
 clean_dir(Dir) ->
    ?DEBUG("Cleaning directory ~s", [Dir]),
    Files = filelib:wildcard(filename:join(Dir, "*")),
    lists:foreach(
      fun(Path) ->
 	      case filelib:is_file(Path) of
 		  true ->
 		      file:delete(Path);
 		  false ->
 		      ok
 	      end
      end, Files).
 -spec check_ca_dir() -> ok.
 check_ca_dir() ->
    case filelib:wildcard(filename:join(ca_dir(), "*.0")) of
@ -424,13 +577,13 @@ match_cert_keys(CertPaths, PrivKeys) ->
 -spec match_cert_keys([{path, [cert()]}], [{pub_key(), priv_key()}],
 		      [{cert(), priv_key()}])
-      -> {ok, [{cert(), priv_key()}]} | {error, {bad_cert, missing_priv_key}}.
+      -> {ok, [{[cert()], priv_key()}]} | {error, cert(), {bad_cert, missing_priv_key}}.
 match_cert_keys([{path, Certs}|CertPaths], KeyPairs, Result) ->
    [Cert|_] = RevCerts = lists:reverse(Certs),
    PubKey = pubkey_from_cert(Cert),
    case lists:keyfind(PubKey, 1, KeyPairs) of
 	false ->
-	    {error, {bad_cert, missing_priv_key}};
+	    {error, Cert, {bad_cert, missing_priv_key}};
 	{_, PrivKey} ->
 	    match_cert_keys(CertPaths, KeyPairs, [{RevCerts, PrivKey}|Result])
    end;
@ -465,15 +618,6 @@ pubkey_from_privkey(#'DSAPrivateKey'{p = P, q = Q, g = G, y = Y}) ->
 pubkey_from_privkey(#'ECPrivateKey'{publicKey = Key}) ->
    #'ECPoint'{point = Key}.
 -spec get_domains([{path, [cert()]}]) -> [binary()].
 get_domains(CertPaths) ->
    lists:usort(
      lists:flatmap(
 	fun({path, Certs}) ->
 		Cert = lists:last(Certs),
 		xmpp_stream_pkix:get_cert_domains(Cert)
 	end, CertPaths)).
 -spec get_cert_paths([cert()]) -> [{path, [cert()]}].
 get_cert_paths(Certs) ->
    G = digraph:new([acyclic]),
@ -533,3 +677,18 @@ short_name_hash(IssuerID) ->
 short_name_hash(_) ->
    "".
 -endif.
 -spec subscribe(state()) -> ok.
 subscribe(State) ->
    lists:foreach(
      fun(Path) ->
 	      Dir = filename:dirname(Path),
 	      Name = list_to_atom(integer_to_list(erlang:phash2(Dir))),
 	      case fs:start_link(Name, Dir) of
 		  {ok, _} ->
 		      ?DEBUG("Subscribed to FS events from ~s", [Dir]),
 		      fs:subscribe(Name);
 		  {error, _} ->
 		      ok
 	      end
      end, State#state.paths).
--- a/src/ejabberd_s2s.erl
+++ b/src/ejabberd_s2s.erl
@ -198,13 +198,11 @@ dirty_get_connections() ->
 -spec tls_options(binary(), [proplists:property()]) -> [proplists:property()].
 tls_options(LServer, DefaultOpts) ->
-    TLSOpts1 = case ejabberd_config:get_option(
+    TLSOpts1 = case get_certfile(LServer) of
 		      {domain_certfile, LServer},
 		      ejabberd_config:get_option(
 			{s2s_certfile, LServer})) of
 		   undefined -> DefaultOpts;
-		   CertFile -> lists:keystore(certfile, 1, DefaultOpts,
+		   CertFile ->
-					      {certfile, CertFile})
+		       lists:keystore(certfile, 1, DefaultOpts,
 				      {certfile, CertFile})
 	       end,
    TLSOpts2 = case ejabberd_config:get_option(
 		      {s2s_ciphers, LServer}) of
@ -269,6 +267,17 @@ queue_type(LServer) ->
      {s2s_queue_type, LServer},
      ejabberd_config:default_queue_type(LServer)).
 -spec get_certfile(binary()) -> file:filename_all().
 get_certfile(LServer) ->
    case ejabberd_pkix:get_certfile(LServer) of
 	{ok, CertFile} ->
 	    CertFile;
 	error ->
 	    ejabberd_config:get_option(
 	      {domain_certfile, LServer},
 	      ejabberd_config:get_option({s2s_certfile, LServer}))
    end.
 %%====================================================================
 %% gen_server callbacks
 %%====================================================================
@ -711,7 +720,11 @@ opt_type(route_subdomains) ->
    end;
 opt_type(s2s_access) ->
    fun acl:access_rules_validator/1;
-opt_type(s2s_certfile) -> fun misc:try_read_file/1;
+opt_type(s2s_certfile = Opt) ->
    fun(File) ->
 	    ?WARNING_MSG("option '~s' is deprecated, use 'certfiles' instead", [Opt]),
 	    misc:try_read_file(File)
    end;
 opt_type(s2s_ciphers) -> fun iolist_to_binary/1;
 opt_type(s2s_dhfile) -> fun misc:try_read_file/1;
 opt_type(s2s_cafile) -> fun misc:try_read_file/1;