"A certificate for the domain of this server is missing" error, despite the certificate is there

Hello, I seem to be facing some issue understanding how certificates work for the Openfire admin interface.

I do have a certificate installed using the certificate manager from Let’s Encrypt for exactly my domain and it seems to be picked up (please see the screenshot attached), but my admin UI still doesn’t work on port 9091 (the port is open) and I see this error message.

What am I missing here?

It seems to be related to another topic raised a few years ago by @Luksias, but there is no fix / response there.

Any help would be much appreciated!!

There are different names that the certificate should cover:

  • the fully qualified name of the server that is running Openfire (eg: the ‘URL’ that you use in your browser to load the admin console)
  • the XMPP domain name
  • some subdomains of the XMPP domain name (such as ‘conference’).
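To check those names concretely rather than by eye, here is an added example (not Openfire’s code, and not from anyone in this thread): a small Python script that pulls the admin console’s certificate with the openssl CLI (assumed on PATH, 1.1.1 or newer for the -ext option), extracts its DNS SANs, and lists which of the required names no SAN entry covers, applying the usual single-label wildcard rule. ‘conference’ is the only subdomain named above; the DEFAULT_SUBDOMAINS tuple and all function names are my own.

```python
"""List which names Openfire needs that a certificate's SANs do not cover.
Added example (not Openfire or certbot code)."""
import re
import subprocess
import sys

# Subdomains required on top of the XMPP domain. 'conference' is the one named in
# the thread; add others your deployment uses (assumption, not an Openfire list).
DEFAULT_SUBDOMAINS = ("conference",)


def _norm(name):
    return name.lower().rstrip(".")


def san_matches(san, name):
    """True if SAN entry `san` covers `name` under the usual TLS rules: exact
    match, or a '*' in the leftmost label covering exactly one label
    ('*.example.com' covers 'conference.example.com' but neither 'example.com'
    nor 'a.b.example.com')."""
    san, name = _norm(san), _norm(name)
    if not san.startswith("*."):
        return san == name
    suffix = san[1:]                      # ".example.com"
    if not name.endswith(suffix):
        return False
    left = name[:-len(suffix)]            # what the '*' has to stand for
    return left != "" and "." not in left


def required_names(server_fqdn, xmpp_domain, subdomains=DEFAULT_SUBDOMAINS):
    """Admin-console FQDN, XMPP domain, and its required subdomains, de-duplicated
    in that order (the FQDN is often the same as the XMPP domain)."""
    names = [server_fqdn, xmpp_domain] + [f"{s}.{xmpp_domain}" for s in subdomains]
    return list(dict.fromkeys(_norm(n) for n in names))


def missing_names(san_list, server_fqdn, xmpp_domain, subdomains=DEFAULT_SUBDOMAINS):
    """Required names that no SAN entry covers; an empty list means all covered."""
    return [n for n in required_names(server_fqdn, xmpp_domain, subdomains)
            if not any(san_matches(s, n) for s in san_list)]


_DNS_SAN = re.compile(r"DNS:([^,\s]+)")


def parse_san_output(text):
    """Pull DNS names out of `openssl x509 -ext subjectAltName` output."""
    return _DNS_SAN.findall(text)


def fetch_san_list(host, port=9091):
    """Fetch the live certificate from the admin console with the openssl CLI
    (assumed on PATH; -ext needs OpenSSL 1.1.1+) and return its DNS SANs."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=15)
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-ext", "subjectAltName"],
        input=s_client.stdout, capture_output=True, check=True)
    return parse_san_output(x509.stdout.decode())


if __name__ == "__main__":
    # usage: python check_sans.py <admin-console host> <xmpp domain>
    host, xmpp = sys.argv[1], sys.argv[2]
    sans = fetch_san_list(host)
    print("SANs on port 9091:", ", ".join(sans) or "(none)")
    gap = missing_names(sans, host, xmpp)
    print("not covered:", ", ".join(gap) if gap else "nothing, all required names present")
```

If the script reports the XMPP domain or conference.<domain> as not covered, the certificate Openfire picked up is simply for the wrong set of names, which is exactly what the error message in the title complains about.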

Have you restarted Openfire after importing the cert? You may have hit a minor issue that I’ve seen with cert manager.

Thank you, @guus !

How do I know all of the subdomains required?

I would love to just provide a wildcard certificate, but Let’s Encrypt lets me do it only via a DNS challenge (requiring DNS manipulations), which is troublesome, almost impossible in my case.

Wildcard with Let’s Encrypt is easier than you might think :) I’m currently doing it with little effort! If I can do it, anyone can! lol

Sure, I did a restart, a couple of times. It didn’t help.

Let’s Encrypt is easy indeed, but, as far as I understood, a wildcard can only be confirmed via a DNS challenge, which can’t be automated with many DNS providers, including mine, and having certificates managed manually is not an option for me.

You are correct. DNS is needed for a wildcard, but there is a way to work around a DNS provider that doesn’t support it and automate it all. I have a meeting, but I’ll be happy to help you out afterwards (60 min from this posting).


would love to get all the support I could, whenever you find it comfortable, thank you!

the catch is that you’ll need to write up some documentation/guide and post it here for others!

No problem, as I document steps for myself anyway.

Reverting back here as promised. Thanks @speedy for sharing this!

A wildcard certificate works only with the DNS challenge.

For this challenge to work, a certbot plugin is required, which will perform the DNS manipulations to satisfy the challenge.

If your provider doesn’t provide a certbot plugin, you can ‘redirect’ a specific sub-domain to a provider who supports it, which could be Digital Ocean.

Here are the (not yet tested) steps to make it work:

  • create a DNS zone [acme.MyDomain.com] at DO
  • create 3 NS records at the DeprecatedDNS provider for acme.MyDomain.com pointing to ns1,2,3.digitalocean.com
  • create a CNAME at the DeprecatedDNS provider for _acme-challenge.MyDomain.com that points to _acme-challenge.acme.MyDomain.com
  • use the certbot Digital Ocean plugin, as described here
  • pray, it should work

In my particular case I have found that Gandi has a certbot plugin: GitHub - obynio/certbot-plugin-gandi: Certbot plugin for authentication using Gandi LiveDNS, and hexonet seems to have a plugin as well: Authentication/cleanup hook for acme certbot to authenticate a domain via DNS-01 challenge and using hexonet API (ISP API) · GitHub

Gandi certbot howto

# install the Gandi LiveDNS authenticator plugin for certbot
sudo pip install certbot-plugin-gandi

# credentials file read by the plugin; APIKEY and SHARINGID are placeholders
sudo tee -a /etc/letsencrypt/gandi.ini > /dev/null <<EOT
# live dns v5 api key
dns_gandi_api_key=APIKEY

# optional organization id, remove it if not used
# dns_gandi_sharing_id=SHARINGID
EOT

# the file holds a DNS API key, so make it readable by root only
sudo chmod 600 /etc/letsencrypt/gandi.ini

# placeholder: set this to your own domain (MyDomain.com in the steps above)
DOMAIN_NAME=MyDomain.com

# request one certificate covering the apex and the wildcard; the wildcard
# is quoted so the shell does not expand it as a glob
sudo certbot certonly \
  --authenticator dns-gandi \
  --dns-gandi-credentials /etc/letsencrypt/gandi.ini \
  --server https://acme-v02.api.letsencrypt.org/directory \
  -d "$DOMAIN_NAME" -d "*.$DOMAIN_NAME"

I shall keep this post updated as I progress with more examples.
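To check the (not yet tested) delegation steps from the post above before running certbot, here is an added example, not certbot’s or DigitalOcean’s code and not from the original poster. It follows the _acme-challenge CNAME the way an ACME validator does, finds the nearest zone that has NS records, and compares those to the nameservers you expect. It runs against a constructed in-memory record table so it works offline; the dig commands in the comments are what you would run against real DNS. The record table, the TXT value and the function names are assumptions.

```python
"""Check the CNAME/NS delegation that hands _acme-challenge.<domain> to a second
DNS provider. Added example; runs against a constructed record table."""

# DigitalOcean's public nameservers, as named in the steps above.
DO_NS = ["ns1.digitalocean.com", "ns2.digitalocean.com", "ns3.digitalocean.com"]

# Constructed record table standing in for live DNS: {(name, type): [values]}.
# Real-world equivalents:
#   dig +short NS    acme.MyDomain.com
#   dig +short CNAME _acme-challenge.MyDomain.com
#   dig +short TXT   _acme-challenge.acme.MyDomain.com   (only during a challenge)
EXAMPLE_RECORDS = {
    ("acme.mydomain.com", "NS"): DO_NS,
    ("_acme-challenge.mydomain.com", "CNAME"): ["_acme-challenge.acme.mydomain.com"],
    ("_acme-challenge.acme.mydomain.com", "TXT"): ["constructed-challenge-token"],
}


def _norm(name):
    return name.lower().rstrip(".")


def lookup(records, name, rtype):
    return [_norm(v) for v in records.get((_norm(name), rtype), [])]


def resolve_cname_chain(records, name, max_hops=8):
    """Follow CNAMEs from `name` and return (final_name, chain).
    Loops and over-long chains raise ValueError instead of spinning."""
    chain = [_norm(name)]
    for _ in range(max_hops):
        targets = lookup(records, chain[-1], "CNAME")
        if not targets:
            return chain[-1], chain
        if targets[0] in chain:
            raise ValueError("CNAME loop: " + " -> ".join(chain + [targets[0]]))
        chain.append(targets[0])
    raise ValueError("CNAME chain longer than %d hops" % max_hops)


def enclosing_zone_with_ns(records, name):
    """Walk up the labels of `name` to the nearest ancestor that has NS records."""
    labels = _norm(name).split(".")
    for i in range(1, len(labels)):
        zone = ".".join(labels[i:])
        ns = lookup(records, zone, "NS")
        if ns:
            return zone, ns
    return None, []


def check_acme_delegation(records, domain, delegated_zone, expected_ns, expect_txt=False):
    """Return a list of problems; an empty list means the delegation looks right."""
    domain, delegated_zone = _norm(domain), _norm(delegated_zone)
    challenge = f"_acme-challenge.{domain}"
    wanted = f"_acme-challenge.{delegated_zone}"
    problems = []

    final, _chain = resolve_cname_chain(records, challenge)
    if final == challenge:
        problems.append(f"{challenge} has no CNAME, so the challenge is still "
                        f"served by the old provider")
    elif final != wanted:
        problems.append(f"{challenge} resolves to {final}, expected {wanted}")

    zone, ns = enclosing_zone_with_ns(records, final)
    if zone != delegated_zone:
        problems.append(f"no NS delegation for {delegated_zone} "
                        f"(nearest zone with NS: {zone or 'none'})")
    elif set(ns) != {_norm(n) for n in expected_ns}:
        problems.append(f"NS for {delegated_zone} are {sorted(ns)}, "
                        f"expected {sorted(_norm(n) for n in expected_ns)}")

    # During a live challenge the validator must find the TXT record at the end
    # of the chain; before certbot runs it is normal for it to be absent.
    if expect_txt and not lookup(records, final, "TXT"):
        problems.append(f"no TXT record at {final}")
    return problems


if __name__ == "__main__":
    found = check_acme_delegation(EXAMPLE_RECORDS, "MyDomain.com",
                                  "acme.MyDomain.com", DO_NS, expect_txt=True)
    print("\n".join(found) or "delegation for MyDomain.com looks right")
```

The two checks that matter are the ones the steps can get wrong silently: a missing or mistyped CNAME leaves the challenge at the old provider (where certbot’s plugin never writes the TXT record), and NS records that point somewhere other than the delegated provider mean the TXT record gets written to a zone nobody is authoritative for.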