Certificate manager does not work

bashkim · March 10, 2021, 5:09pm

Installed certificate manager
Copied letsencrypt certs to the hotdeploy folder.
In the logs, it notices a change but then it does neither install the new cert nor does it delete the files as checked off in its configuration.
What does the plugin need to work?
Am I doomed to manually renew the certs every 3 months?

2021.03.10 12:01:16 INFO  [pool-3-thread-1]: org.jivesoftware.openfire.keystore.CertificateStoreWatcher - A file system change was detected. A(nother) certificate store that is backed by file 'C:\Program Files (x86)\Openfire\resources\security\keystore' will be reloaded.
2021.03.10 12:01:16 INFO  [pool-3-thread-1]: org.jivesoftware.openfire.spi.ConnectionListener[socket_c2s] - Reconfigured.
2021.03.10 12:01:16 INFO  [pool-3-thread-1]: org.jivesoftware.openfire.spi.ConnectionListener[socket_c2s-legacyMode] - Reconfigured.
2021.03.10 12:01:16 INFO  [pool-3-thread-1]: org.jivesoftware.openfire.spi.ConnectionListener[socket_s2s-legacyMode] - Reconfigured.
2021.03.10 12:01:16 INFO  [pool-3-thread-1]: org.jivesoftware.openfire.spi.ConnectionListener[connection_manager-legacyMode] - Reconfigured.
2021.03.10 12:01:16 INFO  [pool-3-thread-1]: org.jivesoftware.openfire.http.HttpSessionManager - Stopping instance
2021.03.10 12:01:16 INFO  [pool-3-thread-1]: org.jivesoftware.openfire.http.HttpBindManager - HTTP bind service stopped
2021.03.10 12:01:16 INFO  [pool-3-thread-1]: org.jivesoftware.openfire.http.HttpSessionManager - Starting instance
2021.03.10 12:01:16 INFO  [pool-3-thread-1]: org.jivesoftware.openfire.http.HttpBindManager - HTTP bind service started
2021.03.10 12:02:23 INFO  [Jetty-QTP-AdminConsole-29]: org.jivesoftware.openfire.keystore.IdentityStore - Installed a new private key and corresponding certificate chain.
2021.03.10 12:02:23 INFO  [pool-3-thread-1]: org.jivesoftware.openfire.keystore.CertificateStoreWatcher - A file system change was detected. A(nother) certificate store that is backed by file 'C:\Program Files (x86)\Openfire\resources\security\keystore' will be reloaded.
2021.03.10 12:02:23 INFO  [pool-3-thread-1]: org.jivesoftware.openfire.spi.ConnectionListener[socket_c2s] - Reconfigured.
2021.03.10 12:02:23 INFO  [pool-3-thread-1]: org.jivesoftware.openfire.spi.ConnectionListener[socket_c2s-legacyMode] - Reconfigured.
2021.03.10 12:02:23 INFO  [pool-3-thread-1]: org.jivesoftware.openfire.spi.ConnectionListener[socket_s2s-legacyMode] - Reconfigured.
2021.03.10 12:02:23 INFO  [pool-3-thread-1]: org.jivesoftware.openfire.spi.ConnectionListener[connection_manager-legacyMode] - Reconfigured.
2021.03.10 12:02:23 INFO  [pool-3-thread-1]: org.jivesoftware.openfire.http.HttpSessionManager - Stopping instance
2021.03.10 12:02:23 INFO  [pool-3-thread-1]: org.jivesoftware.openfire.http.HttpBindManager - HTTP bind service stopped
2021.03.10 12:02:23 INFO  [pool-3-thread-1]: org.jivesoftware.openfire.spi.EncryptionArtifactFactory - Creating new SslContextFactory instance
2021.03.10 12:02:23 INFO  [pool-3-thread-1]: org.jivesoftware.openfire.http.HttpSessionManager - Starting instance
2021.03.10 12:02:23 INFO  [pool-3-thread-1]: org.jivesoftware.openfire.http.HttpBindManager - HTTP bind service started
2021.03.10 12:02:23 INFO  [pool-3-thread-1]: org.jivesoftware.openfire.keystore.CertificateStoreWatcher - A file system change was detected. A(nother) certificate store that is backed by file 'C:\Program Files (x86)\Openfire\resources\security\keystore' will be reloaded.
2021.03.10 12:02:23 INFO  [Jetty-QTP-AdminConsole-30]: org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'domain.com_1' is missing DNS identity 'proxy.domain.com'.
2021.03.10 12:02:23 INFO  [Jetty-QTP-AdminConsole-30]: org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'domain.com_1' is missing DNS identity 'masha'.
2021.03.10 12:02:23 INFO  [Jetty-QTP-AdminConsole-30]: org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'domain.com_1' is missing DNS identity 'rtpbridge.domain.com'.
2021.03.10 12:02:23 INFO  [Jetty-QTP-AdminConsole-30]: org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'domain.com_1' is missing DNS identity 'conference.domain.com'.
2021.03.10 12:02:23 INFO  [Jetty-QTP-AdminConsole-30]: org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'domain.com_1' is missing DNS identity 'search.domain.com'.
2021.03.10 12:02:23 INFO  [Jetty-QTP-AdminConsole-30]: org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'domain.com_1' is missing DNS identity 'httpfileupload.domain.com'.
2021.03.10 12:02:23 INFO  [Jetty-QTP-AdminConsole-30]: org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'domain.com_1' is missing DNS identity 'pubsub.domain.com'.
2021.03.10 12:02:23 INFO  [Jetty-QTP-AdminConsole-30]: org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'domain.com_1' is missing DNS identity 'relay.domain.com'.
2021.03.10 12:02:23 INFO  [pool-3-thread-1]: org.jivesoftware.openfire.spi.ConnectionListener[socket_c2s] - Reconfigured.
2021.03.10 12:02:23 INFO  [Jetty-QTP-AdminConsole-30]: org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'domain.com_1' is missing DNS identity 'proxy.domain.com'.
2021.03.10 12:02:23 INFO  [Jetty-QTP-AdminConsole-30]: org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'domain.com_1' is missing DNS identity 'masha'.
2021.03.10 12:02:23 INFO  [Jetty-QTP-AdminConsole-30]: org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'domain.com_1' is missing DNS identity 'rtpbridge.domain.com'.
2021.03.10 12:02:23 INFO  [Jetty-QTP-AdminConsole-30]: org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'domain.com_1' is missing DNS identity 'conference.domain.com'.
2021.03.10 12:02:23 INFO  [Jetty-QTP-AdminConsole-30]: org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'domain.com_1' is missing DNS identity 'search.domain.com'.
2021.03.10 12:02:23 INFO  [Jetty-QTP-AdminConsole-30]: org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'domain.com_1' is missing DNS identity 'httpfileupload.domain.com'.
2021.03.10 12:02:23 INFO  [Jetty-QTP-AdminConsole-30]: org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'domain.com_1' is missing DNS identity 'pubsub.domain.com'.
2021.03.10 12:02:23 INFO  [Jetty-QTP-AdminConsole-30]: org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'domain.com_1' is missing DNS identity 'relay.domain.com'.

bashkim · March 10, 2021, 11:18pm

@guus Any chance you could look into this?

guus · March 23, 2021, 11:59am

I’ve just tried using that plugin, and am not running into any issues with it. It is important that both files (the private key file and the certificate chain file) are placed in the hotdeploy folder at the same time, and that the Openfire process owner can read the files.

Lets see if we can get to the bottom of the issue, by having Openfire generate more logging.

In the openfire installation directory, there’s a folder named lib. In that directory, a file exists named log4j2.xml. Open that in a text editor, and look for this line near the bottom of the file:

<Logger name="org.eclipse.jetty" level="warn"/>

Directly under that line, add a new line that contains this text:

<Logger name="org.igniterealtime.openfire.plugins.certificatemanager" level="all"/>

Save the file, and wait 30 seconds for the changes to have been picked up by Openfire.

Next, retry renewing the certificate by placing new certificate files in the hotdeploy folder.