
Certificate Manager - not working with Let's Encrypt certificates

Dear friends,

I just set up a fresh instance of Openfire and additionally installed the Certificate Manager plugin to hotdeploy the letsencrypt certificates.

My certbot is properly setup for my domain, and is generating certs.
As described in the plugin, I copied the certificates generated by certbot from /etc/letsencrypt/live/jabber.mydomain.tld/ to /usr/share/openfire/resources/security/hotdeploy
Now I have four *.pem files (cert.pem, chain.pem, fullchain.pem, privkey.pem) in that directory.

To my understanding, the Certificate Manager plugin should grab those certs and automatically deploy them to my Openfire instance. But somehow, this isn’t happening.

As part of troubleshooting, I already reloaded the plugin and restarted Openfire, with no success. Am I missing something?

Best regards,
Vince

Check the logs at /openfire/logs/all.log

Just to make sure, XMPP Domain value shown on the first page of Admin Console is the same as jabber.mydomain.tld?

1 Like

The only thing that is present in the logs about Certificate Manager is:

INFO org.igniterealtime.openfire.plugins.certificatemanager.DirectoryWatcher - Watching /usr/share/openfire/resources/security/hotdeploy for updates for installed certificate chains and private keys.

And that’s it. The FQDN fits the certificate. I also deployed the certificates manually, which also works fine. I can write a script to automatically deploy the certs and then restart openfire, but I really would love to use that hotdeploy instead.
Is *.pem the proper format? Do I need all four files in that directory?

By FQDN you mean the Server Host Name? The certificate should fit the XMPP Domain Name. You say that you have installed them manually. So, does it work when you log in with a client using the XMPP Domain Name?

The readme says .pem should work, although it only mentions the private key and chain. Not sure about the other files. Maybe @guus (the author of this plugin) can comment on that.

1 Like
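The script Vince mentions wanting to write, as an added example (not code from the plugin, from certbot, or from anyone in this thread): a certbot deploy hook that stages only privkey.pem and fullchain.pem into the hot-deploy directory, since the readme, as discussed above, only mentions a private key and a chain. It first checks that the leaf certificate's subjectAltName list actually covers the XMPP domain (the mismatch wroot raises), sets restrictive permissions, and writes the files under temporary names before renaming them into place so the directory watcher never reads a half-written file. The hot-deploy path and the domain jabber.mydomain.tld are the ones from this thread; the service account name `openfire` is an assumption.

```shell
#!/bin/sh
# Certbot deploy hook that stages a renewed Let's Encrypt key and chain into
# the Openfire Certificate Manager hot-deploy directory.
# Added example; not code from the plugin, certbot, or anyone in this thread.
# Assumptions: the hot-deploy path and XMPP domain below come from the thread;
# the service account name "openfire" is a guess for your install.
set -eu

HOTDEPLOY="${HOTDEPLOY:-/usr/share/openfire/resources/security/hotdeploy}"
XMPP_DOMAIN="${XMPP_DOMAIN:-jabber.mydomain.tld}"
OPENFIRE_USER="${OPENFIRE_USER:-openfire}"   # assumed service account

# True if the leaf certificate in $1 lists $2 as a DNS subjectAltName.
# openssl x509 reads only the first certificate in fullchain.pem (the leaf).
# Guards against the mismatch raised in the thread: the cert must cover the
# XMPP domain, which may differ from the machine's FQDN.
cert_covers_domain() {
    chain="$1"; domain="$2"
    openssl x509 -in "$chain" -noout -text 2>/dev/null \
        | grep -qE "DNS:${domain}(,|$)"
}

# Stage privkey.pem and fullchain.pem from certbot lineage dir $1 into $2.
# Only these two are copied: the readme (per the discussion above) mentions a
# private key and a chain, and cert.pem/chain.pem only duplicate material
# that fullchain.pem already contains.
stage_certs() {
    lineage="$1"; dest="$2"
    [ -r "$lineage/privkey.pem" ] && [ -r "$lineage/fullchain.pem" ] || return 1
    mkdir -p "$dest"
    # Copy under temporary names, fix mode/ownership, then rename into place
    # so the directory watcher never sees a partially written file.
    cp "$lineage/fullchain.pem" "$dest/.fullchain.pem.tmp"
    cp "$lineage/privkey.pem"   "$dest/.privkey.pem.tmp"
    chmod 644 "$dest/.fullchain.pem.tmp"
    chmod 600 "$dest/.privkey.pem.tmp"
    if [ "$(id -u)" -eq 0 ] && id "$OPENFIRE_USER" >/dev/null 2>&1; then
        chown "$OPENFIRE_USER" "$dest/.fullchain.pem.tmp" "$dest/.privkey.pem.tmp"
    fi
    mv "$dest/.fullchain.pem.tmp" "$dest/fullchain.pem"
    mv "$dest/.privkey.pem.tmp"   "$dest/privkey.pem"
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/jabber.mydomain.tld)
# when it calls a --deploy-hook; when run by hand, pass the lineage dir as $1.
lineage="${RENEWED_LINEAGE:-${1:-}}"
if [ -n "$lineage" ]; then
    if ! cert_covers_domain "$lineage/fullchain.pem" "$XMPP_DOMAIN"; then
        echo "refusing to deploy: certificate does not cover $XMPP_DOMAIN" >&2
        exit 1
    fi
    stage_certs "$lineage" "$HOTDEPLOY"
    echo "staged key and chain for $XMPP_DOMAIN into $HOTDEPLOY"
fi
```

Hook it up with `certbot renew --deploy-hook /path/to/this-script.sh` or by placing the script in /etc/letsencrypt/renewal-hooks/deploy/; it deliberately does not restart Openfire, leaving the actual import to the plugin's watcher. If the watcher still does nothing, the debug log level suggested later in the thread is the next place to look.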

Yes, I mean the hostname. I have a letsencrypt cert for jabber.mydomain.tld, and it works after the manual import using keytool. My only problem is the plugin not automatically updating (or probably even recognizing) the certs as soon as they are placed inside the hotdeploy directory. I also made sure that the permissions on the certs are set properly for openfire.
It’s not a big dealbreaker for me, rather a small inconvenience that the server has to be restarted through a cronjob once in a while.

What I mean is that the certificate should cover your XMPP Domain name, not the server’s hostname. This might be the cause of it failing to auto-import. Although I would expect some kind of error in the logs. After you import it with keytool, what does it show on the Admin Console > TLS/SSL Certificates > first Manage Store Contents link? Is it showing your imported cert?

Your XMPP Domain Name isn’t jabber.mydomain.tld? Do you put jabber.mydomain.tld into a client to login? If so, this is not by XMPP standards and you can have issues because of that. Clients should login to XMPP domain and they would expect a certificate covering that domain.

1 Like

What @wroot said is correct: the cert should at least cover the XMPP domain name (which, depending on how you installed things, can be different from the FQDN of the server that’s running Openfire).

Increasing the log level to debug should give more information on the workings of the certmanager plugin.

1 Like

The cert is covering my XMPP domain name, the cert was made for this sole purpose.
[Screenshot from 2019-10-18 22-53-57]

It’s just the plugin that isn’t working properly. I’ll switch the log level to debug and take a deeper dive.