First, Thank you for an incredible system

First, thank you for an incredible system. I have been a fan for many, many years. I’m always defending Openfire when someone is pushing the latest shiny toy (whispers: Matrix, for one).

(xmpp:bob@mpaq.org) I have been trying to get our XMPP server “certified” for a LONG, LONG time. We have finally managed to open up our Let’s Encrypt certs, having been stuck at 4 subdomains for several years. Our XMPP runs on the standard ports, but it won’t “federate” because of the cert problem. Our main routing handles the certs before it gets to any of our inside sites/addresses. Openfire still remains un-certified, and I would really like to fix this now that we don’t have that problem anymore. The network is all handled by a proxy server running NGINX.

Our MPAQ network is growing (self plug):

https://truthbrary.mpaq.org

Hi Bob!

What you’re running into is a common setup question in XMPP deployments: how to correctly handle Let’s Encrypt certificates across both a web-facing proxy and Openfire’s own TLS needs (including federation).

A good approach is the following:

On your main system (NGINX layer), you can safely generate Let’s Encrypt certificates for all relevant domains and subdomains, including both:

  • your public web services (e.g. mpaq.org, mail.mpaq.org, etc.)
  • your XMPP-related domains (e.g. xmpp.mpaq.org, conference.mpaq.org, or whatever your Openfire domains use)

Let’s Encrypt does not care whether these are “websites” or “XMPP services”. As long as the domain is validated via HTTP-01 or DNS-01 challenges, certificates will be issued normally. So it is completely fine (and typical) to request certificates for XMPP-related hostnames even if they are not directly serving web content.

Once those certificates are generated and renewed by NGINX/Certbot (or your ACME client), Openfire can reuse them directly.

The usual pattern is:

  1. Let NGINX/Certbot handle certificate issuance and renewal for all required domains.
  2. Use the Openfire Certificate Manager plugin, which supports a hotdeploy directory.
  3. Use a small script to copy the resulting files (fullchain.pem and privkey.pem) into the hotdeploy directory.

When certificate files are dropped into this directory, Openfire automatically detects them. It then installs and activates the updated certificates without requiring a full manual reconfiguration.

I hope this helps!

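The copy step from the answer above, written out as a certbot deploy hook. This is an added example, not code from the thread or from the Openfire project. It assumes certbot exports RENEWED_LINEAGE to deploy hooks (it does), keeps the file names the answer mentions (fullchain.pem and privkey.pem), and uses a placeholder hotdeploy path and service user that you must adjust to match your Certificate Manager plugin configuration.

```shell
#!/bin/sh
# Added example (not from the original thread): certbot deploy hook that
# copies a renewed Let's Encrypt key and chain into the Openfire Certificate
# Manager hotdeploy directory. Both paths below are placeholders for your
# installation, not values taken from the plugin's documentation.
set -eu

OPENFIRE_HOTDEPLOY="${OPENFIRE_HOTDEPLOY:-/opt/openfire/conf/hotdeploy}"  # placeholder
OPENFIRE_USER="${OPENFIRE_USER:-openfire}"                                 # placeholder

# deploy_openfire_certs LINEAGE_DIR DEST_DIR
# Copies privkey.pem and fullchain.pem from a certbot lineage directory into
# DEST_DIR. Each file is written under a temporary name, locked down to 0600,
# and then renamed, so the directory watcher never picks up a half-written
# or world-readable key. Returns 1 (without touching DEST_DIR) if a source
# file is missing or unreadable.
deploy_openfire_certs() {
  lineage="$1"
  dest="$2"
  for f in privkey.pem fullchain.pem; do
    [ -r "$lineage/$f" ] || { echo "deploy: missing $lineage/$f" >&2; return 1; }
  done
  mkdir -p "$dest"
  for f in privkey.pem fullchain.pem; do
    cp "$lineage/$f" "$dest/.$f.tmp"
    chmod 600 "$dest/.$f.tmp"
    mv "$dest/.$f.tmp" "$dest/$f"
  done
  # Hand the files to the Openfire service account when run as root.
  if [ "$(id -u)" -eq 0 ] && id "$OPENFIRE_USER" >/dev/null 2>&1; then
    chown "$OPENFIRE_USER" "$dest/privkey.pem" "$dest/fullchain.pem"
  fi
  return 0
}

# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/xmpp.example.org)
# when it runs a deploy hook after a successful renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_openfire_certs "$RENEWED_LINEAGE" "$OPENFIRE_HOTDEPLOY"
fi
```

Install the script as executable and register it with `certbot renew --deploy-hook /path/to/this-script.sh`, or drop it into `/etc/letsencrypt/renewal-hooks/deploy/`, so it runs only when a certificate was actually renewed. If the lineage covers several XMPP hostnames (xmpp, conference, and so on), one renewal updates all of them at once.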