powered by Jive Software

Help Getting Let's Encrypt certificates to work

I am trying to import my Let’s Encrypt certificate into the keystore at the command line but I seem to be having a problem in that I can import them but the Openfire Identity Certificate Store keeps giving me the warning A certificate for the domain of this server is missing. Click here to generate a self-signed certificate or here to import a signed certificate and its private key.

As my Let’s Encrypt certificate does not come with a pkcs12 file I create it first with:

openssl pkcs12 -export -name www.howitts.co.uk -out /root/keystore.p12 -inkey /etc/letsencrypt/live/www.howitts.co.uk/privkey.pem -in /etc/letsencrypt/live/www.howitts.co.uk/fullchain.pem -password "pass:changeit"

This is using the fullchain file, so certificate and intermediate certificate.
I then import it with:

keytool -importkeystore -alias www.howitts.co.uk -destkeystore /usr/share/openfire/resources/security/keystore -deststorepass changeit -destkeypass changeit -srcstoretype PKCS12 -srcstorepass changeit -srckeystore /root/keystore.p12

It imports with a warning:

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /usr/share/openfire/resources/security/keystore -destkeystore /usr/share/openfire/resources/security/keystore -deststoretype pkcs12".

Which is odd as I am importing it as a pkcs12, but anyway … I still get the when I go to manage the store contents.

I have tried separately importing the intermediate/chain certificate into the truststore with:

keytool -import -trustcacerts -alias www.howitts.co.uk -file /etc/letsencrypt/live/www.howitts.co.uk/chain.pem -keystore /usr/share/openfire/resources/security/truststore -storepass changeit

But it does not get rid of the warning. How to I import the certificates correctly?

It looks like the above commands do work, but there is a big caveat. I only got rid of the error by using a wildcard certificate.

This then leads to the question, which subdomains domains need to be covered by the certificate if you don’t use a wildcard certificate?