Hotdeploy did not work with the last batch of Let's Encrypt certs

I just wasted several hours trying to figure out why the certs that my scheduled task moved to the hotdeploy folder do not get deployed. There has been no change to any of the scheduled tasks/scripts in years. No changes to the OF or its configuration in months, since I upgraded to 4.8.1. The only difference was the last batch of certs, and I have no idea how they differ other than in their issue/expiry dates.
When I imported the cert/key manually, they imported without issue and showed up in the store and on IM clients.
I do not see any errors being logged that have something to do with certificates or hotdeploy.
No amount of restarting the OF service (which I did not have to do previously) helped replace the certs via hotdeploy.
Never had this issue on the previous 4.6.something version, in several years.

As someone who uses the plugin, I feel obligated to say that there is no issue with the plugin for me.
It works perfectly. What OS are you running your Openfire on? Check if your certs belong to Openfire when they arrive in the directory.

Some users of Openfire who had similar problems suggested removing the default self-signed certs. Not sure whether this also helps in your case.


This continues to give me headaches.
The certificate manager plugin flat out refuses to react to the appearance of new certs in the hotdeploy folder. It ignores the fact.
I have to delete the old cert/key manually every time and import the new ones.
Can anyone at all explain what has changed since about May 2024?

Is something wrong on this screen, like a wrong version?


Is something wrong here, like a wrong path?
Certs look no different from their historic predecessors, and everything else recognizes them without issues (httpd, smtpd, etc.).

This used to work for years, with no changes other than the upgrade to 4.8.1 a while ago, and it had kept working since then, up to May.

I don’t know if this is related, but I found a post on the Let's Encrypt website to the effect that

Before Feb 8th, Let's Encrypt sent 3 certs in the chain, presumably the X3/X1 compatibility cert.
After Feb 8th, the chain consists of 2 certs.

The fellow is correct. Prior to that date, there used to be 3 sections in the full chain. This is my Dec 2023 cert:

-----BEGIN CERTIFICATE-----
EwJSMzAeFw0yMzEyMTkwMDQxMDhaFw0yNDAzMTgwMDQxMDdaMBoxGDAWBgNVBAMT
***
G5Gjnt4MaT/xwQsJkxc7rnTUBl/M3pYVi3BEKiVqQvc5R1WUuUlhBdmX9iz6ki6b
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
***
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
***
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
-----END CERTIFICATE-----

Since then there are only two. This is my March 2024 cert:

-----BEGIN CERTIFICATE-----
D2VhcnRobG92ZXNtZS5jYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
***
EE4+a73x0YGzXZJ3up4PXofWSgVX5FQtoqFCPf+ZbQP80bRfMlmUsMZH7Bl/6juN
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
***
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
-----END CERTIFICATE-----

That does not jibe with my issue start date of May 2024, but at least this is a change that occurred recently, on their end.

In April, they made a change to “secondary validation”, but that has absolutely nothing to do with OF. Out of ideas at this point.
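A small stdlib-only diagnostic for the two things raised in this thread so far: how many certificate sections a renewed bundle actually contains (and whether each decodes to well-formed DER), and whether the files that land in the watched directory are owned by the account Openfire runs as. This is an added example written for this page, not code from the Certificate Manager plugin; the sample bundles are constructed, and any path or user name you pass in is your own assumption.

```python
import base64
import hashlib
import os
import re

# Matches each PEM certificate block, capturing only the base64 body.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def _der_outer_length(der: bytes) -> int:
    """Declared total length of the outer DER SEQUENCE, or -1 if malformed.
    Every X.509 certificate starts with a SEQUENCE (tag 0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        return -1
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def inspect_pem_bundle(text: str) -> list:
    """One (sha256 fingerprint, DER byte length, well_formed) tuple per PEM block.
    len() of the result is the number of chain sections in the file."""
    entries = []
    for body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                # bad base64: report and keep going
            entries.append((None, 0, False))
            continue
        well_formed = _der_outer_length(der) == len(der)
        entries.append((hashlib.sha256(der).hexdigest(), len(der), well_formed))
    return entries


def file_owner_matches(path: str, expected_user: str) -> bool:
    """True when the file is owned by expected_user (e.g. the Openfire service account)."""
    import pwd                            # POSIX only; assumption: Linux host
    return pwd.getpwuid(os.stat(path).st_uid).pw_name == expected_user


def _pem(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")

# Constructed samples: two tiny valid SEQUENCEs standing in for a 2-section
# chain, and one block whose length field does not match its content.
SAMPLE_BUNDLE = _pem(b"\x30\x03\x02\x01\x05") + _pem(b"\x30\x03\x02\x01\x07")
BROKEN_BUNDLE = _pem(b"\x30\x09\x02\x01\x05")
```

Run `inspect_pem_bundle(open("fullchain.pem").read())` on the December and March bundles to confirm the section count dropped from 3 to 2, and `file_owner_matches(path, "openfire")` on the freshly dropped files to rule out the ownership question.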

I’m sorry to hear that you keep running into issues @bashkim.

Have you tried switching the log level of Openfire to ‘trace’ just before a renewal / hotdeploy? That might give you more information.

Do you have any system properties that start with certificate-manager (such as certificate-manager.directory-watcher.watched-path)? What are their values?

No, I did not try to kick up the log level. Since I do not see anything at all in the logs around the time the certs are being deposited, I was not keen on doing so. What do you suppose we are going to see?

As to settings, do you mean these? I guess they are vanilla, not mine. No one has ever changed or added anything on this screen that I know of.

That table is wide, by the way. I had to crank the zoom down to 80% just to see it all the way to the right side. It could use better CSS.