I notice this thread has been noisy, I will respond to it all in a single post to prevent it getting anymore noisy.
I am not able to babysit the server for extended intervals, but yes, hundreds of connections appear very soon after restart. I donāt know how soon but it is within a few hours meaning less than 2-3. This is a server that only 3 of my test IM clients hit, nobody else. So, only a handful of test IMs are being exchanged, no outside world.
Unfortunately this is a lot of what sysadmin isā¦ you got to have the time to sit there and watch what is going on, and monitor the server, if you canāt do this then maybe you need to consider outsourcing the hosting to someone else who can monitor the server, servers arenāt just setup and leave, they must be maintained.
It is too late to reinstall. Iāve already beaten my head against the wall with 4.7.3 for long enough to run out of allotted time, having not known that it was a bugged release. I only came here, having exhausted every note left by the admin of the old 4.6 install about config items they had to put, so enough time had been wasted as it stands.
I havenāt got experience with the older versions, however is there any reason you couldnāt give 4.8.1
a shot? 4.8.x
includes the netty rewrite which heavily modifies how Openfire handles network connections, and see as you are having issues with network connections, this might be a good idea. I understand it is time consuming, but there is not many alternatives.
Windows or not, my web, application, DB or SMTP/POP3 servers or whatnot only listen on the specified ports and make no rogue connections to themselves, needless to say not in the 100-s. Apparently, 4.6 had not done it, otherwise there would have been a note to that affect in our ITIL.
Wait, are these applications on the same server? Could you unplug the network to the server, and kill all services using the server and see if it is actually Openfire making these connections to themself, or some other program on the same server.
The ādomainā of this server is domain.com
. Its host name is mail
.
The certificate for domain.com
is listed right under that message, in the Identity table.
So what is missing? Does the message actually mean that OF expects a certificate for mail.domain.com
hostname?
This warning appears when there is one or more missing FQDNs within the certificate, for whatever reason Openfire requires all the FQDNs to be within a single certificate, therefore requiring the use of SAN certificates, or a wildcard certificate (if you donāt want to mess about, maybe just stick a wildcard certificate in, and call it a day).
What FQDNs you are missing is dependent on your configuration.
This IS a fresh install on a test lab to be prod soon.
Possible issue with your configuration? by āfreshā you mean the very base installation, no further configuration? all default values (apart from the domain name etc).
From this ordeal, it is clear that OF dev team misunderstands the way log levels are supposed to be used. This is how it is usually done:
Critical logs messages from errors that prevent the server serving its clients.
Error logs messages from all errors.
Warning logs additional messages considered minor.
Info logs additional messages considered even less important.
Debug, finally, dumps stack traces on top of Critical and Error messages.
Openfire is open source, if there is an issue you are free to patch it, the codebase is old and the logging decision was made decades ago, going through the codebase and changing what messages classify as what log level is a lengthy process, and none of the developers are paid to do so. The logging works, even if it is possibly too verbose, there is bigger fish to fry.
Secondly, nobody here is paid to support you, they have no obligation to help, continuing being aggressive and flinging mud will not yield a solution, and will likely result in your messages simply being ignored.
To recap:
Errors from closing connections still should be looked after.
SRV records warning still should be looked after. If nslookup
can query them fine, then OF should as well.
Encryption cert/key warning should be looked after.
Seeing how OF complains about items clearly present, I can only think of one reason for those warnings: the actual queries in the code do not match the information shown on the front end.
If I did not paste enough logs here you should let me know and Iāll provide, but I have neither knowledge nor time to investigate all of that on my own. I am not able to go into every code base that I have to admin.
A recap is not required, people are more than able to scroll through the thread history and see what has been attempted, and what the results of said attempt were.
Also please stop making the logging your enemy, the logging isnāt what is causing your issues and you are making a huge deal out of a small problem.
Please consider some of the suggestions above.