Openfire 4.7.1 SSL/TLS certificate question

Hello:

I seem to be going round and round trying to sort how to install the certificates as the Openfire SSL guidelines document is a bit dated and seems to be more focused on much earlier versions of the server. I am getting a bit frustrated now.

The challenge I have is this: The server runs with the domain name of “chat.ruwg.net” for the XMPP clients and the admin section is running as admin.ruwg.net (on port 9091). I have the “Let's Encrypt” certificate installed for the “chat” ports, but I seem to run into errors when I try to install the admin certificate (there are two different certs). Perhaps I am installing them in the wrong place.

I also tried using the certificate management plugin and while I can put the file there (“fullchain.pem”), it does not seem to get used by the plugin application.

Not to complain about the Openfire application at all, as I have been using it for years before it was migrated to a new instance and relocated from one data center to another. In the prior versions, we used first a commercial certificate (GoDaddy) and then we switched to Let's Encrypt, and that went well. The only suggestion I have is for someone to update the textual information on the admin web page on how to use the stores correctly. It is not that the information may be wrong, but rather it would help to explain it differently perhaps.

Thank you.
Kevin Greene

Hi Kevin,

Sorry you have to go through this. TLS configuration is always tricky, and Openfire’s UI does not make this any easier. Bring in the restrictions added by Let's Encrypt’s certbot, and you have a difficult puzzle to solve.

Pragmatically, I found the most workable solution to be to have Let's Encrypt issue a certificate that covers all of these:

  • the XMPP domain name (chat.ruwg.net)
  • the ‘conference’ and ‘pubsub’ subdomains of the XMPP domain (conference.chat.ruwg.net, pubsub.chat.ruwg.net), and possibly some other subdomains (which will be listed in your Openfire admin console).
  • the server’s fully qualified domain name (admin.ruwg.net)

That should give you one certificate that is usable for every Openfire endpoint: XMPP, BOSH, the Admin console, and the various web endpoints that some plugins add.

Alternatively (but I have less experience with this approach), you can configure different identity (and trust) stores to hold a (different) certificate for each of the endpoints. To do this, you can navigate in Openfire’s Admin Console to the TLS/SSL Certificates page, and manually modify its URL to add a parameter. The full path of the address should be something like this: security-certificate-store-management.jsp?showAll=true

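As an added illustration of the single-certificate approach in the reply above (this is example code, not from the thread, from Openfire or from certbot): the script builds a throwaway self-signed certificate carrying the four hostnames listed in the reply as Subject Alternative Names, then checks that a PEM certificate (such as a certbot fullchain.pem, whose first entry is the leaf) covers every name Openfire will present. It assumes the openssl command-line tool is installed; the certbot invocation in the comment is an assumed example of requesting those names and is not run.

```shell
#!/bin/sh
# Added example (not part of the forum thread): verify that one certificate
# covers every hostname Openfire serves, as the reply recommends.
# Requires the openssl CLI. The hostnames are the ones from the thread.

# Constructed test input: the names one certificate should cover.
REQUIRED_NAMES="chat.ruwg.net conference.chat.ruwg.net pubsub.chat.ruwg.net admin.ruwg.net"

# Create a self-signed cert with those SANs under "$1". It stands in for the
# fullchain.pem that certbot would write after an (assumed) request such as:
#   certbot certonly -d chat.ruwg.net -d conference.chat.ruwg.net \
#     -d pubsub.chat.ruwg.net -d admin.ruwg.net
make_test_cert() {
  dir="$1"
  sans=""
  for n in $REQUIRED_NAMES; do
    sans="${sans}${sans:+,}DNS:$n"
  done
  # A config file is used instead of -addext so this also works on older openssl.
  cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no
[dn]
CN = chat.ruwg.net
[v3_san]
subjectAltName = $sans
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/test.key" -out "$dir/test.pem" \
    -config "$dir/san.cnf" >/dev/null 2>&1
}

# Print the DNS SAN entries of the first certificate in a PEM file, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep '^DNS:' | sed 's/^DNS://'
}

# cert_covers CERT NAME... : succeed only if every NAME is a DNS SAN of CERT.
# Each missing name is reported, so the admin knows which -d to add to certbot.
cert_covers() {
  cert="$1"; shift
  present=$(cert_sans "$cert")
  missing=0
  for name in "$@"; do
    if ! printf '%s\n' "$present" | grep -qxF "$name"; then
      echo "missing from $cert: $name" >&2
      missing=1
    fi
  done
  return $missing
}

# Stand-alone run: build the test cert and check it against the required names.
if [ "${1:-}" = "--demo" ]; then
  TMP=$(mktemp -d)
  make_test_cert "$TMP"
  cert_covers "$TMP/test.pem" $REQUIRED_NAMES && echo "all names covered"
  rm -rf "$TMP"
fi
```

To check a real deployment, call `cert_covers /path/to/fullchain.pem chat.ruwg.net conference.chat.ruwg.net pubsub.chat.ruwg.net admin.ruwg.net` against the certificate you intend to load into Openfire's identity store; any name printed as missing is one the Admin Console or a plugin endpoint would present without a matching certificate.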