1.already created certs for my apache httpd with certbot and it works
2.on openfire 4.2.3 , Ubuntu 16.04 . Default generated certs are not trusted. all the time asking agree or nor cert.
3.How i can import ready certs ? or generate new letsencrypt certs for xmpp server ?
Importing ? or whats i cant understand.
keystore located on /opt/openfire/resources/security
The following bash lines are part of our Let’s Encrypt (LE) deployment system based on Debian. We have one central server renewing certs with LE (not the xmpp server) using https://github.com/srvrco/getssl. Certs are then copied by rsync the the xmpp server and some commands to import and reload executed remotely by ssh.
#!/bin/bash
# fqdn from cert (used in filenames)
domain="jabber.example.org"
# hostname(s) for ssh connect (multiple if clustered)
servers="
jabber.example.org
"
# assuming this script and certs are in same directory
# we operate in directory that contains the script
cwd=$(dirname $0)
# some ssh options needed (adjust to your needs)
# passwordless login via pubkey authentication strongly recommended
ssh="ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
for server in $servers; do
echo "Deploying certificate to $server ..."
chmod 644 $cwd/*.crt*
chown root.ssl-cert $cwd/*.key*
chmod 640 $cwd/*.key*
# create combined file with cert and CA chain
cat $cwd/$domain.crt $cwd/chain.crt > $cwd/$domain.chained.crt
# copy cert and private key to server (keeps file owner and rights)
rsync -a $cwd/$domain.crt $server:/etc/ssl/certs/$domain.crt
rsync -a $cwd/chain.crt $server:/etc/ssl/certs/$domain.chain.crt
rsync -a $cwd/$domain.chained.crt $server:/etc/ssl/certs/$domain.chained.crt
rsync -a $cwd/$domain.key $server:/etc/ssl/private/$domain.key
# update remote server's hash database
ssh $server "c_rehash > /dev/null 2>&1"
# To have LE certs in OpenFire we need to:
# * import private key in java keystore
# * add LE CA to java keystore to provide full chain to your clients and remote servers
# * import LE's public CA cert in java truststore to accept incoming connections from remote servers using LE
# ** don't wipe that database. You'll lose TLS connectivity to remote jabber servers and need to reimport widely accepted CAs to restore connectivity
# ** ignore import errors when LE CA already exists in truststore
# commands till EOSSH line are executed on xmpp server(s)
$ssh -t $server /bin/bash << EOSSH
/etc/init.d/openfire stop
cp /usr/share/openfire/resources/security/keystore /usr/share/openfire/resources/security/keystore.bak
rm -f /usr/share/openfire/resources/security/keystore
keytool -import -trustcacerts -storepass changeit -alias "Let's Encrypt Authority X3" -file /etc/ssl/certs/jabber.example.org.chain.crt -keystore /usr/share/openfire/resources/security/truststore >/dev/null
openssl pkcs12 -export -in /etc/ssl/certs/jabber.example.org.chained.crt -inkey /etc/ssl/private/jabber.example.org.key -out /etc/ssl/private/jabber.example.org.allwithkey.p12 -name "jabber.example.org" -CAfile /etc/ssl/certs/jabber.example.org.chain.crt -passout pass:"changeit"
chown root.ssl-cert /etc/ssl/private/jabber.example.org.allwithkey.p12
chmod 640 /etc/ssl/private/jabber.example.org.allwithkey.p12
keytool -importkeystore -deststorepass changeit -srcstorepass changeit -destkeystore /usr/share/openfire/resources/security/keystore -srckeystore /etc/ssl/private/jabber.example.org.allwithkey.p12 -srcstoretype PKCS12 -alias "jabber.example.org"
keytool -import -trustcacerts -storepass changeit -alias "Let's Encrypt Authority X3" -file /etc/ssl/certs/jabber.example.org.chain.crt -keystore /usr/share/openfire/resources/security/keystore
/etc/init.d/openfire start
EOSSH
done
Currently tested with OpenFire 4.2.3. Couldn’t test with 4.3.2 yet, because of upgrading issue.