
Problem with using letsencrypt certs on Openfire 4.2.3


#1

1. Already created certs for my Apache httpd with certbot and it works.
2. On Openfire 4.2.3, Ubuntu 16.04. Default generated certs are not trusted; all the time it is asking to agree or not to the cert.

3. How can I import ready certs? Or generate new Let's Encrypt certs for the XMPP server?

Importing? Or what is it I can't understand?

Keystore located at /opt/openfire/resources/security

============================

Found one good answer but it was for version 4.2.1:

sudo -u openfire keytool -importkeystore -deststorepass xxx -destkeypass xxx -destkeystore /etc/openfire/security/keystore -srckeystore /etc/letsencrypt/live/jddd.tld/fullchain.pks12 -srcstoretype PKCS12 -srcstorepass xxx -alias jddd.tld -noprompt
service openfire stop
service openfire start

#2

Are you saying that Openfire does not show them as trusted or that when clients connect, it is not shown as trusted or both?


#3

Shown as trusted. Can I generate new SSL? From Let's Encrypt? Or import created? Help please to import created certs. Thanks


#4

Anyone have ideas?


#5

The following bash lines are part of our Let's Encrypt (LE) deployment system based on Debian. We have one central server renewing certs with LE (not the xmpp server) using https://github.com/srvrco/getssl. Certs are then copied by rsync to the xmpp server, and some commands to import and reload are executed remotely via ssh.

#!/bin/bash

# fqdn from cert (used in filenames and as the keystore alias)
domain="jabber.example.org"
# hostname(s) for ssh connect (multiple if clustered)
servers="
jabber.example.org
"
# assuming this script and certs are in same directory
# we operate in directory that contains the script
cwd=$(dirname "$0")
# some ssh options needed (adjust to your needs)
# passwordless login via pubkey authentication strongly recommended
ssh="ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
# Openfire's default keystore/truststore password (change it here if you changed it in Openfire)
storepass="changeit"

for server in $servers; do
  echo "Deploying certificate to $server ..."
  chmod 644 "$cwd"/*.crt*
  chown root:ssl-cert "$cwd"/*.key*
  chmod 640 "$cwd"/*.key*

  # create combined file with cert and CA chain
  cat "$cwd/$domain.crt" "$cwd/chain.crt" > "$cwd/$domain.chained.crt"

  # copy cert and private key to server (keeps file owner and rights)
  rsync -a "$cwd/$domain.crt" "$server:/etc/ssl/certs/$domain.crt"
  rsync -a "$cwd/chain.crt" "$server:/etc/ssl/certs/$domain.chain.crt"
  rsync -a "$cwd/$domain.chained.crt" "$server:/etc/ssl/certs/$domain.chained.crt"
  rsync -a "$cwd/$domain.key" "$server:/etc/ssl/private/$domain.key"

  # update remote server's hash database
  $ssh "$server" "c_rehash > /dev/null 2>&1"

  # To have LE certs in OpenFire we need to:
  # * import private key in java keystore
  # * add LE CA to java keystore to provide full chain to your clients and remote servers
  # * import LE's public CA cert in java truststore to accept incoming connections from remote servers using LE
  # ** don't wipe that database. You'll lose TLS connectivity to remote jabber servers and need to reimport widely accepted CAs to restore connectivity
  # ** ignore import errors when LE CA already exists in truststore
  # ** -noprompt keeps keytool from reading its "Trust this certificate?" answer out of the script lines below

  # commands till EOSSH line are executed on xmpp server(s)
  # (unquoted heredoc: $domain and $storepass are expanded locally before being sent)
  $ssh -t "$server" /bin/bash << EOSSH
    /etc/init.d/openfire stop
    cp /usr/share/openfire/resources/security/keystore /usr/share/openfire/resources/security/keystore.bak
    rm -f /usr/share/openfire/resources/security/keystore
    keytool -import -trustcacerts -noprompt -storepass $storepass -alias "Let's Encrypt Authority X3" -file /etc/ssl/certs/$domain.chain.crt -keystore /usr/share/openfire/resources/security/truststore >/dev/null
    openssl pkcs12 -export -in /etc/ssl/certs/$domain.chained.crt -inkey /etc/ssl/private/$domain.key -out /etc/ssl/private/$domain.allwithkey.p12 -name "$domain" -CAfile /etc/ssl/certs/$domain.chain.crt -passout pass:"$storepass"
    chown root:ssl-cert /etc/ssl/private/$domain.allwithkey.p12
    chmod 640 /etc/ssl/private/$domain.allwithkey.p12
    keytool -importkeystore -deststorepass $storepass -srcstorepass $storepass -destkeystore /usr/share/openfire/resources/security/keystore -srckeystore /etc/ssl/private/$domain.allwithkey.p12 -srcstoretype PKCS12 -srcalias "$domain"
    keytool -import -trustcacerts -noprompt -storepass $storepass -alias "Let's Encrypt Authority X3" -file /etc/ssl/certs/$domain.chain.crt -keystore /usr/share/openfire/resources/security/keystore
    /etc/init.d/openfire start
EOSSH
done

Currently tested with OpenFire 4.2.3. Couldn't test with 4.3.2 yet because of an upgrade issue.
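As an added post-deployment check (not part of the script above, nor Openfire's own tooling): the symptom in the opening post, clients asking whether to accept the cert, is exactly what a leftover self-signed keystore entry produces, so it is worth confirming that the entry for the domain really carries the Let's Encrypt chain before calling the deployment done. The parser is exercised on a constructed `keytool -list -v` excerpt; the live function assumes the paths and the "changeit" password used in the script.

```shell
#!/bin/sh
# Added check, not part of the deployment script above; assumes its paths
# and the Openfire default store password "changeit".
domain="jabber.example.org"
security="/usr/share/openfire/resources/security"
storepass="changeit"

# Reads `keytool -list -v` output on stdin. Succeeds only if alias $1 is a
# PrivateKeyEntry with a chain of at least two certs (leaf + LE intermediate)
# whose leaf is issued by Let's Encrypt; a lone self-signed leaf fails.
check_keystore_listing() {
  local want="$1" in_entry=0 seen_issuer=0 ok_type=0 ok_len=0 ok_issuer=0 line
  while IFS= read -r line; do
    case "$line" in
      "Alias name: "*) seen_issuer=0; in_entry=0
        [ "${line#Alias name: }" = "$want" ] && in_entry=1 ;;
      "Entry type: PrivateKeyEntry") [ "$in_entry" = 1 ] && ok_type=1 ;;
      "Certificate chain length: "*)
        [ "$in_entry" = 1 ] && [ "${line#*: }" -ge 2 ] && ok_len=1 ;;
      "Issuer: "*)  # the entry's first Issuer line belongs to the leaf cert
        if [ "$in_entry" = 1 ] && [ "$seen_issuer" = 0 ]; then
          seen_issuer=1
          case "$line" in *"Let's Encrypt"*) ok_issuer=1 ;; esac
        fi ;;
    esac
  done
  [ "$ok_type" = 1 ] && [ "$ok_len" = 1 ] && [ "$ok_issuer" = 1 ]
}

# Constructed excerpt of keytool -v output after a successful import (JDK 8 layout).
sample_listing_le() { cat <<'EOF'
Alias name: jabber.example.org
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=jabber.example.org
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
EOF
}

# Live check (needs keytool, openssl, network): key entry carries the LE chain,
# LE CA is in the truststore (keytool lowercases JKS aliases), STARTTLS on 5222 verifies.
verify_openfire() {
  keytool -list -v -keystore "$security/keystore" -storepass "$storepass" \
    | check_keystore_listing "$domain" || { echo "keystore: no LE chain for $domain"; return 1; }
  keytool -list -keystore "$security/truststore" -storepass "$storepass" \
    | grep -qi "let's encrypt authority x3" || { echo "truststore: LE CA missing"; return 1; }
  openssl s_client -connect "$domain:5222" -starttls xmpp -servername "$domain" </dev/null 2>/dev/null \
    | grep -q "Verify return code: 0 (ok)" || { echo "5222: presented chain does not verify"; return 1; }
}
```

Run `verify_openfire` on the xmpp host after the EOSSH block; a non-zero exit names which of the three stages (keystore, truststore, live STARTTLS) is still wrong.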