Hello. I am looking for someone to install openfire on my server, with all needed features, set up SSL, OMEMO support, configure Firewall, make everything as secure as possible using OpenFire and also make an installation tutorial with all steps done for my personal use, so I could do all that myself, when needed. If you are able to do all that, then please contact me and we will discuss a remuneration for this work. Thank You.
Luksias, OMEMO is client side, so you'll need a client that supports it. The rest is easy enough. Some things to keep in mind in your scope…
is this for internal use or will be accessible from the internet?
Will you be using ldap/ad?
Will you want to use an external database like mysql or ms sql?
Since you mentioned SSL… Openfire creates a self-signed cert. If you'd like a trusted cert from a public CA, then you'll need to have an external domain.
Where do you want openfire placed on the network? dmz, lan? do you want to run a reverse proxy?
Hello. So Openfire should support OMEMO out of the box? If I use clients with OMEMO support it should just work?
The setup is for external use, to secure communication for an organisation, desktops and mobile.
Not sure if I need that LDAP/AD. Would you recommend implementing that for the setup that I need? Does that add more security? I'm not familiar with that.
I am using MariaDB - that seems to be setup all good.
SSL: Is there an actual difference for simple users if you use a CA-approved certificate or not? Security level is still the same, or not? I do have an external domain. Main domain is parked at a different server, but I have the A record and SRV records done to point to the Openfire server with FQDN set as, for example, my.server.com. Seems to work.
Would you recommend reverse proxy?
Thanks!
Correct… OMEMO is e2e encryption, so it's client driven. It should work out of the box with Openfire.
LDAP/AD might be considered if you already have it in your environment, and if you want to use a single login. If you don't already have AD or LDAP, then there is no need to add it.
A cert from a 3rd party trusted CA is helpful if you want to federate your server with others. It will also (usually) prevent the certificate pop-ups on clients (similar to how web browsers do with self-signed certs).
Since your server will be internet facing, and there's no need to connect back to your LAN, putting it on the DMZ would be ok… no real need to run it through a reverse proxy.
Hi there.
Could you please list things that need to be sorted/configured to have a most secure Openfire installation possible?
Also, I managed to test OMEMO messages from a mobile device to a browser, but I can't figure out how to encrypt group chat messages. Maybe you could help me here, please?
Thanks
There is no such document or list that we can share. In general I would suggest enabling and enforcing TLS encryption for all connections (client and web admin). And maybe also using a firewall to limit the access (especially to the web admin part).
As we said, OMEMO is a client side feature. You should ask the developers of the clients you are using. As far as I remember, OMEMO can work in group chat only when all participants support it.
Is it safer in some way to install OpenFire not as root user? Thank you!
If you mean installation on Linux, then you can run the install via the sudo command. Openfire will create a user openfire:openfire to run its daemon, so it won't be running as root. In the Windows case a service is running as the System user.
I use CentOS. I understand that I can do it with another user, but does that add security or is there no difference really? Cheers.
I think there won't be much difference. The Openfire user is created only to run Openfire and should only have access to Openfire files.
A post was split to a new topic: OMEMO issues with various clients
Hi guys. The new question is what do you guys use for FQDN and for main domain in your servers? What is the best setup DNS wise?
I currently have domain parked on another server, and pointed A record to XMPP server and also added SRV records that Openfire requested. Is that the best way to do this? How do you setup?
Also I was looking for some simple explanation on how to install SSL certificates via the admin panel, but could not find any. Could someone guide me through this process? Where do I get a signing key which I need to provide to the CA to get a signed certificate? Please assist.
I read a bit about certbot, but I'm still confused about how certbot gets the info that it needs to retrieve a certificate. Do I need to provide Let's Encrypt with any info, or does certbot do all the work, finding domains that need certificates?
Also which certbot do I need for my Openfire server? Standalone?
Thanks!
Nothing?
I like to set things up like you would email. So my XMPP domain would be mydomain.com. This would make the JID (user) look like speedy@mydomain.com
Then, you'd make an A record like xmpp.mydomain.com
Next create your SRV record that points to the newly created A record.
If you want to use a public CA, then get it for xmpp.mydomain.com, as the root domain should also be covered.
I don't recall how to create the CSR or if Openfire does that… it might have to be done via Java tooling… I can check tomorrow when I'm at work.
I don't have experience with Let's Encrypt… so I can't help you there.
Thanks speedy. I guess this is the exact DNS setup I have now, and it seems to work ok.
I will try to investigate myself a bit more about that Let's Encrypt business when I find a bit more time too. Sad that there is no clear documentation on how to do everything. Cheers!
There is some documentation here: Openfire: TLS Guide, although it is a bit outdated. When there are so few developers and they don't have much time to code, documentation is usually the thing lagging behind the most. I will try to add a few newer bits to that document later. At my job I'm working with a system which costs a pile of money and in their documentation they don't cover how to generate private keys, CSRs, etc. Their support told me it's your job to know how to do such things.
I think you can also use OpenSSL to generate a private key and CSR. It doesn't have to be keytool. There is also a new plugin, Certificate Manager, which allows you to set up a hot-deploy folder to add new certificates dynamically (say from a Let's Encrypt bot).
This is hard to cover in a single document (with all the options there can be).
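As an added example (not from the thread, Openfire, or its documentation): the OpenSSL route to a key and CSR, written so that the CSR names both the XMPP domain and the server hostname as Subject Alternative Names. Openfire only accepts a certificate that covers the XMPP service domain, so both names belong in the request before it goes to a public CA. The domain names, file names and the `openfire.cnf` config file are placeholders I chose; `cert_covers` is a small check you can run on any issued PEM certificate before importing it.

```shell
#!/bin/sh
# Added example, not Openfire's own tooling. Generates a private key and a CSR
# whose SANs cover both the XMPP domain and the server hostname, and checks
# whether a certificate or CSR actually lists a given name.
# XMPP_DOMAIN / XMPP_HOST are placeholders; override them in the environment.

XMPP_DOMAIN="${XMPP_DOMAIN:-mydomain.com}"       # the part after @ in a JID
XMPP_HOST="${XMPP_HOST:-xmpp.mydomain.com}"      # the A record the SRV points at

# make_csr OUTDIR
#   Writes OUTDIR/openfire.key (readable only by the creator) and
#   OUTDIR/openfire.csr. The CSR requests SANs for both names so a CA-issued
#   certificate covers the XMPP domain, not only the hostname.
make_csr() {
    outdir="$1"
    mkdir -p "$outdir"
    umask 077   # private key must not be world-readable
    cat > "$outdir/openfire.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $XMPP_DOMAIN
[ext]
subjectAltName = DNS:$XMPP_DOMAIN, DNS:$XMPP_HOST
EOF
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$outdir/openfire.key" -out "$outdir/openfire.csr" \
        -config "$outdir/openfire.cnf" >/dev/null 2>&1
}

# self_sign OUTDIR
#   Issues a short-lived self-signed certificate from the CSR above, keeping
#   the SAN extension. Useful for a lab; a public CA replaces this step.
self_sign() {
    outdir="$1"
    openssl x509 -req -in "$outdir/openfire.csr" -signkey "$outdir/openfire.key" \
        -days 1 -extfile "$outdir/openfire.cnf" -extensions ext \
        -out "$outdir/openfire.crt" >/dev/null 2>&1
}

# csr_covers CSRFILE NAME   -> exit 0 when NAME is a DNS SAN in the CSR
csr_covers() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2\b"
}

# cert_covers CERTFILE NAME -> exit 0 when NAME is a DNS SAN in the certificate.
# Run this on the certificate you are about to import; if your XMPP domain is
# missing here, Openfire will reject the chain.
cert_covers() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2\b"
}
```

Typical use: `make_csr /etc/openfire/tls`, send `openfire.csr` to the CA, then `cert_covers /path/to/issued.crt mydomain.com` before importing. The `\b` in the grep keeps `DNS:mydomain.com` from matching a longer name such as `DNS:mydomain.com.example`.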
Hi wroot. I was doing some work manually trying to install an SSL certificate. I came to the point where I have to do a chown command to change ownership of the certificates for Openfire to be able to read and use them, but when I did this chown openfire … I got this:
chown: invalid user: 'openfire'
Then I checked the user list:
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
mysql:x:997:995:MySQL server:/var/lib/mysql:/sbin/nologin
I don't see any openfire user. You mentioned that it gets created automatically. What do I do at this point? Thanks!
I've also been trying to install SSL. I have got certbot, which installed a certificate into the server for the FQDN of the server (my.domain.com). I was not able to install one for the XMPP server name (domain.com), because it is pointing to a different IP address (as discussed before). Then I copied those files to the hotdeploy directory and changed their names to the full domain name of the certificate, e.g. my.domain.com.cert and my.domain.com.key,
changed ownership to daemon (I assume this is the user in charge of Openfire, since there is no other user created for Openfire to run as), and chmod them to 400. I got this now:
total 8
-r-------- 1 daemon root 3554 Aug 26 13:10 my.domain.com.cert
-r-------- 1 daemon root 1708 Aug 26 13:09 my.domain.com.key
Nothing got deployed or installed…
I was thinking that maybe that hotdeploy option does not work? Then I copied the .key and .cert contents into the manual 'Import Private Key and Certificate' form on the Openfire administration page, and tried to import that way, and I got:
"There was an error while trying to import the private key and signed certificate. Internal server error: The supplied certificate chain does not cover the domain of this XMPP service. "
What's my next move? I guess this SRV record thing is not really working, if you want to have a certificate that covers the subdomain and the domain name.
Any suggestions?
It is possible that this openfire user doesn't have a password. I haven't tried to log in with it. When doing the chown command use openfire:openfire, as you must also specify a group, as far as I remember.
Can't help with certificates. I only used self-signed ones and never hosted Openfire on the internet. I think the SRV record is only meant to solve networking/DNS issues, but not to make a certificate issued for a different domain work. Unless I misunderstood and you actually have a cert issued for domain.com, which is also your XMPP domain. If so, then maybe someone having more experience can comment on that.