powered by Jive Software

Using letsencrypt certs on Openfire

I’ve already created certs for my apache httpd with certbot and it works. (Chrome says it is trusted)
Now I’ve installed Openfire 4.2.1 on Ubuntu 17.10 and I don’t find any guide to use the same certs with openfire. If I put fullchain.pem and privkey.pem but it doesn’t works…
I tried “Certificate Manager” and pointed apache cert’s dir, but still the certs are not trusted (indeed are still used autocerts)
What can I do to use the same certs as Apache HTTPD?

Does Openfire log any message or the console report anything when you attempt to import the fullchain.pem and privkey.pem ?

Using Certificate Plugin I get this:

2017.12.25 12:10:28 INFO  [pool-2960-thread-1]: org.igniterealtime.openfire.plugins.certificatemanager.DirectoryWatcher - Found a private key file in the hot-deploy directory.
2017.12.25 12:10:28 INFO  [pool-2960-thread-1]: org.igniterealtime.openfire.plugins.certificatemanager.DirectoryWatcher - Found a private key file in the hot-deploy directory.
2017.12.25 12:10:28 INFO  [pool-2960-thread-1]: org.igniterealtime.openfire.plugins.certificatemanager.DirectoryWatcher - Found a private key file in the hot-deploy directory.
2017.12.25 12:10:28 INFO  [pool-2960-thread-1]: org.igniterealtime.openfire.plugins.certificatemanager.DirectoryWatcher - Found a certificate chain file in the hot-deploy directory.
2017.12.25 12:10:28 INFO  [pool-2960-thread-1]: org.igniterealtime.openfire.plugins.certificatemanager.DirectoryWatcher - Found a certificate chain file in the hot-deploy directory.

But it doesn’t install it.

EDIT: I reinstalled open fire, but now if I try to connect over HTTPS my log will print this:

2017.12.25 12:38:18 WARN  [Jetty-QTP-AdminConsole-56]: org.eclipse.jetty.http.HttpParser - Illegal character 0x16 in state=START for buffer HeapByteBuffer@5c264f0[p=1,l=209,c=8192,r=208]={\x16<<<\x03\x01\x00\xCc\x01\x00\x00\xC8\x03\x03\xAd\x94\xD2\xCen\xAa\xE1...\x00\x08\x9a\x9a\x00\x1d\x00\x17\x00\x18\xCa\xCa\x00\x01\x00>>>t/537.36 (KHTML, ...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
2017.12.25 12:38:18 WARN  [Jetty-QTP-AdminConsole-56]: org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x16 for HttpChannelOverHttp@71a7dd05{r=0,c=false,a=IDLE,uri=}
2017.12.25 12:39:42 WARN  [Jetty-QTP-AdminConsole-57]: org.eclipse.jetty.http.HttpParser - Illegal character 0x16 in state=START for buffer HeapByteBuffer@3f04d2ae[p=1,l=209,c=8192,r=208]={\x16<<<\x03\x01\x00\xCc\x01\x00\x00\xC8\x03\x03y\xE6\xFb5\xC3\x83\xB1...\x00\x08\xEa\xEa\x00\x1d\x00\x17\x00\x18::\x00\x01\x00>>>ome/63.0.3239.84 ...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
2017.12.25 12:39:42 WARN  [Jetty-QTP-AdminConsole-57]: org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x16 for HttpChannelOverHttp@41c5ac2e{r=0,c=false,a=IDLE,uri=}
2017.12.25 12:40:02 WARN  [Jetty-QTP-AdminConsole-53]: org.eclipse.jetty.http.HttpParser - Illegal character 0x16 in state=START for buffer HeapByteBuffer@35fcb9de[p=1,l=209,c=8192,r=208]={\x16<<<\x03\x01\x00\xCc\x01\x00\x00\xC8\x03\x03\xDe\xF1\x9cY\xD2&"...\x00\x08\xFa\xFa\x00\x1d\x00\x17\x00\x18ZZ\x00\x01\x00>>>t/537.36 (KHTML, ...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
2017.12.25 12:40:02 WARN  [Jetty-QTP-AdminConsole-53]: org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x16 for HttpChannelOverHttp@50e42d0b{r=0,c=false,a=IDLE,uri=}
2017.12.25 12:40:04 WARN  [Jetty-QTP-AdminConsole-57]: org.eclipse.jetty.http.HttpParser - Illegal character 0x16 in state=START for buffer HeapByteBuffer@35fcb9de[p=1,l=209,c=8192,r=208]={\x16<<<\x03\x01\x00\xCc\x01\x00\x00\xC8\x03\x03\x07=2[\xDe\xAf\x00...\x00\x08::\x00\x1d\x00\x17\x00\x18ZZ\x00\x01\x00>>>t/537.36 (KHTML, ...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
2017.12.25 12:40:04 WARN  [Jetty-QTP-AdminConsole-57]: org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x16 for HttpChannelOverHttp@4ec0749d{r=0,c=false,a=IDLE,uri=}

EDIT2:
I’ve imported manually the certs using priv.pem and certs.pem from admin console. Now it works. So now I need to do it manually each time my certs will change!

you might add something like the following to the certbot post hook:

sudo -u openfire keytool -importkeystore -deststorepass xxx -destkeypass xxx -destkeystore /etc/openfire/security/keystore -srckeystore /etc/letsencrypt/live/jddd.tld/fullchain.pks12 -srcstoretype PKCS12 -srcstorepass xxx -alias jddd.tld -noprompt
service openfire stop
service openfire start

Nice! It worked, with an edit to it I managed to import my certs in openfire, now I can add a background task to import it after letsencrypt update!

Hi Jorg,

I’ve never used keytool, I also have a valid let’s encrypt certificate, but I don’t know how to replace the xxx on the command you’ve suggested, and in my /etc/letsencrypt/live/mydomain.com/ I have no *.pks12 file, but a fullchain1.pem, how should I use keytool command or where is de doc for this command.

Thank you.

Don’t worry I found this article https://www.voztovoice.org/?q=node/1551, all was left for me was to delete the self signed files.

Thanks.

Hi all

I just spent all day figuring out how to fully automate this with Let’s Encrypt.
It seems easy enough to get the fullchain.pem to import, but the privkey.pem is the problem.

I finally found a solution to it, and this is the script to do it on my Fedora system,
adapt dirs etc to your needs/system.
Put this script into /etc/letsencrypt/renewal-hooks/deploy

openssl pkcs12 -export -passout pass:changeit -in /etc/letsencrypt/live/<your-hostname>/fullchain.pem -inkey /etc/letsencrypt/live/<your-hostname>/privkey.pem -name <your-hostname> -out cert.p12 
keytool -delete -keystore /opt/openfire/resources/security/keystore -alias <your-hostname> -storepass changeit -noprompt
keytool -importkeystore -deststorepass changeit -srcstorepass changeit -destkeystore /opt/openfire/resources/security/keystore -srckeystore cert.p12 -srcstoretype PKCS12 -deststoretype pkcs12
systemctl stop openfire 
systemctl start openfire

Do rename your previous KEYSTORE file before the first time you run this
(/opt/openfire/resources/security/keystore) here.

1 Like

There is a new Certificate Manager plugin for Openfire, which lets install new certificate automatically (without restarting Openfire) https://www.igniterealtime.org/projects/openfire/plugins/certificatemanager/readme.html

A post was split to a new topic: Exception in keytool with Let’s encrypt fullchain