
Using letsencrypt certs on Openfire


#1

I’ve already created certs for my apache httpd with certbot and it works. (Chrome says it is trusted)
Now I’ve installed Openfire 4.2.1 on Ubuntu 17.10 and I can’t find any guide on using the same certs with Openfire. If I put in fullchain.pem and privkey.pem, it doesn’t work…
I tried “Certificate Manager” and pointed it at Apache’s cert dir, but the certs are still not trusted (indeed, the auto-generated certs are still being used).
What can I do to use the same certs as Apache HTTPD?


#2

Does Openfire log any message or the console report anything when you attempt to import the fullchain.pem and privkey.pem ?


#3

Using the Certificate plugin I get this:

2017.12.25 12:10:28 INFO  [pool-2960-thread-1]: org.igniterealtime.openfire.plugins.certificatemanager.DirectoryWatcher - Found a private key file in the hot-deploy directory.
2017.12.25 12:10:28 INFO  [pool-2960-thread-1]: org.igniterealtime.openfire.plugins.certificatemanager.DirectoryWatcher - Found a private key file in the hot-deploy directory.
2017.12.25 12:10:28 INFO  [pool-2960-thread-1]: org.igniterealtime.openfire.plugins.certificatemanager.DirectoryWatcher - Found a private key file in the hot-deploy directory.
2017.12.25 12:10:28 INFO  [pool-2960-thread-1]: org.igniterealtime.openfire.plugins.certificatemanager.DirectoryWatcher - Found a certificate chain file in the hot-deploy directory.
2017.12.25 12:10:28 INFO  [pool-2960-thread-1]: org.igniterealtime.openfire.plugins.certificatemanager.DirectoryWatcher - Found a certificate chain file in the hot-deploy directory.

But it doesn’t install it.

EDIT: I reinstalled Openfire, but now if I try to connect over HTTPS my log prints this:

2017.12.25 12:38:18 WARN  [Jetty-QTP-AdminConsole-56]: org.eclipse.jetty.http.HttpParser - Illegal character 0x16 in state=START for buffer HeapByteBuffer@5c264f0[p=1,l=209,c=8192,r=208]={\x16<<<\x03\x01\x00\xCc\x01\x00\x00\xC8\x03\x03\xAd\x94\xD2\xCen\xAa\xE1...\x00\x08\x9a\x9a\x00\x1d\x00\x17\x00\x18\xCa\xCa\x00\x01\x00>>>t/537.36 (KHTML, ...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
2017.12.25 12:38:18 WARN  [Jetty-QTP-AdminConsole-56]: org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x16 for HttpChannelOverHttp@71a7dd05{r=0,c=false,a=IDLE,uri=}
2017.12.25 12:39:42 WARN  [Jetty-QTP-AdminConsole-57]: org.eclipse.jetty.http.HttpParser - Illegal character 0x16 in state=START for buffer HeapByteBuffer@3f04d2ae[p=1,l=209,c=8192,r=208]={\x16<<<\x03\x01\x00\xCc\x01\x00\x00\xC8\x03\x03y\xE6\xFb5\xC3\x83\xB1...\x00\x08\xEa\xEa\x00\x1d\x00\x17\x00\x18::\x00\x01\x00>>>ome/63.0.3239.84 ...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
2017.12.25 12:39:42 WARN  [Jetty-QTP-AdminConsole-57]: org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x16 for HttpChannelOverHttp@41c5ac2e{r=0,c=false,a=IDLE,uri=}
2017.12.25 12:40:02 WARN  [Jetty-QTP-AdminConsole-53]: org.eclipse.jetty.http.HttpParser - Illegal character 0x16 in state=START for buffer HeapByteBuffer@35fcb9de[p=1,l=209,c=8192,r=208]={\x16<<<\x03\x01\x00\xCc\x01\x00\x00\xC8\x03\x03\xDe\xF1\x9cY\xD2&"...\x00\x08\xFa\xFa\x00\x1d\x00\x17\x00\x18ZZ\x00\x01\x00>>>t/537.36 (KHTML, ...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
2017.12.25 12:40:02 WARN  [Jetty-QTP-AdminConsole-53]: org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x16 for HttpChannelOverHttp@50e42d0b{r=0,c=false,a=IDLE,uri=}
2017.12.25 12:40:04 WARN  [Jetty-QTP-AdminConsole-57]: org.eclipse.jetty.http.HttpParser - Illegal character 0x16 in state=START for buffer HeapByteBuffer@35fcb9de[p=1,l=209,c=8192,r=208]={\x16<<<\x03\x01\x00\xCc\x01\x00\x00\xC8\x03\x03\x07=2[\xDe\xAf\x00...\x00\x08::\x00\x1d\x00\x17\x00\x18ZZ\x00\x01\x00>>>t/537.36 (KHTML, ...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
2017.12.25 12:40:04 WARN  [Jetty-QTP-AdminConsole-57]: org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x16 for HttpChannelOverHttp@4ec0749d{r=0,c=false,a=IDLE,uri=}

EDIT2:
I’ve manually imported the certs using priv.pem and certs.pem from the admin console. Now it works. So now I need to do it manually each time my certs change!
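The bytes Jetty complains about in the log above (\x16 \x03 \x01 followed by \x01) are a TLS record of type 22 (handshake), version 3.1, carrying a ClientHello: the browser spoke HTTPS to a listener that expects plain HTTP, which is why the admin console answers 400. As an added example (not code from the thread or from Openfire), this small script classifies such warnings in an Openfire log so the pattern can be spotted rather than misread as a certificate problem. The sample log lines are constructed from the ones posted above; the port numbers mentioned in the comments are Openfire's defaults.

```shell
#!/bin/sh
# Added example: classify Jetty "Illegal character" warnings found in Openfire's log.
# A request whose first bytes are 0x16 0x03 0x01 ... 0x01 is a TLS ClientHello: the client
# used HTTPS against a listener that expects plain HTTP (e.g. the admin console's HTTP port).

# Constructed sample lines modelled on the warnings posted above (one TLS hello, one other binary
# junk, one unrelated INFO line).
SAMPLE_LOG='2017.12.25 12:38:18 WARN  [Jetty-QTP-AdminConsole-56]: org.eclipse.jetty.http.HttpParser - Illegal character 0x16 in state=START for buffer HeapByteBuffer@5c264f0[p=1,l=209,c=8192,r=208]={\x16<<<\x03\x01\x00\xCc\x01\x00...}
2017.12.25 12:38:18 WARN  [Jetty-QTP-AdminConsole-56]: org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x16 for HttpChannelOverHttp@71a7dd05{r=0,c=false,a=IDLE,uri=}
2017.12.25 12:41:00 WARN  [Jetty-QTP-AdminConsole-57]: org.eclipse.jetty.http.HttpParser - Illegal character 0x00 in state=START for buffer HeapByteBuffer@3f04d2ae[p=1,l=4,c=8192,r=3]={\x00<<<\x00\x00\x00>>>}
2017.12.25 12:42:00 INFO  [Jetty-QTP-AdminConsole-57]: org.jivesoftware.openfire.container.AdminConsolePlugin - Admin console listening at http://chat.example.org:9090'

# Read log lines on stdin; print "timestamp thread verdict" for every HttpParser
# "Illegal character" warning (the follow-up "badMessage: 400" line is deliberately skipped).
classify_illegal_chars() {
    awk '
      /HttpParser - Illegal character/ {
        ts = $1 " " $2
        thread = $4; gsub(/\[|\]|:/, "", thread)
        verdict = "unknown-binary"
        # TLS record header: content type 0x16 (handshake), version 0x03 0x01
        if (index($0, "={\\x16<<<\\x03\\x01") > 0) verdict = "tls-client-hello-on-plaintext-port"
        print ts, thread, verdict
      }'
}

# Count only the TLS-on-plaintext events. A steady stream of them usually means a bookmark or a
# reverse proxy points at the admin console HTTP port (9090 by default) instead of the HTTPS port (9091).
count_tls_on_plaintext() {
    classify_illegal_chars | grep -c 'tls-client-hello-on-plaintext-port'
}

# Usage: ./classify.sh /opt/openfire/logs/openfire.log   (no argument: define functions only)
if [ $# -gt 0 ]; then
    classify_illegal_chars < "$1"
fi
```

Run it against the real log file with `./classify.sh /opt/openfire/logs/openfire.log`; a verdict of tls-client-hello-on-plaintext-port means the fix is on the client side (use the HTTPS port), not in the keystore.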


#4

You might add something like the following to the certbot post hook:

# Assumes the Let's Encrypt key and chain were first bundled into a PKCS12 file (e.g. with "openssl pkcs12 -export"); certbot itself only writes .pem files.
# Replace xxx with the keystore/key password (Openfire's default is "changeit") and jddd.tld with your hostname.
sudo -u openfire keytool -importkeystore -deststorepass xxx -destkeypass xxx -destkeystore /etc/openfire/security/keystore -srckeystore /etc/letsencrypt/live/jddd.tld/fullchain.pks12 -srcstoretype PKCS12 -srcstorepass xxx -alias jddd.tld -noprompt
service openfire stop
service openfire start

#5

Nice! It worked; with an edit to it I managed to import my certs into Openfire, and now I can add a background task to import them after each Let’s Encrypt update!


#6

Hi Jorg,

I’ve never used keytool. I also have a valid Let’s Encrypt certificate, but I don’t know how to replace the xxx in the command you suggested, and in my /etc/letsencrypt/live/mydomain.com/ I have no *.pks12 file, only a fullchain1.pem. How should I use the keytool command, or where is the doc for this command?

Thank you.


#7

Don’t worry, I found this article https://www.voztovoice.org/?q=node/1551; all that was left for me was to delete the self-signed files.

Thanks.


#8

Hi all

I just spent all day figuring out how to fully automate this with Let’s Encrypt.
It seems easy enough to get the fullchain.pem to import, but the privkey.pem is the problem.

I finally found a solution to it, and this is the script that does it on my Fedora system;
adapt dirs etc. to your needs/system.
Put this script into /etc/letsencrypt/renewal-hooks/deploy

#!/bin/sh
set -e
H="<your-hostname>"   # the certificate's hostname, i.e. the directory name under /etc/letsencrypt/live
P12=$(mktemp)         # PKCS12 bundle holding the private key: created mode 0600 by mktemp, deleted below
openssl pkcs12 -export -passout pass:changeit -in /etc/letsencrypt/live/$H/fullchain.pem -inkey /etc/letsencrypt/live/$H/privkey.pem -name $H -out "$P12"
keytool -delete -keystore /opt/openfire/resources/security/keystore -alias $H -storepass changeit -noprompt || true   # alias does not exist yet on the first run
keytool -importkeystore -deststorepass changeit -srcstorepass changeit -destkeystore /opt/openfire/resources/security/keystore -srckeystore "$P12" -srcstoretype PKCS12 -deststoretype pkcs12
rm -f "$P12"
systemctl stop openfire
systemctl start openfire

Do rename your previous KEYSTORE file (/opt/openfire/resources/security/keystore) before the first time you run this.
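Posts #4 and #8 between them describe the whole procedure: bundle the Let's Encrypt key and chain into a PKCS12 file, import it into Openfire's keystore with the key password equal to the store password, and restart. The script below is an added example of a complete certbot deploy hook doing that; it is not the script posted above and not code from the Openfire project. Beyond the posted steps it keeps the PKCS12 bundle in a 0600 temp file that is always removed, and it refuses to restart Openfire unless the fingerprint of the keystore entry matches the certificate certbot just issued, so a silently failed import cannot leave the old certificate in service unnoticed. Assumptions: Openfire installed under /opt/openfire and running as the user openfire, the default keystore password changeit, a systemd unit named openfire, and certbot's behaviour of passing the renewed lineage directory to deploy hooks in RENEWED_LINEAGE. The keystore path and password can be overridden through the OPENFIRE_KEYSTORE and OPENFIRE_STOREPASS variables (names chosen for this example).

```shell
#!/bin/sh
# certbot deploy hook (added example, not the thread's script): re-import a renewed Let's Encrypt
# certificate into Openfire's keystore, verify the import, then restart Openfire.
# Assumptions: Openfire under /opt/openfire running as user "openfire", keystore password "changeit"
# (Openfire's default), a systemd unit named "openfire". Override the first two via environment.
set -eu

KEYSTORE=${OPENFIRE_KEYSTORE:-/opt/openfire/resources/security/keystore}
STOREPASS=${OPENFIRE_STOREPASS:-changeit}

# certbot passes the renewed lineage directory (e.g. /etc/letsencrypt/live/chat.example.org) to
# deploy hooks in RENEWED_LINEAGE; its basename is the certificate's primary name and is used as
# the keystore alias.
lineage_alias() {
    basename "$1"
}

# SHA-256 fingerprint of the certificate in a PEM file, in keytool's AA:BB:... notation.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Extract the leaf's SHA-256 fingerprint from "keytool -list -v" output: Certificate[1] is listed
# first, so the first "SHA256:" line belongs to the leaf, not to an intermediate.
fingerprint_from_listing() {
    awk '/SHA256:/ { print $2; exit }'
}

keystore_fingerprint() {
    keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$1" 2>/dev/null \
        | fingerprint_from_listing
}

import_cert() {
    lineage=$1
    alias=$(lineage_alias "$lineage")
    # The PKCS12 bundle contains the private key: mktemp creates it mode 0600, the trap removes it.
    p12=$(mktemp)
    trap 'rm -f "$p12"' EXIT
    openssl pkcs12 -export -passout "pass:$STOREPASS" -in "$lineage/fullchain.pem" \
        -inkey "$lineage/privkey.pem" -name "$alias" -out "$p12"
    # Openfire opens key entries with the store password, so the key password must equal it;
    # -noprompt overwrites an existing entry under the same alias.
    keytool -importkeystore -noprompt -srckeystore "$p12" -srcstoretype PKCS12 \
        -srcstorepass "$STOREPASS" -srcalias "$alias" -destalias "$alias" \
        -destkeystore "$KEYSTORE" -deststorepass "$STOREPASS" -destkeypass "$STOREPASS"
    chown openfire:openfire "$KEYSTORE"   # assumed service account
    # Refuse to restart unless the keystore now holds exactly the certificate certbot just issued.
    want=$(pem_fingerprint "$lineage/cert.pem")
    got=$(keystore_fingerprint "$alias")
    if [ "$want" != "$got" ]; then
        echo "keystore entry $alias has fingerprint '$got', expected '$want'" >&2
        return 1
    fi
    systemctl restart openfire
}

# Run when certbot invokes us (RENEWED_LINEAGE set) or when a lineage directory is given by hand,
# e.g. ./openfire-deploy.sh /etc/letsencrypt/live/chat.example.org
if [ -n "${RENEWED_LINEAGE:-}" ] || [ $# -gt 0 ]; then
    import_cert "${RENEWED_LINEAGE:-$1}"
fi
```

Install it executable in /etc/letsencrypt/renewal-hooks/deploy/ and certbot runs it only after a successful renewal, so Openfire is never restarted on a renewal that did not produce a new certificate.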


#10

There is a new Certificate Manager plugin for Openfire, which lets you install a new certificate automatically (without restarting Openfire): https://www.igniterealtime.org/projects/openfire/plugins/certificatemanager/readme.html