Looking for some help/docs on installing a certificate on Openfire & Windows. I had this working, and our cert expired, and now I can't seem to get it to work with the new cert. The cert is a wildcard, but I get an error of "Certificate hostname verification failed." I think we had this on Linux and then migrated to Windows at the CTO's request.
Hi John,
Generally speaking, the certificate that is used for Openfire needs to be valid for a wide range of domains:
- The network name of the server that is running Openfire (the Fully Qualified Domain Name), e.g. myserver.example.org
- The XMPP domain that is configured in Openfire, for example example.org
- A selection of subdomains for the XMPP domain (typically including conference.example.org and pubsub.example.org, but this may vary depending on configuration).
What often works best is to have Openfire installed on a server that uses a hostname that 'visually' is a subdomain of the XMPP domain name (the two worlds don't really combine, but it is convenient in the sense that the certificate subject names apply to both). You typically do that by having a wildcard certificate that's valid for the domain example.org and has a wildcard for its subdomains (*.example.org).
I hope this helps!
That's what we have: a wildcard from GoDaddy. Our last one expired, so it had to be replaced. I used keytool to import it and it shows up, but I'm still getting the same error on login using example.org; if I use myserver.example.org it works, but it is of course using the self-signed cert. Is it as simple as deleting the new self-signed cert and restarting Openfire?
Before you delete anything, make full backups of the stores.
Some versions of Java are particularly annoying when there are multiple certificates for the same domain present. If you have both a self-signed one and a CA-provided one, there’s no telling which one may be used. Removing the one that you do not want to see in use is considered good practice.
Awesome, just to be clear:
The self-signed one is for myserver.example.org and the CA-provided one is for *.example.org.
I would assume I can just copy each of the C:\Program Files\Openfire\resources\security\* files in Windows to another directory? What is the process to restore a backup? Just put those back and restart Openfire?
Openfire will generate a self-signed certificate for the XMPP domain name. If you say that you have a self-signed certificate for myserver.example.org, then that suggests that your XMPP domain name is myserver.example.org (not example.org).
What is your XMPP domain name, and what is the fully qualified network name of the server that Openfire is running on (you’ll find both on the home page of the admin console)?
Yes - copy all of the 'resources' directory for good measure.
You should be able to use a wildcard cert without issue. I've used one multiple times. I don't recall having issues.
Ah, yes, my XMPP domain is myserver.example.org, but it was previously example.org before my cert expired. I didn't change it. Is it possible that it defaulted to the machine FQDN after I deleted the expired cert? Users have always been able to use example.org for the domain. I thought that was because of my DNS service record, _xmpp-client._tcp pointing to myserver.example.org, that made just example.org work; am I wrong?
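The two questions in this thread (which names the certificate must cover, and what the _xmpp-client._tcp SRV record does and does not do) can be checked mechanically. The following script is an added example, not code from the thread, from Openfire or from any of the posters; every domain name, SAN list and DNS record in it is a constructed sample value. It applies the standard TLS wildcard rule (RFC 6125: a leading '*' matches exactly one label) to the names the reply above says Openfire needs, and it models what an XMPP client does with an SRV record: it connects to the SRV target but still verifies the certificate against the XMPP domain the user typed (RFC 6120 section 13.7.2.1), which is why the SRV record alone cannot make a certificate for myserver.example.org work for user@example.org.

```python
# Added example (not from the thread, Openfire, or any poster): which names an
# Openfire certificate must cover, whether a set of SAN entries covers them,
# and what an XMPP client does with an _xmpp-client._tcp SRV record.
# All domain names, SAN lists and DNS records below are constructed samples.


def wildcard_matches(san: str, hostname: str) -> bool:
    """True if a SAN dNSName entry covers hostname.

    Standard TLS rule (RFC 6125): '*' may only be the whole left-most label
    and matches exactly one label, so '*.example.org' covers
    'conference.example.org' but neither 'example.org' itself nor
    'a.b.example.org'.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    san_labels = san.split(".")[1:]
    host_labels = hostname.split(".")
    return (len(host_labels) == len(san_labels) + 1
            and host_labels[0] != ""
            and host_labels[1:] == san_labels)


def required_names(xmpp_domain, server_fqdn, subdomains=("conference", "pubsub")):
    """Names the Openfire certificate has to be valid for, as listed in the reply above."""
    names = [server_fqdn, xmpp_domain] + [f"{s}.{xmpp_domain}" for s in subdomains]
    seen, unique = set(), []
    for n in names:
        if n.lower() not in seen:
            seen.add(n.lower())
            unique.append(n)
    return unique


def uncovered_names(sans, xmpp_domain, server_fqdn, subdomains=("conference", "pubsub")):
    """Required names that no SAN entry covers (an empty list means the cert is fine)."""
    return [n for n in required_names(xmpp_domain, server_fqdn, subdomains)
            if not any(wildcard_matches(s, n) for s in sans)]


def srv_target(zone_lines, xmpp_domain, service="_xmpp-client._tcp"):
    """Pick the SRV target for service.xmpp_domain from zone-file style lines.

    Lowest priority wins; among equal priorities the highest weight is taken
    (a real resolver picks weighted-randomly). Returns (target, port), or
    None when no matching record exists.
    """
    owner = f"{service}.{xmpp_domain}".lower().rstrip(".")
    best = None
    for line in zone_lines:
        fields = line.split()
        # Record layout: owner [ttl] [IN] SRV priority weight port target
        if "SRV" not in fields or fields[0].lower().rstrip(".") != owner:
            continue
        i = fields.index("SRV")
        priority, weight, port = (int(x) for x in fields[i + 1:i + 4])
        target = fields[i + 4].rstrip(".")
        key = (priority, -weight)
        if best is None or key < best[0]:
            best = (key, target, port)
    return None if best is None else (best[1], best[2])


def plan_connection(zone_lines, xmpp_domain):
    """What a client does when a user logs in with a JID at xmpp_domain.

    It connects to the SRV target (or the domain itself on 5222 if there is
    no SRV record), but the certificate it receives must be valid for the
    XMPP domain the user typed, not for the SRV target (RFC 6120 s.13.7.2.1).
    """
    srv = srv_target(zone_lines, xmpp_domain)
    host, port = srv if srv else (xmpp_domain, 5222)
    return {"connect_host": host, "port": port, "verify_name": xmpp_domain}


# Constructed sample data, not the thread's real deployment.
SAMPLE_ZONE = [
    "_xmpp-client._tcp.example.org. 3600 IN SRV 0 5 5222 myserver.example.org.",
    "_xmpp-server._tcp.example.org. 3600 IN SRV 0 5 5269 myserver.example.org.",
]
WILDCARD_ONLY = ["*.example.org"]
WILDCARD_PLUS_APEX = ["example.org", "*.example.org"]

if __name__ == "__main__":
    print(plan_connection(SAMPLE_ZONE, "example.org"))
    print("missing with wildcard only:",
          uncovered_names(WILDCARD_ONLY, "example.org", "myserver.example.org"))
    print("missing with apex name added:",
          uncovered_names(WILDCARD_PLUS_APEX, "example.org", "myserver.example.org"))
```

Running it shows the point of the reply above: a certificate whose only SAN is *.example.org leaves example.org itself uncovered, so a login with an example.org JID fails hostname verification even though the SRV record sends the client to myserver.example.org; adding the apex name (or keeping the XMPP domain at example.org and getting a cert that lists it) clears the list.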
The XMPP domain name that is configured in Openfire is typically never modified. Doing so would make every XMPP address invalid (which is mostly a problem when you use federation). Have you re-installed the server? I think you can configure the XMPP domain in openfire.xml - but as I said, this really shouldn't be changed on a server once it has seen use. Proceed carefully.