WIP: deploy certificate to Openfire
Changes Planned, Public

Authored by dereckson on Jan 1 2019, 21:55.


Diff Detail

rOPS Nasqueron Operations
Lint OK
No Unit Test Coverage
deploy-certificates (branched from master)
Build Status
Buildable 3219
Build 3468: arc lint + arc unit

Event Timeline

dereckson requested review of this revision. Jan 1 2019, 21:55
dereckson created this revision.
dereckson updated this revision to Diff 5211. Apr 23 2019, 18:22


dereckson updated this revision to Diff 5212. May 5 2019, 10:37

Let's continue the propagation

dereckson planned changes to this revision. Jan 15 2020, 11:41
dereckson added inline comments.

Unused, see online line 66

The certificate manager plugin allows the use of hot deployment for certificates.

Copy the certificate and key to /srv/openfire/conf/security/hotdeploy and it should be handled live.

To fix permissions, chown -R 101:101, but that's not needed as LE certificates use 644 and not 600.

$ cd /srv/openfire/conf/security/hotdeploy
$ cp /srv/letsencrypt/etc/live/ .
$ cp /srv/letsencrypt/etc/live/ .

That triggers the following issue:

13:33:07.270 [pool-8-thread-1] INFO  org.jivesoftware.openfire.keystore.IdentityStore - The supplied certificate chain does not cover the domain of this XMPP service (''). Instead, it covers [, xmpp.nas]
13:33:07.270 [pool-8-thread-1] WARN  org.igniterealtime.openfire.plugins.certificatemanager.DirectoryWatcher - Unable to hot-deploy certificate and private key.
org.jivesoftware.openfire.keystore.CertificateStoreConfigException: The supplied certificate chain does not cover the domain of this XMPP service.
        at org.jivesoftware.openfire.keystore.IdentityStore.replaceCertificate( ~[xmppserver-4.5.1.jar:4.5.1]
        at org.igniterealtime.openfire.plugins.certificatemanager.DirectoryWatcher$ [certificatemanager-1.1.0.jar!/:?]
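
A pre-flight check for the hot-deploy steps above, as an added example that is not part of this revision or of Openfire: it compares a certificate's DNS subjectAltName entries with the XMPP domain before anything is copied to hotdeploy. The function names, the example.org names and the one-label wildcard rule are assumptions, and only DNS entries are considered.

```shell
#!/bin/sh
# Added example, not from the revision. example.org names are constructed.

# lower NAME: print NAME lower-cased, without a trailing dot.
lower() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# san_covers DOMAIN NAME...: succeed if DOMAIN equals a NAME, or matches a
# NAME of the form *.parent with the wildcard standing for exactly one label
# (assumed matching rule; only DNS names are considered).
san_covers() {
    domain=$(lower "$1"); shift
    [ -n "$domain" ] || return 1          # an empty XMPP domain never matches
    for name in "$@"; do
        name=$(lower "$name")
        [ "$name" = "$domain" ] && return 0
        case "$name" in
            \*.*)
                parent=${name#??}         # strip the leading "*."
                rest=${domain#*.}         # DOMAIN without its first label
                [ "$rest" != "$domain" ] && [ "$rest" = "$parent" ] && return 0
                ;;
        esac
    done
    return 1
}

# cert_sans FILE: print the DNS subjectAltName entries of the first
# certificate in FILE, one per line (-ext needs OpenSSL 1.1.1 or later).
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# check_hotdeploy DOMAIN CERT: say whether CERT covers the XMPP domain.
check_hotdeploy() {
    sans=$(cert_sans "$2")
    set -f    # keep an entry such as *.example.org from being globbed
    # shellcheck disable=SC2086
    if san_covers "$1" $sans; then rc=0; else rc=1; fi
    set +f
    [ "$rc" -eq 0 ] && echo "ok: $2 covers $1" && return 0
    echo "refuse: $2 does not cover $1" >&2
    return 1
}

# Usage: script XMPP_DOMAIN CERT_FILE
if [ "$#" -eq 2 ]; then check_hotdeploy "$1" "$2"; fi
```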