
WIP: deploy certificate to Openfire
Changes Planned, Public

Authored by dereckson on Jan 1 2019, 21:55.

Details

Diff Detail

Repository: rOPS Nasqueron Operations
Lint: Lint OK
Unit: No Unit Test Coverage
Branch: deploy-certificates (branched from master)
Build Status: Buildable 3219, Build 3468: arc lint + arc unit

Event Timeline

dereckson created this revision.

Let's continue the propagation

dereckson added inline comments.

_modules/paas_docker.py, line 56:

Unused, see on line 66

The certificate manager plugin allows using hot deployment for certificates.

Copy the certificate and key to /srv/openfire/conf/security/hotdeploy and it should be handled live.

To fix permissions, chown -R 101:101, but that's not needed as LE certificates use 644 and not 600.

$ cd /srv/openfire/conf/security/hotdeploy
$ cp /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem .
$ cp /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem .

That triggers the following issue:

13:33:07.270 [pool-8-thread-1] INFO  org.jivesoftware.openfire.keystore.IdentityStore - The supplied certificate chain does not cover the domain of this XMPP service ('nasqueron.org'). Instead, it covers [conference.nasqueron.org, xmpp.nasqueron.org]
13:33:07.270 [pool-8-thread-1] WARN  org.igniterealtime.openfire.plugins.certificatemanager.DirectoryWatcher - Unable to hot-deploy certificate and private key.
org.jivesoftware.openfire.keystore.CertificateStoreConfigException: The supplied certificate chain does not cover the domain of this XMPP service.
        at org.jivesoftware.openfire.keystore.IdentityStore.replaceCertificate(IdentityStore.java:263) ~[xmppserver-4.5.1.jar:4.5.1]
        at org.igniterealtime.openfire.plugins.certificatemanager.DirectoryWatcher$1.run(DirectoryWatcher.java:190) [certificatemanager-1.1.0.jar!/:?]
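A pre-flight check, added here as an example and not part of this revision or of the Openfire certificate manager plugin: it reads the subjectAltName entries of fullchain.pem and verifies they cover the XMPP service domain (here nasqueron.org) before the files are copied into hotdeploy, so the rejection shown in the log above is caught on the deploying host instead of by the DirectoryWatcher. It assumes the openssl CLI and its `-text` output layout; the function names and the constructed SAN strings in the comments are my own.

```shell
#!/bin/sh
# Added example (not from the revision): check that a certificate's SANs
# cover the XMPP service domain before hot-deploying it to Openfire.

# san_covers_domain SAN_LIST DOMAIN
# SAN_LIST is the subjectAltName line as printed by `openssl x509 -text`,
# e.g. "DNS:conference.nasqueron.org, DNS:xmpp.nasqueron.org" (constructed).
# Returns 0 when DOMAIN is listed exactly or matched by a single-label
# wildcard entry (*.parent), 1 otherwise.
san_covers_domain() {
    san_list=$1
    domain=$2
    # Parent of the domain, used for wildcard matching. For a bare domain
    # such as nasqueron.org, ${domain#*.} yields the domain itself; the
    # extra test below then keeps "*.nasqueron.org" from matching it.
    parent=${domain#*.}
    old_ifs=$IFS
    IFS=','
    for entry in $san_list; do
        # Strip surrounding whitespace and the "DNS:" prefix.
        name=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/^DNS://')
        case "$name" in
            "$domain")
                IFS=$old_ifs; return 0 ;;
            "*.$parent")
                if [ "$parent" != "$domain" ]; then IFS=$old_ifs; return 0; fi ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# cert_covers_domain CERT_FILE DOMAIN
# Extracts the SAN line with openssl (the line following the
# "Subject Alternative Name" header) and delegates to san_covers_domain.
cert_covers_domain() {
    sans=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1)
    san_covers_domain "$sans" "$2"
}

# Usage before the cp into hotdeploy (paths from the revision):
# cert_covers_domain /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem nasqueron.org \
#   || { echo "certificate does not cover nasqueron.org; Openfire will reject it" >&2; exit 1; }
```

With the chain from the log above, the check fails for nasqueron.org and passes for xmpp.nasqueron.org, which is exactly what the IdentityStore reported.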