
WIP: deploy certificate to Openfire
ClosedPublic

Authored by dereckson on Jan 1 2019, 21:55.

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

dereckson created this revision.

Let's continue the propagation

dereckson added inline comments.
_modules/paas_docker.py
56 ↗(On Diff #5212)

Unused, see on line 66

The certificate manager plugin allows hot deployment of certificates.

Copy certificate and key to /srv/openfire/conf/security/hotdeploy and it should be handled in live.

To fix permissions, chown -R 101:101, but that's not needed as LE certificates use 644 and not 600.

$ cd /srv/openfire/conf/security/hotdeploy
$ cp /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem .
$ cp /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem .

That triggers the following issue:

13:33:07.270 [pool-8-thread-1] INFO  org.jivesoftware.openfire.keystore.IdentityStore - The supplied certificate chain does not cover the domain of this XMPP service ('nasqueron.org'). Instead, it covers [conference.nasqueron.org, xmpp.nasqueron.org]
13:33:07.270 [pool-8-thread-1] WARN  org.igniterealtime.openfire.plugins.certificatemanager.DirectoryWatcher - Unable to hot-deploy certificate and private key.
org.jivesoftware.openfire.keystore.CertificateStoreConfigException: The supplied certificate chain does not cover the domain of this XMPP service.
        at org.jivesoftware.openfire.keystore.IdentityStore.replaceCertificate(IdentityStore.java:263) ~[xmppserver-4.5.1.jar:4.5.1]
        at org.igniterealtime.openfire.plugins.certificatemanager.DirectoryWatcher$1.run(DirectoryWatcher.java:190) [certificatemanager-1.1.0.jar!/:?]

Nowadays, we have a correct certificate with all the domains, renewed by DNS (xmpp.nasqueron.org nasqueron.org conference.nasqueron.org).

After a test of the script commands, the certificate has been correctly imported:

The instance is configured to use other subdomains:

21:50:15.475 [Jetty-QTP-AdminConsole-65153] INFO  org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'xmpp.nasqueron.org' is missing DNS identity 'search.nasqueron.org'.
21:50:15.475 [Jetty-QTP-AdminConsole-65153] INFO  org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'xmpp.nasqueron.org' is missing DNS identity 'httpfileupload.nasqueron.org'.
21:50:15.475 [Jetty-QTP-AdminConsole-65153] INFO  org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'xmpp.nasqueron.org' is missing DNS identity 'pubsub.nasqueron.org'.
21:50:15.475 [Jetty-QTP-AdminConsole-65153] INFO  org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'xmpp.nasqueron.org' is missing DNS identity 'proxy.nasqueron.org'.

The previous certificate is still there and it's not clear if the services have been restarted or not, as the warning hints they haven't been but logs show something was reloaded:

21:46:49.801 [pool-2-thread-1] INFO  org.jivesoftware.openfire.keystore.CertificateStoreWatcher - A file system change was detected. A(nother) certificate store that is backed by file '/usr/share/openfire/resources/security/keystore' will be reloaded.
21:46:49.805 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.ConnectionListener[socket_c2s] - Reconfigured.
21:46:49.812 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.ConnectionListener[socket_c2s-legacyMode] - Reconfigured.
21:46:49.815 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.ConnectionListener[socket_s2s] - Reconfigured.
21:46:49.819 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.ConnectionListener[socket_s2s-legacyMode] - Reconfigured.
21:46:49.822 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.ConnectionListener[component] - Reconfigured.
21:46:49.824 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.ConnectionListener[component-legacyMode] - Reconfigured.
21:46:49.826 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.ConnectionListener[connection_manager] - Reconfigured.
21:46:49.828 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.ConnectionListener[connection_manager-legacyMode] - Reconfigured.
21:46:49.897 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Stopped o.e.j.w.WebAppContext@6f65eeee{/monitoring,null,STOPPED}{/usr/share/openfire/plugins/monitoring/classes/}
21:46:49.899 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Stopped o.e.j.w.WebAppContext@24bf9af2{/httpfileupload,null,STOPPED}{/usr/share/openfire/plugins/httpfileupload/classes}
21:46:49.900 [pool-2-thread-1] INFO  org.jivesoftware.openfire.http.HttpSessionManager - Stopping instance
21:46:49.900 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Stopped o.e.j.s.ServletContextHandler@1523e81e{/http-bind,null,STOPPED}
21:46:49.902 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Stopped o.e.j.s.ServletContextHandler@79f6e93f{/ws,null,STOPPED}
21:46:49.902 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Stopped o.e.j.s.ServletContextHandler@18183c5c{/crossdomain.xml,null,STOPPED}
21:46:49.951 [pool-2-thread-1] INFO  org.eclipse.jetty.server.AbstractConnector - Stopped ServerConnector@4ee9404{HTTP/1.1, (http/1.1)}{0.0.0.0:7070}
21:46:49.956 [pool-2-thread-1] INFO  org.eclipse.jetty.server.AbstractConnector - Stopped ServerConnector@15d6eff9{SSL, (ssl, http/1.1)}{0.0.0.0:7443}
21:46:49.956 [pool-2-thread-1] INFO  org.eclipse.jetty.server.session - node0 Stopped scavenging
21:46:49.962 [pool-2-thread-1] INFO  org.jivesoftware.openfire.http.HttpBindManager - HTTP bind service stopped
21:46:49.964 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.EncryptionArtifactFactory - Creating new SslContextFactory instance
21:46:49.966 [pool-2-thread-1] INFO  org.eclipse.jetty.server.Server - jetty-9.4.35.v20201120; built: 2020-11-20T21:17:03.964Z; git: bdc54f03a5e0a7e280fab27f55c3c75ee8da89fb; jvm 11.0.8+10
21:46:49.973 [pool-2-thread-1] INFO  org.jivesoftware.openfire.http.HttpSessionManager - Starting instance
21:46:49.974 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Started o.e.j.s.ServletContextHandler@1523e81e{/http-bind,null,AVAILABLE}
21:46:49.997 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Started o.e.j.s.ServletContextHandler@79f6e93f{/ws,null,AVAILABLE}
21:46:49.997 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Started o.e.j.s.ServletContextHandler@18183c5c{/crossdomain.xml,null,AVAILABLE}
21:46:50.056 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Started o.e.j.w.WebAppContext@6f65eeee{/monitoring,file:///var/lib/openfire/plugins/monitoring/classes/,AVAILABLE}{/usr/share/openfire/plugins/monitoring/classes/}
21:46:50.105 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Started o.e.j.w.WebAppContext@24bf9af2{/httpfileupload,file:///var/lib/openfire/plugins/httpfileupload/classes/,AVAILABLE}{/usr/share/openfire/plugins/httpfileupload/classes}
21:46:50.107 [pool-2-thread-1] INFO  org.eclipse.jetty.server.AbstractConnector - Started ServerConnector@2a8ce228{HTTP/1.1, (http/1.1)}{0.0.0.0:7070}
21:46:50.108 [pool-2-thread-1] INFO  org.eclipse.jetty.util.ssl.SslContextFactory - x509=X509@806d4e4(nasqueron.org_2,h=[conference.nasqueron.org, nasqueron.org, xmpp.nasqueron.org],w=[]) for Server@3e9fa3d9[provider=null,keyStore=null,trustStore=null]
21:46:50.109 [pool-2-thread-1] INFO  org.eclipse.jetty.util.ssl.SslContextFactory - x509=X509@5cba3093(xmpp.nasqueron.org,h=[conference.nasqueron.org, nasqueron.org, xmpp.nasqueron.org],w=[]) for Server@3e9fa3d9[provider=null,keyStore=null,trustStore=null]
21:46:50.121 [pool-2-thread-1] INFO  org.eclipse.jetty.server.AbstractConnector - Started ServerConnector@1bed56ae{SSL, (ssl, http/1.1)}{0.0.0.0:7443}
21:46:50.126 [pool-2-thread-1] INFO  org.eclipse.jetty.server.Server - Started @1031879436ms
21:46:50.126 [pool-2-thread-1] INFO  org.jivesoftware.openfire.http.HttpBindManager - HTTP bind service started

Works fine.

Once cleaned up and merged, we can configure the Let's Encrypt client to call as post hook on renew:
openfire propagate-certificate openfire xmpp.nasqueron.org
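An added pre-flight check for the hot-deploy step discussed above (example code written for this page, not the Nasqueron `openfire` wrapper, whose contents are not shown here). It parses the leaf certificate's subjectAltName with openssl, compares it against the identities Openfire logged as required (the bare domain plus the xmpp, conference, search, httpfileupload, pubsub and proxy subdomains), and copies the pair into the hotdeploy directory only when every one is covered, so the certificate manager plugin does not refuse the pair the way the first attempt was refused. The function names, the constructed SAN sample and the required-name list are assumptions for the example; the paths are the ones quoted in the review.

```shell
#!/bin/sh
# Added example, not the Nasqueron wrapper: refuse to hot-deploy a Let's
# Encrypt pair into Openfire unless its SANs cover every XMPP identity.
set -euf   # -f: the SAN list may contain '*' wildcards, never glob them

# Read `openssl x509 -noout -ext subjectAltName` output on stdin and print
# one lower-cased DNS name per line (IP/email SAN entries are ignored).
san_dns_names() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' | tr 'A-Z' 'a-z'
}

# Usage: missing_identities NAME... < dns-names
# Prints every NAME not covered by the names on stdin (exact match, or a
# wildcard covering exactly one label as in RFC 6125); returns 1 if any.
missing_identities() {
    sans=$(cat)
    rc=0
    for want in "$@"; do
        want=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
        parent=${want#*.}
        covered=0
        for san in $sans; do
            if [ "$san" = "$want" ]; then
                covered=1; break
            fi
            case "$san" in
                '*.'*) if [ "${san#??}" = "$parent" ] && [ "$parent" != "$want" ]; then
                           covered=1; break
                       fi ;;
            esac
        done
        if [ "$covered" -eq 0 ]; then
            printf '%s\n' "$want"; rc=1
        fi
    done
    return "$rc"
}

# Usage: check_cert CERT.pem NAME...
# The leaf is the first certificate in fullchain.pem; `-ext` needs OpenSSL 1.1.1+.
check_cert() {
    cert=$1; shift
    openssl x509 -in "$cert" -noout -ext subjectAltName | san_dns_names | missing_identities "$@"
}

# Usage: hotdeploy LIVE_DIR HOTDEPLOY_DIR NAME...
# Copies privkey.pem and fullchain.pem into the hotdeploy directory only when
# every NAME is covered; otherwise the certificate manager plugin would log
# "The supplied certificate chain does not cover the domain of this XMPP service".
hotdeploy() {
    live=$1; hot=$2; shift 2
    if missing=$(check_cert "$live/fullchain.pem" "$@"); then
        cp "$live/privkey.pem" "$live/fullchain.pem" "$hot/"
        echo "deployed $live/fullchain.pem to $hot"
    else
        printf 'refusing to deploy %s, missing SAN(s):\n%s\n' "$live/fullchain.pem" "$missing" >&2
        return 1
    fi
}

# Constructed sample (not captured from the page's server): the SAN set of the
# first chain tried in the review, which lacks the bare service domain.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:conference.nasqueron.org, DNS:xmpp.nasqueron.org'

# Identities Openfire logged as required in this review.
REQUIRED='nasqueron.org xmpp.nasqueron.org conference.nasqueron.org
search.nasqueron.org httpfileupload.nasqueron.org pubsub.nasqueron.org proxy.nasqueron.org'

if [ "$#" -ge 3 ]; then
    # e.g. hotdeploy /srv/letsencrypt/etc/live/xmpp.nasqueron.org /srv/openfire/conf/security/hotdeploy $REQUIRED
    hotdeploy "$@"
elif missing=$(printf '%s\n' "$SAMPLE_SAN" | san_dns_names | missing_identities $REQUIRED); then
    echo "sample chain covers every identity"
else
    printf 'sample chain is missing:\n%s\n' "$missing"
fi
```

Run without arguments it only evaluates the constructed sample; with `LIVE_DIR HOTDEPLOY_DIR NAME...` it performs the guarded copy, which is the form a certbot renew hook would call. The exit status makes the hook fail loudly instead of leaving a half-covered certificate in place, which is the condition the "missing DNS identity" log lines above describe.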

_modules/paas_docker.py
60 ↗(On Diff #6144)

Nothing uses this function, and I don't remember the use case, so we can drop it.

roles/paas-docker/wrappers/files/openfire.sh
7

If we look at this review date, it's more recent.

Call the wrapper as a certbot hook. Allow spaces in variables (thanks shellcheck).

Test for hook

$ salt-call --local state.apply roles/paas-docker/containers/openfire
[...]
----------
          ID: /srv/letsencrypt/etc/renewal/xmpp.nasqueron.org.conf
    Function: file.append
      Result: True
     Comment: File /srv/letsencrypt/etc/renewal/xmpp.nasqueron.org.conf is in correct state
     Started: 15:37:19.743076
    Duration: 16.64 ms
     Changes:

Test for wrapper

$ salt-call --local state.apply roles/paas-docker/wrappers
[...]
----------
          ID: /usr/bin/openfire
    Function: file.managed
      Result: True
     Comment: File /usr/bin/openfire updated
     Started: 15:42:02.045094
    Duration: 15.547 ms
[...]
This revision is now accepted and ready to land. Oct 3 2021, 15:43
This revision was automatically updated to reflect the committed changes.