
WIP: deploy certificate to Openfire
Changes Planned, Public

Authored by dereckson on Jan 1 2019, 21:55.


Diff Detail

rOPS Nasqueron Operations
Lint OK
No Unit Test Coverage
deploy-certificates (branched from master)
Build Status
Buildable 3219
Build 3468: arc lint + arc unit

Event Timeline

dereckson created this revision.

Let's continue the propagation

dereckson added inline comments.

Unused, see online line 66

The certificate manager plugin allows the use of hot deployment for certificates.

Copy certificate and key to /srv/openfire/conf/security/hotdeploy and it should be handled live.

To fix permissions, chown -R 101:101, but that's not needed as LE certificates use 644 and not 600.

$ cd /srv/openfire/conf/security/hotdeploy
$ cp /srv/letsencrypt/etc/live/ .
$ cp /srv/letsencrypt/etc/live/ .

That triggers the following issue:

13:33:07.270 [pool-8-thread-1] INFO  org.jivesoftware.openfire.keystore.IdentityStore - The supplied certificate chain does not cover the domain of this XMPP service (''). Instead, it covers [, xmpp.nas]
13:33:07.270 [pool-8-thread-1] WARN  org.igniterealtime.openfire.plugins.certificatemanager.DirectoryWatcher - Unable to hot-deploy certificate and private key.
org.jivesoftware.openfire.keystore.CertificateStoreConfigException: The supplied certificate chain does not cover the domain of this XMPP service.
        at org.jivesoftware.openfire.keystore.IdentityStore.replaceCertificate( ~[xmppserver-4.5.1.jar:4.5.1]
        at org.igniterealtime.openfire.plugins.certificatemanager.DirectoryWatcher$ [certificatemanager-1.1.0.jar!/:?]
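
A pre-flight check for the failure logged above, as an added example that is not part of this revision or of Openfire's code: it compares the certificate's subjectAltName DNS names with the XMPP domain before anything is copied to hotdeploy. The function names, the simplified wildcard rule (one left-most label) and the use of `openssl x509 -ext` (OpenSSL 1.1.1 or later) are assumptions.

```shell
#!/bin/sh
# Added example. Name matching here is a simplified stand-in (exact match or
# single-label wildcard), not the logic Openfire itself applies.

# Print the DNS names from a PEM certificate's subjectAltName, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# covers_domain DOMAIN  (candidate names are read from stdin, one per line)
# Returns 0 if covered, 1 if not covered, 2 if DOMAIN is empty.
covers_domain() {
    domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    # An empty service domain (as in the log's '') can never be covered.
    [ -n "$domain" ] || return 2
    while IFS= read -r name || [ -n "$name" ]; do
        name=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        case "$name" in
            "$domain") return 0 ;;
            \*.*)
                suffix=${name#\*}          # "*.example.org" -> ".example.org"
                rest=${domain%"$suffix"}   # left-most part if the suffix matched
                if [ "$rest" != "$domain" ] && [ -n "$rest" ]; then
                    # The wildcard stands for exactly one label (no dots).
                    case "$rest" in *.*) ;; *) return 0 ;; esac
                fi ;;
        esac
    done
    return 1
}

# predeploy_check CERT_PEM XMPP_DOMAIN
# Run this before copying CERT_PEM and its key into the hotdeploy directory.
predeploy_check() {
    rc=0
    cert_dns_names "$1" | covers_domain "$2" || rc=$?
    case "$rc" in
        0) echo "OK: certificate covers '$2'" ;;
        2) echo "FAIL: XMPP domain is empty" >&2; return 1 ;;
        *) echo "FAIL: certificate does not cover '$2'" >&2; return 1 ;;
    esac
}
```
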