Page MenuHomeDevCentral
Differential D2050

WIP: deploy certificate to Openfire
ClosedPublic
Actions

Authored by dereckson on Jan 1 2019, 21:55.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Nov 21, 08:19
Unknown Object (File)
Mon, Nov 18, 16:11
Unknown Object (File)
Sat, Nov 16, 20:02
Unknown Object (File)
Sat, Nov 16, 20:02
Unknown Object (File)
Sat, Nov 16, 20:02
Unknown Object (File)
Sat, Nov 16, 20:01
Unknown Object (File)
Sat, Nov 16, 20:01
Unknown Object (File)
Sat, Nov 16, 19:19
View All Files
Subscribers
None

Details

Reviewers
dereckson
Maniphest Tasks
T1513: Propagate certificate to Openfire server
Commits
rOPS59b26cfe3b41: WIP: deploy certificate to Openfire
Summary

Ref T1513.

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Passed
SeverityLocationCodeMessage
Adviceroles/paas-docker/wrappers/files/openfire.sh:52SC2086SHELLCHECK
Adviceroles/paas-docker/wrappers/files/openfire.sh:57SC2086SHELLCHECK
Adviceroles/paas-docker/wrappers/files/openfire.sh:58SC2086SHELLCHECK
Adviceroles/paas-docker/wrappers/files/openfire.sh:58SC2086SHELLCHECK
Adviceroles/paas-docker/wrappers/files/openfire.sh:58SC2086SHELLCHECK
Adviceroles/paas-docker/wrappers/files/openfire.sh:58SC2086SHELLCHECK
Adviceroles/paas-docker/wrappers/files/openfire.sh:60SC2086SHELLCHECK
Adviceroles/paas-docker/wrappers/files/openfire.sh:60SC2086SHELLCHECK
Adviceroles/paas-docker/wrappers/files/openfire.sh:61SC2086SHELLCHECK
Adviceroles/paas-docker/wrappers/files/openfire.sh:84SC2086SHELLCHECK
Unit
No Test Coverage
Branch
deploy-certificates (branched from master)
Build Status
Buildable 3219
Build 3468: arc lint + arc unit

Event Timeline

dereckson requested review of this revision.Jan 1 2019, 21:55
dereckson created this revision.
Harbormaster completed remote builds in B3202: Diff 5180.Jan 1 2019, 21:55
dereckson updated this revision to Diff 5211.Apr 23 2019, 18:22

Rebased

Harbormaster completed remote builds in B3218: Diff 5211.Apr 23 2019, 18:22
dereckson updated this revision to Diff 5212.May 5 2019, 10:37

Let's continue the propagation

Harbormaster completed remote builds in B3219: Diff 5212.May 5 2019, 10:37
dereckson planned changes to this revision.Jan 15 2020, 11:41
dereckson added inline comments.
_modules/paas_docker.py
56

Unused, see online line 66

dereckson added a comment.Feb 4 2020, 14:28

The certificate maanger plugin allows to use hot deployment for certificates.

Copy certificate and key to /srv/openfire/conf/security/hotdeploy and it should be handled in live.

To fix permissions, chown -R 101:101, but that's not needed as LE certificates use 644 and not 600.

$ cd /srv/openfire/conf/security/hotdeploy
$ cp /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem .
$ cp /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem .

That triggers the following issue:

13:33:07.270 [pool-8-thread-1] INFO  org.jivesoftware.openfire.keystore.IdentityStore - The supplied certificate chain does not cover the domain of this XMPP service ('nasqueron.org'). Instead, it covers [conference.nasqueron.org, xmpp.nas
queron.org]
13:33:07.270 [pool-8-thread-1] WARN  org.igniterealtime.openfire.plugins.certificatemanager.DirectoryWatcher - Unable to hot-deploy certificate and private key.
org.jivesoftware.openfire.keystore.CertificateStoreConfigException: The supplied certificate chain does not cover the domain of this XMPP service.
        at org.jivesoftware.openfire.keystore.IdentityStore.replaceCertificate(IdentityStore.java:263) ~[xmppserver-4.5.1.jar:4.5.1]
        at org.igniterealtime.openfire.plugins.certificatemanager.DirectoryWatcher$1.run(DirectoryWatcher.java:190) [certificatemanager-1.1.0.jar!/:?]
dereckson edited the summary of this revision. (Show Details)Feb 4 2020, 14:54
dereckson added a task: T1513: Propagate certificate to Openfire server.
dereckson updated this revision to Diff 6144.Oct 2 2021, 21:34

Rebased

Harbormaster completed remote builds in B3796: Diff 6144.Oct 2 2021, 21:34
dereckson added a comment.Oct 2 2021, 21:55

Nowadays, we've a correct certificate with all the domains, renewed by DNS (xmpp.nasqueron.org nasqueron.org conference.nasqueron.org).

After a test of the script commands, the certificate has been correctly imported:

image.png (796×2 px, 279 KB)

The instance is configured to use other subdomains:

21:50:15.475 [Jetty-QTP-AdminConsole-65153] INFO  org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'xmpp.nasqueron.org' is missing DNS identity 'search.nasqueron.org'.
21:50:15.475 [Jetty-QTP-AdminConsole-65153] INFO  org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'xmpp.nasqueron.org' is missing DNS identity 'httpfileupload.nasqueron.org'.
21:50:15.475 [Jetty-QTP-AdminConsole-65153] INFO  org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'xmpp.nasqueron.org' is missing DNS identity 'pubsub.nasqueron.org'.
21:50:15.475 [Jetty-QTP-AdminConsole-65153] INFO  org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'xmpp.nasqueron.org' is missing DNS identity 'proxy.nasqueron.org'.

The previous certificate is still there and it's not clear if the services have been restarted or not, as the warning hints they haven't been but logs show something was reloaded:

21:46:49.801 [pool-2-thread-1] INFO  org.jivesoftware.openfire.keystore.CertificateStoreWatcher - A file system change was detected. A(nother) certificate store that is backed by file '/usr/share/openfire
/resources/security/keystore' will be reloaded.
21:46:49.805 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.ConnectionListener[socket_c2s] - Reconfigured.
21:46:49.812 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.ConnectionListener[socket_c2s-legacyMode] - Reconfigured.
21:46:49.815 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.ConnectionListener[socket_s2s] - Reconfigured.
21:46:49.819 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.ConnectionListener[socket_s2s-legacyMode] - Reconfigured.
21:46:49.822 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.ConnectionListener[component] - Reconfigured.
21:46:49.824 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.ConnectionListener[component-legacyMode] - Reconfigured.
21:46:49.826 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.ConnectionListener[connection_manager] - Reconfigured.
21:46:49.828 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.ConnectionListener[connection_manager-legacyMode] - Reconfigured.
21:46:49.897 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Stopped o.e.j.w.WebAppContext@6f65eeee{/monitoring,null,STOPPED}{/usr/share/openfire/plugins/monitoring/classes/}
21:46:49.899 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Stopped o.e.j.w.WebAppContext@24bf9af2{/httpfileupload,null,STOPPED}{/usr/share/openfire/plugins/httpfileupload/class
es}
21:46:49.900 [pool-2-thread-1] INFO  org.jivesoftware.openfire.http.HttpSessionManager - Stopping instance
21:46:49.900 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Stopped o.e.j.s.ServletContextHandler@1523e81e{/http-bind,null,STOPPED}
21:46:49.902 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Stopped o.e.j.s.ServletContextHandler@79f6e93f{/ws,null,STOPPED}
21:46:49.902 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Stopped o.e.j.s.ServletContextHandler@18183c5c{/crossdomain.xml,null,STOPPED}
21:46:49.951 [pool-2-thread-1] INFO  org.eclipse.jetty.server.AbstractConnector - Stopped ServerConnector@4ee9404{HTTP/1.1, (http/1.1)}{0.0.0.0:7070}
21:46:49.956 [pool-2-thread-1] INFO  org.eclipse.jetty.server.AbstractConnector - Stopped ServerConnector@15d6eff9{SSL, (ssl, http/1.1)}{0.0.0.0:7443}
21:46:49.956 [pool-2-thread-1] INFO  org.eclipse.jetty.server.session - node0 Stopped scavenging
21:46:49.962 [pool-2-thread-1] INFO  org.jivesoftware.openfire.http.HttpBindManager - HTTP bind service stopped
21:46:49.964 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.EncryptionArtifactFactory - Creating new SslContextFactory instance
21:46:49.966 [pool-2-thread-1] INFO  org.eclipse.jetty.server.Server - jetty-9.4.35.v20201120; built: 2020-11-20T21:17:03.964Z; git: bdc54f03a5e0a7e280fab27f55c3c75ee8da89fb; jvm 11.0.8+10
21:46:49.973 [pool-2-thread-1] INFO  org.jivesoftware.openfire.http.HttpSessionManager - Starting instance
21:46:49.974 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Started o.e.j.s.ServletContextHandler@1523e81e{/http-bind,null,AVAILABLE}
21:46:49.997 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Started o.e.j.s.ServletContextHandler@79f6e93f{/ws,null,AVAILABLE}
21:46:49.997 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Started o.e.j.s.ServletContextHandler@18183c5c{/crossdomain.xml,null,AVAILABLE}
21:46:50.056 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Started o.e.j.w.WebAppContext@6f65eeee{/monitoring,file:///var/lib/openfire/plugins/monitoring/classes/,AVAILABLE}{/u
sr/share/openfire/plugins/monitoring/classes/}
21:46:50.105 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Started o.e.j.w.WebAppContext@24bf9af2{/httpfileupload,file:///var/lib/openfire/plugins/httpfileupload/classes/,AVAIL
ABLE}{/usr/share/openfire/plugins/httpfileupload/classes}
21:46:50.107 [pool-2-thread-1] INFO  org.eclipse.jetty.server.AbstractConnector - Started ServerConnector@2a8ce228{HTTP/1.1, (http/1.1)}{0.0.0.0:7070}
21:46:50.108 [pool-2-thread-1] INFO  org.eclipse.jetty.util.ssl.SslContextFactory - x509=X509@806d4e4(nasqueron.org_2,h=[conference.nasqueron.org, nasqueron.org, xmpp.nasqueron.org],w=[]) for Server@3e9fa
3d9[provider=null,keyStore=null,trustStore=null]
21:46:50.109 [pool-2-thread-1] INFO  org.eclipse.jetty.util.ssl.SslContextFactory - x509=X509@5cba3093(xmpp.nasqueron.org,h=[conference.nasqueron.org, nasqueron.org, xmpp.nasqueron.org],w=[]) for Server@3
e9fa3d9[provider=null,keyStore=null,trustStore=null]
21:46:50.121 [pool-2-thread-1] INFO  org.eclipse.jetty.server.AbstractConnector - Started ServerConnector@1bed56ae{SSL, (ssl, http/1.1)}{0.0.0.0:7443}
21:46:50.126 [pool-2-thread-1] INFO  org.eclipse.jetty.server.Server - Started @1031879436ms
21:46:50.126 [pool-2-thread-1] INFO  org.jivesoftware.openfire.http.HttpBindManager - HTTP bind service started
dereckson updated this revision to Diff 6147.Oct 2 2021, 23:25

Clean up, rebase

Harbormaster completed remote builds in B3798: Diff 6147.Oct 2 2021, 23:25
dereckson planned changes to this revision.Oct 2 2021, 23:26

Works fine.

Once cleaned up and merged, we can configure the Let's Encrypt client to call as post hook on renew:
openfire propagate-certificate openfire xmpp.nasqueron.org

_modules/paas_docker.py
60

Nothing uses this function, and I don't remember the use case, so we can drop it.

roles/paas-docker/wrappers/files/openfire.sh
8

If we look this review date, it's more recent.

dereckson updated this revision to Diff 6148.Oct 2 2021, 23:27

Fix typo

Harbormaster completed remote builds in B3799: Diff 6148.Oct 2 2021, 23:27
dereckson updated this revision to Diff 6149.Oct 3 2021, 15:30

Call the wrapper as a certbot hook. Allow spaces in variables (thanks shellcheck).

Harbormaster completed remote builds in B3800: Diff 6149.Oct 3 2021, 15:30
dereckson added a comment.Oct 3 2021, 15:43

Test for hook

$ salt-call --local state.apply roles/paas-docker/containers/openfire
[...]
----------
          ID: /srv/letsencrypt/etc/renewal/xmpp.nasqueron.org.conf
    Function: file.append
      Result: True
     Comment: File /srv/letsencrypt/etc/renewal/xmpp.nasqueron.org.conf is in correct state
     Started: 15:37:19.743076
    Duration: 16.64 ms
     Changes:

Test for wrapper

$ salt-call --local state.apply roles/paas-docker/wrappers
[...]
----------
          ID: /usr/bin/openfire
    Function: file.managed
      Result: True
     Comment: File /usr/bin/openfire updated
     Started: 15:42:02.045094
    Duration: 15.547 ms
[...]
dereckson accepted this revision.Oct 3 2021, 15:43
This revision is now accepted and ready to land.Oct 3 2021, 15:43
Closed by commit rOPS59b26cfe3b41: WIP: deploy certificate to Openfire (authored by dereckson). · Explain WhyOct 3 2021, 20:51
This revision was automatically updated to reflect the committed changes.
dereckson added a commit: rOPS59b26cfe3b41: WIP: deploy certificate to Openfire.

Revision Contents
Changeset List

PathSize
_modules/
18 lines
roles/
paas-docker/
wrappers/
files/
87 lines

Diff 5212

View Options

_modules/paas_docker.py

Loading...
View Options

roles/paas-docker/wrappers/files/openfire.sh

Loading...
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator