Page MenuHomeDevCentral
Differential D2050

WIP: deploy certificate to Openfire
ClosedPublic
Actions

Authored by dereckson on Jan 1 2019, 21:55.
Tags
None
Referenced Files
F12367387: D2050.id6148.diff
Thu, Oct 30, 03:15
F12361897: D2050.id6147.diff
Wed, Oct 29, 09:36
Unknown Object (File)
Sun, Oct 26, 23:34
Unknown Object (File)
Sun, Oct 26, 14:47
Unknown Object (File)
Sat, Oct 25, 07:45
Unknown Object (File)
Sat, Oct 25, 01:31
Unknown Object (File)
Fri, Oct 24, 19:36
Unknown Object (File)
Thu, Oct 23, 14:04
View All Files
Subscribers
None

Details

Reviewers
dereckson
Maniphest Tasks
T1513: Propagate certificate to Openfire server
Commits
rOPS59b26cfe3b41: WIP: deploy certificate to Openfire
Summary

Ref T1513.

Diff Detail

Event Timeline

dereckson requested review of this revision.Jan 1 2019, 21:55
dereckson created this revision.
Harbormaster completed remote builds in B3202: Diff 5180.Jan 1 2019, 21:55
dereckson updated this revision to Diff 5211.Apr 23 2019, 18:22

Rebased

Harbormaster completed remote builds in B3218: Diff 5211.Apr 23 2019, 18:22
dereckson updated this revision to Diff 5212.May 5 2019, 10:37

Let's continue the propagation

Harbormaster completed remote builds in B3219: Diff 5212.May 5 2019, 10:37
dereckson planned changes to this revision.Jan 15 2020, 11:41
dereckson added inline comments.
_modules/paas_docker.py
56 ↗(On Diff #5212)

Unused, see online line 66

dereckson added a comment.Feb 4 2020, 14:28

The certificate maanger plugin allows to use hot deployment for certificates.

Copy certificate and key to /srv/openfire/conf/security/hotdeploy and it should be handled in live.

To fix permissions, chown -R 101:101, but that's not needed as LE certificates use 644 and not 600.

$ cd /srv/openfire/conf/security/hotdeploy
$ cp /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem .
$ cp /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem .

That triggers the following issue:

13:33:07.270 [pool-8-thread-1] INFO  org.jivesoftware.openfire.keystore.IdentityStore - The supplied certificate chain does not cover the domain of this XMPP service ('nasqueron.org'). Instead, it covers [conference.nasqueron.org, xmpp.nas
queron.org]
13:33:07.270 [pool-8-thread-1] WARN  org.igniterealtime.openfire.plugins.certificatemanager.DirectoryWatcher - Unable to hot-deploy certificate and private key.
org.jivesoftware.openfire.keystore.CertificateStoreConfigException: The supplied certificate chain does not cover the domain of this XMPP service.
        at org.jivesoftware.openfire.keystore.IdentityStore.replaceCertificate(IdentityStore.java:263) ~[xmppserver-4.5.1.jar:4.5.1]
        at org.igniterealtime.openfire.plugins.certificatemanager.DirectoryWatcher$1.run(DirectoryWatcher.java:190) [certificatemanager-1.1.0.jar!/:?]
dereckson edited the summary of this revision. (Show Details)Feb 4 2020, 14:54
dereckson added a task: T1513: Propagate certificate to Openfire server.
dereckson updated this revision to Diff 6144.Oct 2 2021, 21:34

Rebased

Harbormaster completed remote builds in B3796: Diff 6144.Oct 2 2021, 21:34
dereckson added a comment.Oct 2 2021, 21:55

Nowadays, we've a correct certificate with all the domains, renewed by DNS (xmpp.nasqueron.org nasqueron.org conference.nasqueron.org).

After a test of the script commands, the certificate has been correctly imported:

image.png (796×2 px, 279 KB)

The instance is configured to use other subdomains:

21:50:15.475 [Jetty-QTP-AdminConsole-65153] INFO  org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'xmpp.nasqueron.org' is missing DNS identity 'search.nasqueron.org'.
21:50:15.475 [Jetty-QTP-AdminConsole-65153] INFO  org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'xmpp.nasqueron.org' is missing DNS identity 'httpfileupload.nasqueron.org'.
21:50:15.475 [Jetty-QTP-AdminConsole-65153] INFO  org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'xmpp.nasqueron.org' is missing DNS identity 'pubsub.nasqueron.org'.
21:50:15.475 [Jetty-QTP-AdminConsole-65153] INFO  org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias 'xmpp.nasqueron.org' is missing DNS identity 'proxy.nasqueron.org'.

The previous certificate is still there and it's not clear if the services have been restarted or not, as the warning hints they haven't been but logs show something was reloaded:

21:46:49.801 [pool-2-thread-1] INFO  org.jivesoftware.openfire.keystore.CertificateStoreWatcher - A file system change was detected. A(nother) certificate store that is backed by file '/usr/share/openfire
/resources/security/keystore' will be reloaded.
21:46:49.805 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.ConnectionListener[socket_c2s] - Reconfigured.
21:46:49.812 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.ConnectionListener[socket_c2s-legacyMode] - Reconfigured.
21:46:49.815 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.ConnectionListener[socket_s2s] - Reconfigured.
21:46:49.819 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.ConnectionListener[socket_s2s-legacyMode] - Reconfigured.
21:46:49.822 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.ConnectionListener[component] - Reconfigured.
21:46:49.824 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.ConnectionListener[component-legacyMode] - Reconfigured.
21:46:49.826 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.ConnectionListener[connection_manager] - Reconfigured.
21:46:49.828 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.ConnectionListener[connection_manager-legacyMode] - Reconfigured.
21:46:49.897 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Stopped o.e.j.w.WebAppContext@6f65eeee{/monitoring,null,STOPPED}{/usr/share/openfire/plugins/monitoring/classes/}
21:46:49.899 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Stopped o.e.j.w.WebAppContext@24bf9af2{/httpfileupload,null,STOPPED}{/usr/share/openfire/plugins/httpfileupload/class
es}
21:46:49.900 [pool-2-thread-1] INFO  org.jivesoftware.openfire.http.HttpSessionManager - Stopping instance
21:46:49.900 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Stopped o.e.j.s.ServletContextHandler@1523e81e{/http-bind,null,STOPPED}
21:46:49.902 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Stopped o.e.j.s.ServletContextHandler@79f6e93f{/ws,null,STOPPED}
21:46:49.902 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Stopped o.e.j.s.ServletContextHandler@18183c5c{/crossdomain.xml,null,STOPPED}
21:46:49.951 [pool-2-thread-1] INFO  org.eclipse.jetty.server.AbstractConnector - Stopped ServerConnector@4ee9404{HTTP/1.1, (http/1.1)}{0.0.0.0:7070}
21:46:49.956 [pool-2-thread-1] INFO  org.eclipse.jetty.server.AbstractConnector - Stopped ServerConnector@15d6eff9{SSL, (ssl, http/1.1)}{0.0.0.0:7443}
21:46:49.956 [pool-2-thread-1] INFO  org.eclipse.jetty.server.session - node0 Stopped scavenging
21:46:49.962 [pool-2-thread-1] INFO  org.jivesoftware.openfire.http.HttpBindManager - HTTP bind service stopped
21:46:49.964 [pool-2-thread-1] INFO  org.jivesoftware.openfire.spi.EncryptionArtifactFactory - Creating new SslContextFactory instance
21:46:49.966 [pool-2-thread-1] INFO  org.eclipse.jetty.server.Server - jetty-9.4.35.v20201120; built: 2020-11-20T21:17:03.964Z; git: bdc54f03a5e0a7e280fab27f55c3c75ee8da89fb; jvm 11.0.8+10
21:46:49.973 [pool-2-thread-1] INFO  org.jivesoftware.openfire.http.HttpSessionManager - Starting instance
21:46:49.974 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Started o.e.j.s.ServletContextHandler@1523e81e{/http-bind,null,AVAILABLE}
21:46:49.997 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Started o.e.j.s.ServletContextHandler@79f6e93f{/ws,null,AVAILABLE}
21:46:49.997 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Started o.e.j.s.ServletContextHandler@18183c5c{/crossdomain.xml,null,AVAILABLE}
21:46:50.056 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Started o.e.j.w.WebAppContext@6f65eeee{/monitoring,file:///var/lib/openfire/plugins/monitoring/classes/,AVAILABLE}{/u
sr/share/openfire/plugins/monitoring/classes/}
21:46:50.105 [pool-2-thread-1] INFO  org.eclipse.jetty.server.handler.ContextHandler - Started o.e.j.w.WebAppContext@24bf9af2{/httpfileupload,file:///var/lib/openfire/plugins/httpfileupload/classes/,AVAIL
ABLE}{/usr/share/openfire/plugins/httpfileupload/classes}
21:46:50.107 [pool-2-thread-1] INFO  org.eclipse.jetty.server.AbstractConnector - Started ServerConnector@2a8ce228{HTTP/1.1, (http/1.1)}{0.0.0.0:7070}
21:46:50.108 [pool-2-thread-1] INFO  org.eclipse.jetty.util.ssl.SslContextFactory - x509=X509@806d4e4(nasqueron.org_2,h=[conference.nasqueron.org, nasqueron.org, xmpp.nasqueron.org],w=[]) for Server@3e9fa
3d9[provider=null,keyStore=null,trustStore=null]
21:46:50.109 [pool-2-thread-1] INFO  org.eclipse.jetty.util.ssl.SslContextFactory - x509=X509@5cba3093(xmpp.nasqueron.org,h=[conference.nasqueron.org, nasqueron.org, xmpp.nasqueron.org],w=[]) for Server@3
e9fa3d9[provider=null,keyStore=null,trustStore=null]
21:46:50.121 [pool-2-thread-1] INFO  org.eclipse.jetty.server.AbstractConnector - Started ServerConnector@1bed56ae{SSL, (ssl, http/1.1)}{0.0.0.0:7443}
21:46:50.126 [pool-2-thread-1] INFO  org.eclipse.jetty.server.Server - Started @1031879436ms
21:46:50.126 [pool-2-thread-1] INFO  org.jivesoftware.openfire.http.HttpBindManager - HTTP bind service started
dereckson updated this revision to Diff 6147.Oct 2 2021, 23:25

Clean up, rebase

Harbormaster completed remote builds in B3798: Diff 6147.Oct 2 2021, 23:25
dereckson planned changes to this revision.Oct 2 2021, 23:26

Works fine.

Once cleaned up and merged, we can configure the Let's Encrypt client to call as post hook on renew:
openfire propagate-certificate openfire xmpp.nasqueron.org

_modules/paas_docker.py
60 ↗(On Diff #6144)

Nothing uses this function, and I don't remember the use case, so we can drop it.

roles/paas-docker/wrappers/files/openfire.sh
8

If we look this review date, it's more recent.

dereckson updated this revision to Diff 6148.Oct 2 2021, 23:27

Fix typo

Harbormaster completed remote builds in B3799: Diff 6148.Oct 2 2021, 23:27
dereckson updated this revision to Diff 6149.Oct 3 2021, 15:30

Call the wrapper as a certbot hook. Allow spaces in variables (thanks shellcheck).

Harbormaster completed remote builds in B3800: Diff 6149.Oct 3 2021, 15:30
dereckson added a comment.Oct 3 2021, 15:43

Test for hook

$ salt-call --local state.apply roles/paas-docker/containers/openfire
[...]
----------
          ID: /srv/letsencrypt/etc/renewal/xmpp.nasqueron.org.conf
    Function: file.append
      Result: True
     Comment: File /srv/letsencrypt/etc/renewal/xmpp.nasqueron.org.conf is in correct state
     Started: 15:37:19.743076
    Duration: 16.64 ms
     Changes:

Test for wrapper

$ salt-call --local state.apply roles/paas-docker/wrappers
[...]
----------
          ID: /usr/bin/openfire
    Function: file.managed
      Result: True
     Comment: File /usr/bin/openfire updated
     Started: 15:42:02.045094
    Duration: 15.547 ms
[...]
dereckson accepted this revision.Oct 3 2021, 15:43
This revision is now accepted and ready to land.Oct 3 2021, 15:43
Closed by commit rOPS59b26cfe3b41: WIP: deploy certificate to Openfire (authored by dereckson). · Explain WhyOct 3 2021, 20:51
This revision was automatically updated to reflect the committed changes.
dereckson added a commit: rOPS59b26cfe3b41: WIP: deploy certificate to Openfire.

Revision Contents
Changeset List

PathSize
roles/
paas-docker/
wrappers/
files/
86 lines
2 lines

Diff 6147

View Options

roles/paas-docker/wrappers/files/openfire.sh

Loading...
View Options

roles/paas-docker/wrappers/init.sls

Loading...
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator