# setting up openfire (4.6.0,1)



## zsb (Jan 26, 2021)

Hi,

I have installed openfire from package (OS: 12.1-RELEASE-p12) and I can't make TLS work.

I have a Let's Encrypt server certificate that matches the XMPP domain.

I have added the private key and the cert via Server > TLS/SSL Certificates but it didn't work.
Then I have installed the certificate manager plugin, configured it and copied the private key, the certificate and the fullchain files under /usr/local/share/java/openfire/resources/security/hotdeploy/ but it didn't help.

Whatever I try I can't make TLS work so the admin WebUI is unsafe and clients can't connect because of TLS errors (also 'openssl s_client' errors show that something is wrong).

Is there somewhere a working, up-to-date step-by-step documentation about setting up openfire?

Thanks,
zsb


----------



## SirDice (Jan 26, 2021)

zsb said:

> I have added the private key and the cert via Server > TLS/SSL Certificates but it didn't work.


Didn't work doesn't tell you or us much. Any errors in the logging? Like not being able to read the certificates for example?

Also:

> This document outlines how to manually customize the SSL support in Openfire. As of Openfire 3.2 certificate management can be performed from the Admin Console. However, if needed you can still manually manage certificates using Java Development Kit (JDK) tools. Important note: Once the setup process is completed Openfire will create self-signed certificates for the assigned Openfire's domain. Most users should either get the created certificates signed by a Certificate Authority or replace the created certificates with your own certificates.

Openfire: SSL Guide


----------



## zsb (Jan 26, 2021)

I know that guide, thank you.

The certificate is valid for:
mydomain.com
mail.mydomain.com
www.mydomain.com

It is being used for web and mail.

XMPP Domain Name is set to "mydomain.com" so the certificate should be OK for this.


What I have tried so far:

1) explicitly opened port 5223 as it is written in the document mentioned above


2) I have set up the Certificate Manager plugin and put the LE certificates in the hotdeploy directory (first time in separate files, later the cert and fullchain into a combined one). This part of the plugin's documentation is unclear, what files are exactly needed by the plugin (cert.pem, fullchain.pem, any kind of combination of them, etc. etc.). File and directory ownership was granted for openfire.

Result:
This had no effect, there were no certificates in the Identity store.

Also a warning was shown at Server > Server information "XMPP Domain Name: Unable to find certificate that is valid for the server domain."


3) Then I have removed the plugin, restarted the whole service and added the LE certificate manually.
I have also added LE CA to the Trusted store just to be on the safe side.

Result:
- the above mentioned warning ("Unable to find certificate...") is gone
- the certificate is listed in the Identity store, the icon is a red ribbon with a green checkmark and the floating text is something like "the cert is OK and should be accepted by the clients"
- but Identity store still shows: "A certificate for the domain of this server is missing. Click here ...."
- clicking the certificate doesn't show any problem, all the details are valid (the cert is good until Apr 1, 2021)
- port 9091 is not open
- port 5223 is not open
- log only shows that database is opened/closed
- clients are showing various TLS errors and can't connect.

I'm stuck here.


----------



## zsb (Jan 26, 2021)

Progress: with a dirty hack I have just copied the trust store file to client.truststore and now port 9091 is open and clients can connect. Although they consider the certificate not properly signed and the risk has to be accepted.
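A diagnostic for the symptoms in this thread (the `openssl s_client` errors from the first post and clients now reporting the certificate as not properly signed), added here as an example and not part of the thread: it parses the output of `openssl s_client -connect mydomain.com:5223 -servername mydomain.com` and maps the presented chain and verify return code to the likely identity-store cause. The sample output is constructed, not a real capture, and the certificate body in it is a placeholder.

```python
import re

# Constructed sample (not a real capture) of `openssl s_client -connect mydomain.com:5223
# -servername mydomain.com` when only the leaf is served, without the Let's Encrypt intermediate.
SAMPLE_S_CLIENT_OUTPUT = """\
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:CN = mydomain.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
---
    Verify return code: 21 (unable to verify the first certificate)
---
"""

CHAIN_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.M)
VERIFY_RE = re.compile(r"Verify return code: (\d+) \(")

def parse_s_client(output):
    """Return ([(depth, subject, issuer), ...], verify_return_code) from s_client text."""
    chain = [(int(d), s.strip(), i.strip()) for d, s, i in CHAIN_RE.findall(output)]
    m = VERIFY_RE.search(output)
    return chain, (int(m.group(1)) if m else None)

def diagnose(output, xmpp_domain):
    """Map what the server presented to the likely Openfire-side cause (list of findings)."""
    chain, code = parse_s_client(output)
    if not chain:
        return ["no certificate chain received: port closed or not speaking TLS"]
    findings = []
    if f"CN = {xmpp_domain}" not in chain[0][1]:
        findings.append(f"leaf subject is {chain[0][1]!r}, not {xmpp_domain}")
    for (_, _, issuer), (_, subject, _) in zip(chain, chain[1:]):
        if issuer != subject:  # each certificate must be followed by its issuer
            findings.append(f"chain gap: expected {issuer!r} next, got {subject!r}")
    if code == 0:
        findings.append("verify ok")
    elif code == 21 and len(chain) == 1:  # X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
        findings.append("intermediate missing: import the full chain (leaf + intermediates) into the identity store")
    elif code in (18, 19):  # self-signed at depth 0 / self-signed in chain
        findings.append("self-signed certificate served: Openfire's generated cert, not the CA-signed one, is selected")
    elif code is not None:
        findings.append(f"verify return code {code}")
    return findings
```

Run the real `openssl s_client` command against ports 5223 and 9091 (and with `-starttls xmpp` on 5222) and feed its output to `diagnose`; a one-certificate chain with return code 21 is the "not properly signed" symptom, fixed by importing the full chain rather than by copying trust stores.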


----------

