This repository has been archived by the owner on Dec 28, 2020. It is now read-only.

Changing SSL certificate in the app does not actually change the certificate, it just replaces it in keytool. #7

Open
benoitg opened this issue Mar 29, 2018 · 2 comments

Comments


benoitg commented Mar 29, 2018

This is fine to process an updated LetsEncrypt certificate, but you can't, for example, actually switch from self-signed to LetsEncrypt and vice versa.


benoitg commented Mar 29, 2018

Ok, after reading http://download.igniterealtime.org/openfire/docs/latest/documentation/ssl-guide.html it seems OpenFire uses whichever certificate has an alias that matches the XMPP domain.

The problem seems to be that, in

'-alias ' . $certificate . ' ' .

for self-signed certificates, the alias set is sys-0-cert.pem, which appears to be the basename returned by the certificate manager.

Parsing get_secure_hostnames() in https://github.com/clearos/app-certificate-manager/blob/4633e0ef620d82072ef19c9f9dba7371f0f9c7ce/libraries/Certificate_Manager.php#L260 just doesn't seem like how it's meant to be used.

@pcbaldwin I could use some advice.


benoitg commented Apr 6, 2018

Seems we need to implement a hook like here https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates

Main issue is we don't want to pull all private ssl keys to openfire's user permissions, only those associated with an openfire domain.
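
A certbot deploy hook along the lines of the last comment, as an added example that is not code from this repository: it copies the key and chain only when the renewed lineage covers the XMPP domain, so other domains' private keys never become readable by the Openfire account. The domain, staging directory and group name are assumptions; RENEWED_LINEAGE and RENEWED_DOMAINS are the variables certbot sets for deploy hooks.

```sh
#!/bin/sh
# Added example: certbot deploy hook exposing only the XMPP domain's key.
# Assumed values (not from the issue): domain, staging directory, group name.
XMPP_DOMAIN="${XMPP_DOMAIN:-xmpp.example.com}"
DEST_DIR="${DEST_DIR:-/etc/openfire/certs}"
KEY_GROUP="${KEY_GROUP:-openfire}"

# Succeed only if the wanted name is exactly one of the renewed names.
# $1 = space-separated names (RENEWED_DOMAINS), $2 = wanted name.
covers_domain() (
    set -f                      # "*.example.com" must not glob-expand
    for d in $1; do
        [ "$d" = "$2" ] && exit 0
    done
    exit 1
)

# Copy one lineage's key and chain into a staging directory.
# $1 = lineage directory (RENEWED_LINEAGE), $2 = staging directory.
stage_lineage() (
    umask 077                   # nothing is ever created world-readable
    for f in privkey.pem fullchain.pem; do
        [ -f "$1/$f" ] || exit 1
    done
    mkdir -p "$2" || exit 1
    mode=600; dmode=700
    # Grant group read only when the service group exists on this host.
    if getent group "$KEY_GROUP" >/dev/null 2>&1; then
        chgrp "$KEY_GROUP" "$2" || exit 1
        mode=640; dmode=750
    fi
    chmod "$dmode" "$2" || exit 1
    for f in privkey.pem fullchain.pem; do
        cp "$1/$f" "$2/$f.new" || exit 1
        if [ "$mode" = 640 ]; then
            chgrp "$KEY_GROUP" "$2/$f.new" || exit 1
        fi
        chmod "$mode" "$2/$f.new" && mv -f "$2/$f.new" "$2/$f" || exit 1
    done
)

# Lineages that do not cover the XMPP domain are left untouched.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if covers_domain "${RENEWED_DOMAINS:-}" "$XMPP_DOMAIN"; then
        stage_lineage "$RENEWED_LINEAGE" "$DEST_DIR" || exit 1
    fi
fi
```

The keystore import would then read from the staging directory, using the XMPP domain as the alias, per the SSL guide behaviour noted in the earlier comment.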
