Using cert in Openfire (XMPP-Server)

Recreated a cert that covers alpha.chat.company.org (the Openfire server’s FQDN) as well as company.org (the XMPP domain), and the certificate installed.

The workaround for me was to temporarily edit my Openfire server properties to set the value of xmpp.domain to the FQDN of the server AND THEN RESTART OPENFIRE (!).

Then import the cert. It will now pass validation and go live. Now change the value of xmpp.domain back and restart Openfire again. All working now and my clients seem to connect securely. I do notice that s2s connections to some services, i.e. gmail.com, are not secured. And xabber.de seems to not talk to our server anymore. Maybe they don’t recognize Let's Encrypt yet.

Either way, this is cool. Now I need to think of ways to automate renewals with a bash script and keytool perhaps.
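A pre-import check for the requirement described above, that one certificate covers both the server FQDN and the XMPP domain. This is an added example, not part of the original post: the function names and the sample SAN text are constructed, and the input is assumed to be the text printed by `openssl x509 -in cert.pem -noout -ext subjectAltName`.

```bash
#!/bin/sh
# Added example: confirm a certificate's SAN list covers every name the
# Openfire server answers to before importing it into the keystore.

# Constructed sample of the openssl SAN text for a cert like the one above.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:alpha.chat.company.org, DNS:company.org'

# Print one lower-cased DNS SAN per line from the openssl text form.
san_dns_names() {
  printf '%s\n' "$1" | tr ',' '\n' \
    | sed -n -e 's/[[:space:]]*$//' -e 's/^[[:space:]]*DNS://p' \
    | tr '[:upper:]' '[:lower:]'
}

# Return 0 if SAN entry $1 covers host $2. A wildcard counts only as the
# whole left-most label and stands for exactly one label, so
# *.company.org covers chat.company.org but not company.org itself.
san_matches() {
  case $1 in
    '*.'*) [ "$2" != "${2#*.}" ] && [ -n "${2%%.*}" ] && [ "*.${2#*.}" = "$1" ] ;;
    *)     [ "$1" = "$2" ] ;;
  esac
}

# Usage: missing_names "<san text>" name...
# Prints every required name no SAN covers; returns 1 if any is missing.
# The body is a subshell so set -f and the variables stay local to it.
missing_names() (
  set -f                      # keep "*.domain" SANs from globbing
  sans=$(san_dns_names "$1"); shift
  rc=0
  for name in "$@"; do
    name=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
    covered=no
    for san in $sans; do
      if san_matches "$san" "$name"; then covered=yes; break; fi
    done
    if [ "$covered" = no ]; then printf '%s\n' "$name"; rc=1; fi
  done
  return "$rc"
)

# Server FQDN and XMPP domain from the post, checked against the sample.
if missing_names "$SAMPLE_SAN" alpha.chat.company.org company.org; then
  echo "certificate covers both names"
fi
```

In a renewal script, feed it the real `openssl` output for the renewed certificate and stop before the keytool import if it returns non-zero.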
