Skip navigation
Up to Discussions in Openfire Support
5339 Views 19 Replies Latest reply: Mar 21, 2010 8:57 PM by mokmok RSS
Adam Tauno Williams Bronze
Adam Tauno Williams
44 posts since
Jan 6, 2006
Currently Being Moderated

Nov 3, 2009 7:06 AM

*WORKING* SSL Setup Instructions?

I have spent hours fighting with installing certificates into OpenFire - IT DOES NOT WORK!  Does anyone have *WORKING* instructions for installing a CA certificate, and a key & cerificate into an OpenFire server?  I've been over the OpenFire SSL guide and numerous other sites and I always end up with OpenFire clients complaining about a self-signed cert (of which there is none) or the &*@^*&$*&@ useless "supplied key (null) is not a RSAPrivateKey instance" error when I click on Server / Server Settings / Server Certificates.

 

The procedure I had the most confidence in, but did not work, was:

--- verify keystore is empty ----
tun # jre/bin/keytool  -keystore ./resources/security/keystore -list
--- import CA certificate ----
tun # jre/bin/keytool  -keystore ./resources/security/keystore -import -alias cacert -file /tmp/cacert.pem 
--- Generate a key ----
tun # jre/bin/keytool  -keystore ./resources/security/keystore -genkey -alias mormail-rsa -keyalg RSA
--- Export the key ----
tun # jre/bin/keytool  -keystore ./resources/security/keystore -alias mormail-rsa -certreq -file mormail-rsa.csr
--- Move the CSR to the signing machine ---
tun # scp mormail-rsa.csr awilliam@192.168.1.122:Documents/Organizations/MI/SSL/
---- Sign the cerification ----
$ openssl ca -policy policy_anything -days 730 -in mormail-rsa.csr -out mormail-rsa.cert
---- Convert to DER ----
$ openssl x509 -in mormail-rsa.cert -inform PEM -out mormail-rsa.cert.der -outform DER
---- Move the certificate back to the openfire server ----
$ scp mormail-rsa.cert.der root@tun.mormail.com:/tmp
---- Import the certificate  ---
tun # /gre/bin/keytool -import -keystore ./resources/security/keystore \
              -alias mormail-rsa -file /tmp/mormail-rsa.cert.der \
              -keyalg RSA
And I'm right back to the &*@^*&$*&@ "supplied key (null) is not a RSAPrivateKey instance" error message.
Tags: certificate, ssl, tls, keystore, keytool, self-signed, openssl
  • Adam Tauno Williams Bronze
    Adam Tauno Williams
    44 posts since
    Jan 6, 2006
    Currently Being Moderated
    Nov 3, 2009 7:24 AM (in response to Adam Tauno Williams)
    Re: *WORKING* SSL Setup Instructions?

    What I end up with, in the keystore is:

    [root@tun openfire]# jre/bin/keytool  -keystore ./resources/security/keystore -list
    Enter keystore password: 
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 2 entries
    mormail-rsa, Nov 3, 2009, PrivateKeyEntry,
    Certificate fingerprint (MD5): 41:81:1E:AF:42:F7:B8:17:97:80:79:91:9F:5C:6F:0B
    cacert, Nov 3, 2009, trustedCertEntry,
    Certificate fingerprint (MD5): 36:4F:13:D4:A0:4F:25:D2:EF:60:37:B5:12:5B:07:FB


    This is produced using the aforementioned procedure.


    Properties are:

    xmpp.socket.ssl.truststore = resources/security/truststore
    xmpp.socket.ssl.keystore = resources/security/keystore
    xmpp.socket.ssl.active = true
    xmpp.server.tls.enabled  = true
    xmpp.fqdn = mormail.com

     

    The server name in the "Server Information" page does not feature the yellow explamation point.  I've also tried adding the cacert.pem to the truststore.

    • jawbrkr Bronze
      jawbrkr
      1 posts since
      Nov 3, 2009
      Currently Being Moderated
      Nov 3, 2009 7:39 AM (in response to Adam Tauno Williams)
      Re: *WORKING* SSL Setup Instructions?

      I followed these instructions and it partially worked for me. The website certificate for SSL works fine, no issues, using our local CA in the truststore, the website does not say it has a bad certificate. However the clients when connecting, you have to click accept once and you'll good to go.I hope this helps.

       

      http://www.lovelysystems.com/importing-an-existing-ssl-certificate-to-openfire/

    • Adam Tauno Williams Bronze
      Adam Tauno Williams
      44 posts since
      Jan 6, 2006
      Currently Being Moderated
      Nov 3, 2009 7:54 AM (in response to Adam Tauno Williams)
      Re: *WORKING* SSL Setup Instructions?

      Tried again:

      --- verify keystore is empty ----
      tun # jre/bin/keytool  -keystore ./resources/security/keystore -list
      --- import CA certificate ----
      tun # jre/bin/keytool  -keystore ./resources/security/keystore -import \
                             -alias cacert -file /tmp/cacert.pem
      --- Generate a key ----
      tun # jre/bin/keytool  -keystore ./resources/security/keystore \
                             -genkey -alias mormail.com -keyalg RSA
      --- Export the key ----
      tun # jre/bin/keytool  -keystore ./resources/security/keystore \
                             -alias mormail.com -certreq -file mormail.com.csr \
                              -keyalg RSA
      --- Move the CSR to the signing machine ---
      tun # scp mormail.com.csr \
                awilliam@192.168.1.122:Documents/Organizations/MI/SSL/
      ---- Sign the cerification ----
      $ openssl ca -policy policy_anything -days 730 \
                   -in mormail.com.csr -out mormail.com.cert
      ---- Convert to DER ----
      $ openssl x509 -in mormail.com.cert -inform PEM \
                     -out mormail.com.cert.der -outform DER
      ---- Move the certificate back to the openfire server ----
      $ scp mormail.com.cert.der root@tun.mormail.com:/tmp
      ---- Import the certificate  ---
      tun # jre/bin/keytool -import -keystore ./resources/security/keystore \
                    -alias mormail.com -file /tmp/mormail.com.cert.der \
                    -keyalg RSA

       

      Same result.  Clients think certificate is self-signed and server certificates page just results in Java stack trace.  Sigh.

       

      Looking around, at posts likehttp://www.igniterealtime.org/community/message/131083#131083 I'm starting to think that this doesn't actually work for anybody.

      • Adam Tauno Williams Bronze
        Adam Tauno Williams
        44 posts since
        Jan 6, 2006
        Currently Being Moderated
        Nov 3, 2009 8:39 AM (in response to Adam Tauno Williams)
        Re: *WORKING* SSL Setup Instructions?

        If I execute:

        openssl s_client -connect tun.mormail.com:5223 -CApath /etc/ssl/certs

        - it returns and seems to think my SSL session is OK -

        New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
        Server public key is 1024 bit
        Compression: NONE
        Expansion: NONE
        SSL-Session:
            Protocol  : TLSv1
            Cipher    : EDH-RSA-DES-CBC3-SHA
            Session-ID: 4AF05C49470075ED2F5134B84770D2D761E195C1D958C0D1F9DD00B40EED15D9
            Session-ID-ctx:
            Master-Key: E74147E1B1E844E1BC1FC94A812B7CA00987306366E01D5EDA857A38423265FE09377DDEB3BF442 F446ED413A603B786
            Key-Arg   : None
            Start Time: 1257266180
            Timeout   : 300 (sec)
            Verify return code: 0 (ok)

        • wes Bronze
          wes
          20 posts since
          Feb 13, 2006
          Currently Being Moderated
          Nov 4, 2009 4:50 AM (in response to Adam Tauno Williams)
          Re: *WORKING* SSL Setup Instructions?

          dumb question, have you tried setting up connectivity over port 5222 instead of the "old" SSL port of 5223?  IE, change the security settings to disable any of the old SSL auths and just use the SSLv3/TLSv1 cert process.

           

          This is a complete shot in the dark - the only other thing I can think of is that you may not have all the root certs installed in your cert path.  I know our godaddy certs required the installation of their root cert before our path was complete.  When I test our self signed cert, I receive return code 18 indicating it's self signed but nothing about the certification path being invalid...just a though.

           

          BTW, this is all based on testing on CentOS 5.2 - YMMV.

           

          Sorry I can't be more help.

          • Adam Tauno Williams Bronze
            Adam Tauno Williams
            44 posts since
            Jan 6, 2006
            Currently Being Moderated
            Nov 5, 2009 7:41 AM (in response to wes)
            Re: *WORKING* SSL Setup Instructions?

            dumb question, have you tried setting up connectivity over port 5222 instead of the "old" SSL port of 5223?  IE, change the security settings to disable any of the old SSL auths and just use the SSLv3/TLSv1 cert process.

             

            Yes, clients are using TLS.  But I use the openssl command to test to see if there are any actual SSL errors,  to do that I use the "old" SSL port as the openssl s_client can only test TLS for IMAP & SMTP,  not for XMPP.

             

            When I test our self signed cert, I receive return code 18 indicating it's self signed but nothing about the certification path being invalid

            Yea, SSL errors have habitually unhelpful, even misleading, error messages.  I'd suspect the CA cert wasn't in my cert path, but I don't have to specify a CAfile or CApath for openssl s_client to not have an error.  Which doesn't make sense.

            BTW, this is all based on testing on CentOS 5.2 - YMMV.

            Same here, possibly a bit newer.  But OpenFire is pretty self-contained either way.

  • Adam Tauno Williams Bronze
    Adam Tauno Williams
    44 posts since
    Jan 6, 2006
    Currently Being Moderated
    Nov 5, 2009 8:54 AM (in response to Adam Tauno Williams)
    Re: *WORKING* SSL Setup Instructions?

    Updated to 3.6.4 just for kicks; no difference.  (But I do like how easy upgrades are with OpenFire).

  • hosdes Silver
    hosdes
    144 posts since
    Jul 29, 2008
    Currently Being Moderated
    Dec 4, 2009 4:49 PM (in response to Adam Tauno Williams)
    Re: *WORKING* SSL Setup Instructions?

    Did you solve this?  I am having the same problem and know in the past had the same headache but somehow, somehow got it to work.  Now my certificate has expired and I am back having struggles.

     

    Here is my discussion http://www.igniterealtime.org/community/message/198613#198613.

     

    Does anyone how to do it?  It looks like it is a common problem.

  • ballayji Bronze
    ballayji
    1 posts since
    Jan 5, 2010
    Currently Being Moderated
    Jan 5, 2010 10:59 AM (in response to Adam Tauno Williams)
    Re: *WORKING* SSL Setup Instructions?

    Hi there,


    I am having the exact same issue.  I have gone through, and tried all the suggestions in the various posts in Openfire Support.  Still no luck.  Using keytool, I am able to list/delete/import certs in my keystore.  But when I click on "Server Certificates" using the browser UI, I get the following java exception:


                      java.security.InvalidKeyException: Supplied key (null) is not a RSAPrivateKey instance

    Has anyone found a solution for this?  Does anyone know the cause for this error?

    Any help/guidance appreciated.

    Bal


  • Rob Corell Bronze
    Rob Corell
    4 posts since
    Jan 7, 2010
    Currently Being Moderated
    Jan 7, 2010 2:52 PM (in response to Adam Tauno Williams)
    Re: *WORKING* SSL Setup Instructions?

    I'm having the exact same problem and have found numerous forum posts about it.  But nothing has helped.

    • John Bronze
      John
      4 posts since
      Jan 16, 2010
      Currently Being Moderated
      Jan 16, 2010 10:52 AM (in response to Rob Corell)
      Re: *WORKING* SSL Setup Instructions?

      Me too.  I'm looking at server-to-server connections though.

       

      Viewing the Server Certificates page in the admin consoles shows that I have a "CA Signed RSA" and a "CA Signed DSA" certificate. 

       

      The log files show the TLS connection is established, but no authentication mechanism is offered.

      2010.01.16 13:16:57 LocalOutgoingServerSession: OS - Plain connection to <hostname deleted>:5269 successful
      2010.01.16 13:16:57 LocalOutgoingServerSession: OS - Indicating we want TLS to <hostname deleted>
      2010.01.16 13:16:57 LocalOutgoingServerSession: OS - Negotiating TLS with <hostname deleted>
      2010.01.16 13:16:57 LocalOutgoingServerSession: OS - TLS negotiation with <hostname deleted> was successful
      2010.01.16 13:19:27 LocalOutgoingServerSession: OS - Error, EXTERNAL SASL and SERVER DIALBACK were not offered by <hostname deleted>

       

      Looking at SASLAuthentication.java, I can see that for me it is walking the certificate chain and tries to find the CA certificate in my keystore.  If I don't import the CA certificate in my keystore (it is in my truststore, didn't think it was needed in the keystore too) it throws an exception and the certificate is marked as self signed.  If I import the CA certificate to my keystore too, my certificate still gets marked as self signed because the CA certificate is self signed.  When the CA cert is in my keystore, I can no longer view the "Server Certificates" page in the admin console as I get a java exception.

       

      Does anyone have this working?  If I run it in a debugger and force my cert to be considered not self signed everything does work.  Not sure if it's a problem with my certificates or the logic in openfire to determine if a cert is self signed or not.

       

      Thanks.

  • Rob Corell Bronze
    Rob Corell
    4 posts since
    Jan 7, 2010
    Currently Being Moderated
    Jan 16, 2010 5:39 PM (in response to Adam Tauno Williams)
    Re: *WORKING* SSL Setup Instructions?

    I gave up and used ejabberd which worked perfectly.  I too haven't heard of anyone successfully getting this working.

  • zackrspv Bronze
    zackrspv
    2 posts since
    Mar 12, 2010
    Currently Being Moderated
    Mar 19, 2010 1:26 AM (in response to Adam Tauno Williams)
    Re: *WORKING* SSL Setup Instructions?

    Perhaps an adapatation of the resolve i had on this post:  http://www.igniterealtime.org/community/thread/41081 will help you?

     

    I use StartSSL for my OpenFIRE ssl and it's working w/o issue.  The instructions i posted on that proceedure may help you.

  • mokmok Bronze
    mokmok
    4 posts since
    Mar 15, 2010
    Currently Being Moderated
    Mar 21, 2010 8:57 PM (in response to Adam Tauno Williams)
    Re: *WORKING* SSL Setup Instructions?

    I also experienced this and it is really frustrating. After many weeks and days, I was able to make our wild card certificate to work by importing the rootCA chain one at a time. I did not import it as a chain, instead I imported it like two certificates on the truststore and it worked like a charm.

More Like This

  • Retrieving data ...

Bookmarked By (1)

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points