Spark can't verify certificate

Hi,

I've imported a CA-signed certificate into the XMPP Client Stores - Identity Store in Openfire.

When I try to connect with Spark 2.8.2 I get the error "Unable to verify certificate".

error log:

Nov 29, 2016 9:03:54 AM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
org.jivesoftware.smack.SmackException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1029)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:956)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:971)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:768)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1000(XMPPTCPConnection.java:139)
    at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1022)
    ... 3 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 13 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 19 more

Any Ideas?

Best Regards

For some reason Java can't check if your certificate is valid. If this is your internal CA, I suppose this is still treated as a self-signed certificate. You can go to the advanced menu on the login screen and check the "Accept all certificates" option.

Thank you for your quick response. My company wants me to use it while checking the certificates. However, I got it to work by using this script I found:

Be sure to actually fill out "Common Name" (your domain name) and your email address. You will end up with a yourdomain.csr. Send the contents of this file to your CA (be sure not to send your key-file contents), and in return they should send you a yourdomain.crt file (your certificate) and a CA certificate (needed to trust the chain of signatures). Place all files in, say, /etc/ssl on your jabber server:

yourdomain.key
yourdomain.crt
certificate-authority.crt
The yourdomain.csr file can now be discarded. I made this little bash script to whack everything together, which works in Debian:

#!/bin/bash
# Rebuild the Openfire truststore and keystore from a CA-signed certificate.
JavaDir="/usr/share/openfire/resources/security"
PASS="changeit"
cert="yourdomain"
certdir="/etc/ssl"
tmp="/root"
ca="/etc/ssl/certificate-authority.crt"

# Remove the old stores; both are recreated below.
test -e "${JavaDir}/truststore" && rm -f "${JavaDir}/truststore"
test -e "${JavaDir}/keystore" && rm -f "${JavaDir}/keystore"

/etc/init.d/openfire stop
# Server certificate first, then the CA certificate, so the full chain is presented to clients.
cat "${certdir}/${cert}.crt" "${ca}" > "${tmp}/combined.crt"
# Trust the CA in the truststore (-noprompt avoids the interactive "Trust this certificate?" question).
keytool -import -trustcacerts -noprompt -storepass "$PASS" -alias "StartSSL Class 2" -file "${ca}" -keystore "${JavaDir}/truststore"
# Bundle the chain and private key into a PKCS12 file, then import it into the Java keystore.
openssl pkcs12 -export -in "${tmp}/combined.crt" -inkey "${certdir}/${cert}.key" -out "${tmp}/${cert}.p12" -name "${cert}" -CAfile "${ca}" -passout "pass:${PASS}"
keytool -importkeystore -deststorepass "$PASS" -srcstorepass "$PASS" -destkeystore "${JavaDir}/keystore" -srckeystore "${tmp}/${cert}.p12" -srcstoretype PKCS12 -alias "${cert}"
# Restrict the stores to the openfire user and show the result.
chmod 640 "${JavaDir}/truststore" "${JavaDir}/keystore"
chown openfire:openfire "${JavaDir}/truststore" "${JavaDir}/keystore"
ls -lha "${JavaDir}"/*store
/etc/init.d/openfire start

This script deletes your current keystore and truststore (Java containers for certificates) and imports your certificate authority's CA file as well as your own certificate and private key.

Thanks again for your help
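The "PKIX path building failed" error in the trace above means the Java client could not build a path from the server certificate to a trusted CA. As an added example (not from this thread or the script above), the following functions check a combined.crt bundle against the CA file the same way a path builder would, before it is imported into the Openfire keystore. It assumes openssl is on the PATH; all file names are placeholders.

```shell
#!/bin/bash
# Added example: sanity-check a PEM chain bundle before importing it into Openfire.
# Assumes openssl is installed; paths passed in are placeholders chosen by the caller.
set -u

# Split a PEM bundle into $2/cert-0.pem, $2/cert-1.pem, ... and print the count.
# cert-0.pem must be the server certificate for the path builder to start there.
split_bundle() {
    local bundle="$1" outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert-%d.pem", dir, n++) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$bundle"
    ls "$outdir"/cert-*.pem | wc -l | tr -d ' '
}

# Succeed only if the server certificate's issuer is the CA certificate's subject,
# i.e. the CA file you were sent is actually the one that signed your certificate.
issuer_matches_ca() {
    local leaf="$1" ca="$2" issuer subject
    issuer=$(openssl x509 -in "$leaf" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$ca" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ]
}

# Build and validate the path from the first cert in the bundle to the trusted CA,
# using the rest of the bundle as untrusted intermediates, like a TLS client does.
verify_chain() {
    local bundle="$1" ca="$2" work rc
    work=$(mktemp -d)
    split_bundle "$bundle" "$work" >/dev/null
    openssl verify -CAfile "$ca" -untrusted "$bundle" "$work/cert-0.pem" >/dev/null 2>&1
    rc=$?
    rm -rf "$work"
    return $rc
}
```

If verify_chain fails against the CA file you received, Spark will fail with the same PKIX error no matter how the keystore is built; if it passes but Spark still fails, the CA is missing from the client's truststore rather than from the server's chain.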