Did you solve this? I am having the same problem and know in the past had the same headache but somehow, somehow got it to work. Now my certificate has expired and I am back having struggles.
I am having the exact same issue. I have gone through and tried all the suggestions in the various posts in Openfire Support. Still no luck. Using keytool, I am able to list/delete/import certs in my keystore. But when I click on “Server Certificates” using the browser UI, I get the following java exception:
java.security.InvalidKeyException: Supplied key (null) is not a RSAPrivateKey instance
Has anyone found a solution for this? Does anyone know the cause for this error?
Any help/guidance appreciated.
Bal
Me too. I’m looking at server-to-server connections though.
Viewing the Server Certificates page in the admin consoles shows that I have a “CA Signed RSA” and a “CA Signed DSA” certificate.
The log files show the TLS connection is established, but no authentication mechanism is offered.
2010.01.16 13:16:57 LocalOutgoingServerSession: OS - Plain connection to :5269 successful
2010.01.16 13:16:57 LocalOutgoingServerSession: OS - Indicating we want TLS to
2010.01.16 13:16:57 LocalOutgoingServerSession: OS - Negotiating TLS with
2010.01.16 13:16:57 LocalOutgoingServerSession: OS - TLS negotiation with was successful
2010.01.16 13:19:27 LocalOutgoingServerSession: OS - Error, EXTERNAL SASL and SERVER DIALBACK were not offered by
Looking at SASLAuthentication.java, I can see that for me it is walking the certificate chain and tries to find the CA certificate in my keystore. If I don’t import the CA certificate in my keystore (it is in my truststore, didn’t think it was needed in the keystore too) it throws an exception and the certificate is marked as self signed. If I import the CA certificate to my keystore too, my certificate still gets marked as self signed because the CA certificate is self signed. When the CA cert is in my keystore, I can no longer view the “Server Certificates” page in the admin console as I get a java exception.
Does anyone have this working? If I run it in a debugger and force my cert to be considered not self signed everything does work. Not sure if it’s a problem with my certificates or the logic in openfire to determine if a cert is self signed or not.
I’m not sure I have understood all the technical stuff, but I will try to file John’s message as a bug report: OF-331. It will be pushed to 3.6.6, as we want to finalize 3.6.5 sooner.
With a small modification to the check for a self signed local certificate in method SASLAuthentication.getSASLMechanisms, I have this working.
The call to session.getConnection().getLocalCertificates() returns the certificate chain used in the TLS handshake. The return value is an ordered array with the local certificate first, followed by the certificate authorities (see javax.net.ssl.SSLSession.getLocalCertificates). Instead of iterating over the entire array, just check the first certificate to see if it’s self signed or not.
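As an added illustration of the check described above (this is example code, not Openfire's SASLAuthentication and not the patch attached to OF-331), the class below loads a JKS keystore such as Openfire 3.x's resources/security/keystore, and for every private-key entry reports both results: the leaf-only test on chain[0], and an approximation of the walk-the-whole-chain behaviour the thread describes, which trips on the self-signed root at the end of any CA-issued chain. The keystore path, password and the class name are assumptions; "self-signed" is taken to mean issuer equals subject and the certificate verifies under its own public key.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class SelfSignedCheck {

    /** Self-signed: the certificate names itself as issuer AND its own public key verifies its signature. */
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false;
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (Exception e) {
            // Same DN as its issuer but not signed with its own key: not self-signed.
            return false;
        }
    }

    /** SSLSession#getLocalCertificates returns the chain leaf first, so only chain[0] decides the question. */
    static boolean leafIsSelfSigned(Certificate[] chain) {
        if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            return true; // nothing usable to present: treat like a self-signed cert (no SASL EXTERNAL)
        }
        return isSelfSigned((X509Certificate) chain[0]);
    }

    /** Approximation of the whole-chain walk from the thread (assumption, not Openfire's code): any
     *  self-signed link flags the chain, so a proper chain ending in its root is always "self-signed". */
    static boolean anyLinkSelfSigned(Certificate[] chain) {
        if (chain == null) {
            return true;
        }
        for (Certificate c : chain) {
            if (c instanceof X509Certificate && isSelfSigned((X509Certificate) c)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // usage: java SelfSignedCheck <keystore> <password>   (Openfire 3.x keeps its keystore in JKS format)
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries carry no chain and no private key
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.printf("%s: chain length %d, leaf self-signed=%b, any link self-signed=%b%n",
                    alias, chain.length, leafIsSelfSigned(chain), anyLinkSelfSigned(chain));
        }
    }
}
```

For a CA-issued entry whose stored chain includes the root, the two columns differ (leaf false, any-link true); that difference is exactly what decides whether EXTERNAL SASL is offered on the server-to-server connection.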
I also experienced this and it is really frustrating. After many weeks and days, I was able to make our wild card certificate to work by importing the rootCA chain one at a time. I did not import it as a chain, instead I imported it like two certificates on the truststore and it worked like a charm.
I am leaving this in case it is useful to anyone but please try the method in my reply first. It is much easier.
I have been having this same issue and it took me all day to finally get it working. I have a digicert wildcard certificate and it has been a huge pain to get it into Openfire. I know this is old so it may not even be relevant anymore but here is how I did it on 3.7.0:
Drop to the command prompt and use keytool to import ALL the intermediate certificates in the chain needed to validate your certificate. In my case there was my certificate, 2 DigiCert certificates then an Entrust Root CA. I had to import the two DigiCert ones into the keystore.
Don’t try to go to the certificates page since it will just throw an error that one of the keys isn’t a private key. That is why you have to go to the bookmarked import page. Enter your passphrase, existing key and certificate. Mine were the text I used in an Apache install.
If it didn’t work when you submit you should get the red text with the error like couldn’t verify the chain, bad passphrase, etc. If it did work then you will go back to the certificates page which has the private key error. No need to worry, you should see import=success in the URL.
Now that it is there you can clean things up by going back to the command prompt and deleting the intermediate certificates and the default self-signed ones.
Restart Openfire again and now the certificates screen should work properly and you will see your CA signed cert.
Massive PITA but I finally got it working. Of course my client of choice is Pidgin which doesn’t use the system root CAs so even though I verified it was getting the correct cert it is still prompting the user to accept because the stupid Digicert intermediate cert isn’t in Pidgin. I tried leaving the digicert certs in the keystore in the hopes that they would get passed down like my web servers do but it didn’t work.
Hopefully those of you who aren’t using pidgin or have the intermediate certs in your clients will find some value in this.
Wouldn’t you know that I would find the EASY way to do it after I go through all that hassle then write it up for the forums. Here is the link so credit can be given where it is due:
The gist of it is that all you have to do is put the text of your intermediate certs in the cert import box along with the text of your cert. Doesn’t solve my pidgin issue but it makes the process SO much easier.
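The two posts above (the keytool procedure for 3.7.0 and the shortcut of pasting the intermediates into the import box with the server cert) both end up doing one thing: storing the leaf and its intermediates together as a single private-key entry. The class below is an added, stand-alone example of that, not Openfire's importer. It reads a PEM bundle in any order, sorts it leaf first by following issuer links, checks that the private key actually belongs to the leaf, and writes one PrivateKeyEntry into a JKS keystore. Assumptions: the keystore is JKS and the key entry uses the keystore password (Openfire 3.x default "changeit"), the key is RSA in unencrypted PKCS#8 form, and the alias is whatever you pass in; the class and file names are invented.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ImportChain {

    /** Every certificate in a PEM bundle (server cert plus intermediates, any order). */
    static List<X509Certificate> readPemCerts(String pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        for (Certificate c : cf.generateCertificates(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)))) {
            certs.add((X509Certificate) c);
        }
        return certs;
    }

    /** Unencrypted PKCS#8 ("BEGIN PRIVATE KEY"). An Apache-style "BEGIN RSA PRIVATE KEY" (PKCS#1) file is
     *  not parsed by the JDK; convert it first: openssl pkcs8 -topk8 -nocrypt -in server.key -out server.pk8 */
    static PrivateKey readPkcs8Key(String pem) throws Exception {
        Matcher m = Pattern.compile("-----BEGIN PRIVATE KEY-----([^-]+)-----END PRIVATE KEY-----").matcher(pem);
        if (!m.find()) {
            throw new IllegalArgumentException("expected an unencrypted PKCS#8 'BEGIN PRIVATE KEY' block");
        }
        byte[] der = Base64.getMimeDecoder().decode(m.group(1)); // MIME decoder skips the line breaks
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** Leaf first: the leaf is the cert that issued none of the others; then walk issuer links upward. */
    static List<X509Certificate> orderLeafFirst(List<X509Certificate> certs) {
        X509Certificate leaf = null;
        for (X509Certificate cand : certs) {
            boolean issuedAnother = false;
            for (X509Certificate other : certs) {
                if (other != cand && other.getIssuerX500Principal().equals(cand.getSubjectX500Principal())) {
                    issuedAnother = true;
                    break;
                }
            }
            if (!issuedAnother) { leaf = cand; break; }
        }
        if (leaf == null) {
            throw new IllegalArgumentException("bundle has no leaf certificate");
        }
        List<X509Certificate> ordered = new ArrayList<>();
        for (X509Certificate cur = leaf; cur != null && !ordered.contains(cur); ) {
            ordered.add(cur);
            X509Certificate next = null;
            for (X509Certificate cand : certs) {
                if (cand != cur && cand.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) {
                    next = cand;
                    break;
                }
            }
            cur = next; // a self-signed root issues itself, so the walk stops there
        }
        return ordered;
    }

    public static void main(String[] args) throws Exception {
        // usage: java ImportChain <keystore> <password> <alias> <server.pk8> <bundle.pem>
        char[] pw = args[1].toCharArray();
        PrivateKey key = readPkcs8Key(new String(Files.readAllBytes(Paths.get(args[3])), StandardCharsets.US_ASCII));
        List<X509Certificate> chain = orderLeafFirst(readPemCerts(
                new String(Files.readAllBytes(Paths.get(args[4])), StandardCharsets.US_ASCII)));
        X509Certificate leaf = chain.get(0);
        // Key/cert mismatch is the usual cause of import failures: compare the RSA modulus before storing.
        if (!(key instanceof RSAPrivateKey) || !(leaf.getPublicKey() instanceof RSAPublicKey)
                || !((RSAPrivateKey) key).getModulus().equals(((RSAPublicKey) leaf.getPublicKey()).getModulus())) {
            throw new IllegalArgumentException("private key does not match leaf " + leaf.getSubjectX500Principal());
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, pw);
        }
        // One PrivateKeyEntry holding leaf + intermediates: this stored chain is what the TLS stack sends.
        // Intermediates sitting in the keystore as separate trusted entries are never sent to the peer.
        ks.setKeyEntry(args[2], key, pw, chain.toArray(new X509Certificate[0]));
        try (FileOutputStream out = new FileOutputStream(args[0])) {
            ks.store(out, pw);
        }
        for (X509Certificate c : chain) {
            System.out.println("stored: " + c.getSubjectX500Principal());
        }
    }
}
```

Run it with Openfire stopped and the keystore backed up. Because the intermediates travel inside the key entry rather than as loose trusted-certificate entries, the keystore keeps only private-key entries, which is what the admin console's certificate page expects, and the full chain is offered during the TLS handshake.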
I found Pidgin works fine on Windows 7, but complains about not trusting a cert with Windows XP - Microsoft have an updated root CA bundle available for XP which seems to solve the issues.
In my case it complains for both XP and 7. We are using the most current root certs bundle as well. I think it is because my cert is from Digicert. Entrust signs Digicert and is trusted by Windows, but there is an intermediate Digicert CA as well. I had to add that to my web servers as well so clients wouldn’t have prompts when browsing the web. Apparently with that there is some facility to send the intermediate certs as well that doesn’t exist in XMPP, Openfire and/or Pidgin.
Workaround: Put your CA certificate in truststore, remove it from keystore. Openfire throws an exception in the web interface if keystore contains anything that does not have a private key associated.
Openfire web server and XMPP SSL/TLS services work fine, only the web interface complains.
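An added example of the workaround in the post above, written for this page rather than taken from Openfire: it opens both JKS stores, moves every certificate-only entry (what keytool lists as trustedCertEntry) out of the keystore into the truststore, backs up each file before overwriting it, and leaves the keystore holding private-key entries only. Paths, passwords and the class name are assumptions; Openfire 3.x ships both stores under resources/security with the password "changeit".

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class MoveTrustedEntries {

    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        return ks;
    }

    /** Writes a .bak copy first so a bad password or a typo in the alias list is recoverable. */
    static void save(KeyStore ks, String path, char[] pw) throws Exception {
        Files.copy(Paths.get(path), Paths.get(path + ".bak"), StandardCopyOption.REPLACE_EXISTING);
        try (FileOutputStream out = new FileOutputStream(path)) {
            ks.store(out, pw);
        }
    }

    /** Aliases that hold a certificate but no private key; these are what the admin console chokes on. */
    static List<String> certOnlyAliases(KeyStore ks) throws Exception {
        List<String> out = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                out.add(alias);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // usage: java MoveTrustedEntries <keystore> <keystore-password> <truststore> <truststore-password>
        char[] kpw = args[1].toCharArray();
        char[] tpw = args[3].toCharArray();
        KeyStore keystore = load(args[0], kpw);
        KeyStore truststore = load(args[2], tpw);
        List<String> toMove = certOnlyAliases(keystore);
        if (toMove.isEmpty()) {
            System.out.println("keystore holds only private-key entries; nothing to move");
            return;
        }
        for (String alias : toMove) {
            Certificate cert = keystore.getCertificate(alias);
            truststore.setCertificateEntry(alias, cert); // replaces a trusted entry of the same alias, if any
            keystore.deleteEntry(alias);
            System.out.println("moved " + alias + " -> truststore");
        }
        save(keystore, args[0], kpw);
        save(truststore, args[2], tpw);
    }
}
```

Run it with Openfire stopped, then restart; `keytool -list` on the keystore afterwards should show nothing but PrivateKeyEntry lines.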
Hi Guys-- I was fighting with this like you all have been for a weekend.
I WAS ABLE TO GET IT TO WORK AS IT SHOULD.
From what I can tell, this isn’t an Openfire problem: this is a “Java Feature”, as the more I looked around the world, people experience this keystore/truststore issue on many Java based platforms. This also might explain why some people have it work great until they renew their cert, or various fixes work for one admin and not the other… Different Java JDK/SDK/JRE over the years.
I saw in some article recommending the use of “IBM KeyMan”. It’s a small program that reads and rewrites keystores.
Within 20 minutes I had my wildcard cert running on openfire.
Basic steps involved:
get Keyman running well… (install, fix a bat startup)
rename the old keystore file to something else. (…\openfile\resources\security\keystore.sucks)
create a new keystore file in …\openfile\resources\security\keystore (keep same password “changeit”) using your good cert , PFX or whatever.
save out and test. Openfire may complain, but the cleanup was minimal compared to all the garbage I went through all weekend to go nowhere with keytool.