*WORKING* SSL Setup Instructions?

Did you solve this? I am having the same problem and know that in the past I had the same headache but somehow, somehow got it to work. Now my certificate has expired and I am back having struggles.

Here is my discussion http://www.igniterealtime.org/community/message/198613#198613.

Does anyone know how to do it? It looks like it is a common problem.

Hi there,

I am having the exact same issue. I have gone through and tried all the suggestions in the various posts in Openfire Support. Still no luck. Using keytool, I am able to list/delete/import certs in my keystore. But when I click on “Server Certificates” using the browser UI, I get the following Java exception:

                  java.security.InvalidKeyException: Supplied key (null) is not a RSAPrivateKey instance

Has anyone found a solution for this? Does anyone know the cause of this error?

Any help/guidance appreciated.

Bal

I’m having the exact same problem and have found numerous forum posts about it. But nothing has helped.

Me too. I’m looking at server-to-server connections though.

Viewing the Server Certificates page in the admin console shows that I have a “CA Signed RSA” and a “CA Signed DSA” certificate.

The log files show the TLS connection is established, but no authentication mechanism is offered.

2010.01.16 13:16:57 LocalOutgoingServerSession: OS - Plain connection to :5269 successful

2010.01.16 13:16:57 LocalOutgoingServerSession: OS - Indicating we want TLS to

2010.01.16 13:16:57 LocalOutgoingServerSession: OS - Negotiating TLS with

2010.01.16 13:16:57 LocalOutgoingServerSession: OS - TLS negotiation with was successful

2010.01.16 13:19:27 LocalOutgoingServerSession: OS - Error, EXTERNAL SASL and SERVER DIALBACK were not offered by

Looking at SASLAuthentication.java, I can see that for me it is walking the certificate chain and trying to find the CA certificate in my keystore. If I don’t import the CA certificate into my keystore (it is in my truststore; I didn’t think it was needed in the keystore too) it throws an exception and the certificate is marked as self signed. If I import the CA certificate into my keystore too, my certificate still gets marked as self signed because the CA certificate is self signed. When the CA cert is in my keystore, I can no longer view the “Server Certificates” page in the admin console, as I get a Java exception.

Does anyone have this working? If I run it in a debugger and force my cert to be considered not self signed, everything does work. Not sure if it’s a problem with my certificates or the logic in Openfire to determine if a cert is self signed or not.

Thanks.

An awesome bit of debugging; maybe with that kind of info you should proceed to file a bug and reference this thread.

I haven’t heard from anyone who has this working (hard to believe, I know).

I gave up and used ejabberd which worked perfectly. I too haven’t heard of anyone successfully getting this working.

I’m not sure I have understood all the technical stuff, but I will try to file John’s message as a bug report. OF-331. It will be pushed to 3.6.6, as we want to finalize 3.6.5 sooner.

With a small modification to the check for a self signed local certificate in method SASLAuthentication.getSASLMechanisms, I have this working.

The call to session.getConnection().getLocalCertificates() returns the certificate chain used in the TLS handshake. The return value is an ordered array with the local certificate first, followed by the certificate authorities (see javax.net.ssl.SSLSession.getLocalCertificates). Instead of iterating over the entire array, just check the first certificate to see if it’s self signed or not.
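The check described above, written out as an added example (not Openfire’s own code from SASLAuthentication.java): it takes the array returned by SSLSession.getLocalCertificates() and decides self-signedness from the first element only, so self-signed roots later in the chain no longer disqualify the server’s certificate.

```java
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public final class LocalCertCheck {

    /**
     * True if the certificate this server presented during the TLS handshake is
     * self-signed. Only chain[0] (the server's own certificate) is examined; the
     * CA certificates that follow it are expected to include a self-signed root
     * and must not influence the result.
     */
    public static boolean isLocalCertSelfSigned(Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return true; // nothing was presented: treat as not CA-signed
        }
        if (!(chain[0] instanceof X509Certificate)) {
            return true; // only X.509 chains can be evaluated here
        }
        return isSelfSigned((X509Certificate) chain[0]);
    }

    /**
     * A certificate is self-signed when it is issued to itself AND its signature
     * verifies under its own public key. Comparing names alone is not enough:
     * an issuer with the same name but a different key is not self-signed.
     */
    public static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false; // issued by someone else: CA-signed
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            // Same name as issuer but the signature does not verify with its own
            // key, so it was signed by a different key (or is corrupt).
            return false;
        }
    }
}
```

Usage inside a session-aware component would be `isLocalCertSelfSigned(session.getLocalCertificates())`; the CA certificates in the array are never inspected.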

Thanks, this is excellent news. We’ll be looking forward to 3.6.6.

Perhaps an adaptation of the resolution I had on this post: http://www.igniterealtime.org/community/thread/41081 will help you?

I use StartSSL for my Openfire SSL and it’s working w/o issue. The instructions I posted on that procedure may help you.

I also experienced this and it is really frustrating. After many weeks and days, I was able to make our wildcard certificate work by importing the root CA chain one at a time. I did not import it as a chain; instead I imported it as two certificates into the truststore and it worked like a charm.

I am leaving this in case it is useful to anyone but please try the method in my reply first. It is much easier.

I have been having this same issue and it took me all day to finally get it working. I have a digicert wildcard certificate and it has been a huge pain to get it into Openfire. I know this is old so it may not even be relevant anymore but here is how I did it on 3.7.0:

  1. Go to the import page and bookmark the URL, for a reason that will be important later. In my case it was http://localhost:9090/import-certificate.jsp

  2. Drop to the command prompt and use keytool to import ALL the intermediate certificates in the chain needed to validate your certificate. In my case there was my certificate, 2 DigiCert certificates, then an Entrust Root CA. I had to import the two DigiCert ones into the keystore.

keytool -import -keystore keystore -alias digicert1 -file digicert1.cer

keytool -import -keystore keystore -alias digicert2 -file digicert2.cer

  3. Restart Openfire so it will re-read your keystore.

  4. Don’t try to go to the certificates page, since it will just throw an error that one of the keys isn’t a private key. That is why you have to go to the bookmarked import page. Enter your passphrase, existing key and certificate. Mine were the text I used in an Apache install.

  5. If it didn’t work, when you submit you should get the red text with the error, like couldn’t verify the chain, bad passphrase, etc. If it did work then you will go back to the certificates page, which has the private key error. No need to worry; you should see import=success in the URL.

  6. Now that it is there you can clean things up by going back to the command prompt and deleting the intermediate certificates and the default self-signed ones.

keytool -delete -keystore keystore -alias digicert1

keytool -delete -keystore keystore -alias digicert2

keytool -delete -keystore keystore -alias domain.name_rsa

keytool -delete -keystore keystore -alias domain.name_dsa

  7. Restart Openfire again and now the certificates screen should work properly and you will see your CA signed cert.

Massive PITA but I finally got it working. Of course my client of choice is Pidgin, which doesn’t use the system root CAs, so even though I verified it was getting the correct cert it is still prompting the user to accept because the stupid DigiCert intermediate cert isn’t in Pidgin. I tried leaving the DigiCert certs in the keystore in the hopes that they would get passed down like my web servers do, but it didn’t work.

Hopefully those of you who aren’t using Pidgin or have the intermediate certs in your clients will find some value in this.

Message was edited by: Kelderek

Wouldn’t you know that I would find the EASY way to do it after I go through all that hassle and then write it up for the forums. Here is the link so credit can be given where it is due:

The gist of it is that all you have to do is put the text of your intermediate certs in the cert import box along with the text of your cert. Doesn’t solve my Pidgin issue but it makes the process SO much easier.

I found Pidgin works fine on Windows 7, but complains about not trusting a cert on Windows XP. Microsoft have an updated root CA bundle available for XP which seems to solve the issues.

http://support.microsoft.com/kb/931125

In my case it complains for both XP and 7. We are using the most current root certs bundle as well. I think it is because my cert is from DigiCert. Entrust signs DigiCert and is trusted by Windows, but there is an intermediate DigiCert CA as well. I had to add that to my web servers as well so clients wouldn’t have prompts when browsing the web. Apparently with that there is some facility to send the intermediate certs as well that doesn’t exist in XMPP, Openfire and/or Pidgin.

Workaround: Put your CA certificate in the truststore and remove it from the keystore. Openfire throws an exception in the web interface if the keystore contains anything that does not have a private key associated.

Openfire web server and XMPP SSL/TLS services work fine, only the web interface complains.
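An added example (not Openfire’s or any poster’s code) that checks the two things this workaround and Kelderek’s keytool clean-up above both turn on: whether the keystore still holds certificate-only entries (which the thread says break the web interface), and what chain each private-key entry actually carries. It assumes the Openfire defaults mentioned in the thread, resources/security/keystore with password “changeit”, both overridable on the command line.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public final class KeystoreAudit {
    // Aliases holding a certificate but no private key. Per the thread, any such
    // entry in Openfire's keystore breaks the Server Certificates page; CA
    // certificates belong in the truststore instead.
    public static List<String> certOnlyAliases(KeyStore ks) throws KeyStoreException {
        List<String> found = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) found.add(alias);
        }
        return found;
    }

    // One line per certificate in each private-key entry's chain, in the order the
    // server presents it: the server certificate first, then intermediates and root.
    public static List<String> describeKeyEntries(KeyStore ks) throws KeyStoreException {
        List<String> lines = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.isKeyEntry(alias) ? ks.getCertificateChain(alias) : null;
            if (chain == null) continue;
            for (int i = 0; i < chain.length; i++) {
                X509Certificate c = (X509Certificate) chain[i];
                lines.add(alias + "[" + i + "] subject=" + c.getSubjectX500Principal() + " issuer=" + c.getIssuerX500Principal());
            }
        }
        return lines;
    }

    public static void main(String[] args) throws Exception {
        // Defaults follow the thread (Openfire keystore, stock password "changeit").
        String path = args.length > 0 ? args[0] : "resources/security/keystore";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        for (String line : describeKeyEntries(ks)) System.out.println(line);
        List<String> stray = certOnlyAliases(ks);
        System.out.println(stray.isEmpty() ? "OK: only private-key entries present"
                : "WARNING: move these certificate-only entries to the truststore: " + stray);
    }
}
```

Run as `java KeystoreAudit /path/to/keystore changeit`; a chain listing with only one entry for the server alias means the intermediates were not imported alongside the certificate, which matches the “couldn’t verify the chain” failure described earlier.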

I have put a quick fix for this in http://community.igniterealtime.org/message/218685

I’m confused on this issue.

What does it take from start to finish to get this working?

I had this working before, not sure where I got the correct instructions.

Now my cert expired and I cannot get this to work no matter what I do.

I’ve followed several instructions in this forum, none seem to work.

Of all the instructions I followed, this worked the best. All the other ones were confusing at best.

http://community.igniterealtime.org/docs/DOC-2208

Thanks. I appreciate the credit.

Hi Guys, I was fighting with this like you all have been for a weekend.

I WAS ABLE TO GET IT TO WORK AS IT SHOULD.

From what I can tell, this isn’t an Openfire problem; this is a “Java Feature”, as the more I looked around the world, the more I saw people experiencing this keystore/truststore issue on many Java-based platforms. This also might explain why some people have it work great till they renew their cert, or why various fixes work for one admin and not another… different Java JDK/SDK/JRE over the years.

I saw some article recommending the use of “IBM KeyMan”. It’s a small program that reads and rewrites keystores.

Within 20 minutes I had my wildcard cert running on Openfire.

Basic steps involved:

  1. Get KeyMan running well… (install, fix a .bat startup)

  2. Rename the old keystore file to something else. (…\openfile\resources\security\keystore.sucks)

  3. Create a new keystore file in …\openfile\resources\security\keystore (keep the same password, “changeit”) using your good cert, PFX or whatever.

  4. Save out and test. Openfire may complain, but the cleanup was minimal compared to all the garbage I went through all weekend to go nowhere with keytool.

Like I said, 20 minutes.

Cheers!
