Issues with Wildfire 3.2.0_rc2 and SSL

I had my server running with 3.1.1 and I was using the SSL certificates from startcom/xmpp. All was ok, but after upgrading to 3.2.0_rc2 I get the following when I try to access: http://jabber.felisberto.net:9090/ssl-certificates.jsp

Exception:

java.security.InvalidKeyException: Supplied key (null) is not a RSAPrivateKey instance
    at org.bouncycastle.jce.provider.JDKDigestSignature.engineInitSign(Unknown Source)
    at java.security.Signature.initSign(Signature.java:485)
    at org.bouncycastle.jce.PKCS10CertificationRequest.<init>(Unknown Source)
    at org.bouncycastle.jce.PKCS10CertificationRequest.<init>(Unknown Source)
    at org.jivesoftware.util.CertificateManager.createSigningRequest(CertificateManager.java:321)
    at org.jivesoftware.wildfire.admin.ssl_002dcertificates_jsp._jspService(ssl_002dcertificates_jsp.java:351)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:491)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1074)
    at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
    at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
    at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:65)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
    at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:41)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
    at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:69)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
    at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:98)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:365)
    at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:185)
    at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
    at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:689)
    at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:391)
    at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:146)
    at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
    at org.mortbay.jetty.Server.handle(Server.java:285)
    at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:457)
    at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:751)
    at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:500)
    at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:209)
    at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:357)
    at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:329)
    at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:475)

Also, although the info page reports "All addresses 9091 Admin Console The port used for secured Admin Console access", if I try to access the web interface with https on port 9091 nothing is listening there:

www ~ # netstat -na|grep 9090
tcp 0 0 0.0.0.0:9090 0.0.0.0:* LISTEN
www ~ # netstat -na|grep 9091
www ~ #

Hey Gustavo,

That error means that the certificate has no chain. The same certificate is used for TLS and the old SSL method. Are clients able to connect to the server using TLS or SSL? I'm checking if this is a UI problem or if in fact Wildfire is not able to handle that certificate.

BTW, how have you imported that certificate? Two weeks ago I was trying to use a certificate signed by startcom and got the same error. I was not able to get to the bottom of it so I don't have a conclusive answer for you at this time.

Thanks,

– Gato

I don't remember the exact steps. But I know I used the command line tools. I think I used the steps on some thread here in the forums.

Clients using SSL are able to connect ok and receive the proper certificate: http://www.felisberto.net/~humpback/wildfire-ssl.png

Sorry for a reply and not a new post; I'm a 1st time user on your forum and was directed here by one of the Jive tech support people with the same problem.

I installed Wildfire Enterprise 311 and had it working perfectly using a self signed SSL cert. As soon as I imported a 3rd party signed cert, I received "no socket" errors and "unknown cipher" errors. I sent an email with the errors copied and pasted to Jive tech support, who replied and said to install the 3.2 update, it would fix the problem. I installed 3.2, got it up and running beautifully with a self signed SSL cert.; as soon as I import the 3rd party signed cert I get the same error as posted here. The cert is from Starfield Secure Certification Authority (godaddy.com). Imported using the following command with no other certs stored:

keytool -import -keystore keystore -alias mydomain.com -file cert_file_name.cer

I hope having the name of another Authority being rejected and the import method helps in some way.

Regards,

Matt S.

The 2nd post was a mistake. I got an internal error posting the message when I tried to post this the 1st time and did not think it posted; after posting a 2nd time it appeared twice.

Regards,

Matt S.


I have encountered the same issue with startcom certificates as you, gato. I'm using Wildfire 3.2.0.

Hi,

Anybody have a solution for this? I've got the same problem with a cert signed by GeoTrust.

thanks,

daryl

I've also got a Geotrust cert and, while it imports, Wildfire doesn't seem to be recognizing it...

Try putting the root certificate (and any other certificate in the chain) right before your own certificate together into a single file, and import that one. That fixed it for me.
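The two failure modes in this thread (a certificate imported with keytool under an alias that holds no private key, and a concatenated chain file that keytool rejects as not an X.509 certificate) can both be checked before touching the running server. The following diagnostic is an added example, not code from Wildfire or from anyone in this thread; it assumes a JKS keystore protected by a password, given on the command line, and an optional PEM chain file built as described above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Enumeration;

// Usage: java KeystoreCheck <keystore> <password> [chain.pem]
// Reports, per alias, whether the entry carries a private key and whether its
// chain is ordered leaf -> intermediate(s) -> root. Assumed to run against a
// copy of the Wildfire keystore; it never modifies it.
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) {
                // trustedCertEntry: a certificate with no private key behind it, so the
                // server has nothing to sign with under this alias
                System.out.println(alias + ": trusted certificate only, NO private key");
                continue;
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.println(alias + ": private key entry, chain length " + chain.length);
            reportOrder(chain);
        }
        if (args.length > 2) {
            // The same parser keytool uses: a malformed bundle throws CertificateException here
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            try (InputStream in = new FileInputStream(args[2])) {
                Collection<? extends Certificate> certs = cf.generateCertificates(in);
                System.out.println(args[2] + ": parsed " + certs.size() + " certificate(s)");
                reportOrder(certs.toArray(new Certificate[0]));
            }
        }
    }

    // Each certificate's issuer must equal the subject of the one that follows it.
    static void reportOrder(Certificate[] chain) {
        for (int i = 0; i + 1 < chain.length; i++) {
            X509Certificate child = (X509Certificate) chain[i];
            X509Certificate parent = (X509Certificate) chain[i + 1];
            if (!child.getIssuerX500Principal().equals(parent.getSubjectX500Principal())) {
                System.out.println("  chain break at position " + i + ": issuer "
                        + child.getIssuerX500Principal() + " != subject " + parent.getSubjectX500Principal());
            }
        }
    }
}
```

When the chain file parses cleanly, importing it with keytool under the alias of the existing private-key entry installs it as a certificate reply for that key; importing it under a new alias creates a trusted-certificate entry with no key, which this tool flags.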

I tried this method and get the following error on import.

keytool error: java.lang.Exception: Input not an X.509 Certificate

any ideas?

how are you creating the file?

Regards,

Matt S.

Thanks for the help. I tried this method and keytool only imported the root cert. As the previous poster asks, an example would be appreciated.

daryl

I reverted to wildfire 3.1.1 this morning and the geotrust SSL cert worked as expected. Hopefully the issue is fixed in 3.2.1

I have reverted back to 3.1.1 Enterprise due to other issues as well as this one. Still getting the same error with the SSL cert. The error is:

Could not setup SSL socket
javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
    at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(Unknown Source)
    at org.jivesoftware.wildfire.net.SSLSocketAcceptThread.run(SSLSocketAcceptThread.java:146)
2007.02.11 17:38:02 [org.jivesoftware.wildfire.net.SSLSocketAcceptThread.run(SSLSocketAcceptThread.java:168)

I have tried many things with the cert using openssl and keytool to try and get the keys to work with no luck.

Any ideas on this one?

Regards,

Matt S.

bump

Any thoughts on this? A colleague of mine pointed me to this page:

http://www.agentbob.info/agentbob/79.html

which at least gave me a keystore that wildfire 3.2 wouldn't complain about. Except it doesn't think my RSA key is verified. I'm perplexed

I dunno if this would be any help for this thread...

This is how I got my wildcard cert to work with Wildfire 3.11:

http://www.igniterealtime.org/forum/thread.jspa?messageID=133457&#133457

Would this work for 3.2.0 also?

Thanks! The process worked, but Wildfire 3.2 still thinks my RSA key is still pending verification.

Strange, but I'm also an SSL newbie, so I am perhaps doing something silly.

I am having this "Supplied key (null) is not a RSAPrivateKey instance" error with all the releases greater than 3.2xxx.

I have a 3.1 instance running fine with some certs signed out of my own CA hierarchy which doesn't have this problem.

I created a new install of the 3.3 Alpha and then used the keytool to import my CA certs and server cert/RSA private key pair from the old keystore and truststore files from the old working installation.

All my SSL clients connect fine and I can web browse to the Admin console using SSL without any complaints from the browser. Openfire however logs:

And when I go to the "Server Certificates" page in the admin console I get the "java.security.InvalidKeyException: Supplied key (null) is not a RSAPrivateKey instance" error.