BUG/Enhancement: SSL / CaCert / CSR

The Wildfire Webinterface should provide the user directly with a CSR.

This would make certificate generation a lot easier.

Another point is CaCert compatibility.

I found a thread in this board which describes the necessary steps, but I had no luck.

It would be nice if everything would work “out-of-the-box” with cacert.

The easier SSL integration is, the more users would use nice signed certificates.

Please add a bug/enhancement ticket to the bugtracker.

B.t.w., I got this error when trying to import the CaCert certificate:

Keytool-Error: java.security.cert.CertificateException: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.


Any news on this issue?

How bizarre! I’m not sure why your cacert wouldn’t work if you went with the instructions I posted in … I assume … the thread you are referring to. =/ It almost sounds like an invalid certificate in general. =/ I can try to help you if you want to post the step-by-step instructions you went through, and I’ll see if I can figure out what happened.

Beyond that, it could be nice if the cacert.org CAs were included with the wildfire dist or something along those lines.


As far as I know, the root cert will be in 3.1.

My cert works like a charm with ejabberd, but I can’t get it working with Wildfire.

I followed the steps you described, but still get SSL handshake errors.

I managed to import the certificate using keytool, but I am still getting those SSL handshake errors.

The built-in certificates were RSA AND DSA. CaCert issued just an RSA certificate.

Maybe that’s the problem?!

Just to make sure, are you certain that the -client- end also has the cacert.org CA trusted? Psi, for example, required me to install the certificate in a specific location before it was happy with my setup (in its case, it wanted me to install it in openssl’s certs location). In my case, I’m on a Mac, and some clients required it to be in my OS X keychain. I ran into a series of "oh crap, why isn’t this working?" when I wrote out those instructions until it dawned on me that my client didn’t know about cacert.org either. =)

I am on OS X, too (client).

I am 100% sure that the client config is OK because I am using the same CaCert certificate on the server all the time.

When I start ejabberd on the server, everything works fine…

When I start Wildfire (of course I stopped the ejabberd daemon before), I can’t connect (SSL handshake errors).

Even the web interface is not reachable via SSL (port 9091).