This bug affects OpenFire 3.6.4.
- Go to Server -> Server Settings -> Server Certificates
- Click to have OpenFire create self-signed certs for you.
- Click link and enter info to add needed information (name, organization, etc) before generating CSR. Submit the form.
- Get confused.
You are now brought to a page for the CSRs. At the top of the page there are spaces to enter the signatures for your RSA and DSA certs after you receive them from your CA. At the bottom of the page are the CSRs for you to give to your CA, in the opposite order compared to the entry blanks above. This makes it very easy to accidentally reverse the two, so that the RSA cert is offered up when asked for DSA and vice versa.
Symptoms include some but not all clients being unable to connect (Gajim is affected, Psi is not), s2s connections that cannot be established to some but not all servers, and an OpenFire admin who has been tearing her hair out for the last couple of hours in frustration.
The workaround is to pay extra attention when setting up certs so they go in the right place. However, a significant amount of new OpenFire admin sanity would be saved by always presenting RSA and DSA in the same order.
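One way to apply the workaround mechanically is to read the key algorithm out of each CA reply before pasting it into a field. The sketch below is an added example, not OpenFire code: the function names are hypothetical, each input is assumed to hold a single PEM certificate, and the two sample certificates are constructed skeletons rather than real CA output.

```python
import base64

# DER-encoded OIDs that identify the subject's public key algorithm.
KEY_ALGS = {bytes.fromhex("2a864886f70d010101"): "RSA",  # rsaEncryption
            bytes.fromhex("2a8648ce380401"): "DSA"}      # id-dsa
SHA1_RSA = bytes.fromhex("2a864886f70d010105")  # CA signature algorithm, not the key type

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def cert_key_algorithm(pem):
    """Name the key algorithm in the certificate's SubjectPublicKeyInfo."""
    b64 = "".join(ln for ln in pem.strip().splitlines() if not ln.startswith("-----"))
    tbs = children(children(read_tlv(base64.b64decode(b64), 0)[1])[0][1])
    if tbs[0][0] == 0xA0:  # skip the optional [0] version field
        tbs = tbs[1:]
    alg_id = children(tbs[5][1])[0][1]  # serial, sigAlg, issuer, validity, subject, SPKI
    return KEY_ALGS.get(children(alg_id)[0][1], "unknown")

def misplaced(slots):
    """slots maps a form field ('RSA' or 'DSA') to the PEM about to be pasted there."""
    found = {slot: cert_key_algorithm(pem) for slot, pem in slots.items()}
    return {slot: alg for slot, alg in found.items() if alg != slot}

def tlv(tag, *parts):
    """Short-form DER encoder, enough for the constructed samples below."""
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def skeleton_cert(key_oid):
    """Constructed sample: certificate-shaped DER with empty names and dummy key bits."""
    alg = lambda oid: tlv(0x30, tlv(0x06, oid), tlv(0x05))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), alg(SHA1_RSA),
              tlv(0x30), tlv(0x30), tlv(0x30), tlv(0x30, alg(key_oid), tlv(0x03, b"\x00")))
    der = tlv(0x30, tbs, alg(SHA1_RSA), tlv(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----"

RSA_PEM, DSA_PEM = (skeleton_cert(oid) for oid in KEY_ALGS)  # constructed inputs
```

An empty result from `misplaced` means each certificate matches the field it is headed for; any entry names the field and the key type actually found in the certificate meant for it.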