Cannot start Openfire after SSL cert renewal

Lots of details here, but the basic rundown is this…

Our SSL cert from GoDaddy was expiring and we decided to switch to Thawte for the renewal. Got the certs and attempted to follow the steps to get the new cert into place. When we tried to restart the service, we discovered that the listening port for the admin page was changed from what we had it set to back to the default. We also noticed that the setup was reset back to new install. All of our account data and settings appeared to be fine in the database, but things were not right.

At this point we have tried to rebuild the keystore and truststore, but cannot seem to get the service back up again. Below is the error we are getting in the error.log. No other entries are showing up in the warn or info logs.

Note that we tried to rebuild the keystore/truststore as JKS and changed keystore.type setting in /opt/openfire/jre/lib/security/java.security to match, which gave us the below error.

2014.05.16 14:36:01 SSLConfig startup problem.
storeType: [PKCS12]
keyStoreLocation: [/opt/openfire/resources/security/keystore]
keypass: [changeit]
java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
    at sun.security.util.DerInputStream.getLength(Unknown Source)
    at sun.security.util.DerValue.init(Unknown Source)
    at sun.security.util.DerValue.<init>(Unknown Source)
    at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source)
    at java.security.KeyStore.load(Unknown Source)
    at org.jivesoftware.openfire.net.SSLConfig.<clinit>(SSLConfig.java:108)
    at org.jivesoftware.openfire.spi.ConnectionManagerImpl.isClientSSLListenerEnabled(ConnectionManagerImpl.java:617)
    at org.jivesoftware.openfire.spi.ConnectionManagerImpl.createClientSSLListeners(ConnectionManagerImpl.java:411)
    at org.jivesoftware.openfire.spi.ConnectionManagerImpl.createListeners(ConnectionManagerImpl.java:124)
    at org.jivesoftware.openfire.spi.ConnectionManagerImpl.start(ConnectionManagerImpl.java:860)
    at org.jivesoftware.openfire.XMPPServer.startModules(XMPPServer.java:622)
    at org.jivesoftware.openfire.XMPPServer.start(XMPPServer.java:487)
    at org.jivesoftware.openfire.XMPPServer.<init>(XMPPServer.java:212)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at java.lang.Class.newInstance0(Unknown Source)
    at java.lang.Class.newInstance(Unknown Source)
    at org.jivesoftware.openfire.starter.ServerStarter.start(ServerStarter.java:113)
    at org.jivesoftware.openfire.starter.ServerStarter.main(ServerStarter.java:58)

2014.05.16 14:36:01 SSLConfig startup problem.
storeType: [PKCS12]
s2sTrustStoreLocation: [/opt/openfire/resources/security/truststore]
s2sTrustpass: [changeit]
java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
    at sun.security.util.DerInputStream.getLength(Unknown Source)
    at sun.security.util.DerValue.init(Unknown Source)
    at sun.security.util.DerValue.<init>(Unknown Source)
    at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source)
    at java.security.KeyStore.load(Unknown Source)
    at org.jivesoftware.openfire.net.SSLConfig.<clinit>(SSLConfig.java:121)
    at org.jivesoftware.openfire.spi.ConnectionManagerImpl.isClientSSLListenerEnabled(ConnectionManagerImpl.java:617)
    at org.jivesoftware.openfire.spi.ConnectionManagerImpl.createClientSSLListeners(ConnectionManagerImpl.java:411)
    at org.jivesoftware.openfire.spi.ConnectionManagerImpl.createListeners(ConnectionManagerImpl.java:124)
    at org.jivesoftware.openfire.spi.ConnectionManagerImpl.start(ConnectionManagerImpl.java:860)
    at org.jivesoftware.openfire.XMPPServer.startModules(XMPPServer.java:622)
    at org.jivesoftware.openfire.XMPPServer.start(XMPPServer.java:487)
    at org.jivesoftware.openfire.XMPPServer.<init>(XMPPServer.java:212)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at java.lang.Class.newInstance0(Unknown Source)
    at java.lang.Class.newInstance(Unknown Source)
    at org.jivesoftware.openfire.starter.ServerStarter.start(ServerStarter.java:113)
    at org.jivesoftware.openfire.starter.ServerStarter.main(ServerStarter.java:58)

2014.05.16 14:36:01
java.io.IOException
    at org.jivesoftware.openfire.net.SSLConfig.getKeyStore(SSLConfig.java:284)
    at org.jivesoftware.openfire.container.AdminConsolePlugin.startup(AdminConsolePlugin.java:123)
    at org.jivesoftware.openfire.container.AdminConsolePlugin.initializePlugin(AdminConsolePlugin.java:201)
    at org.jivesoftware.openfire.container.PluginManager.loadPlugin(PluginManager.java:483)
    at org.jivesoftware.openfire.container.PluginManager.access$300(PluginManager.java:80)
    at org.jivesoftware.openfire.container.PluginManager$PluginMonitor.run(PluginManager.java:1067)
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.util.concurrent.FutureTask$Sync.innerRunAndReset(Unknown Source)
    at java.util.concurrent.FutureTask.runAndReset(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

2014.05.16 14:36:01 Could not setup a server socket
java.net.BindException: Address already in use
    at sun.nio.ch.Net.bind(Native Method)
    at sun.nio.ch.ServerSocketChannelImpl.bind(Unknown Source)
    at sun.nio.ch.ServerSocketAdaptor.bind(Unknown Source)
    at org.apache.mina.transport.socket.nio.SocketAcceptor.registerNew(SocketAcceptor.java:363)
    at org.apache.mina.transport.socket.nio.SocketAcceptor.access$800(SocketAcceptor.java:55)
    at org.apache.mina.transport.socket.nio.SocketAcceptor$Worker.run(SocketAcceptor.java:222)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

When everything is set for PKCS12, the truststore fails to be read since it is not in PKCS12 format, and there does not appear to be a way to make it so.

Any help on this is appreciated, we are hitting a brick wall and about to do a reinstall unless someone has a good direction to take this.

If you have a newline or line break at the end of your certificate, remove it and recreate the keystore.
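Added example, not from the original post or from Openfire: a small checker for the file sitting at the keystore path that replays the DER length rule behind the error in the question (a JKS file starts with the magic 0xFEEDFEED, so a PKCS12 loader reads 0xFE as the tag and 0xED as a length byte whose low seven bits are 109) and also flags a PEM certificate that carries the trailing blank line the reply mentions. The sample file heads are constructed, and der_length is my re-implementation of the rule, not the JDK's code.

```python
import struct

JKS_MAGIC = 0xFEEDFEED

# Constructed sample file heads (not real keystores): a JKS store, a PKCS12
# store, and a PEM certificate with a stray blank line after the END marker.
JKS_SAMPLE = struct.pack(">II", JKS_MAGIC, 2) + b"\x00\x00\x00\x00"
PKCS12_SAMPLE = b"\x30\x82\x0a\x3c\x02\x01\x03"
PEM_SAMPLE = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n\n"


def der_length(data: bytes, pos: int):
    """My re-implementation of the rule DerInputStream.getLength applies (not the
    JDK's source): short form if the high bit is clear, otherwise the low 7 bits
    count the length bytes, and more than 4 is rejected. Returns (length, consumed)."""
    first = data[pos]
    if first & 0x80 == 0:
        return first, 1
    length_tag = first & 0x7F
    if length_tag > 4:
        raise ValueError(f"DerInputStream.getLength(): lengthTag={length_tag}, too big.")
    value = int.from_bytes(data[pos + 1:pos + 1 + length_tag], "big")
    return value, 1 + length_tag


def sniff_keystore(data: bytes) -> dict:
    """Identify what kind of file is at the keystore path and predict whether a
    PKCS12 loader would choke on its DER header."""
    info = {"format": "unknown", "trailing_blank_line": False, "pkcs12_error": None}
    if len(data) >= 4 and struct.unpack(">I", data[:4])[0] == JKS_MAGIC:
        info["format"] = "JKS"
    elif data.lstrip().startswith(b"-----BEGIN "):
        info["format"] = "PEM"
        # An extra line terminator after -----END ...----- is what the reply warns about.
        body = data.rstrip(b"\r\n")
        info["trailing_blank_line"] = data[len(body):].count(b"\n") > 1
        return info  # text, not DER: a PKCS12 loader fails later, not at the length byte
    elif data[:1] == b"\x30":
        info["format"] = "PKCS12/DER"
    # Replay the PKCS12 loader's first step: byte 0 is the tag, the length starts at byte 1.
    try:
        der_length(data, 1)
    except (ValueError, IndexError) as exc:
        info["pkcs12_error"] = str(exc)
    return info


if __name__ == "__main__":
    for name, sample in (("JKS", JKS_SAMPLE), ("PKCS12", PKCS12_SAMPLE), ("PEM", PEM_SAMPLE)):
        print(name, sniff_keystore(sample))
```

A result of JKS for a file while the log prints storeType: [PKCS12] means the store type Openfire is configured with (its own xmpp.socket.ssl.storeType property in the 3.x line, not the keystore.type line in java.security) does not match the file on disk.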