I updated our SSL cert on Openfire this morning, using a cert signed by an external CA - Same CA who signed the previous certificate. Everything worked fine with clients, but the connection manager instances had issues.
2012.09.09 08:34:30 Handshake error while connecting to server: blah.com(DNS lookup: null:5262)
javax.net.ssl.SSLHandshakeException: General SSLEngine problem=
Caused by: java.security.cert.CertificateException: root certificate not trusted of [*.blah.com]
at org.jivesoftware.multiplexer.net.ServerTrustManager.checkServerTrusted(ServerTrustManager.java:134)
… 23 more
I ended up disabling certificate validation in the connection manager, which seems to at least make it work again. That said, I can’t figure out why it doesn’t trust the certificate - The root CA is in the truststore file in cmanager/resources/security, the intermediate cert is in there too, plus the Openfire instance has the intermediate CA in its keystore so clients get it when they connect. Both Chrome and openssl (s_client) correctly validate certificate trust/chaining.
Since the cert was issued by the same CA, I wasn’t expecting to have to do anything with the CMs. Is there an easy way to verify all the certificate chaining in the CM and make sure it’s validating the correct certs?
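One way to answer the chaining question outside the connection manager is to check the chain with openssl against exactly the anchor you believe is in the truststore, and to compare that anchor's fingerprint with the root the server's chain actually links to. The script below is an added example, not code from the post or from Openfire: it builds a throwaway root, intermediate and leaf (all names are made up), verifies the leaf against the matching root, and then shows the failure you get when the anchor is a different root that merely carries the same subject name. It assumes only the openssl command line.

```shell
#!/bin/sh
# Added example (not from the post or Openfire). Builds a constructed
# root -> intermediate -> leaf chain with openssl and checks which trust
# anchor validates it. All CA names and hostnames are invented.

# Generate the test PKI in directory $1: root, a stale root with the same
# subject but a different key, an intermediate signed by the real root,
# and a leaf signed by the intermediate.
make_test_pki() {
    pki="$1"
    mkdir -p "$pki"
    # Minimal req config so the example does not depend on a system openssl.cnf
    cat > "$pki/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$pki/ca.ext" <<EOF
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    cat > "$pki/leaf.ext" <<EOF
basicConstraints = CA:FALSE
subjectAltName = DNS:xmpp.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # Two self-signed roots with the same subject name but different keys
    for name in root stale-root; do
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
            -config "$pki/req.cnf" -extensions v3_ca \
            -subj "/CN=Example Root CA" \
            -keyout "$pki/$name.key" -out "$pki/$name.pem" >/dev/null 2>&1 || return 1
    done
    # Intermediate CA, signed by the real root
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$pki/req.cnf" \
        -subj "/CN=Example Intermediate CA" \
        -keyout "$pki/int.key" -out "$pki/int.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$pki/int.csr" -CA "$pki/root.pem" -CAkey "$pki/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$pki/ca.ext" \
        -out "$pki/int.pem" >/dev/null 2>&1 || return 1
    # Server (leaf) certificate, signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$pki/req.cnf" \
        -subj "/CN=xmpp.example.test" \
        -keyout "$pki/leaf.key" -out "$pki/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$pki/leaf.csr" -CA "$pki/int.pem" -CAkey "$pki/int.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$pki/leaf.ext" \
        -out "$pki/leaf.pem" >/dev/null 2>&1 || return 1
}

# verify_chain ANCHOR_BUNDLE INTERMEDIATE_BUNDLE LEAF
# Succeeds only if LEAF chains to an anchor in ANCHOR_BUNDLE via the
# untrusted intermediates; -no-CApath keeps the system store out of it.
verify_chain() {
    openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# SHA-256 fingerprint of a PEM certificate, for comparing the anchor in a
# truststore against the root a served chain actually links to.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Stand-alone demonstration
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir"
if verify_chain "$demo_dir/root.pem" "$demo_dir/int.pem" "$demo_dir/leaf.pem"; then
    echo "matching root: chain OK"
fi
if ! verify_chain "$demo_dir/stale-root.pem" "$demo_dir/int.pem" "$demo_dir/leaf.pem"; then
    echo "same-named stale root: chain REJECTED"
fi
echo "trusted root fingerprint: $(cert_fingerprint "$demo_dir/root.pem")"
echo "stale root fingerprint:   $(cert_fingerprint "$demo_dir/stale-root.pem")"
```

To run the same check against a real deployment, export the anchor and intermediate from the connection manager's Java truststore with `keytool -exportcert -rfc -alias <alias> -keystore <truststore>`, capture what the server actually sends with `openssl s_client -connect host:5222 -starttls xmpp -showcerts`, and feed those files to `verify_chain`. If the served chain verifies against the system store but not against the exported anchor, or the fingerprints differ, the truststore holds a root that is not the one this chain was issued under, however similar the names look.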