I am asking for help in implementing ssl for Spark clients (wildcard)

Hi

I cannot successfully apply the certificate to connect the client to the server. I’m like a child in a fog.

  1. I launched the Spark program > Advanced settings button > Certificates tab.
  2. I added public key (*.cer) - the following entry appeared on the list: *.domain.com
  3. I have logged in to openfire server > TLS/SSL Certificates tab
  4. What and where should I add?
    a) I tried to add to the section “XMPP Client Stores” > Trust store used for connections from clients > Manage Store Contents > import: alias *.domain.com and private key… and public key… and certificate chain… nothing worked for me
    b) I tried to add something to the Server Federation Stores section. I have it on my list as *.domain.com (Pass Phrase used for creating Private Key: *.domain.com;
    Content of Private Key file: -----BEGIN PRIVATE KEY----- … -----END PRIVATE KEY-----;
    Content of Certificate file: chain -----BEGIN CERTIFICATE----- … -----END CERTIFICATE-----) -
    also doesn’t work

When trying to connect (domain field as: spark.domain.com), the following message appears:

No response received within reply timeout. Timeout was 12000ms (~12s). While waiting for establishing TLS

If in the file “spark.properties” I turn off the “sslEnabled=true” parameter (just set it as a comment) - then it connects immediately.

Openfire 4.7.1, build d7dfd04
Java Version: 14.0.1 Private Build – OpenJDK 64-Bit Server VM
OS / Hardware: Linux / amd64
Client: Spark 2.9.4

Two types of certificate stores are exposed by Openfire:

  1. Identity stores: these hold (typically one) certificate & private key combination that represents the identity of the Openfire server. Openfire will present this public key to peers (clients, other servers, etc) when it wants to identify itself. It is akin to certificates offered by a webserver, identifying a website to the browser of an end-user.
  2. Trust stores: these hold (typically multiple) certificates of (root) certificate authorities. Openfire will accept certificates offered by peers when their certificate is signed (directly or indirectly) by any of these.

You are writing that you have a certificate that identifies the Openfire server (as the certificate covers the XMPP domain that Openfire is servicing). That certificate therefore needs to be installed in an identity store.

Openfire offers the flexibility to use different identity stores for distinct types of functionality - but in practice, this is never used. In the default configuration, Openfire uses the same file for each identity store. You can easily verify this, as the file name is shown in the Openfire admin console.

What you likely need to do is press the “manage store contents” link that is next to any of the identity stores (as that will probably be the same store for each type of traffic anyway). If you use distinct identity store files, go with the identity store for “XMPP Client Stores”.

In the admin page for that store, there is a link in the description text that reads “imported here”. Use that link to import your certificate and private key. After you successfully added them, remove any other certificates (as some versions of Java will only use one of the certificates, which is not necessarily the one that you’d logically assume is being used). Obviously, do create backups before you do any of this.

With this, you should be good to go, especially if you have configured Spark to automatically trust the same certificate.

1 Like

Hi @guus, Thank you for your time.

I did it. I only have one certificate added here: *.domain.com. But it just doesn’t work for me. I cannot open the administration console by https and the client does not want to connect via ssl.

Edit.
I do not understand, but after another attempt to remove and add - it caught.
For https - I just tried the wrong port number.

Hi!

This is annoying. It worked. No changes on the server and again after a few days - TLS problem again (No response received within reply timeout).

  1. I have deleted the certificate
  2. Reset openfire
  3. name.domain.com:9090 - I was not able to log in with the domain password
  4. I had to change to ip:9090 - now I could log in with my domain password
  5. I have added a certificate
  6. The client can log in to the server.

But it will stop working again in a few days and I don’t know why.

I am wondering if you have two different problems.

Not having a certificate installed will not cause problems when logging into the admin console. Your browser might show a warning (“unable to trust this site”, etc), but if you ignore that, authentication can still be done.

Hi @guus

Yes, there were two problems. For https, as I wrote earlier - I used the wrong port number.

Yesterday I added the certificate again - clients connected. Today timeout again.
After adding a certificate:

sudo systemctl restart openfire.service

Maybe the reset itself helps and not changing the certificate? I’ll check tomorrow because everyone is connecting today.

I see errors in the logs after the server reset (maybe one is related to this):

2022.05.31 07:58:41 ERROR [pool-6-thread-4]: org.jivesoftware.openfire.container.PluginManager - An exception occurred while loading plugin ‘loadstats’:

2022.05.31 07:58:50 ERROR [pool-6-thread-1]: org.jivesoftware.util.XMLProperties - Error reading XML properties

2022.05.31 07:58:50 ERROR [pool-6-thread-1]: org.jivesoftware.openfire.archive.ArchiveIndexer[CONVERSATION] - An exception occurred while initializing the Lucene index that is expected to exist in: /usr/share/openfire/monitoring/search

2022.05.31 07:58:50 ERROR [pool-6-thread-1]: org.jivesoftware.openfire.container.PluginManager - An exception occurred while loading plugin ‘monitoring’:

I found your message: https://discourse.igniterealtime.org/t/monitoring-plugin-openfire-4-6-2/90217
But he also had: “An exception occurred while unloading plugin ‘monitoring’”

My error:

2022.05.31 08:08:42 ERROR [pool-6-thread-1]: org.jivesoftware.openfire.container.PluginManager - An exception occurred while loading plugin 'monitoring':
    at java.lang.Thread.run(Thread.java:832) [?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630) [?:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130) [?:?]
    at java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?]
    at org.jivesoftware.openfire.container.PluginMonitor$MonitorTask$4.call(PluginMonitor.java:363) [xmppserver-4.7.1.jar:4.7.1]
    at org.jivesoftware.openfire.container.PluginMonitor$MonitorTask$4.call(PluginMonitor.java:375) [xmppserver-4.7.1.jar:4.7.1]
    at org.jivesoftware.openfire.container.PluginManager.loadPlugin(PluginManager.java:637) [xmppserver-4.7.1.jar:4.7.1]
    at org.jivesoftware.openfire.plugin.MonitoringPlugin.initializePlugin(MonitoringPlugin.java:208) [monitoring-2.3.0.jar:?]
    at org.jivesoftware.openfire.index.LuceneIndexer.start(LuceneIndexer.java:80) [monitoring-2.3.0.jar:?]
    at org.jivesoftware.openfire.index.LuceneIndexer.loadPropertiesFile(LuceneIndexer.java:453) ~[monitoring-2.3.0.jar:?]
    at org.jivesoftware.util.XMLProperties.<init>(XMLProperties.java:123) ~[xmppserver-4.7.1.jar:4.7.1]
    at org.jivesoftware.util.XMLProperties.<init>(XMLProperties.java:163) ~[xmppserver-4.7.1.jar:4.7.1]
    at org.jivesoftware.util.XMLProperties.buildDoc(XMLProperties.java:744) ~[xmppserver-4.7.1.jar:4.7.1]
java.io.IOException: Error on line 1 of document : Premature end of file.

I am wondering if there is a competing service running on port 9091 and 5222. If there are other services that are using these ports, the defaults in Openfire can be changed via the Admin Console, Server->Server Settings->Client Connections.

1 Like
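A diagnostic probe for the failure described in this thread (the client stalls "while waiting for establishing TLS"), which also shows which certificate Openfire actually presents on the client port that the last reply asks about. This is an added example, not code from the thread, from Openfire or from Spark; the hostnames, the default port of 5222, the 12 second timeout (taken from Spark's message) and the sample certificate dictionary are assumptions or constructed values. It opens a plaintext XMPP stream, requests STARTTLS the way a client would, upgrades the connection, and reports whether the names in the presented certificate cover the XMPP domain, using the wildcard rule under which *.domain.com covers spark.domain.com but not domain.com itself or a.b.domain.com.

```python
"""Probe an XMPP server's STARTTLS step and check the certificate it presents.

Added example (not from the thread, Openfire or Spark). Hosts, ports and the
sample certificate below are assumptions / constructed values.
"""
import socket
import ssl
import sys

STARTTLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
DEFAULT_PORT = 5222      # assumed: Openfire's default client port
REPLY_TIMEOUT = 12.0     # seconds; mirrors the 12000ms timeout Spark reported

# Constructed sample shaped like the dict SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.domain.com"),),),
    "subjectAltName": (("DNS", "*.domain.com"), ("DNS", "domain.com")),
}


def stream_header(domain: str) -> bytes:
    """Opening stream tag a client sends; 'to' is the XMPP domain, not the host."""
    return (
        "<?xml version='1.0'?>"
        f"<stream:stream to='{domain}' xmlns='jabber:client' "
        "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
    ).encode()


def offers_starttls(features: bytes) -> bool:
    """True if the <stream:features> the server sent advertises STARTTLS."""
    return b"<starttls" in features


def classify_starttls_reply(reply: bytes) -> str:
    """Server answer to <starttls/>: 'proceed', 'failure' or 'unknown'."""
    text = reply.decode(errors="replace")
    if "<proceed" in text:
        return "proceed"
    if "<failure" in text:
        return "failure"
    return "unknown"


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' only as the whole left-most label, and at least
    two fixed labels must remain (so '*.com' never matches anything)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers_domain(cert: dict, domain: str) -> bool:
    """Check SAN dNSName entries (falling back to CN) of a getpeercert() dict."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy certificate without a SAN extension
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(hostname_matches(n, domain) for n in names)


def _recv_until(sock: socket.socket, marker: bytes) -> bytes:
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host: str, domain: str, port: int = DEFAULT_PORT) -> dict:
    """Walk through the plaintext-to-TLS upgrade and report where it stops."""
    result = {"host": host, "port": port, "domain": domain}
    try:
        with socket.create_connection((host, port), timeout=REPLY_TIMEOUT) as sock:
            sock.sendall(stream_header(domain))
            features = _recv_until(sock, b"</stream:features>")
            result["starttls_offered"] = offers_starttls(features)
            if not result["starttls_offered"]:
                return result
            sock.sendall(f"<starttls xmlns='{STARTTLS_NS}'/>".encode())
            result["reply"] = classify_starttls_reply(_recv_until(sock, b"/>"))
            if result["reply"] != "proceed":
                return result
            # Verify the chain against the system CA bundle, but do the name
            # check ourselves so a mismatch is reported instead of raised.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            with ctx.wrap_socket(sock, server_hostname=domain) as tls:
                cert = tls.getpeercert()
                result["tls_version"] = tls.version()
                result["names"] = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                result["covers_domain"] = cert_covers_domain(cert, domain)
    except socket.timeout:
        result["error"] = f"no reply within {REPLY_TIMEOUT:.0f}s (the symptom Spark reports)"
    except ssl.SSLCertVerificationError as exc:
        result["error"] = f"certificate chain not trusted: {exc.verify_message}"
    except OSError as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    # Usage: python probe.py <server-host> <xmpp-domain> [port]  (placeholder names)
    if len(sys.argv) < 3:
        sys.exit("usage: probe.py <server-host> <xmpp-domain> [port]")
    port = int(sys.argv[3]) if len(sys.argv) > 3 else DEFAULT_PORT
    for key, value in probe(sys.argv[1], sys.argv[2], port).items():
        print(f"{key}: {value}")
```

If the probe reports `starttls_offered: False` or times out before `<proceed/>`, the problem is on the server side of the upgrade (the identity store or whatever is listening on the port), not the client's trust settings; if it reaches TLS but reports `covers_domain: False`, the certificate in the identity store does not name the XMPP domain the client is connecting to.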