
Internal server error: Unable to generate new self-signed RSA certificate. (generate)

Openfire 4.6.3 - 4.6.4
Hello. In the admin console (Identity store), I click on the link to generate a self-signed SSL certificate. But I get an error: “Internal server error: Unable to generate new self-signed RSA certificate. (generate)”

In the log, I only see the INFO messages:

2021.07.01 08:32:31 org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias '[my_domain].com' is missing DNS identity 'pubsub.[my_domain].com'.
2021.07.01 08:32:31 org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias '[my_domain].com' is missing DNS identity 'search.[my_domain].com'.
2021.07.01 08:32:31 org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias '[my_domain].com' is missing DNS identity 'proxy.[my_domain].com'.
2021.07.01 08:32:31 org.jivesoftware.openfire.keystore.IdentityStore - Certificate with alias '[my_domain].com' is missing DNS identity 'conference.[my_domain].com'.
2021.07.01 08:32:31 org.jivesoftware.openfire.keystore.IdentityStore - Generating a new private key and corresponding self-signed certificate for domain name '[my_domain].com', using the RSA algorithm (sign-algorithm: SHA256WITHRSAENCRYPTION with a key size of 2048 bits). Certificate will be valid for 1825 days.
2021.07.01 08:32:31 org.jivesoftware.openfire.spi.ConnectionListener[socket_c2s] - Reconfigured.
2021.07.01 08:32:31 org.jivesoftware.openfire.spi.ConnectionListener[socket_c2s-legacyMode] - Reconfigured.
2021.07.01 08:32:31 org.jivesoftware.openfire.spi.ConnectionListener[socket_s2s] - Reconfigured.
2021.07.01 08:32:31 org.jivesoftware.openfire.spi.ConnectionListener[socket_s2s-legacyMode] - Reconfigured.
2021.07.01 08:32:31 org.jivesoftware.openfire.spi.ConnectionListener[component] - Reconfigured.
2021.07.01 08:32:31 org.jivesoftware.openfire.spi.ConnectionListener[component-legacyMode] - Reconfigured.
2021.07.01 08:32:31 org.jivesoftware.openfire.spi.ConnectionListener[connection_manager] - Reconfigured.
2021.07.01 08:32:31 org.jivesoftware.openfire.spi.ConnectionListener[connection_manager-legacyMode] - Reconfigured.
2021.07.01 08:32:31 org.jivesoftware.openfire.http.HttpSessionManager - Stopping instance
2021.07.01 08:32:31 org.jivesoftware.openfire.http.HttpBindManager - HTTP bind service stopped
2021.07.01 08:32:31 org.jivesoftware.openfire.spi.EncryptionArtifactFactory - Creating new SslContextFactory instance
2021.07.01 08:32:31 org.jivesoftware.openfire.http.HttpSessionManager - Starting instance
2021.07.01 08:32:31 org.jivesoftware.openfire.http.HttpBindManager - HTTP bind service started

A regular certificate is also not imported through the web interface. I get the error: “There was an error while trying to import the private key and signed certificate. Internal server error: Unable to install a certificate into an identity store.”

Importing the certificate through the keytool works, but the HTTP bind still does not work. Error: “ERR_SSL_VERSION_OR_CIPHER_MISMATCH”.

But before that, about a year ago and earlier, everything worked. I started getting this error after updating Openfire to a new version.

How can I find out the cause of these errors?

Server Properties
Server Uptime:	21 hours, 20 minutes -- started Jun 30, 2021 11:23:12 AM
Version:	Openfire 4.6.3
Server Directory:	/usr/share/openfire
XMPP Domain Name:	[my_domain].com
 
Environment
Java Version:	1.8.0_292 Private Build -- OpenJDK 64-Bit Server VM
Appserver:	jetty/9.4.35.v20201120
Server Host Name (FQDN):	[my_domain].com
OS / Hardware:	Linux / amd64
Locale / Timezone:	en / Coordinated Universal Time (0 GMT)
OS Process Owner:	openfire
Java Memory: 370.06 MB of 27305.00 MB (1.4%) used

This is caused by a change in the browser that you are using when establishing the HTTP bind connection. Recently, browsers have become more ‘strict’ - they no longer allow you to set up an encrypted connection using SSL/TLS versions that are older, or ciphers that are considered less secure.

The TLS versions and ciphers that are exposed by Openfire depend on the versions that are provided by the version of Java that you’re using to run Openfire (unless you’ve modified things manually, but that’s rarely the case). A simple solution might be to update Java.

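One way to see what the reply above describes, the TLS protocols and cipher suites a given JVM enables by default, is to ask the JVM directly and compare the output of the old and new Java. This is an added example, not code from Openfire or from this thread; the class name, the browser-compatibility heuristic in isModernSuite and the verdict wording are my own assumptions.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.security.Security;
import java.util.Arrays;

/** Reports which TLS protocols and cipher suites this JVM enables by default. */
public class JvmTlsCapabilities {

    /** True for suites a current browser will still negotiate: TLS 1.3 suites,
     *  or ECDHE suites with an AEAD cipher (AES-GCM or ChaCha20-Poly1305).
     *  Heuristic chosen for this example, not an official browser list. */
    static boolean isModernSuite(String suite) {
        boolean tls13 = suite.startsWith("TLS_AES_") || suite.startsWith("TLS_CHACHA20_");
        boolean aead = suite.contains("_GCM_") || suite.contains("CHACHA20_POLY1305");
        return tls13 || (suite.contains("ECDHE") && aead);
    }

    /** Verdict on whether a browser-facing listener using these defaults can be reached. */
    static String verdict(String[] protocols, String[] suites) {
        boolean protocolOk = Arrays.asList(protocols).contains("TLSv1.2")
                || Arrays.asList(protocols).contains("TLSv1.3");
        long modern = Arrays.stream(suites).filter(JvmTlsCapabilities::isModernSuite).count();
        if (!protocolOk) return "no TLS 1.2/1.3 enabled: expect ERR_SSL_VERSION_OR_CIPHER_MISMATCH";
        if (modern == 0) return "no modern AEAD suite enabled: expect ERR_SSL_VERSION_OR_CIPHER_MISMATCH";
        return "ok: " + modern + " browser-compatible suite(s) enabled";
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Defaults the JVM hands to any SSLEngine/SSLSocket that does not override them;
        // this is what Openfire inherits unless its TLS properties were changed by hand.
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();

        System.out.println("Java version       : " + System.getProperty("java.version"));
        System.out.println("Enabled protocols  : " + Arrays.toString(enabled.getProtocols()));
        System.out.println("Supported protocols: " + Arrays.toString(supported.getProtocols()));
        System.out.println("Enabled suites     : " + enabled.getCipherSuites().length
                + " of " + supported.getCipherSuites().length + " supported");
        // Algorithms this JVM refuses outright, regardless of what the server asks for.
        System.out.println("jdk.tls.disabledAlgorithms: "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("Verdict            : "
                + verdict(enabled.getProtocols(), enabled.getCipherSuites()));
    }
}
```

Compile and run it with the same java binary Openfire uses (`javac JvmTlsCapabilities.java && java JvmTlsCapabilities`); a verdict other than "ok" on the old JVM and "ok" on the new one confirms the explanation above.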

@guus
Thank you very much for your reply! I installed Java 11 (OpenJDK) and now everything is fine.

sudo apt install openjdk-11-jdk

Change the Java version in use:

sudo update-alternatives --config java