Issue with Spark and letsencrypt

Hi,

We are using ejabberd as a server and Spark as client, as our Windows users are used to it. This has worked perfectly fine since we put it in place last year.

Since today we have the issue that we can’t connect to ejabberd with Spark anymore, as we get a certificate path error. So it seems to be related to the Let's Encrypt root CA expiration: DST Root CA X3 Expiration (September 2021) - Let's Encrypt

Anyhow, we checked and the new root CA ISRG Root X1 is already listed in Spark.

Still we get the following error when we try to connect. We don’t see this issue with other Jabber clients, which verify the certificate perfectly fine.

Does anyone have an idea how to fix this? We already tried importing the Let's Encrypt intermediate R3 into the keystore, but without success.

Disabling encryption is not an option, as our server does not allow unencrypted connections either.

org.jivesoftware.smack.SmackException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Certificate path validation failed
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1176)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$1000(XMPPTCPConnection.java:1092)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1112)
	at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Certificate path validation failed
	at sun.security.ssl.Alerts.getSSLException(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
	at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
	at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
	at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
	at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
	at sun.security.ssl.Handshaker.processLoop(Unknown Source)
	at sun.security.ssl.Handshaker.process_record(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:856)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$2000(XMPPTCPConnection.java:155)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1171)
	... 3 more
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Certificate path validation failed
	at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.checkServerTrusted(SparkTrustManager.java:96)
	at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source)
	... 14 more
Caused by: java.security.cert.CertPathValidatorException: Certificate path validation failed
	at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.doTheChecks(SparkTrustManager.java:126)
	at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.checkServerTrusted(SparkTrustManager.java:92)
	... 15 more
Caused by: java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder
	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
	at sun.security.provider.certpath.PKIXCertPathValidator.validate(Unknown Source)
	at sun.security.provider.certpath.PKIXCertPathValidator.validate(Unknown Source)
	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
	at java.security.cert.CertPathValidator.validate(Unknown Source)
	at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.validatePath(SparkTrustManager.java:270)
	at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.doTheChecks(SparkTrustManager.java:122)
	... 16 more
Caused by: java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder
	at sun.security.provider.certpath.RevocationChecker.checkOCSP(Unknown Source)
	at sun.security.provider.certpath.RevocationChecker.check(Unknown Source)
	at sun.security.provider.certpath.RevocationChecker.check(Unknown Source)
	... 23 more

Curious. It’s working for me, connecting to an Openfire instance that’s using Let’s Encrypt certificates. I am using a development build of Spark though. Would you mind testing a nightly build, to see if that makes a difference? You can download them from Ignite Realtime: Spark Nightly Builds

I tried it just now with https://download.igniterealtime.org/spark/dailybuilds/spark_3_0_0-20211005-with-jre.exe

Still get the same error:

org.jivesoftware.smack.SmackException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Certificate path validation failed
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1176)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$1000(XMPPTCPConnection.java:1092)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1112)
	at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Certificate path validation failed
	at sun.security.ssl.Alerts.getSSLException(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
	at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
	at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
	at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
	at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
	at sun.security.ssl.Handshaker.processLoop(Unknown Source)
	at sun.security.ssl.Handshaker.process_record(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:856)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$2000(XMPPTCPConnection.java:155)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1171)
	... 3 more
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Certificate path validation failed
	at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.checkServerTrusted(SparkTrustManager.java:97)
	at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source)
	... 14 more
Caused by: java.security.cert.CertPathValidatorException: Certificate path validation failed
	at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.doTheChecks(SparkTrustManager.java:127)
	at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.checkServerTrusted(SparkTrustManager.java:93)
	... 15 more
Caused by: java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder
	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
	at sun.security.provider.certpath.PKIXCertPathValidator.validate(Unknown Source)
	at sun.security.provider.certpath.PKIXCertPathValidator.validate(Unknown Source)
	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
	at java.security.cert.CertPathValidator.validate(Unknown Source)
	at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.validatePath(SparkTrustManager.java:270)
	at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.doTheChecks(SparkTrustManager.java:123)
	... 16 more
Caused by: java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder
	at sun.security.provider.certpath.RevocationChecker.checkOCSP(Unknown Source)
	at sun.security.provider.certpath.RevocationChecker.check(Unknown Source)
	at sun.security.provider.certpath.RevocationChecker.check(Unknown Source)
	... 23 more

Just verified once again: if I use Gajim or Adium it works like a charm. Only seeing this with Spark, all of a sudden.

Can I have an account on the affected server to test things out?

Checking this. In the meantime, could this be the issue?

As in the error message we get this:

Caused by: java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder
1 Like

Ah, I skipped over that, but that does seem relevant. In newer versions of Spark, you can explicitly disable OCSP in the ‘advanced’ connection settings.

You could also try to set checkOCSP=false in the .Spark/spark.properties file that is in the home directory of every user (make sure to check for duplicate entries if you add one).

1 Like

OK, this is weird. Out of nowhere the issue stopped and clients can connect again. We have not changed anything since then. If you want, we can still get you an account; maybe you can see something. To me this all seems like there is something going on with the new root CA of LE.

Thank you for the hint to disable the OCSP check; we will keep an eye on that and try this if the issue comes up again.

This is all really weird, as we have never seen an issue like this before and it worked with the other clients all the time. I would like to keep this post open for some more days until we see whether the issue is really gone.

Gremlins.

Let me know if you learn anything new!

1 Like

Sure thing, sorry to bother you. I’ll get back to you in the next days; we will keep monitoring this.

No worries. If anything, you’ve taught me that we probably should prefer CRL over OCSP - we’re currently doing it the other way around.

1 Like
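The replies above settle on switching Spark's OCSP check off, and the last one mentions preferring CRL over OCSP. The following standalone Java program is an added example (not Spark's, Smack's or Openfire's code) that shows the JDK mechanism underneath both remarks: the same `java.security.cert.CertPathValidator.validate` that `SparkTrustManager.validatePath` calls in the stack trace, driven by a `PKIXRevocationChecker` whose options select OCSP-first hard failure, CRL-first soft failure, or no revocation checking. It also reports per certificate whether the Authority Information Access extension names an OCSP responder, which is the condition the "Certificate does not specify OCSP responder" message refers to. The chain file name `server-chain.pem`, the class name and the use of the running JRE's `cacerts` with its default password are assumptions; Spark's own `checkOCSP` property is a separate switch and is not modelled here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.security.cert.PKIXRevocationChecker.Option;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;

// Added example, not Spark code: PKIX validation under three revocation policies.
public class RevocationPolicyDemo {

    /** Authority Information Access extension OID. */
    private static final String AIA_OID = "1.3.6.1.5.5.7.1.1";
    /** DER encoding of the id-ad-ocsp access method OID 1.3.6.1.5.5.7.48.1. */
    private static final byte[] OCSP_METHOD_DER =
            {0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01};

    public enum Policy { OCSP_FIRST_HARD_FAIL, PREFER_CRL_SOFT_FAIL, REVOCATION_OFF }

    /** True if the certificate's AIA extension lists an OCSP responder. */
    public static boolean hasOcspResponder(X509Certificate cert) {
        byte[] aia = cert.getExtensionValue(AIA_OID);
        if (aia == null) return false;
        // id-ad-ocsp only occurs in AIA as an accessMethod, so matching its encoding suffices.
        search:
        for (int i = 0; i + OCSP_METHOD_DER.length <= aia.length; i++) {
            for (int j = 0; j < OCSP_METHOD_DER.length; j++) {
                if (aia[i + j] != OCSP_METHOD_DER[j]) continue search;
            }
            return true;
        }
        return false;
    }

    /** Reads a PEM file holding the leaf certificate followed by its intermediates. */
    public static List<X509Certificate> readPemChain(String file) throws Exception {
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(file)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /** Validates the chain; throws on hard failure, returns tolerated (soft-fail) problems. */
    public static List<CertPathValidatorException> validate(
            List<X509Certificate> chain, KeyStore trustStore, Policy policy) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(trustStore); // anchors = trusted entries
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        if (policy == Policy.REVOCATION_OFF) {
            // No OCSP and no CRL lookups at all: the bluntest setting
            params.setRevocationEnabled(false);
            cpv.validate(path, params);
            return new ArrayList<>();
        }
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        if (policy == Policy.PREFER_CRL_SOFT_FAIL) {
            // CRL first, OCSP as fallback; an unreachable or missing revocation
            // source is recorded instead of aborting the validation
            rc.setOptions(EnumSet.of(Option.PREFER_CRLS, Option.SOFT_FAIL));
        }
        // With default options the checker tries OCSP first, then CRL, and hard-fails
        params.addCertPathChecker(rc);
        cpv.validate(path, params);
        return rc.getSoftFailExceptions();
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] = PEM chain file, args[1] = policy name
        String chainFile = args.length > 0 ? args[0] : "server-chain.pem";
        Policy policy = args.length > 1 ? Policy.valueOf(args[1]) : Policy.PREFER_CRL_SOFT_FAIL;
        // Allow CRL downloads from the certificates' CRL distribution points
        System.setProperty("com.sun.security.enableCRLDP", "true");

        // Assumed trust store: the running JRE's cacerts with its default password
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(
                System.getProperty("java.home") + "/lib/security/cacerts")) {
            ts.load(in, "changeit".toCharArray());
        }

        List<X509Certificate> chain = readPemChain(chainFile);
        for (X509Certificate c : chain) {
            System.out.printf("%s -> OCSP responder listed: %b%n",
                    c.getSubjectX500Principal(), hasOcspResponder(c));
        }
        try {
            List<CertPathValidatorException> tolerated = validate(chain, ts, policy);
            System.out.println("Path valid under " + policy
                    + "; tolerated revocation problems: " + tolerated.size());
        } catch (CertPathValidatorException e) {
            // A chain with no reachable OCSP or CRL source ends up here under the hard-fail policy
            System.out.println("Path rejected: " + e.getMessage()
                    + " (reason " + e.getReason() + ", index " + e.getIndex() + ")");
        }
    }
}
```

Run it as `java RevocationPolicyDemo server-chain.pem OCSP_FIRST_HARD_FAIL` against the chain a server actually presents (for example exported with `openssl s_client -showcerts`) to see whether the default policy rejects it, then with `PREFER_CRL_SOFT_FAIL` to see the failure downgraded to a tolerated problem while the chain itself is still verified up to the trust anchor. Soft fail keeps path validation intact; only the revocation status becomes best effort, which is the trade-off to weigh before switching OCSP off entirely.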

We had this exact problem this morning. Seems a little strange that it took this long to start, since the Let's Encrypt change took place on the 30th. Regardless, unchecking “Check OCSP” resolved the issue for all of my users.

Thanks!

3 Likes

Thanks for this tip.
I don’t know what OCSP is; I disabled it and it’s working!

Thanks

Using Kerio Connect 9.2.x with Instant Messaging as IM server, Spark 2.9.x for Windows, and very happy.
Today NO user connected.

Disabling OCSP did the trick

Thanks again, Regards

Hi all, it’s me again.
I did this, I hope this is helpful.

I have found this is related to the certificate expiration issue:
DST Root CA X3 Expired, Mark Exempted

I have downloaded the new Let's Encrypt certificate from
https://letsencrypt.org/certs/isrgrootx1.der

Add Certificate to Trusted . . . Choose File
From Downloads, isrgrootx1.der

ISRG Root X1 Valid

Now it is working normally.

Sorry, can’t post pics.

As the issue appeared again this morning, we tried this one in the properties file and it worked, so it obviously is the OCSP issue. Is there a way to set this globally for the client, or is this a user-only setting?

I don’t think that you can set this globally through Openfire. Maybe you can find a way to globally provision things in your network (not specific to Openfire/Spark), but that’s outside of my realm of expertise.

I’ve created a tracker for the issue in [SPARK-2235] Stop requiring OCSP - Ignite Realtime Jira

2 Likes

Perfect. Thank you for your assistance on this. Looking forward to a new release. So far we will roll out the solution with the properties file.

Hi all

I’ve been working with 25 workstations today;
Spark 2.9.4 error solved.
Just mark “DST Root CA X3 Expired” as Exempted and that’s it.

All certificates are validated as usual.

Let's Encrypt in my case, Kerio Connect server.

Regards