We are using ejabberd as a server and Spark as client, as our Windows users are used to it. This has worked perfectly fine since we put it in place last year.
Since today we have the issue that we can’t connect to ejabberd with Spark anymore, as we get a certificate path error. So it seems to be related to the Let’s Encrypt root CA expiration: DST Root CA X3 Expiration (September 2021) - Let's Encrypt
Anyhow, we checked and the new root CA ISRG X1 is already listed in Spark.
Still, we get the following error when we try to connect. We don’t see this issue with other Jabber clients, which verify the certificate perfectly fine.
Does anyone have an idea how to fix this? We already tried importing the Let’s Encrypt intermediate R3 into the keystore, but also without success.
Disabling encryption is not an option, as our server also does not allow unencrypted connections.
org.jivesoftware.smack.SmackException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Certificate path validation failed
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1176)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$1000(XMPPTCPConnection.java:1092)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1112)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Certificate path validation failed
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:856)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$2000(XMPPTCPConnection.java:155)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1171)
... 3 more
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Certificate path validation failed
at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.checkServerTrusted(SparkTrustManager.java:96)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source)
... 14 more
Caused by: java.security.cert.CertPathValidatorException: Certificate path validation failed
at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.doTheChecks(SparkTrustManager.java:126)
at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.checkServerTrusted(SparkTrustManager.java:92)
... 15 more
Caused by: java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
at java.security.cert.CertPathValidator.validate(Unknown Source)
at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.validatePath(SparkTrustManager.java:270)
at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.doTheChecks(SparkTrustManager.java:122)
... 16 more
Caused by: java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder
at sun.security.provider.certpath.RevocationChecker.checkOCSP(Unknown Source)
at sun.security.provider.certpath.RevocationChecker.check(Unknown Source)
at sun.security.provider.certpath.RevocationChecker.check(Unknown Source)
... 23 more
Curious. It’s working for me, connecting to an Openfire instance that’s using Let’s Encrypt certificates. I am using a development build of Spark though. Would you mind testing a nightly build, to see if that makes a difference? You can download them from Ignite Realtime: Spark Nightly Builds
org.jivesoftware.smack.SmackException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Certificate path validation failed
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1176)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$1000(XMPPTCPConnection.java:1092)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1112)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Certificate path validation failed
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:856)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$2000(XMPPTCPConnection.java:155)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1171)
... 3 more
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Certificate path validation failed
at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.checkServerTrusted(SparkTrustManager.java:97)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source)
... 14 more
Caused by: java.security.cert.CertPathValidatorException: Certificate path validation failed
at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.doTheChecks(SparkTrustManager.java:127)
at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.checkServerTrusted(SparkTrustManager.java:93)
... 15 more
Caused by: java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
at java.security.cert.CertPathValidator.validate(Unknown Source)
at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.validatePath(SparkTrustManager.java:270)
at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.doTheChecks(SparkTrustManager.java:123)
... 16 more
Caused by: java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder
at sun.security.provider.certpath.RevocationChecker.checkOCSP(Unknown Source)
at sun.security.provider.certpath.RevocationChecker.check(Unknown Source)
at sun.security.provider.certpath.RevocationChecker.check(Unknown Source)
... 23 more
Just verified once again: if I use Gajim or Adium it works like a charm. Only seeing this with Spark, all of a sudden.
Ah, I skipped over that, but that does seem relevant. In newer versions of Spark, you can explicitly disable OCSP in the ‘advanced’ connection settings.
You could also try to set checkOCSP=false in the .Spark/spark.properties file that is in the home directory of every user (make sure to check for duplicate entries if you add one).
Ok, this is weird. Out of nowhere the issue stopped and clients can connect again. We did not change anything in the meantime. If you want we can still get you an account, maybe you can see something. To me this all seems like there is something going on with the new root CA of LE.
Thank you for the hint to disable the OCSP check, we will keep an eye on that and try this if the issue comes up again.
This is all really weird, as we have never seen an issue like that before and it worked with the other clients all the time. I would like to keep this post up for some more days until we see if the issue is really gone.
We had this exact problem this morning. Seems a little strange that it took this long to start, since the Let’s Encrypt change took place on the 30th. Regardless, unchecking “Check OCSP” resolved the issue for all of my users.
As the issue appeared again this morning, we tried this one in the properties file and it worked, so it obviously is the OCSP issue. Is there a way to set this globally for the client, or is this a user-only setting?
I don’t think that you can set this globally through Openfire. Maybe you can find a way to globally provision things in your network (not specific to Openfire/Spark), but that’s outside of my realm of expertise.
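The thread gives the workaround (checkOCSP=false in each user's .Spark/spark.properties, watching out for duplicate entries) and then asks how to roll it out to all users rather than one at a time. Below is an added example of how an administrator could do exactly that with a small script; it is not Spark's or Openfire's own code. It assumes the file lives at <home>/.Spark/spark.properties as the thread states, that the home directories sit under the root directories passed on the command line (a hypothetical layout such as /home or C:\Users), and that the properties are plain key=value lines (backslash-continued multi-line values are not handled). The Java default of ISO-8859-1 encoding for .properties files is used so that other entries survive the rewrite unchanged.

```python
"""Set checkOCSP=false in every user's ~/.Spark/spark.properties without creating duplicates.

Added example for this thread, not Spark's or Openfire's code. Assumed paths:
<root>/<user>/.Spark/spark.properties, where <root> is given on the command line.
"""
import re
import sys
from pathlib import Path


def set_property(text: str, key: str, value: str) -> str:
    """Return `text` with exactly one live `key=value` line.

    The first existing entry for `key` (key=..., key:..., or key ...) is
    replaced in place and any further entry for the same key is dropped, so a
    file that already had duplicates comes out with a single one. If the key
    is absent the line is appended. Comment lines ('#' or '!') are left alone,
    so a commented-out '#checkOCSP=true' is not treated as a live entry.
    """
    # Key at line start followed by a separator, so that a longer key such as
    # 'checkOCSPFoo' is not mistaken for 'checkOCSP'.
    head = re.compile(r"^\s*" + re.escape(key) + r"\s*(?:[=:]|\s|$)")
    newline = "\r\n" if "\r\n" in text else "\n"  # keep the file's line endings
    kept = []
    seen = False
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):
            kept.append(line)
        elif head.match(line):
            if not seen:
                kept.append(f"{key}={value}")
                seen = True
            # any later line for the same key is a duplicate and is dropped
        else:
            kept.append(line)
    if not seen:
        kept.append(f"{key}={value}")
    return newline.join(kept) + newline


def update_properties_file(path: Path, key: str, value: str) -> bool:
    """Rewrite `path` in place via a temp file; return True if it changed."""
    # Java .properties files default to ISO-8859-1; latin-1 is lossless here.
    old = path.read_text(encoding="latin-1")
    new = set_property(old, key, value)
    if new == old:
        return False
    tmp = path.with_suffix(path.suffix + ".tmp")
    tmp.write_text(new, encoding="latin-1")
    tmp.replace(path)
    return True


def apply_to_all_users(roots, key="checkOCSP", value="false"):
    """Patch the properties file of every user under each root; return the list of changed files."""
    changed = []
    for root in roots:
        # Hypothetical layout: each child of `root` is a user's home directory.
        for props in sorted(Path(root).glob("*/.Spark/spark.properties")):
            if update_properties_file(props, key, value):
                changed.append(props)
                print(f"updated:   {props}")
            else:
                print(f"unchanged: {props}")
    return changed


if __name__ == "__main__":
    # Usage: python set_spark_ocsp.py /home            (or C:\Users on Windows)
    # Only files that already exist are touched; a user who has never started
    # Spark has no spark.properties yet and is skipped.
    apply_to_all_users(sys.argv[1:] or [str(Path.home().parent)])
```

Running it a second time reports every file as unchanged, and calling apply_to_all_users with value="true" reverses the change once the client side validates the chain correctly again, so the revocation check does not stay switched off by accident.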