powered by Jive Software

Issues with Wildfire 3.2.0_rc2 and SSL

I had my server running with 3.1.1 and I was using the SSL certificates from startcom/xmpp . All was ok, but after upgrading to 3.2.0_rc2 I get the following when i try to access: http://jabber.felisberto.net:9090/ssl-certificates.jsp

Exception:

java.security.InvalidKeyException: Supplied key (null) is not a RSAPrivateKey instance

at org.bouncycastle.jce.provider.JDKDigestSignature.engineInitSign(Unknown Source)

at java.security.Signature.initSign(Signature.java:485)

at org.bouncycastle.jce.PKCS10CertificationRequest.(Unknown Source)

at org.bouncycastle.jce.PKCS10CertificationRequest.(Unknown Source)

at org.jivesoftware.util.CertificateManager.createSigningRequest(CertificateManage r.java:321)

at org.jivesoftware.wildfire.admin.ssl_002dcertificates_jsp._jspService(ssl_002dce rtificates_jsp.java:351)

at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)

at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:491)

at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1074)

at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:11 8)

at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)

at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1065)

at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:65)

at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1065)

at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingF ilter.java:41)

at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1065)

at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:69)

at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1065)

at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:98)

at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1065)

at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:365)

at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:185)

at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)

at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:689)

at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:391)

at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollect ion.java:146)

at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)

at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)

at org.mortbay.jetty.Server.handle(Server.java:285)

at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:457)

at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.j ava:751)

at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:500)

at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:209)

at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:357)

at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:329)

at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:475)

Also, altough the info page reports: All addresses 9091 Admin Console The port used for secured Admin Console access. If i try to acess the web interface with https on port 9091 nothing is listening there:

www ~ # netstat -na|grep 9090

tcp 0 0 0.0.0.0:9090 0.0.0.0:* LISTEN

www ~ # netstat -na|grep 9091

www ~ #

Hey Gustavo,

That error means that the certificate has no chain. The same certificate is used for TLS and the old SSL method. Are clients able to connect to the server using TLS or SSL? I’'m checking if this is a UI problem or if in fact Wildfire is not able to handle that certificate.

BTW, how have you imported that certificate? Two weeks ago I was trying to use a certificate signed by startcom and got the same error. I was not able to get to the bottom of it so I don’'t have a conclusive answer for you at this time.

Thanks,

– Gato

I dont remember the exact steps. But i know I used the command line tools. I think I used the steps on some thread here in the forums.

Clients using SSL are able to connect ok and receive the proper certificate: http://www.felisberto.net/~humpback/wildfire-ssl.png

Sorry for a reply and not a new post, 1st time user on your forum was directed here by one of Jive tech support people with the same problem.

I installed Wildfire Enterprise 311 and had it working perfectly using self signed SSL cert. As soon as I imported 3rd party signed cert. received no socket errors and unknown cipher errors. I sent an email with errors copied and pasted to Jive tech support who replied and said to install 3.2 update, it would fix problem. I installed 3.2, got it up and running beautifully with self signed SSL cert., as soon as I import 3rd party signed cert get the same error as posted here. Cert is from Starfield Secure Certification Authority (godaddy.com) Imported using following command with no other certs stored:

keytool -import -keystore keystore -alias mydomain.com -file cert_file_name.cer

I hope having the name of another Authority being rejected and import method helps in some way.

Regards,

Matt S.

2nd post was mistake…I got an internal error posting message when I tried to post this the 1st time and did not think it posted, after posting 2nd time it appeared twice.

Regards,

Matt S.

Message was edited by: eGeeX

I have encountered same issue with startcom certificates as You, gato. I’'m using Wildfire 3.2.0.

Hi,

Anybody have a solution for this? I’'ve got the same problem with a cert signed by GeoTrust.

thanks,

daryl

I’‘ve also got a Geotrust cert and, while it imports, Wildfire doesn’'t seem to be recognizing it…

Try putting the root certificate (and any other certificate in the chain) right before your own certificate together into a single file, and import that one. That fixed it for me.

I tried this method and get the following error on import.

keytool error: java.lang.Exception: Input not an X.509 Certificate

any ideas?

how are you creating the file?

Regards,

Matt S.

thanks for the help. I tried this method and keytool only imported the root cert. As the previous poster asks, and example would be appreciated.

daryl

I reverted to wildfire 3.1.1 this morning and the geotrust SSL cert worked as expected. Hopefully the

issue is fixed in 3.2.1

I have reverted back to 3.1.1 Enterprise due to other issues as well as this one. Still getting same error with SSL cert. error is:

Could not setup SSL socket

javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.

at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(Unknown Source)

at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(Unknown Source)

at org.jivesoftware.wildfire.net.SSLSocketAcceptThread.run(SSLSocketAcceptThread.j ava:146)

2007.02.11 17:38:02 [org.jivesoftware.wildfire.net.SSLSocketAcceptThread.run(SSLSocketAcceptThread. java:168)

I have tried many things with the cert using openssl and keytool to try and get the keys to work with no luck.

Any ideas on this one?

Regards,

Matt S.

bump

Any thoughts on this? a collegue of mine pointed me to this page:

http://www.agentbob.info/agentbob/79.html

which at least gave me a keystore that wildfire 3.2 wouldn’‘t complain about. Except it doesn’‘t think my RSA key is verified. I’'m perplexed

I dunno if this would be any help for this thread…

This is how I got my wildcard cert to work with Wildfire 3.11:

http://www.igniterealtime.org/forum/thread.jspa?messageID=133457&#133457

Would this work for 3.2.0 also?

Thanks! The process worked, but Wildfire 3.2 still thinks my RSA key is still pending verification.

Strange, but I’'m also a SSL newbie, so I am perhaps doing something silly.

I am having this ‘‘Supplied key (null) is not a RSAPrivateKey instance’’ error with the all the releases greater than 3.2xxx.

I have 3.1 instance running fine with some certs signed out of my own CA Heirachy which doesn’'t have this problem.

I created a new install of the 3.3 Alpha and then used the keytool to import my CA certs and server cert/RSA private key pair from the old keystore and truststore files from the old working installation.

All my SSL clients connect fine and I can web browse to the Admin console using SSL without any complaints from the browser. Openfire however logs:

And when I go to the ‘‘Server Certificates’’ page in the admin console I get the ‘‘java.security.InvalidKeyException: Supplied key (null) is not a RSAPrivateKey instance’’ error