Definitely something weird going on here, started getting PKI path validation errors on the LDAPS connections to my (samba) AD authentication server. I shoved my CA, and even the host cert, in both truststore and keystore in /etc/openfire/security and also the ca-certificates.pem file in there in the appropriate format.
I thought for a while I’d nailed it down to my calling the server “localhost” and thus violating the CN on the certificate, but even after fixing this via database editing it just doesn’t seem to validate…
And the error is fairly explicit: it’s not a timezone or CN mismatch but the path failing to validate…
I can, however, connect just fine to said LDAPS server, with validation, from the CLI:
/etc/openfire/security# openssl s_client -connect (fullhostname):636 -CAfile ./ca-certificates.crt
SSL handshake has read 4487 bytes and written 501 bytes
Verify return code: 0 (ok)
But the Openfire logs are spammed with:
==> openfire/error.log <==
2015.06.26 17:39:19 org.jivesoftware.openfire.ldap.LdapAuthProvider - Error connecting to LDAP server
javax.naming.CommunicationException: simple bind failed: (fullhostname):636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
Downgrading to 3.10.1 immediately solves the problem.
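The symptom above (OpenSSL with -CAfile says "Verify return code: 0 (ok)" while the JVM reports "unable to find valid certification path") is what you get when the store the validator actually consults does not contain the issuing CA. The script below is an added example, not code from the original post or from the Openfire project: it builds a throwaway CA and a server certificate signed by it (all names are arbitrary test values, and it assumes the openssl CLI is installed), then verifies the server certificate against a bundle that holds the CA and against one that does not, reproducing both outcomes offline.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is available.
# Builds a throwaway CA and a server certificate it signed, then checks the
# server certificate against two "trust stores": a bundle holding the CA
# (what the -CAfile check in the post did) and a bundle that lacks it
# (what a Java trust store without the CA looks like to the PKIX validator).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_test_pki() {
    # Throwaway root CA (hypothetical name, 1-day validity)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    # Server key and CSR (hypothetical LDAPS host name), signed by the test CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/server.pem" 2>/dev/null
    # An unrelated CA: stands in for a trust store that does not contain our CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
}

# verify_against BUNDLE CERT: prints "ok" when CERT chains to a CA in BUNDLE,
# "fail" otherwise. This is the same check "openssl s_client -CAfile" performs
# on the chain a live server presents.
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# cert_issuer CERT: prints the issuer DN, i.e. the CA that must be present in
# whichever store the validating side (here: the JVM) actually consults.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

make_test_pki
echo "issuer of server cert: $(cert_issuer "$WORK/server.pem")"
echo "bundle with CA:        $(verify_against "$WORK/ca.pem" "$WORK/server.pem")"
echo "bundle without CA:     $(verify_against "$WORK/other.pem" "$WORK/server.pem")"
```

Against a real server, feed the chain from `openssl s_client -showcerts -connect host:636` to `openssl verify -CAfile` the same way. The Java-side counterpart of the -CAfile check is `keytool -list -keystore <truststore>`, which shows whether the issuing CA is really present in the store the JVM is configured to use; if the CLI check passes and the JVM check fails, the two are simply not looking at the same set of trusted CAs.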