No Love with GeoTrust SSL Cert

Greetings,

My ignorance is probably to blame here, but I cannot seem to get my GeoTrust-signed SSL cert to work with Openfire 3.4.4. I have two files in my possession, one that is topped with '-----BEGIN CERTIFICATE-----' and the other with '-----BEGIN PRIVATE KEY-----'. (I got this cert from my web host.)

So, if I import this cert via the admin console, Openfire takes it, but then Firefox can't connect to the console, complaining about a corrupt cert or no supported algorithms found. Hmmmm.

So then I try the manual keytool method and get tracebacks.

When I try to import the private key and cert via the console, I get tracebacks:

java.lang.NullPointerException
    at org.jivesoftware.util.CertificateManager.installCert(CertificateManager.java:501)

The key and cert work as expected with Apache. I must be missing some step.

(Looking at my post from last year about this problem, I see I was able to do a hack with keytool, but this never resulted in a cert that Openfire thought was valid.)

thanks,

daryl

First obvious question: does the cert match the Fully Qualified Domain Name of the Openfire server?

Hi,

It matches the xmpp.domain property. The FQDN of the box itself is something different.

You can connect to https://jabber1.iemchat.com via Firefox to inspect the cert if you wish.

daryl

When I go to the address specified I get an error that implies that the cert does not match the FQDN of the server. See attached picture.

Yes, I have a cheap Linux IPVS failover setup with iemchat.com rotated between jabber1 and jabber2 real servers.

The cert should only need to match the xmpp.domain Openfire property, no?

daryl

Hey daryl,

XMPP clients and HTTP clients (aka browsers) use different types of certificates. XMPP certificates use an extension field in the certificate for the XMPP domain. Standard web certificates do not use that extension field but just the CN (I think). All this means that browsers will verify that the CN (or maybe the subjectDN) field matches the web domain. On the other hand, XMPP clients will read the XMPP extension field and verify that it matches the XMPP domain.

Hope that helps,

– Gato
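To make the difference Gato describes concrete, here is an added example that is not part of the thread: a standard-library Python script that encodes a subjectAltName the way an XMPP server certificate carries it (an xmppAddr otherName for the XMPP domain next to the dNSName a browser would compare against the host name) and checks it against an Openfire xmpp.domain. The xmppAddr OID 1.3.6.1.5.5.7.8.5 comes from RFC 6120, which also lets clients match dNSName entries, so the check goes slightly beyond the post by accepting both; all host and domain names are constructed sample values.

```python
# Added example, not from the thread: encode and parse the X.509 subjectAltName
# value in DER and check it against an Openfire xmpp.domain. Standard library only.
# The xmppAddr OID is from RFC 6120; every name used here is a constructed sample.
XMPP_ADDR_OID = b"\x2b\x06\x01\x05\x05\x07\x08\x05"  # 1.3.6.1.5.5.7.8.5 in DER

def der(tag, body):
    """Wrap body in a DER TLV, using long-form length when it exceeds 127 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def build_san(dns_names, xmpp_domains):
    """GeneralNames SEQUENCE holding dNSName [2] and otherName [0] xmppAddr entries."""
    names = b"".join(der(0x82, d.encode("ascii")) for d in dns_names)
    for x in xmpp_domains:  # otherName ::= SEQUENCE { OID, [0] EXPLICIT UTF8String }
        names += der(0xA0, der(0x06, XMPP_ADDR_OID) + der(0xA0, der(0x0C, x.encode())))
    return der(0x30, names)

def read_tlv(buf, pos):
    """Parse the TLV at pos and return (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:  # long form: low bits give the number of length octets
        k = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length

def parse_san(san):
    """Return (dns_names, xmpp_addrs) found in a DER-encoded GeneralNames value."""
    tag, seq, _ = read_tlv(san, 0)
    assert tag == 0x30, "subjectAltName value must be a SEQUENCE"
    dns, xmpp, pos = [], [], 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0x82:  # dNSName, what a browser compares against the host name
            dns.append(val.decode("ascii"))
        elif tag == 0xA0:  # otherName; keep it only if its type-id is xmppAddr
            t, oid, p = read_tlv(val, 0)
            if t == 0x06 and oid == XMPP_ADDR_OID:
                _, wrapped, _ = read_tlv(val, p)  # [0] EXPLICIT wrapper
                xmpp.append(read_tlv(wrapped, 0)[1].decode("utf-8"))
    return dns, xmpp

def matches_xmpp_domain(san, xmpp_domain):
    """RFC 6120 clients match xmppAddr, then dNSName, against the XMPP domain."""
    dns, xmpp = parse_san(san)
    return xmpp_domain.lower() in [n.lower() for n in xmpp + dns]
```

Run against a SAN built for the XMPP domain only, the check passes for the xmpp.domain value and fails for the box's own FQDN, which is the situation daryl describes.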

Hi,

I am happy to report that the SSL cert issue fix that went into Openfire 3.6.3 fixed this issue for me, oh happy day!

daryl

Hello

I am very new to the list and to Openfire. I was wondering what was resolved with this issue. I have the latest version of Openfire and my SSL certificate from GeoTrust. I added the GeoTrust global root to the truststore using keytool, restarted Openfire, went to the admin console and attempted to add my key and certificate, and got the following error:

There was an error one importing private key and signed certificate. Error message: org.bouncycastle.jce.provider.X509CertificateObject cannot be cast to java.security.KeyPair

Can anyone help me on this issue?

Thanks