
Openfire 3.6.4 corrupts keystore after reboot

hi there

I have Openfire 3.6.4 running on an OpenVZ (Ubuntu 8.04) VE (with PostgreSQL).

Whenever I reboot the VE, the certificates (self-signed certificates generated in the Openfire web admin interface) get corrupted. In the web interface it says:

‘Unable to access certificate store. The keystore may be corrupt.’

The /var/log/openfire/error.log says:

2009.08.11 15:01:28 [org.jivesoftware.openfire.net.SSLConfig.<clinit>(SSLConfig.java:105)] SSLConfig startup problem.
storeType: [jks]
keyStoreLocation: [/usr/share/openfire/resources/security/keystore]
keypass: [changeit]
s2sTrustStoreLocation: [/usr/share/openfire/resources/security/truststore]
s2sTrustpass: [changeit]

java.io.EOFException
at java.io.DataInputStream.readInt(DataInputStream.java:375)
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:628)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
at java.security.KeyStore.load(KeyStore.java:1185)
at org.jivesoftware.openfire.net.SSLConfig.<clinit>(SSLConfig.java:100)
at org.jivesoftware.openfire.spi.ConnectionManagerImpl.isClientSSLListenerEnabled(ConnectionManagerImpl.java:584)
at org.jivesoftware.openfire.spi.ConnectionManagerImpl.createClientSSLListeners(ConnectionManagerImpl.java:379)
at org.jivesoftware.openfire.spi.ConnectionManagerImpl.createListeners(ConnectionManagerImpl.java:92)
at org.jivesoftware.openfire.spi.ConnectionManagerImpl.start(ConnectionManagerImpl.java:826)
at org.jivesoftware.openfire.XMPPServer.startModules(XMPPServer.java:569)
at org.jivesoftware.openfire.XMPPServer.start(XMPPServer.java:434)
at org.jivesoftware.openfire.XMPPServer.<init>(XMPPServer.java:161)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at java.lang.Class.newInstance0(Class.java:355)
at java.lang.Class.newInstance(Class.java:308)
at org.jivesoftware.openfire.starter.ServerStarter.start(ServerStarter.java:106)
at org.jivesoftware.openfire.starter.ServerStarter.main(ServerStarter.java:51)
2009.08.11 15:01:28 [org.jivesoftware.openfire.container.AdminConsolePlugin.startup(AdminConsolePlugin.java:125)]
java.io.IOException
at org.jivesoftware.openfire.net.SSLConfig.getKeyStore(SSLConfig.java:268)
at org.jivesoftware.openfire.container.AdminConsolePlugin.startup(AdminConsolePlugin.java:98)
at org.jivesoftware.openfire.container.AdminConsolePlugin.initializePlugin(AdminConsolePlugin.java:174)
at org.jivesoftware.openfire.container.PluginManager.loadPlugin(PluginManager.java:448)
at org.jivesoftware.openfire.container.PluginManager.access$300(PluginManager.java:47)
at org.jivesoftware.openfire.container.PluginManager$PluginMonitor.run(PluginManager.java:1032)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
at java.util.concurrent.FutureTask$Sync.innerRunAndReset(FutureTask.java:317)
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:150)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(ScheduledThreadPoolExecutor.java:98)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(ScheduledThreadPoolExecutor.java:181)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:205)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
at java.lang.Thread.run(Thread.java:619)

I’ve seen similar problem reports, but so far no real solutions (‘remove the keystore file, restart openfire and generate new certificates’ is no real solution).

I compared the keystore file before and after the reboot and it’s the same (i.e. same size, same md5sum, same timestamps, same permissions).

Any hint or solution is welcome.

andi

I filed something related a while ago - http://www.igniterealtime.org/issues/browse/OF-30. You can try extracting the /resources/security folder from the installation package (zip or tar.gz) and put it in place of yours. But this default keystore won’t match your server’s name and probably won’t work. I was able to solve this with my testing server by recompiling the server and going through the setup again. So, another way to try is to repeat the setup process. Maybe it will generate new self-signed certs which won’t get “corrupted” after the restart. To repeat the setup, stop Openfire, edit /conf/openfire.xml and change the last tag true to false. Run Openfire again. This shouldn’t harm your current installation, you will just repeat all the steps, though you can do a backup first.

Hello,

I had this same issue with 3.6.4 running on Debian Lenny and Postgres.

I think it reared its ugly head while I was attempting to get an encrypted connection between openfire and postgres to work though I am not sure as I never set “require secure connection between server and client” before this.

Permissions on the keystore were 644 and it was owned by openfire.

I tried the following to no avail.

Stop openfire.

manually delete keystore

start openfire

create new self signed certs through webGUI.

restart openfire

same issue

stop openfire

manually delete keystore

manually create new self signed certs using keytool along with new keystore

start openfire

stop openfire

same issue

deleted self signed certs using webGUI

recreated new self signed certs using webGUI

restarted

same issue

created new cert in truststore since the error is actually an EOFException pointing to the truststore (line 100 SSLConfig.java).

same issue

vim openfire.xml and change the parameter to false which requires me to run back through setup.

still same issue

The way I finally resolved this was to copy the keystore and truststore from my development machine (of course the hostname was different)

start openfire

log into the webGUI

I got a “hostname mismatch” so I deleted self signed certs through the webGUI and recreated them the same way.

restart 2 times

Works well so far.

Hope this helps!

The problem is in the truststore. This is how I fixed the problem:

  • Changed openfire to 3.6.3 (try without this, I don’t know now if the problem is in 3.6.4, but I reverted the version before doing this)

  • Restart server

  • Recreate new self signed certs using webGUI

  • Stop server

  • Overwrite the truststore file with some file of 32 bytes in size (empty cert). I copied the client.truststore file

  • Start server

No problems after that
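To make the two findings in this thread concrete (the EOFException thrown from DataInputStream.readInt inside JavaKeyStore.engineLoad in the first post, and the "32 bytes in size" empty truststore that fixed it in the post above), here is an added example that is not from the thread or from Openfire. It assumes the standard JKS layout (magic 0xFEEDFEED, version, entry count, entries, trailing keyed SHA-1 digest) and the "changeit" password shown in the log; the alias and certificate bytes used in the test are constructed, not real certificates.

```python
import hashlib, io, struct

MAGIC = 0xFEEDFEED  # first four bytes of every JKS file

def _digest(password, body):
    # JKS integrity hash: SHA-1(password as UTF-16BE || "Mighty Aphrodite" || store bytes)
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()

def build_jks(entries, password="changeit"):  # (alias, cert_der) pairs as trusted-cert entries, v2 layout
    body = struct.pack(">III", MAGIC, 2, len(entries))  # magic, version, entry count
    for alias, cert_der in entries:
        body += struct.pack(">IH", 2, len(alias)) + alias.encode()  # tag 2 = trusted certificate
        body += struct.pack(">QH", 0, 5) + b"X.509"  # creation time (ms), cert type string
        body += struct.pack(">I", len(cert_der)) + cert_der
    return body + _digest(password, body)  # an empty store is 12 + 20 = 32 bytes

def _take(buf, n):  # fails like DataInputStream.readInt() when the file is shorter than it claims
    chunk = buf.read(n)
    if len(chunk) < n:
        raise EOFError(f"need {n} bytes at offset {buf.tell() - len(chunk)}, got {len(chunk)}")
    return chunk

def _u32(buf): return struct.unpack(">I", _take(buf, 4))[0]
def _utf(buf): return _take(buf, struct.unpack(">H", _take(buf, 2))[0]).decode()

def check_jks(data, password="changeit"):
    """Walk a JKS file; return (status, aliases) with status ok/bad-magic/truncated/bad-digest."""
    buf, aliases = io.BytesIO(data), []
    try:
        if _u32(buf) != MAGIC:
            return "bad-magic", aliases
        version, count = _u32(buf), _u32(buf)
        for _ in range(count):
            tag = _u32(buf)  # 1 = private key + chain, 2 = trusted certificate
            aliases.append(_utf(buf))
            _take(buf, 8)  # creation timestamp
            if tag == 1:  # skip the password-protected key bytes before its chain
                _take(buf, _u32(buf))
            for _ in range(_u32(buf) if tag == 1 else 1):
                if version == 2:  # v2 stores prefix each certificate with its type string
                    _utf(buf)
                _take(buf, _u32(buf))
        stored, body_end = _take(buf, 20), buf.tell() - 20  # trailing SHA-1 digest
    except EOFError:
        return "truncated", aliases
    if stored != _digest(password, data[:body_end]):
        return "bad-digest", aliases
    return "ok", aliases
```

Running check_jks over the keystore and truststore paths from the log before and after a reboot distinguishes a file that is genuinely short (the EOFException case) from one whose digest no longer matches the password.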

Just a short status update: none of the mentioned solutions work.

I still get the same error and I still have to manually generate the certificates after any restart of the jabber server ;-(