powered by Jive Software

Openfire IOException after touching SSL Certificates

Hello All,

I have a domain name, which also has a SSL Certificate provided by Comodo Positive SSL, in conjunction with OpenSSL. Provided with it, were the following files.:

  • AddTrustExternalCARoot.crt
  • domainname_org.crt
  • COMODORSAddTrustCA.crt
  • COMODORSADomailValidationSecureServerCA.crt

I personally, have also created a private key .pem file via openssl. I currently am trying to get these certificates to somehow work with openfire. I have been googling for about 5 hours now, and cannot seem to find a working tutorial. I have followed quite a few of them which walk through manually using keystore commands. The only issue with these tutorials, is that they completely kill my Openfire installation.

Whenever a keystore command, or rather, and truststore or keystore tampering occurs, my admin panel turns into this.

HTTP ERROR 500

Problem accessing /index.jsp. Reason:

java.io.IOException

Caused by:

org.apache.commons.httpclient.HttpClientError: java.io.IOException at org.jivesoftware.openfire.clearspace.SSLProtocolSocketFactory.createSSLContext( SSLProtocolSocketFactory.java:73) at org.jivesoftware.openfire.clearspace.SSLProtocolSocketFactory.getSSLContext(SSL ProtocolSocketFactory.java:79) at org.jivesoftware.openfire.clearspace.SSLProtocolSocketFactory.createSocket(SSLP rotocolSocketFactory.java:132) at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDir ector.java:387) at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirect or.java:171) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) at org.jivesoftware.util.HttpClientWithTimeoutFeedFetcher.retrieveFeed(HttpClientW ithTimeoutFeedFetcher.java:169)

(etc… I cut off the rest for the sake of avoiding a wall of text)

This is kind of annoying to find myself at since this error really, tells me nothing usefull. Perhaps someone else may find information from it, but a basic java.io.IOExeption is a pretty basic, non detailed error.

I have tried adding the certificates through the ‘web interface’ but have never had any luck with the 15 times I tried. It seems it either said it was a invalid private key (so I made a private key .pem) or that the certificate is wrong (which aparently was fixed by copying it from a different editor), to now saying that it could not read from the chain, or get a reply, (or something similar).

I am really really hoping to get Openfire to work well because ejabberd plain up, wont even start on my server.

Anywho, I am open to all input, ideas, and questions.

P.S.

Openfire does run properly prior to any SSL certificate activity. It just has lesser security.

Server Information:

OS:…Linux (Ubuntu Server 12.10)

Install Setup:…Apache2, MySQL, OpenSSL, Java 1.7.0 55 via Open JDK 2.4.7

Openfire Version:…3.9.3, installed via .deb

Certificate Authority:COMODO Positive SSL

Your private key (pem) must match your certificate. You need the PEM file which was used to create the CSR.

I have tried that, but it says that it found a info key, or something of that order, and cannot use it.

I have attempted to re create a CSR and I have recieved a new certificate.

I created the new CSR using the key.pem file.

I put the new domainname_org.crt and privateKey.pem into Openfire, and get this.

. Error message: Failed to establish chain from reply

I created the new CSR using the following command:

openssl req -out CSR.csr -key privateKey.pem -new

EDIT

I was now able to get it to accept the certificate by doing the following:

1, Providing the correct key pass phrase, and privateKey.pem

2, Copying the domain_org.crt

3, Copying the SecureServerCA.crt under the domain_org.crt

  1. Pressing submit

I was told ‘Certificate Authority reply was imported successfully.’. However, it did not show up on anything. After restarting Openfire, I am now told that my keystore is currupt. …What happened?

Upon further investication, my error log has shown me this line

2014.05.12 12:03:25 org.jivesoftware.util.CertificateManager - Error decoding subjectAltName

java.lang.ClassCastException: org.bouncycastle.asn1.DERTaggedObject cannot be cast to org.bouncycastle.asn1.ASN1Sequence

So where do I go from here?

EDIT

And now I just restarted Openfire, guess what?

HTTP ERROR 500

Problem accessing /index.jsp. Reason:

> java.io.IOException

Caused by:

org.apache.commons.httpclient.HttpClientError: java.io.IOException at org.jivesoftware.openfire.clearspace.SSLProtocolSocketFactory.createSSLContext( SSLProtocolSocketFactory.java:73) at org.jivesoftware.openfire.clearspace.SSLProtocolSocketFactory.getSSLContext(SSL ProtocolSocketFactory.java:79) at org.jivesoftware.openfire.clearspace.SSLProtocolSocketFactory.createSocket(SSLP rotocolSocketFactory.java:132) at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDir ector.java:387) at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirect or.java:171) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) at org.jivesoftware.util.HttpClientWithTimeoutFeedFetcher.retrieveFeed(HttpClientW ithTimeoutFeedFetcher.java:169) at org.jivesoftware.openfire.admin.index_jsp._jspService(index_jsp.java:432) at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97) at javax.servlet.http.HttpServlet.service(HttpServlet.java:820) at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:547) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1359) at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:11 8) at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1330) at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:74) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1330) at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingF ilter.java:50) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1330) at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:78) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1330) at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:164) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1330) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:478) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:520) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:22 7) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:94 1) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:409) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:186 ) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:875 ) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117) at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandler Collection.java:250) at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.jav a:149) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:110) at org.eclipse.jetty.server.Server.handle(Server.java:349) at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:441) at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConne ction.java:919) at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:582) at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:218) at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:51 ) at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.jav a:586) at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java :44) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:598 ) at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:533) at java.lang.Thread.run(Thread.java:744)

So it looks like I get to reinstall this, again, for the 5th time.

EDIT

I was able to get back into it again by refreshing the page (seems random but it worked).

My certificate page now tells me

Unable to access certificate store. The keystore may be corrupt.

One or more certificates are missing. Click here to generate self-signed certificates or here to import a signed certificate and its private key.

Neither buttons really result in anything useful. They just seem to refresh the page.

Just tried this tutorial, no luck, tells me the keystore is currupt.

:confused:

I have found a solution, here is how to install Comodo Positive SSL via openssl, and Openfire.

This is assuming you retrieved your key, as not an info key, and as an actual .pem, then you requested certificates based on openssl + apache.

Convert the following certificates to a .PEM format.

  • domainname_org.crt
  • COMODORSAddTrustCA.crt
  • COMODORSADomailValidationSecureServerCA.crt

Add them all to a .cert file like this

“cat domainname_org.pem COMODORSAddTrustCA.pem COMODORSADomailValidationSecureServerCA.pem >> certs.cert”

This order of certificates is recommended by the CA.

After this, copy the contents of certs.cert to the third field in the ssl certificate import page in openfire, the, put the contents of your privatekey.key into the second feild, the first field you will put the password in for your key file.

Hit import, and hopefully it all works.

If you need help converting your DER .crt files to PEM .pem, just google how to convert .crt to .pem with openssl. Should be one of the first results.

Then remove the original certificates on the certificate page.

Openfire will complain about a missing certificate because there is no dsa, this is not really important and can be ignored.

1 Like

What type of Certificate did you request in Comodo Adminpanel “Select the server software used to generate the CSR” ? Openfire isn’t listed there. Should i choose “Java Web Server”?

Tell comodo you need it for openssl + apache

How to setup comodo positive SSL with Openfire 3.9.x From START TO FINISH (this took over 24 hours to gather and solve)

Here are the commands you will eventually need:

**Generate your privatekey.pem **

openssl genrsa -des3 -out privatekey.pem 2048

**Generate your CSR to send to COMODO **

openssl req -out CSR.csr -key privatekey.pem -new

Send COMODO the CSR (its the contents of your CSR.csr)

Eventually comodo will send you a zip with a few files, just transfer the zip to the server (or use ftp)

At this point the .zip is on the server in your home directory.

unzip YOURDOMAIN_ext.zip

Now we need to convert your certificates so openfire can use them

**
**

penssl x509 -in YOURDOMAIN_ext.crt -out domain_cert.der -outform DER

penssl x509 -in COMODORSAAddTrustCA.crt -out inter1.der -outform DER

penssl x509 -in COMODORSADomainValidationSecureServerCA.crt -out inter2.der -outform DER

Now we convert the DER to PEM for openssl

openssl x509 -in domain_cert.der -inform DER -out domain_cert.pem -outform PEM

openssl x509 -in inter1.der -inform DER -out inter1.pem -outform PEM

openssl x509 -in inter2.der -inform DER -out inter2.pem -outform PEM

Now that our certificate and intermediate files are setup, we can concatnate them all onto one file for Openfire

cat domain_cert.pem inter1.pem inter2.pem >> openfire_bundle.pem

Now, copy the contents of openfire_bundle.pem into the certificate section of the admin panel. Copy the contents of your primarykey.pem to the key section of the import page in the admin panel. Put the password for your key into the paraphrase box in the import page in the admin panel.

Remember to REMOVE the old self signed dsa and rsa certficates!

**Hit submit, and it should work, let me know if it doesn’t and what it says.
**

1 Like

thank you for your ssl guide. I will try it within the next days and give feedback.

I can only choose from “Apache-ModSSL” and "Apache-SSL(Ben-SSL, not Stronghold). Which one is the right?

I guess it is “Apache SSL”

http://www.instantssl.com/ssl-certificate-support/csr_generation/ssl-certificate -mod_ssl.html

Thanks

Sorry I was not aware of your edit to your reply.

I’m not sure, I purches my comodo Positive SSL certificate from NameCheap, who then offered me the option of ‘Apache - openssl’

Thank you Travis. Everything workes fine with your guide!!

This will save a lot of people’s time.

I only have two files from COMODO,named YOURDOMAIN_ext.crt andYOURDOMAIN_ext.ca-bundle.Could you tell me where are COMODORSAAddTrustCA.crt and COMODORSADomainValidationSecureServerCA.crt. Thx.
``

I would believe that the ca-bundle houses the other two certificates in the same file. I think thats why they refer to it as a bundle.

Let me know if you need anything else!

Thank you.I think the certificate is ok because it shown me this:

Oct 10, 2014
The certificate has been signed by a Certificate Authority. Clients and servers should accept the certificate unless they not trust on the Certificate Authority that signed the certificate.
CA Signed
RSA

However,I can’t login with the third anroid project,such as beem.The error logcat is:

08-05 11:26:28.191: E/XMPPConnectionAdapter(30354): Error while connecting

**08-05 11:26:28.191: E/XMPPConnectionAdapter(30354): SASL authentication failed using mechanism DIGEST-MD5: **

08-05 11:26:28.191: E/XMPPConnectionAdapter(30354): at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java: 259)

08-05 11:26:28.191: E/XMPPConnectionAdapter(30354): at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:207)

08-05 11:26:28.191: E/XMPPConnectionAdapter(30354): at com.beem.project.beem.service.XmppConnectionAdapter.login(XmppConnectionAdapter .java:251)

08-05 11:26:28.191: E/XMPPConnectionAdapter(30354): at com.beem.project.beem.service.LoginAsyncTask.doInBackground(LoginAsyncTask.java :100)

08-05 11:26:28.191: E/XMPPConnectionAdapter(30354): at com.beem.project.beem.service.LoginAsyncTask.doInBackground(LoginAsyncTask.java :1)

08-05 11:26:28.191: E/XMPPConnectionAdapter(30354): at android.os.AsyncTask$2.call(AsyncTask.java:288)

08-05 11:26:28.191: E/XMPPConnectionAdapter(30354): at java.util.concurrent.FutureTask.run(FutureTask.java:237)

08-05 11:26:28.191: E/XMPPConnectionAdapter(30354): at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:231)

08-05 11:26:28.191: E/XMPPConnectionAdapter(30354): at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)

08-05 11:26:28.191: E/XMPPConnectionAdapter(30354): at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)

08-05 11:26:28.191: E/XMPPConnectionAdapter(30354): at java.lang.Thread.run(Thread.java:811)

Is the openfire server domain must match the CA certificates domain?Because my CA certificates domain is my company‘s website but the openfire server is used in LAN.