Openfire - Spark unable to verify certificate

First-time user of Openfire. Not real strong in Linux…

I have Openfire configured, and everything seems really straightforward, a great simple project. Where I am getting hung up is the certificates. In Spark, I have been able to get the hostname to validate, but the cert is still “unable to verify.”

I used openssl to create a new cert request and had it self-signed by a domain CA. The web page is trusted on the local domain. No problems there.

I was able to get a new key generated, and a cert request made, using keytool; the same domain CA issued it, and after importing, it seems that the host name is no longer an issue, but the cert is still unable to verify, per Spark.

I know I can just accept all certificates in Spark, but after going through all this work, it doesn’t sit well that I settle for accepting all certs.

I have not been able to find any instructions specific to self-signing with a Windows CA, which should be a viable solution when Openfire is not used outside the office domain. Because the hostname issue seems to have gone away, the CN must be correct, and because I have a trusted site when accessing the webpage, with a cert issued by the same domain CA, I would think the cert used for Openfire/Spark should also be trusted by the client.

One clue I have is that when I import the issued cert into keystore, it tells me that it is “not trusted, reply anyway?”

Your time is appreciated.

Spark doesn’t have an option to trust only a selected certificate (yet). It is planned for 2.9.0, but I can’t say when it will be released as development is stalled. You can try the latest build to see how it works (with some bugs still). Your users would still have to manually trust your self-signed cert once. Spark is using the Java keystore, not the Windows built-in keystore. http://www.igniterealtime.org/downloads/nightly_spark.jsp

Is it spark that is the problem? I think the certificate is already trusted by the computer I am testing with. I know that the common name is correct, I know that a cert self-signed by the same domain CA is trusted.

When I import the cert:
keytool -import -keystore keystore -alias im.domain.com_rsa -file /opt/bitnami/apache2/conf/im.domain.com-derchain.p7b

I get this prompt: “…is not trusted. Install reply anyway?” [no]

I am not sure if this is part of the problem or not.

The problem is with the Java keystore not knowing that your self-signed certificate should be trusted. Java’s keystore is self-contained and not related to Windows. So, if your Windows trusts this certificate, this doesn’t mean Java will. I’m not sure what this command does (not so familiar with keytool either). But are you trying to import it into your website’s Apache server? It should be imported into Java’s keystore. If you use Spark with the built-in Java, then that Java is stored in the /Spark/jre folder. I don’t know exactly how to import it manually into that keystore. Maybe @Alameyo can help with that as he is the one who created the GUI for 2.9.0.

Are you using Spark 2.8.3 or that nightly build provided by @wroot? TLS validation of certificates was pretty much broken in Spark 2.8.3 and I have done some work towards Spark 2.9.0 in this area (but it still requires a bit of polishing, mostly in terms of user friendliness, before the official release). If you are using this nightly build then you have a GUI in which you can add or remove certificates (so no need to use keytool) as well as choose some of the rules for which certificates you accept or not.

Oh yeah, I didn’t emphasize that importing a cert into the keystore will only work for the 2.9.0 branch. I suspect he wants to make it so all the clients would trust it automatically and that’s why he is trying to import it with keytool. Not sure if you can import it and then distribute the updated keystore to the clients with some script.

Then I guess he can do it. He can add this certificate to the truststore (importantly, that is how the file with trusted certificates is named, as there are a few other keystores) with Spark’s GUI and then distribute copies of this to the security folder.
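Since the thread's point is that trust lives in the Java truststore rather than the Windows store, here is an added diagnostic (example code, not from Spark or Openfire) that loads a Java truststore plus the server's certificate file and runs Java's own PKIX path validation, the check behind Spark's “unable to verify”, so the truststore can be tested before it is copied to each client's security folder. It assumes the truststore file, its password and the certificate file are given on the command line (the thread names the `truststore` file but not its password) and accepts the .p7b chain file from the keytool command above.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

public class SparkTrustCheck {
    // Truststore may be JKS or PKCS12; the default type loads either on a current JDK.
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }
    // PEM, DER or a PKCS#7 (.p7b) bundle: CertificateFactory reads all three.
    static List<X509Certificate> loadCerts(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(path)) { for (Certificate c : cf.generateCertificates(in)) certs.add((X509Certificate) c); }
        return certs;
    }
    // Leaf-first path that stops before a self-signed root: PKIX takes the anchor from
    // the truststore, and a .p7b bundle promises no particular order.
    static List<X509Certificate> buildPath(List<X509Certificate> certs) {
        Map<String, X509Certificate> bySubject = new HashMap<>();
        Set<String> issuers = new HashSet<>();
        for (X509Certificate c : certs) { bySubject.put(c.getSubjectX500Principal().getName(), c); issuers.add(c.getIssuerX500Principal().getName()); }
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate leaf : certs) {
            if (issuers.contains(leaf.getSubjectX500Principal().getName())) continue; // issued something: not the leaf
            for (X509Certificate c = leaf; c != null && !c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
                 c = bySubject.get(c.getIssuerX500Principal().getName())) path.add(c);
        }
        return path.isEmpty() ? certs : path; // only self-signed certs given: let the validator report it
    }
    // Run the same PKIX validation a Java TLS client performs against this truststore.
    static String validate(List<X509Certificate> path, KeyStore trustStore) {
        try {
            CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
            PKIXParameters params = new PKIXParameters(trustStore); // every trusted-cert entry becomes an anchor
            params.setRevocationEnabled(false); // assumption: internal CA with no reachable CRL/OCSP endpoint
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(cp, params);
            return "TRUSTED via anchor " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (CertPathValidatorException e) { return "NOT TRUSTED: " + e.getMessage(); } // typically: no anchor for the domain CA in this store
        catch (Exception e) { return "ERROR: " + e; } // e.g. the store holds no trusted-certificate entries at all
    }
    public static void main(String[] args) throws Exception {
        if (args.length != 3) { System.err.println("usage: SparkTrustCheck <truststore> <password> <certfile>"); return; }
        System.out.println(validate(buildPath(loadCerts(args[2])), loadTrustStore(args[0], args[1].toCharArray())));
    }
}
```

A NOT TRUSTED result with the domain CA absent from the anchor list means the CA certificate itself (not only the server certificate) still has to be imported as a trusted entry into that truststore.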