Problem Installing XMPP.ORG Cert

Guys,

I’ve spent the last few days trying to get an XMPP.ORG cert installed on my Openfire 3.6.3 server, to no avail. I’ve tried with both a wildcard cert and a cert specific for my server, to no avail. I’ve followed all the steps on the XMPP site and in the Wildfire SSL cert guide. It’s hard to recall everything I’ve done up to this point, but here are the key things that I have done:

  • Installed the 1.6 Unlimited Strength Java Cryptography Extension (JCE)

  • Used the JDK keytool to create a private key

  • Used keytool to create a CSR

  • Used the CSR to generate a cert on the XMPP.ORG site

  • Used the keytool to import the Startcom CA cert

  • Used the keytool to import the sub.class1.xmpp.ca cert

  • Used the keytool to import my issued cert

After doing all of this, and of course deleting the default self-signed certs, I receive the following exception in the Openfire console:

java.security.InvalidKeyException: Supplied key (null) is not a RSAPrivateKey instance
at org.bouncycastle.jce.provider.JDKDigestSignature.engineInitSign(Unknown Source)
at java.security.Signature$Delegate.engineInitSign(Unknown Source)
at java.security.Signature.initSign(Unknown Source)
at org.bouncycastle.jce.PKCS10CertificationRequest.<init>(Unknown Source)
at org.bouncycastle.jce.PKCS10CertificationRequest.<init>(Unknown Source)
at org.jivesoftware.util.CertificateManager.createSigningRequest(CertificateManager.java:392)
at org.jivesoftware.openfire.admin.ssl_002dcertificates_jsp._jspService(ssl_002dcertificates_jsp.java:548)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1093)
at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:66)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:42)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:70)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:146)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)
at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206)
at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.Server.handle(Server.java:324)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:829)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:514)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)
at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:488)

I’ve found quite a few posts with users complaining of the same error, including these posts:

http://www.igniterealtime.org/community/message/179743#179743

But after reading through all the posts, it’s clear there’s no definitive solution. I’ve also exchanged emails with Peter over at XMPP.ORG and he’s not sure what the issue is. But he did mention that he’s heard of quite a few issues getting certs installed in Openfire. Any ideas folks? If I cannot get this working I’ll need to revert back to a self-signed cert, which I don’t want to do unless I have to. Thanks for any help.

-Ryan
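Added example, not from the thread or from Openfire itself: a small shell check for the symptom in the post above, run against a constructed `keytool -list` listing rather than a live keystore. It assumes Openfire 3.x looks up the server key under the alias `<xmpp.domain>_rsa`, and `example.com` stands in for the real domain.

```shell
#!/bin/sh
# Added example, not from the thread or the Openfire project. "Supplied key (null)"
# means the keystore returned no private key for the alias Openfire looks up; that is
# what happens when the issued cert is imported under a new alias (keytool stores it
# as a separate trustedCertEntry) rather than the alias that holds the private key.
# Assumption: Openfire 3.x looks up the alias "<xmpp.domain>_rsa".
# Constructed sample of `keytool -list -keystore <store>` output (example.com is a
# placeholder). The last entry shows the mistake: the server cert sits on its own.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

startcomca, Jan 1, 2009, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
sub.class1.xmpp.ca, Jan 1, 2009, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
example.com_rsa, Jan 1, 2009, PrivateKeyEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
example.com, Jan 1, 2009, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'
# entry_type ALIAS: read a keytool listing on stdin and print the entry type stored
# for ALIAS (keyEntry, PrivateKeyEntry or trustedCertEntry), or "missing". The type
# is the last field, so locale-specific dates containing commas do not matter.
entry_type() {
    t=$(awk -v a="$1" 'index($0, a ",") == 1 { sub(/,$/, "", $NF); print $NF; exit }')
    if [ -n "$t" ]; then printf '%s\n' "$t"; else printf 'missing\n'; fi
}

# check_server_alias LISTING ALIAS: 0 if ALIAS is a key entry (cert paired with its
# key), 1 if only a certificate was imported under it, 2 if the alias is absent.
check_server_alias() {
    case "$(printf '%s\n' "$1" | entry_type "$2")" in
        PrivateKeyEntry|keyEntry) echo "$2: private key present"; return 0 ;;
        trustedCertEntry) echo "$2: certificate only, no private key" >&2; return 1 ;;
        *) echo "$2: no such alias" >&2; return 2 ;;
    esac
}
# Import order that keeps the chain attached to the key (standard keytool flags; not
# run here): CA certs first under their own aliases, then the issued cert under the
# SAME alias as the private key, so keytool replaces that entry's chain.
import_chain() {   # import_chain STORE DOMAIN ca.pem subca.pem server.pem
    keytool -import -noprompt -trustcacerts -keystore "$1" -alias startcomca -file "$3" &&
    keytool -import -noprompt -trustcacerts -keystore "$1" -alias sub.class1.xmpp.ca -file "$4" &&
    keytool -import -trustcacerts -keystore "$1" -alias "${2}_rsa" -file "$5"
}

check_server_alias "$SAMPLE_LISTING" example.com_rsa
check_server_alias "$SAMPLE_LISTING" example.com || true
```

Pipe a real `keytool -list -keystore <path>` listing into `entry_type <domain>_rsa` to see which of the two Openfire keystores actually holds a key entry for the domain.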

Anyone have any suggestions?

Hey Ryan,

Any reason why you are not using the UI from the admin console to import the certs? BTW, we just released Openfire 3.6.4 that includes a fix to work with latest security algorithms used by the XMPP CA. Give it a try and let us know how it works.

Regards,

– Gato

Gato,

Thanks for the response. I’ve upgraded to 3.6.4 to no avail. At this point, I cannot try importing the cert via the GUI because all I get is the Exception error every time I browse to the /ssl-certificates.jsp page. I’ve tried deleting my keystore and creating a new one, to no avail. I’m also confused as to which keystore is actually used by Openfire. Is it the keystore in \Openfire\resources\security or is it the one in \Openfire\jre\bin? At this point, can you point me in the wrong direction to get rid of the exception and at least get back to a working state with self-signed certs?

Thanks.