S2S: 404 Not Found after Upgrade to OF 3.7.0

S2S to two friends - one using gmx.net and the other one using unixboard.de - worked fine with OF 3.6.7. Now after the upgrade to 3.7.0, Pidgin shows them as offline and also shows: “Error: 404: Remote Server Not Found”. S2S to gmail.com works fine and I can see the session in the admin interface.

Both hosts can be pinged fine from my OF server and I can also connect to their port 5269 via telnet. The warning.log shows the following:

2011.03.07 12:02:55 Error returning error to sender. Original packet:

org.jivesoftware.openfire.PacketException: Cannot route packet of type IQ or Presence to bare JID:

at org.jivesoftware.openfire.spi.RoutingTableImpl.routeToLocalDomain(RoutingTableI mpl.java:286)

at org.jivesoftware.openfire.spi.RoutingTableImpl.routePacket(RoutingTableImpl.jav a:233)

at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.return ErrorToSender(OutgoingSessionPromise.java:299)

at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(Ou tgoingSessionPromise.java:241)

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java: 886)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)

at java.lang.Thread.run(Thread.java:662)

Can anybody point me into some direction to fix this?

Try playing around a little with the security (certificate) settings. See if you specifically allow self-signed certs, things like that. Something changed in that area, although I don’t remember from the top of my head what. Let me know if you keep running into issues, and I’ll look further.

I have the same issue.

Also when I select “Server Certificates” in the admin web interface i get the following java exception:

java.security.InvalidKeyException: Supplied key (null) is not a RSAPrivateKey instance

at org.bouncycastle.jce.provider.JDKDigestSignature.engineInitSign(Unknown Source)

at java.security.Signature$Delegate.engineInitSign(Signature.java:1095)

at java.security.Signature.initSign(Signature.java:480)

at org.bouncycastle.jce.PKCS10CertificationRequest.(Unknown Source)

at org.bouncycastle.jce.PKCS10CertificationRequest.(Unknown Source)

at org.jivesoftware.util.CertificateManager.createSigningRequest(CertificateManage r.java:432)

at org.jivesoftware.openfire.admin.ssl_002dcertificates_jsp._jspService(ssl_002dce rtificates_jsp.java:549)

at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)

at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:530)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1216)

at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:11 8)

at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1187)

at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:74)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1187)

at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingF ilter.java:50)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1187)

at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:78)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1187)

at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:164)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1187)

at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:425)

at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)

at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:494)

at org.eclipse.jetty.server.session.SessionHandler.handle(SessionHandler.java:182)

at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:93 3)

at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:362)

at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:867 )

at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)

at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandler Collection.java:245)

at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.jav a:126)

at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:113)

at org.eclipse.jetty.server.Server.handle(Server.java:334)

at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:559)

at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConne ction.java:992)

at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:541)

at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:203)

at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:406)

at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:4 62)

at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436)

at java.lang.Thread.run(Thread.java:662)

I re-created my self-signed certificates and checked the checkbox “Accept self-signed certificates. Server dialback over TLS is now available.” (under Security Settings). And after a restart of OpenFire, my one buddy @unixboard.de was Online again. The other one is really offline ATM so I can’t check. But it looks good for now.

Update: Just found this old thread mentioning the exact same problem. Looks like ignite realtime should work on that error message … so that one can easier pinpoint the source of the problem.

I still have the same problem with 3.7.0. Allow self-signed certs is set to true and I’ve created new certificates.

2011.03.08 20:39:40 LocalOutgoingServerSession: OS - Trying to connect to draugr.de:5269(DNS lookup: s2s.jabberd.draugr.de:5269)
2011.03.08 20:39:40 LocalOutgoingServerSession: OS - Plain connection to draugr.de:5269 successful
2011.03.08 20:39:40 LocalOutgoingServerSession: OS - Indicating we want TLS to draugr.de
2011.03.08 20:39:40 LocalOutgoingServerSession: OS - Negotiating TLS with draugr.de
2011.03.08 20:39:40 LocalOutgoingServerSession: OS - TLS negotiation with draugr.de was successful
2011.03.08 20:39:40 LocalOutgoingServerSession: OS - Error, no SASL mechanisms or SERVER DIALBACK were offered by draugr.de
2011.03.08 20:39:40 LocalOutgoingServerSession: OS - Going to try connecting using server dialback with: draugr.de
2011.03.08 20:39:40 ServerDialback: OS - Trying to connect to draugr.de:5269(DNS lookup: s2s.jabberd.draugr.de:5269)
2011.03.08 20:39:40 ServerDialback: OS - Connection to draugr.de:5269 successful
2011.03.08 20:39:40 ServerDialback: OS - Sent dialback key to host: draugr.de id: 990188208 from domain: reucon.com
2011.03.08 20:39:40 ServerDialback: OS - Unexpected answer in validation from: draugr.de id: 990188208 for domain: reucon.com answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><c xmlns="http://jabber.org/protocol/caps" hash="sha-1" node="http://www.process-one.net/en/ejabberd/" ver="AxFG3uvIZfHAbBjOUb9t3klmoos="/></stream:features>

I’ve also got the same issue which started recently.

I’ve generated new externally signed certs, removed all plugins, allowed self-signed certs, and the server is still showing 404 errors for anything S2S.

Has anyone managed to resolve this rather serious issue yet?

XMPP Console shows:


<x xmlns='http://jabber.org/protocol/muc’/>

Thanks & regards,


For me it’s also still there for the domain gmx.net. The other one - unixboard.de - now works fine.

After switching of TLS for s2s connection the server can set up a connection to the other server again:

xmpp.server.tls.enabled = false

This shouldn’t be the final solution…

Does anybody send a bug report about this issue to issue tracker?

Hi Michael,

Thanks for the tip, I’ve tried this on my server however it did not resolve the errors…anyone else got Michael’s method working?

Kind regards,


I just downgraded to 3.6.4 by importing the db dump from before the upgrade.

Same here. S2S is not functional, with or without TLS. Paradoxically we can communicate with ICQ users thanks to Kraken gateway (1.1.3 beta - who use it too? is it possible to be problem here?) but not with other jabber users.

Looks like the same OF-443

Oh, btw. I have added the changes of Wilhelm posted in http://community.igniterealtime.org/message/206943 to my server.

After reverting the changes I still can connect to the server. Maybe you can try the following to options:

xmpp.server.certificate.accept-selfsigned = true

xmpp.server.certificate.verify.root = false

Any news here … this is pretty annoying … when will there be a bug fix release ?

This is very annoying that we do not yet have a fix for this problem …

Yeah, this problem is very annoying. Version 3.7.0 is not useable if you want to talk to people on other servers, I downgraded to 3.6.4. I really wonder why it takes so damn long for this to be fixed.

Because there are no developers to fix this.


thanks for the answer. What happened to the developers? I thought this was a half commercial software with a company supporting it? Is there any chance that there will be developers working again on this some day?