Server Name Warning?

So I recently got a certificate for my openfire server but there are a few issues I think I am having that are keeping the certificate from working properly.

  1. I get a warning image next to my server name. See attached image for what it looks like. Now, the domain points to the server ok so I am not sure why the warning is there nor do I know how to fix it. Can anyone shed some light on this?

  2. On the server certificates page I get. “Found RSA certificate that is not valid for the server domain.” The certificate is for the value set on the “Server Name”.

Any help would be greatly appreciated. Thanks.

What certificates are you using? Generated by Openfire? Maybe you have changed the server’s name after you generated or added those certificates. So maybe you should delete them and generate/add them again. Just guessing.

I got the cert through the jabber foundation. It seems though I may need to go back to them as the cert was generated for mydomain.com instead of jabber.mydomain.com. I think that is the problem.

I ran into the same problem, and have been talking to the CA people about it; what seems to be the problem is that the XMPP certificates are issued with 2 CN’s, the first being the second level domain (domain.com), the second being the actual hostname (sub.domain.com).

It seems the certs work fine (I just tested it on mine, the “old” SSL works and the web admin interface over SSL works too), but Openfire complains about it being the wrong hostname. So it seems the CertManager doesn’t know how to deal with the issued certificates here. The problem stems from a double CN in the subject/SubjectAltName of the certificate (e.g.: E=, CN=domain.com, CN=sub.domain.com, OU=, O=, etc.).

Since the certificates check out and are validated, it seems to me that it is strictly an Openfire problem. Something to look at by the devs.

Hey Wolf,

Openfire will use the value defined in the SubjectAlternativeName extension, and if no extension was found then it will rely on the SubjectDN. XMPP certificates MUST have a SubjectAlternativeName extension to be valid. Could you verify that extension in your certificate? Using the SubjectDN is just a failover method that is not XMPP compliant.

Thanks,

– Gato

Hey Gato,

dombiak_gaston wrote:

XMPP certificates MUST have a SubjectAlternativeName extension to be valid. Could you verify that extension in your certificate?

Yes, it’s there, unfortunately it’s considered an invalid type by Openfire (I looked at the debug log):

2008.05.11 19:35:41 CertificateManager: SubjectAltName of invalid type found: EMAILADDRESS={{email}}, CN=domain.com, CN=jabber.domain.com, OU=Domain validated only, O={{name}}, L={{location}}, C=SE

I’m not sure how openfire would or should deal with this kind of line, but that is what it complains about. I guess if it would know how to deal with more than one CN there as well, it might fix the issue.
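The name check Gato describes (take the names from the SubjectAltName extension, and only fall back to the subject’s CN values when no extension is present) can be run against a certificate file before it is loaded into the server, which makes the situation in the debug log above easy to reproduce on your own files. The script below is an added example written for this thread; it is not code from the thread or from Openfire. It assumes a PEM certificate, a working `openssl` command-line tool, and only looks at dNSName SAN entries (an id-on-xmppAddr otherName is printed by openssl as `othername:<unsupported>` and is ignored here). The sample certificates in the usage note are constructed with `openssl req` purely for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Openfire: mirror the rule
# Gato states (SubjectAltName first, subject CN only as the non-compliant
# fallback) using the openssl command-line tool.
#
# Assumptions: PEM input; only dNSName SAN entries are considered, and an
# id-on-xmppAddr otherName ("othername:<unsupported>" in openssl's text
# output) is ignored.

# Succeeds when the certificate carries a SubjectAltName extension at all.
san_present() {
    openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Subject Alternative Name'
}

# Print the dNSName entries of the SubjectAltName extension, one per line.
san_dns_names() {
    openssl x509 -in "$1" -noout -text \
      | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Print every CN in the subject, one per line. RFC2253 output looks like
# "subject=CN=b,CN=a" (order reversed, no spaces around '='); a subject can
# carry more than one CN, which is exactly the situation in this thread.
# (Commas escaped inside a value would be split here; fine for hostnames.)
subject_cns() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
      | sed 's/^subject=[[:space:]]*//' \
      | tr ',' '\n' \
      | sed -n 's/^CN=//p'
}

# check_xmpp_cert CERT.pem DOMAIN
# Exit status 0: DOMAIN is covered by a dNSName in the SAN (compliant).
# Exit status 2: no SAN; DOMAIN found only through the subject CN fallback.
# Exit status 1: DOMAIN is not among the names the server would look at.
check_xmpp_cert() {
    cert=$1
    domain=$2
    if san_present "$cert"; then
        source="SubjectAltName"
        names=$(san_dns_names "$cert")
    else
        source="SubjectDN (non-compliant fallback)"
        names=$(subject_cns "$cert")
    fi
    for n in $names; do
        if [ "$n" = "$domain" ]; then
            echo "$domain matched via $source"
            case $source in
                SubjectAltName) return 0 ;;
                *)              return 2 ;;
            esac
        fi
    done
    echo "$domain not covered; names taken from $source: $(printf '%s ' $names)"
    return 1
}

# Usage: check_xmpp_cert /path/to/server.pem jabber.mydomain.com
```

A certificate whose SAN extension exists but holds no dNSName entry (only an otherName or a directoryName, which is roughly what the “SubjectAltName of invalid type found” log line is complaining about) yields exit status 1 with an empty name list, even if the subject carries the right CN, because the fallback only applies when the extension is absent. To try it on constructed data, `openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=domain.com/CN=jabber.domain.com" -addext "subjectAltName=DNS:jabber.domain.com" -keyout k.pem -out san.pem` produces a certificate that passes for jabber.domain.com; the same command without `-addext` produces one that only passes through the fallback.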