Server to Server Test failed

Hi,

My Openfire 4.2.1 can’t connect to jabber.ccc.de. The result of the server to server test is below. Connection test to e.g. jabber.de works well. Is there something I can do?

Jürgen

Mon Dec 11 21:11:59 CET 2017: INFO: Sending server to server ping request to jabber.ccc.de
Mon Dec 11 21:11:59 CET 2017: INFO: STARTTLS negotiation failed. Closing connection (without sending any data such as <failure/> or </stream>).
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
	at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
	at sun.security.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
	at sun.security.ssl.SSLEngineImpl.wrap(Unknown Source)
	at javax.net.ssl.SSLEngine.wrap(Unknown Source)
	at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:289)
	at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:174)
	at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:194)
	at org.jivesoftware.openfire.session.LocalOutgoingServerSession.secureAndAuthenticate(LocalOutgoingServerSession.java:407)
	at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:297)
	at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain(LocalOutgoingServerSession.java:206)
	at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:260)
	at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:238)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
	at sun.security.ssl.Alerts.getSSLException(Unknown Source)
	at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
	at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
	at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
	at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
	at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
	at sun.security.ssl.Handshaker.processLoop(Unknown Source)
	at sun.security.ssl.Handshaker$1.run(Unknown Source)
	at sun.security.ssl.Handshaker$1.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
	at org.jivesoftware.openfire.net.TLSStreamHandler.doTasks(TLSStreamHandler.java:340)
	at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:250)
	... 10 more
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
	at org.jivesoftware.openfire.keystore.OpenfireX509TrustManager.checkServerTrusted(OpenfireX509TrustManager.java:108)
	at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source)
	... 19 more
Caused by: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
	at org.bouncycastle.jce.provider.PKIXCertPathBuilderSpi.engineBuild(Unknown Source)
	at java.security.cert.CertPathBuilder.build(Unknown Source)
	at org.jivesoftware.openfire.keystore.OpenfireX509TrustManager.checkChainTrusted(OpenfireX509TrustManager.java:261)
	at org.jivesoftware.openfire.keystore.OpenfireX509TrustManager.checkServerTrusted(OpenfireX509TrustManager.java:104)
	... 20 more
Mon Dec 11 21:11:59 CET 2017: WARN: Unable to create a new session: exhausted all options (not trying dialback as a fallback, as server dialback is disabled by configuration.
Mon Dec 11 21:11:59 CET 2017: WARN: Unable to authenticate: Fail to create new session.
Mon Dec 11 21:11:59 CET 2017: INFO: Successful server to server response received.
Mon Dec 11 21:11:59 CET 2017: ERROR: Primary packet routing failed
org.jivesoftware.openfire.PacketException: Cannot route packet of type IQ or Presence to bare JID: <iq type="error" id="63-2022" to="jabber.jloh.de" from="jabber.ccc.de"><ping xmlns="urn:xmpp:ping"/><error code="404" type="cancel"><remote-server-not-found xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/></error></iq>
	at org.jivesoftware.openfire.spi.RoutingTableImpl.routeToLocalDomain(RoutingTableImpl.java:309)
	at org.jivesoftware.openfire.spi.RoutingTableImpl.routePacket(RoutingTableImpl.java:242)
	at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.returnErrorToSender(OutgoingSessionPromise.java:342)
	at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:241)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
Mon Dec 11 21:11:59 CET 2017: INFO: Failed to establish server to server session.

Have you tried testing things at the XMPP Observatory?

Yes, I did, jabber.ccc.de has grade “A”:

https://xmpp.net/result.php?domain=jabber.ccc.de&type=server

I did the same with my server (at messaging.one):

https://check.messaging.one/result.php?domain=jabber.jloh.de&type=server

Openfire does not appear to properly detect the issuer of the jabber.ccc.de domain. This appears to be Let’s Encrypt. Try adding the root and intermediate certificates from Let’s Encrypt to your Openfire truststore. This can be needed if you upgraded Openfire from an earlier version (fresh installs of Openfire should already contain the required certificates).
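
The "No issuer certificate for certificate in certification path found" failure from the log and the truststore fix suggested above, reproduced as an added example that is not part of the original thread and is not Openfire code. It uses `openssl verify` as a stand-in for Java's PKIX path builder, with constructed throwaway certificates; all file names and the `issue`, `verify_leaf` and `report` helpers are made up for the illustration.

```shell
#!/bin/sh
# Added example. Every certificate here is a constructed throwaway, not a real
# Let's Encrypt or jabber.ccc.de certificate.

# issue NAME X509_ARGS...: create NAME.key and NAME.pem (constructed test cert).
issue() {
  name=$1; shift
  openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
    -out "$name.csr" -subj "/CN=constructed $name" 2>/dev/null &&
  openssl x509 -req -in "$name.csr" -days 2 -out "$name.pem" "$@" 2>/dev/null
}

# verify_leaf TRUSTFILE [PRESENTED]: can leaf.pem be chained to TRUSTFILE?
# PRESENTED is an intermediate the peer sent in the handshake (untrusted input).
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" leaf.pem
  else
    openssl verify -CAfile "$1" leaf.pem
  fi >/dev/null 2>&1
}

report() {
  if verify_leaf "$2" "$3"; then echo "$1: trusted"; else echo "$1: rejected"; fi
}

work=$(mktemp -d) && cd "$work" || exit 1
trap 'rm -rf "$work"' EXIT
echo 'basicConstraints=critical,CA:TRUE' > ca.ext

issue old-root     -signkey old-root.key -extfile ca.ext
issue new-root     -signkey new-root.key -extfile ca.ext
issue intermediate -CA new-root.pem -CAkey new-root.key -set_serial 2 -extfile ca.ext
issue leaf         -CA intermediate.pem -CAkey intermediate.key -set_serial 3

cp old-root.pem stale.pem                            # store carried over from an older install
cat old-root.pem new-root.pem > with-root.pem        # issuing root imported
cat with-root.pem intermediate.pem > with-both.pem   # root and intermediate imported

report "stale store, peer sends intermediate" stale.pem intermediate.pem
report "root only, peer sends leaf only"      with-root.pem
report "root only, peer sends intermediate"   with-root.pem intermediate.pem
report "root + intermediate, leaf only"       with-both.pem

# Importing a CA into a Java truststore (values in <> are placeholders):
#   keytool -importcert -alias <alias> -file <ca.pem> -keystore <truststore> -storepass <password>
```

The first two cases are rejected and the last two are trusted: the root alone is enough only when the peer presents its intermediate, which is why importing both is the robust fix.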

Importing Let’s Encrypt certificates helped, now I can connect with jabber.ccc.de and others.

Thanks!