Spark 2.8 and newer - unable to verify certificate

Hello,

Why do Spark 2.8 and newer snapshot builds not work with an Openfire server that has a complete SSL cert installed?

I’ve tried BOTH a “Letsencrypt” certificate, along with a completely paid SSL cert by Comodo (multidomain) to match my FQDN “xmpp.example.com”.

Cert installed just fine… “service openfire restart”, etc… Server properties and environment show a correctly configured server.

However, every time I connect to the Openfire XMPP server with Spark I receive the message “Unable to verify certificate”.

I do NOT deem a solution of “checking accept all certificates” a valid work-around or solution.

Is there any fix for this?

xmpp.socket.ssl.active = true

xmpp.socket.ssl.client.certificate.accept-selfsigned = false

Your Openfire cert should match your xmpp.domain, not necessarily your xmpp.fqdn.

This could be that the root CA that signed your cert is not in the Java store used by Spark.

Actually, I just hit this issue. I imported a new wildcard in Openfire, and Spark gave me fits. Turned out that I didn’t import the full chain with my cert. Once I did that, all was good.

I’ve imported the root CA that signed my cert (Comodo).

As far as the cert matching my “xmpp.domain”, it 100% matches my domain name.

My FQDN and domain name are the same on this server, as it’s not being tied into Active Directory or LDAP. Running separate.

HOWEVER – now suddenly, it appears my Openfire server has lost its FQDN hostname setting?!

It reverted back to ‘localhost’. I’ve tried to rename this setting within server properties, and also within the DNS settings area… no dice. It goes back to ‘localhost’.

I also made sure my /etc/hosts file was proper, along with my hostname in /etc/hostname.

Do I need to re-run installer?

But did you import the whole chain… to include the intermediate certs?

Yes I did…

Spark 2.7.7 works beautifully without issue or complaint. Tried using the latest version of the Trillian client as well; it works – however it throws an erroneous warning about how the server certificate does not directly match, even though within the warning it says / shows the hostname/server being the same exact FQDN.

2.7.7 works because it doesn’t care what certificate you use. Is it expired or forged? No matter. So, another client tells you that your certificate doesn’t match. Try another one. Say Pidgin.

Understood, but it’s EFFing annoying!

I had Trillian XMPP Server (trial) using a corp wildcard cert; it worked beautifully without any issue. Then I migrated to Openfire and tried using the same exact wildcard SSL cert… issues, even after following various guides and re-creating the cert store and rebuilding.

I have a separate hosted Openfire server that I’m now using with my Asterisk servers with Asterisk-IM. However, this cert issue is making me grind my gears and really pissing me off.

I just paid for a separate SSL cert to explicitly match the FQDN, and still the issue…

Just tried Pidgin, same shit.

Certificate Information

Common name: xxxxx.ajavoicetech.com

Issued By: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Activation date: Wed Mar 15 20:00:00 2017

Expiration date: Fri Mar 16 19:59:59 201

Accept certificate for xxxxx.ajavoicetech.com?

The certificate for xxxxx.ajavoicetech.com could not be validated.

The certificate is not trusted because no certificate that can verify it is currently trusted.

This issue is with the certificate import.

Try the following:

In the “Content of Certificate file” box, make sure you copy the whole chain, so your cert will have multiple parts, something like:

-----BEGIN CERTIFICATE-----
blah blah blah
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
blah blah blah
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
blah blah blah
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
blah blah blah
-----END CERTIFICATE-----
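As an added example (not code from this thread or from the Openfire or Spark projects), here is a stand-alone Python check for the kind of bundle described above: it splits the pasted text into its -----BEGIN CERTIFICATE----- blocks and verifies that there is more than one and that each certificate's issuer is the subject of the certificate that follows it, which is what a leaf-then-intermediates-then-root bundle should look like. The certificates it runs on are constructed, X.509-shaped stand-ins built inside the script (no keys, no real signatures), not real Comodo or Let's Encrypt certificates; the host name xmpp.example.com is the one from the opening post.

```python
"""Check that a PEM bundle, as pasted into Openfire's "Content of Certificate
file" box, holds a complete, correctly ordered chain (leaf, then each issuer).
Standard library only: a minimal DER walker pulls the raw issuer and subject
Name encodings out of each certificate and compares them. The certificates at
the bottom are constructed stand-ins for this example, not real ones."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_blocks(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]


def der_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the value of a constructed DER element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def issuer_and_subject(cert_der):
    """Return (issuer Name value, subject Name value) of one X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
                                  signature, issuer, validity, subject, ... }"""
    tbs = der_children(der_tlv(cert_der)[1])[0][1]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                           # drop explicit [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]


def check_chain(pem_text):
    """Return (ok, messages): ok only if there are at least two certificates
    and every certificate's issuer is the subject of the one that follows."""
    certs = pem_blocks(pem_text)
    if not certs:
        return False, ["no CERTIFICATE blocks found"]
    msgs, ok = [], len(certs) > 1
    if not ok:
        msgs.append("only one certificate: the CA chain (intermediates) is missing")
    names = [issuer_and_subject(c) for c in certs]
    for i in range(len(certs) - 1):
        if names[i][0] != names[i + 1][1]:
            ok = False
            msgs.append(f"certificate {i} is not issued by certificate {i + 1}: "
                        "chain out of order or incomplete")
    if ok:
        msgs.append(f"{len(certs)} certificates, chain order is consistent")
    return ok, msgs


# --- constructed test certificates (no keys, no real signatures) -------------
def der_encode(tag, body):
    """Encode one DER element with short- or long-form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String cn } } }"""
    attr = der_encode(0x30, der_encode(0x06, b"\x55\x04\x03") + der_encode(0x0C, cn.encode()))
    return der_encode(0x30, der_encode(0x31, attr))


def fake_cert(subject_cn, issuer_cn):
    """X.509-shaped DER carrying only the fields the checker reads."""
    sha256_rsa = der_encode(0x30, der_encode(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02"))   # version v3
                     + der_encode(0x02, b"\x01")                          # serialNumber
                     + sha256_rsa + der_name(issuer_cn)
                     + der_encode(0x30, b"")                              # validity (placeholder)
                     + der_name(subject_cn))
    return der_encode(0x30, tbs + sha256_rsa + der_encode(0x03, b"\x00" * 9))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LEAF = fake_cert("xmpp.example.com", "Example Intermediate CA")
INTERMEDIATE = fake_cert("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert("Example Root CA", "Example Root CA")
FULL_CHAIN = to_pem(LEAF) + to_pem(INTERMEDIATE) + to_pem(ROOT)   # what Openfire needs
LEAF_ONLY = to_pem(LEAF)                                          # the mistake in the thread
WRONG_ORDER = to_pem(INTERMEDIATE) + to_pem(LEAF) + to_pem(ROOT)

if __name__ == "__main__":
    for label, bundle in (("full chain", FULL_CHAIN), ("leaf only", LEAF_ONLY),
                          ("wrong order", WRONG_ORDER)):
        ok, msgs = check_chain(bundle)
        print(f"{label}: {'OK' if ok else 'PROBLEM'}; " + "; ".join(msgs))
```

To run it against a real bundle, call check_chain(open(path).read()) on the file you are about to paste. It checks only structure and ordering, not signatures or trust, so a bundle that passes still needs its root CA present in the Java truststore Spark uses, as pointed out earlier in the thread.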

Understood. I thought I had already combined the certs (ca-bundle + issued crt).

I will try this again and report back.

Argh, I had this same exact freaking problem and was getting this error as well on my wildcard certificate. As speedy mentions, you have to include both your certificate and all of your certificate authority’s certificates in the chain in the same field to make it work.