SSL problems

I tried importing a new SSL cert according to the SSL Guide, and ran into a few problems. I don't seem to be able to change the keystore password. The keytool command succeeds (and I can verify with other keytool commands that the password I change it to is correct), but Wildfire doesn't seem to be able to open the keystore. Here is the error:

2006.01.19 09:55:18 [org.jivesoftware.wildfire.net.SSLConfig.<init>(SSLConfig.java:76)] SSLConfig startup problem.
storeType:
keyStoreLocation: /opt/wildfire/resources/security/keystore
keypass:
trustStoreLocation: /opt/wildfire/resources/security/truststore
trustpass:
java.io.IOException: Cannot recover key
    at org.jivesoftware.wildfire.net.SSLJiveServerSocketFactory.getInstance(SSLJiveServerSocketFactory.java:54)
    at org.jivesoftware.wildfire.net.SSLConfig.<init>(XMPPServer.java:134)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at java.lang.Class.newInstance0(Unknown Source)
    at java.lang.Class.newInstance(Unknown Source)
    at org.jivesoftware.wildfire.starter.ServerStarter.start(ServerStarter.java:88)
    at org.jivesoftware.wildfire.starter.ServerStarter.main(ServerStarter.java:49)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.exe4j.runtime.LauncherEngine.launch(Unknown Source)
    at com.install4j.runtime.Launcher.main(Unknown Source)

2006.01.19 09:55:18 org.jivesoftware.wildfire.spi.ConnectionManagerImpl.startClientSSLListeners(ConnectionManagerImpl.java:209) Could not setup SSL socket
java.io.IOException
    at org.jivesoftware.wildfire.net.SSLConfig.createServerSocket(SSLConfig.java:148)
    at org.jivesoftware.wildfire.net.SSLSocketAcceptThread.<init>(XMPPServer.java:134)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at java.lang.Class.newInstance0(Unknown Source)
    at java.lang.Class.newInstance(Unknown Source)
    at org.jivesoftware.wildfire.starter.ServerStarter.start(ServerStarter.java:88)
    at org.jivesoftware.wildfire.starter.ServerStarter.main(ServerStarter.java:49)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.exe4j.runtime.LauncherEngine.launch(Unknown Source)
    at com.install4j.runtime.Launcher.main(Unknown Source)

2006.01.19 09:55:20 org.jivesoftware.wildfire.container.AdminConsolePlugin.initializePlugin(AdminConsolePlugin.java:170) Trouble initializing admin console
org.mortbay.util.MultiException[java.io.IOException: Could not create JsseListener: java.security.UnrecoverableKeyException: Cannot recover key]
    at org.mortbay.http.HttpServer.doStart(HttpServer.java:673)
    at org.mortbay.util.Container.start(Container.java:72)
    at org.jivesoftware.wildfire.container.AdminConsolePlugin.initializePlugin(AdminConsolePlugin.java:164)
    at org.jivesoftware.wildfire.container.PluginManager.loadPlugin(PluginManager.java:281)
    at org.jivesoftware.wildfire.container.PluginManager.access$200(PluginManager.java:48)
    at org.jivesoftware.wildfire.container.PluginManager$PluginMonitor.run(PluginManager.java:658)
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.util.concurrent.FutureTask$Sync.innerRunAndReset(Unknown Source)
    at java.util.concurrent.FutureTask.runAndReset(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
java.io.IOException: Could not create JsseListener: java.security.UnrecoverableKeyException: Cannot recover key
    at org.mortbay.http.JsseListener.newServerSocket(JsseListener.java:218)
    at org.mortbay.util.ThreadedServer.open(ThreadedServer.java:466)
    at org.mortbay.util.ThreadedServer.start(ThreadedServer.java:495)
    at org.mortbay.http.SocketListener.start(SocketListener.java:203)
    at org.mortbay.http.HttpServer.doStart(HttpServer.java:703)
    at org.mortbay.util.Container.start(Container.java:72)
    at org.jivesoftware.wildfire.container.AdminConsolePlugin.initializePlugin(AdminConsolePlugin.java:164)
    at org.jivesoftware.wildfire.container.PluginManager.loadPlugin(PluginManager.java:281)
    at org.jivesoftware.wildfire.container.PluginManager.access$200(PluginManager.java:48)
    at org.jivesoftware.wildfire.container.PluginManager$PluginMonitor.run(PluginManager.java:658)
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.util.concurrent.FutureTask$Sync.innerRunAndReset(Unknown Source)
    at java.util.concurrent.FutureTask.runAndReset(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

2006.01.19 10:00:51 org.jivesoftware.wildfire.net.SSLJiveServerSocketFactory.getInstance(SSLJiveServerSocketFactory.java:53)
java.security.UnrecoverableKeyException: Cannot recover key
    at sun.security.provider.KeyProtector.recover(Unknown Source)
    at sun.security.provider.JavaKeyStore.engineGetKey(Unknown Source)
    at java.security.KeyStore.getKey(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl. EXCEPTION
javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
    at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(Unknown Source)
    at org.mortbay.util.ThreadedServer.acceptSocket(ThreadedServer.java:423)
    at org.mortbay.util.ThreadedServer$Acceptor.run(ThreadedServer.java:608)

Only by changing the password back to changeit and putting the original certs back can I get back into the admin console. What went wrong?

I should also note that it was not obvious in the documentation where or how to set the new keystore password in Wildfire. I ended up manually setting it in the database since I can't log into the admin interface without SSL (as per previous configs) and I can't set the password in the xml config.
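The "Cannot recover key" thrown from KeyProtector.recover in the trace above is the symptom of a key entry whose own password no longer matches: keytool's store-password change leaves each entry's password untouched, while the server opens both the store and the key with the single configured keypass. The Java example below is an added illustration, not code from the thread or from Wildfire; it rebuilds that mismatch in memory, using a JCEKS store with a secret-key entry in place of the JKS store with the certificate's private key (per-entry passwords work the same way), and the alias and passwords are constructed values.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeystorePasswordMismatch {
    // Constructed alias for the demo; the thread does not show the real one.
    static final String ALIAS = "wildfire";

    // Build a JCEKS store whose single key entry is protected by keyPass
    // while the store itself is sealed with storePass. This is the state a
    // "keytool -storepasswd" leaves behind: entry passwords are untouched.
    static byte[] buildStore(char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);                               // fresh, empty store
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(keyPass));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);
        return out.toByteArray();
    }

    // Open the store the way a server with one configured "keypass" does:
    // load() verifies the store password, getKey() needs the entry password.
    static String tryOpen(byte[] store, char[] storePass, char[] keyPass) {
        try {
            KeyStore ks = KeyStore.getInstance("JCEKS");
            ks.load(new ByteArrayInputStream(store), storePass);
            ks.getKey(ALIAS, keyPass);
            return "key recovered";
        } catch (UnrecoverableKeyException e) {
            return "UnrecoverableKeyException (" + e.getMessage() + ")";
        } catch (Exception e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        char[] oldPass = "changeit".toCharArray();
        char[] newPass = "newpass".toCharArray();       // constructed value
        // After "keytool -storepasswd -new newpass": store=newpass, entry=changeit.
        byte[] store = buildStore(newPass, oldPass);
        // One password for both, as the server does: the store opens, the key does not.
        System.out.println("store+key=newpass   -> " + tryOpen(store, newPass, newPass));
        // The entry still answers to the old password, which is why the fix is
        // "keytool -keypasswd -alias <alias> -new newpass" so both match again.
        System.out.println("store=newpass,key=old -> " + tryOpen(store, newPass, oldPass));
    }
}
```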

I'm having this problem right now with 2.5.1 and a cert I got from Thawte.

When I import the cert (-alias machine.full.name), it works.

When I remove the rsa cert, it works.

When I remove the dsa cert, it breaks.

I've tried the import with and without the -trustcacerts option.

I'd really, really like some guidance on how this should work.

I just had a flash of brilliance. (or is that realization of stupidity?)

When importing the new signed cert, is the self-signed cert supposed to still be in the keystore file?

Once you've imported the CA cert and removed the default "rsa" and "dsa" certs, should there be one entry or two?

Message was edited by: atlauren

I'm getting closer. Using the Thawte instructions for Tomcat, I created a new keystore, generated a CSR and received the certificate. I then had to use the OpenSSL tools to convert the x.509 cert to PKCS#7 format. Now Wildfire seems to like the cert. I have other errors, but I think they're due to other issues.

Generate key:

http://www.thawte.com/ssl-digital-certificates/technical-support/keygen/tomcat_keygen.html

Install key:

http://www.thawte.com/ssl-digital-certificates/technical-support/keygen/tomcat_install.html

Convert cert (if needed):

http://www.claushc.dk/ssl/

Message was edited by: atlauren