
SSL signed cert with RapidSSL broke Openfire

Hello and thx in advance for your help,

after successfully testing Openfire functionalities we decided to sign the self-signed certificate automatically generated by Openfire.

We generated the CSR from the web interface (http://xxx.offsec.com:9090/ssl-certificates.jsp), obtained the answers (INSTALL CERTIFICATE and INTERMEDIATE CA) from RapidSSL and put them back inside the two text fields on the same page http://xxx.offsec.com:9090/ssl-certificates.jsp, restarted Openfire and everything looks fine, as we have two host alias entries on that page:

  1. RapidSSL CA (xxx.mydomain.com_rsa) Feb 18, 2020 CA Signed RSA

  2. xxx.mydomain.com (xxx.mydomain.com_dsa) Nov 24, 2014 CA Signed RSA

The problem is that whenever we try to log in now, first of all we are prompted with an untrusted certificate (signed by the RapidSSL CA) complaining about a host mismatch, even though the host in the certificate is exactly the domain we are using to access Openfire (the DNS name is set up correctly and it's showing in the server properties too). Second, and more important, we can't log in anymore: even if we continue and accept the untrusted certificate the client hangs. We tried Spark and iChat.

If I completely disable SSL in both client and server I can log in normally.

What am I missing?

Does the admin interface have the same problem? Connect to https://whatever:9091/

Is there an intermediate CA that goes with the RapidSSL Root CA? Never used RapidSSL, but pretty much every CA I deal with uses an intermediate CA for signing stuff.

Other thing would be to use openssl (if you are on a UNIX platform) and connect to the HTTPS admin port and see what it thinks of the certificate chaining.

openssl s_client -connect whatever:9091

It should spit out a bunch of stuff, including chain verification and certificate details.

Did the clients work with SSL before you installed a signed certificate? In general, it’s easier just to build a new key from scratch, get that signed then import it all into Openfire, rather than signing what it generates.
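The two checks the reply above points at, chain verification (is the intermediate CA actually being served?) and hostname matching, can be exercised without a live Openfire server. The script below is an added example, not code from the thread or from Openfire: it builds a throwaway root -> intermediate -> leaf chain with openssl and runs `openssl verify` over it with and without the intermediate, then with a matching and a non-matching hostname. The hostname `xmpp.example.test`, the CA names and the temp-directory layout are all made up; it assumes an OpenSSL that supports `openssl verify -verify_hostname` (1.1.0 or later).

```shell
#!/bin/sh
# Added example (not from the original thread or from Openfire): reproduce the
# two checks the reply suggests, chain verification and hostname matching,
# against a throwaway root -> intermediate -> leaf chain generated locally, so
# nothing has to talk to a live server. HOST and the CA names are constructed.
set -eu

HOST="xmpp.example.test"          # assumed server name; swap in your own
WORK="$(mktemp -d)"

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_chain() {
  # Self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/req.cnf" -extensions ca_ext -subj "/CN=Lab Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root (this is the "INTERMEDIATE CA" piece)
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=Lab Intermediate CA" -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/inter.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/inter.ext" -out "$WORK/inter.pem" 2>/dev/null
  # Server (leaf) certificate, signed by the intermediate, hostname in a SAN
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=$HOST" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > "$WORK/leaf.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" \
    -CAkey "$WORK/inter.key" -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# What a client sees if the server sends only the leaf: trusting the root alone
# cannot complete the chain ("unable to get local issuer certificate").
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same check with the intermediate supplied as an untrusted chain certificate,
# i.e. the server is sending it alongside the leaf.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Hostname check: the name the client connects to must match the SAN.
verify_hostname() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
    -verify_hostname "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

make_chain
if verify_leaf_only; then echo "leaf alone: OK"; else echo "leaf alone: FAIL (missing intermediate)"; fi
if verify_with_intermediate; then echo "with intermediate: OK"; else echo "with intermediate: FAIL"; fi
if verify_hostname "$HOST"; then echo "hostname $HOST: OK"; else echo "hostname $HOST: FAIL"; fi
if verify_hostname "other.example.test"; then echo "hostname other.example.test: OK"; else echo "hostname other.example.test: FAIL (mismatch)"; fi

# Against a live server the equivalent probe is (assumed host name):
#   openssl s_client -connect xmpp.example.test:9091 -servername xmpp.example.test -showcerts </dev/null
# Read the "Certificate chain" block (is depth 1 the intermediate, or is the
# leaf alone?) and the "Verify return code" line.
```

The first verification fails and the second succeeds only because the intermediate is supplied as an untrusted chain certificate; a client that receives the leaf alone is in exactly the first situation, which is why the reply asks whether the intermediate is installed and served. The last line shows that a hostname mismatch is a separate failure from an incomplete chain, so both need to be checked against the live port with `s_client -showcerts`.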