
Trouble with SSL certificate


Today I wanted to install our new CA-signed SSL certificate into Openfire Server. So after the first failed trial-and-error attempt, I found the documentation that explains to me how complicated SSL seems to be with Java. I changed the keystore password, imported the signed certificate (which must be alone in that file, it seems) and updated the Openfire settings. After a restart, port 5223 is closed and the web interface is broken:



at org.jivesoftware.wildfire.net.SSLConfig.getKeyStore(SSLConfig.java:155)
at org.jivesoftware.wildfire.admin.index_jsp._jspService(index_jsp.java:291)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)


What can I do to make it work again? Currently, I'm offline from the XMPP server and the web interface. All that's left is SSH and MySQL.

PS: The certificate, together with the private key, works fine with Apache, Exim, Courier-IMAP and ProFTPd. There's no intermediate certificate, as I was told Java wouldn't support that.

Okay, I'm back online for now. It doesn't seem to be a good idea to change the password of the keystore. I changed it back to the default password and removed the new property line from the database table. Now all services are back again and the web interface uses the new SSL certificate. (It still issues a warning, I guess because of the different port number. But Firefox can remember the "Yes, go ahead"...) I assume that XMPP uses it, too. Only, I can't view the SSL certificates page any more from the web interface. When I try, I get this error message full-screen:

java.security.InvalidKeyException: Supplied key (null) is not a RSAPrivateKey instance
at org.bouncycastle.jce.provider.JDKDigestSignature.engineInitSign(Unknown Source)
at java.security.Signature.initSign(Unknown Source)
at org.bouncycastle.jce.PKCS10CertificationRequest.<init>(Unknown Source)
at org.bouncycastle.jce.PKCS10CertificationRequest.<init>(Unknown Source)
at org.jivesoftware.util.CertificateManager.createSigningRequest(CertificateManager.java:330)
at org.jivesoftware.wildfire.admin.ssl_002dcertificates_jsp._jspService(ssl_002dcertificates_jsp.java:356)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)


But this is not important to me, since that page doesn't seem to have a use anyway.

PS: Here's the document I was referring to: http://www.igniterealtime.org/builds/wildfire/docs/latest/documentation/ssl-guide.html

Using Wildfire Server 3.2.2.

Oops, XMPP does use that certificate, but Psi claims it is "self-signed", which it definitely wasn't before I imported it into the keystore. Hm, seems there's no use in taking a signed certificate here. But at least it works again.
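Added example, written for this edit; it is not code from the thread, from Openfire/Wildfire or from the linked SSL guide. Two things above have a cause you can see directly with keytool. One straightforward way to get "Supplied key (null) is not a RSAPrivateKey instance" is a keystore alias that holds a certificate but no private key behind it, which is exactly what importing the certificate on its own with keytool -importcert into a fresh alias creates (a trustedCertEntry rather than a PrivateKeyEntry). And a client sees the certificate as "self-signed"/untrusted when the server presents only the leaf: a Java key entry sends whatever chain was imported together with the key, so the intermediate (or the root, if the CA signs directly) does have to go into the same entry. The script builds a throw-away root -> intermediate -> server chain (constructed test data, no real keys), imports the server certificate both the wrong way and the right way, and reads back what each keystore actually contains. Assumed, not from the page: the alias xmpp, the host name xmpp.example.test, the default keystore password changeit, and openssl/keytool versions that accept these options (keytool -importkeystore exists from Java 6 on).

```shell
#!/bin/sh
# Added example; not code from the thread above or from Openfire/Wildfire.
# Builds a constructed root -> intermediate -> server chain, imports the server
# certificate the wrong way (cert only) and the right way (key + cert + chain
# as one PKCS#12 entry), then inspects what the keystore really holds.
# Assumed, not from the page: alias "xmpp", host xmpp.example.test, password
# "changeit", and openssl / keytool versions that accept these options.

write_cnf() {  # $1 = path; minimal OpenSSL config for the three certificates
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ srv_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:xmpp.example.test
EOF
}

make_test_chain() {  # $1 = work dir; throw-away keys and certificates
  d=$1
  write_cnf "$d/x.cnf"
  for n in root int server; do openssl genrsa -out "$d/$n.key" 2048 2>/dev/null; done
  openssl req -new -x509 -key "$d/root.key" -out "$d/root.crt" -days 2 \
    -subj "/CN=Example Test Root CA" -config "$d/x.cnf" -extensions ca_ext
  openssl req -new -key "$d/int.key" -out "$d/int.csr" \
    -subj "/CN=Example Test Intermediate CA" -config "$d/x.cnf"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/x.cnf" -extensions ca_ext -out "$d/int.crt"
  openssl req -new -key "$d/server.key" -out "$d/server.csr" \
    -subj "/CN=xmpp.example.test" -config "$d/x.cnf"
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -extfile "$d/x.cnf" -extensions srv_ext -out "$d/server.crt"
  # The intermediate (plus root) is what a real CA hands over next to the leaf.
  cat "$d/int.crt" "$d/root.crt" > "$d/chain.pem"
}

# Wrong: the certificate on its own. keytool stores a trustedCertEntry, a cert
# with no private key behind it, so whatever later asks the keystore for the
# key under this alias gets null.
import_cert_only() {  # $1 = cert, $2 = keystore, $3 = alias, $4 = password
  keytool -importcert -noprompt -file "$1" -keystore "$2" -alias "$3" -storepass "$4"
}

# Right: key, leaf and chain bundled under ONE friendly name and moved over as
# one PrivateKeyEntry. Key password == store password, because Openfire 3.x
# unlocks both with the same secret.
import_key_and_chain() {  # $1 = work dir, $2 = keystore, $3 = alias, $4 = password
  openssl pkcs12 -export -inkey "$1/server.key" -in "$1/server.crt" \
    -certfile "$1/chain.pem" -name "$3" -passout "pass:$4" -out "$1/server.p12"
  keytool -importkeystore -noprompt \
    -srckeystore "$1/server.p12" -srcstoretype PKCS12 -srcstorepass "$4" -srcalias "$3" \
    -destkeystore "$2" -deststoretype JKS -deststorepass "$4" -destkeypass "$4" -destalias "$3"
}

entry_type() {  # $1 = keystore, $2 = alias, $3 = password -> PrivateKeyEntry or trustedCertEntry
  keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null | sed -n 's/^Entry type: //p'
}

chain_length() {  # $1 = keystore, $2 = alias, $3 = password -> number of certs sent with the key
  keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null | sed -n 's/^Certificate chain length: //p'
}

# What a client such as Psi does: the leaf verifies only if it is shown the
# intermediate and already trusts the root.
verify_chain() {  # $1 = work dir
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/server.crt" >/dev/null 2>&1
}

main() {
  for t in openssl keytool; do
    command -v "$t" >/dev/null 2>&1 || { echo "need $t on PATH" >&2; return 1; }
  done
  w=$(mktemp -d) || return 1
  make_test_chain "$w" 2>/dev/null
  import_cert_only "$w/server.crt" "$w/wrong.jks" xmpp changeit >/dev/null 2>&1
  echo "cert-only import : $(entry_type "$w/wrong.jks" xmpp changeit)"
  import_key_and_chain "$w" "$w/keystore" xmpp changeit >/dev/null 2>&1
  echo "key+chain import : $(entry_type "$w/keystore" xmpp changeit), chain length $(chain_length "$w/keystore" xmpp changeit)"
  verify_chain "$w" && echo "leaf verifies against the root via the intermediate"
  rm -rf "$w"
}
main
```

Run it with `sh import-chain.sh`; the two entry_type lines are the whole point. For a production keystore, point import_key_and_chain at the real key, the CA-issued certificate and the chain file the CA supplied, and use the existing keystore as the destination. Whatever password the keystore ends up with, the 3.x server reads the same value from the xmpp.socket.ssl.keypass property (the one SSLConfig in the first trace consults) and uses it for the key entry as well, so a changed password works only when the store password, the key password and that property all agree; leaving all three at the default is the quick fix this thread settles on.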

Maybe Psi doesn't know the root certificate?

Hm, that could be. Does anyone know how to teach Psi 0.9.3 (yeah, my good old customised Psi...) new root certificates? Otherwise, I don't have a problem with that, actually. It was just a nice-to-have thing that the Jabber server uses the "official" certificate.