*WORKING* SSL Setup Instructions?

I have spent hours fighting with installing certificates into OpenFire - IT DOES NOT WORK! Does anyone have WORKING instructions for installing a CA certificate, and a key & certificate into an OpenFire server? I’ve been over the OpenFire SSL guide and numerous other sites and I always end up with OpenFire clients complaining about a self-signed cert (of which there is none) or the &@^&$*&@ useless “supplied key (null) is not a RSAPrivateKey instance” error when I click on Server / Server Settings / Server Certificates.

The procedure I had the most confidence in, but did not work, was:

--- verify keystore is empty ---
tun # jre/bin/keytool -keystore ./resources/security/keystore -list
--- import CA certificate ---
tun # jre/bin/keytool -keystore ./resources/security/keystore -import -alias cacert -file /tmp/cacert.pem
--- Generate a key ---
tun # jre/bin/keytool -keystore ./resources/security/keystore -genkey -alias mormail-rsa -keyalg RSA
--- Export the key ---
tun # jre/bin/keytool -keystore ./resources/security/keystore -alias mormail-rsa -certreq -file mormail-rsa.csr
--- Move the CSR to the signing machine ---
tun # scp mormail-rsa.csr awilliam@192.168.1.122:Documents/Organizations/MI/SSL/
--- Sign the certification ---
$ openssl ca -policy policy_anything -days 730 -in mormail-rsa.csr -out mormail-rsa.cert
--- Convert to DER ---
$ openssl x509 -in mormail-rsa.cert -inform PEM -out mormail-rsa.cert.der -outform DER
--- Move the certificate back to the openfire server ---
$ scp mormail-rsa.cert.der root@tun.mormail.com:/tmp
--- Import the certificate ---
tun # jre/bin/keytool -import -keystore ./resources/security/keystore \
              -alias mormail-rsa -file /tmp/mormail-rsa.cert.der \
              -keyalg RSA
And I'm right back to the &*@^*&$*&@ "supplied key (null) is not a RSAPrivateKey instance" error message.

What I end up with in the keystore is:

[root@tun openfire]# jre/bin/keytool -keystore ./resources/security/keystore -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
mormail-rsa, Nov 3, 2009, PrivateKeyEntry,
Certificate fingerprint (MD5): 41:81:1E:AF:42:F7:B8:17:97:80:79:91:9F:5C:6F:0B
cacert, Nov 3, 2009, trustedCertEntry,
Certificate fingerprint (MD5): 36:4F:13:D4:A0:4F:25:D2:EF:60:37:B5:12:5B:07:FB

This is produced using the aforementioned procedure.

Properties are:

xmpp.socket.ssl.truststore = resources/security/truststore
xmpp.socket.ssl.keystore = resources/security/keystore
xmpp.socket.ssl.active = true
xmpp.server.tls.enabled = true
xmpp.fqdn = mormail.com

The server name in the “Server Information” page does not feature the yellow exclamation point. I’ve also tried adding the cacert.pem to the truststore.

I followed these instructions and it partially worked for me. The website certificate for SSL works fine, no issues, using our local CA in the truststore; the website does not say it has a bad certificate. However, when the clients connect, you have to click accept once and you’re good to go. I hope this helps.

http://www.lovelysystems.com/importing-an-existing-ssl-certificate-to-openfire/

Tried again:

--- verify keystore is empty ---
tun # jre/bin/keytool -keystore ./resources/security/keystore -list
--- import CA certificate ---
tun # jre/bin/keytool -keystore ./resources/security/keystore -import -alias cacert -file /tmp/cacert.pem
--- Generate a key ---
tun # jre/bin/keytool -keystore ./resources/security/keystore -genkey -alias mormail.com -keyalg RSA
--- Export the key ---
tun # jre/bin/keytool -keystore ./resources/security/keystore -alias mormail.com -certreq -file mormail.com.csr -keyalg RSA
--- Move the CSR to the signing machine ---
tun # scp mormail.com.csr awilliam@192.168.1.122:Documents/Organizations/MI/SSL/
--- Sign the certification ---
$ openssl ca -policy policy_anything -days 730 -in mormail.com.csr -out mormail.com.cert
--- Convert to DER ---
$ openssl x509 -in mormail.com.cert -inform PEM -out mormail.com.cert.der -outform DER
--- Move the certificate back to the openfire server ---
$ scp mormail.com.cert.der root@tun.mormail.com:/tmp
--- Import the certificate ---
tun # jre/bin/keytool -import -keystore ./resources/security/keystore -alias mormail.com -file /tmp/mormail.com.cert.der -keyalg RSA

Same result. Clients think the certificate is self-signed and the server certificates page just results in a Java stack trace. Sigh.

Looking around, at posts like http://www.igniterealtime.org/community/message/131083#131083 I’m starting to think that this doesn’t actually work for anybody.

If I execute:

openssl s_client -connect tun.mormail.com:5223 -CApath /etc/ssl/certs

it returns and seems to think my SSL session is OK:

New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 4AF05C49470075ED2F5134B84770D2D761E195C1D958C0D1F9DD00B40EED15D9
Session-ID-ctx:
Master-Key: E74147E1B1E844E1BC1FC94A812B7CA00987306366E01D5EDA857A38423265FE09377DDEB3BF442 F446ED413A603B786
Key-Arg : None
Start Time: 1257266180
Timeout : 300 (sec)
Verify return code: 0 (ok)

Dumb question, have you tried setting up connectivity over port 5222 instead of the “old” SSL port of 5223? I.e., change the security settings to disable any of the old SSL auths and just use the SSLv3/TLSv1 cert process.

This is a complete shot in the dark - the only other thing I can think of is that you may not have all the root certs installed in your cert path. I know our godaddy certs required the installation of their root cert before our path was complete. When I test our self-signed cert, I receive return code 18 indicating it’s self-signed but nothing about the certification path being invalid… just a thought.

BTW, this is all based on testing on CentOS 5.2 - YMMV.

Sorry I can’t be more help.

Dumb question, have you tried setting up connectivity over port 5222 instead of the “old” SSL port of 5223? I.e., change the security settings to disable any of the old SSL auths and just use the SSLv3/TLSv1 cert process.

Yes, clients are using TLS. But I use the openssl command to test whether there are any actual SSL errors; to do that I use the “old” SSL port, as openssl s_client can only test TLS for IMAP & SMTP, not for XMPP.

When I test our self-signed cert, I receive return code 18 indicating it’s self-signed but nothing about the certification path being invalid
Yeah, SSL errors habitually have unhelpful, even misleading, error messages. I’d suspect the CA cert wasn’t in my cert path, but I don’t have to specify a CAfile or CApath for openssl s_client to not have an error. Which doesn’t make sense.

BTW, this is all based on testing on CentOS 5.2 - YMMV.
Same here, possibly a bit newer. But OpenFire is pretty self-contained either way.

However, when the clients connect, you have to click accept once and you’re good to go.

I’d interpret this as it-did-not-work. If the client trusts the certificate, why would it prompt to accept it? That is the same as using a self-signed certificate.

Updated to 3.6.4 just for kicks; no difference. (But I do like how easy upgrades are with OpenFire).

Did you solve this? I am having the same problem and I know in the past I had the same headache but somehow, somehow got it to work. Now my certificate has expired and I am back having struggles.

Here is my discussion http://www.igniterealtime.org/community/message/198613#198613.

Does anyone know how to do it? It looks like it is a common problem.

Hi there,

I am having the exact same issue. I have gone through, and tried all the suggestions in the various posts in Openfire Support. Still no luck. Using keytool, I am able to list/delete/import certs in my keystore. But when I click on “Server Certificates” using the browser UI, I get the following java exception:

java.security.InvalidKeyException: Supplied key (null) is not a RSAPrivateKey instance

Has anyone found a solution for this? Does anyone know the cause of this error?

Any help/guidance appreciated.

Bal

I’m having the exact same problem and have found numerous forum posts about it. But nothing has helped.

Me too. I’m looking at server-to-server connections though.

Viewing the Server Certificates page in the admin consoles shows that I have a “CA Signed RSA” and a “CA Signed DSA” certificate.

The log files show the TLS connection is established, but no authentication mechanism is offered.

2010.01.16 13:16:57 LocalOutgoingServerSession: OS - Plain connection to :5269 successful

2010.01.16 13:16:57 LocalOutgoingServerSession: OS - Indicating we want TLS to

2010.01.16 13:16:57 LocalOutgoingServerSession: OS - Negotiating TLS with

2010.01.16 13:16:57 LocalOutgoingServerSession: OS - TLS negotiation with was successful

2010.01.16 13:19:27 LocalOutgoingServerSession: OS - Error, EXTERNAL SASL and SERVER DIALBACK were not offered by

Looking at SASLAuthentication.java, I can see that for me it is walking the certificate chain and tries to find the CA certificate in my keystore. If I don’t import the CA certificate in my keystore (it is in my truststore, didn’t think it was needed in the keystore too) it throws an exception and the certificate is marked as self signed. If I import the CA certificate to my keystore too, my certificate still gets marked as self signed because the CA certificate is self signed. When the CA cert is in my keystore, I can no longer view the “Server Certificates” page in the admin console as I get a java exception.

Does anyone have this working? If I run it in a debugger and force my cert to be considered not self signed everything does work. Not sure if it’s a problem with my certificates or the logic in openfire to determine if a cert is self signed or not.

Thanks.

An awesome bit of debugging; maybe with that kind of info you should proceed to file a bug and reference this thread.

I haven’t heard for anyone who has this working (hard to believe, I know).

I gave up and used ejabberd which worked perfectly. I too haven’t heard of anyone successfully getting this working.

I’m not sure I have understood all the technical stuff, but I will try to file John’s message as a bug report. OF-331. It will be pushed to 3.6.6, as we want to finalize 3.6.5 sooner.

With a small modification to the check for a self signed local certificate in method SASLAuthentication.getSASLMechanisms, I have this working.

The call to session.getConnection().getLocalCertificates() returns the certificate chain used in the TLS handshake. The return value is an ordered array with the local certificate first, followed by the certificate authorities (see javax.net.ssl.SSLSession.getLocalCertificates). Instead of iterating over the entire array, just check the first certificate to see if it’s self-signed or not.
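To make the chain-walking point concrete, here is a small added diagnostic (my code, not Openfire's and not anything posted in this thread) that opens the JKS keystore, pulls the chain stored under an alias, and applies the self-signed test both ways: over the whole chain, and over chain[0] only. Keystore path, password and alias are command-line arguments; mormail-rsa is just the alias from the procedure above.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
// Hypothetical diagnostic (not Openfire code): shows why walking the whole chain
// flags a CA-signed certificate as self-signed once the self-signed root CA
// is part of the stored chain, while checking chain[0] alone does not.
public class ChainCheck {
    // Self-signed = issued by itself AND the signature verifies under its own public key.
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) return false;
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (Exception e) { // signed by some other key, or unsupported algorithm
            return false;
        }
    }
    // Whole-chain form: a self-signed root anywhere in the chain taints the verdict.
    static boolean anyInChainSelfSigned(X509Certificate[] chain) {
        for (X509Certificate c : chain) {
            if (isSelfSigned(c)) return true;
        }
        return false;
    }
    // First-certificate form: only the end-entity certificate decides.
    static boolean localCertSelfSigned(X509Certificate[] chain) {
        return chain.length > 0 && isSelfSigned(chain[0]);
    }
    // Usage: java ChainCheck resources/security/keystore <password> mormail-rsa
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        // getCertificateChain is null unless the alias is a PrivateKeyEntry.
        Certificate[] raw = ks.getCertificateChain(args[2]);
        if (raw == null) { System.out.println(args[2] + " is not a key entry"); return; }
        X509Certificate[] chain = new X509Certificate[raw.length];
        for (int i = 0; i < raw.length; i++) {
            chain[i] = (X509Certificate) raw[i];
            System.out.println("[" + i + "] " + chain[i].getSubjectX500Principal()
                    + (isSelfSigned(chain[i]) ? "  (self-signed)" : ""));
        }
        System.out.println("whole-chain check says self-signed: " + anyInChainSelfSigned(chain));
        System.out.println("chain[0]-only check says self-signed: " + localCertSelfSigned(chain));
    }
}
```

With a leaf issued by the imported cacert entry, the two final lines should disagree (true vs. false), which is the behaviour the thread describes.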

Thanks, this is excellent news. We’ll be looking forward to 3.6.6

Perhaps an adaptation of the resolution I had on this post: http://www.igniterealtime.org/community/thread/41081 will help you?

I use StartSSL for my OpenFire SSL and it’s working w/o issue. The instructions I posted on that procedure may help you.

I also experienced this and it is really frustrating. After many weeks and days, I was able to make our wild card certificate to work by importing the rootCA chain one at a time. I did not import it as a chain, instead I imported it like two certificates on the truststore and it worked like a charm.