5 Replies Last post: Mar 4, 2008 9:26 PM by Gaston Dombiak  
Daryl Herzmann KeyContributor 422 posts since
Mar 12, 2005

Mar 4, 2008 3:12 PM

No Love with GeoTrust SSL Cert

Greetings,

My ignorance is probably to blame here, but I cannot seem to get my GeoTrust signed SSL cert to work with Openfire 3.4.4. I have two files in my possession, one that is topped with '-----BEGIN CERTIFICATE-----' and the other with '-----BEGIN PRIVATE KEY-----'. (I got this cert from my web hoster.)

So, if I import this cert via the admin console, Openfire takes it, but then Firefox can't connect to the console, complaining about a corrupt cert or no supported algorithms found. Hmmmm.

So then I try the manual keytool method and get tracebacks.

When I try to import the private key and cert via the console, I get tracebacks

java.lang.NullPointerException
    at org.jivesoftware.util.CertificateManager.installCert(CertificateManager.java:501)

The key and cert work as expected with Apache.  I must be missing some step.

(Looking at my post last year about this problem, I see I was able to do a hack with keytool, but this never resulted in a cert that Openfire thought was valid.)

thanks,

daryl

Todd Getz KeyContributor 2,178 posts since
Apr 2, 2007
Mar 4, 2008 3:23 PM in response to: Daryl Herzmann
Re: No Love with GeoTrust SSL Cert

First obvious question is: does the cert match the Fully Qualified Domain Name of the Openfire server?

Todd Getz KeyContributor 2,178 posts since
Apr 2, 2007
Mar 4, 2008 8:46 PM in response to: Daryl Herzmann
Re: No Love with GeoTrust SSL Cert

When I go to the address specified I get an error that implies that the cert does not match the FQDN of the server.  See attached picture.

Gaston Dombiak Jiver 3,771 posts since
Sep 26, 2001
Mar 4, 2008 9:26 PM in response to: Daryl Herzmann
Re: No Love with GeoTrust SSL Cert

Hey daryl,

XMPP clients and HTTP clients (aka browsers) use different types of certificates. XMPP certificates use an extension field in the certificate for the XMPP domain. Standard web certificates do not use that extension field but just the CN (I think). All this means that browsers will verify that the CN (or maybe the subjectDN) field matches the web domain. On the other hand, XMPP clients will read the XMPP extension field and verify that it matches the XMPP domain.

Hope that helps,

  -- Gato
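
What the XMPP extension field looks like inside a certificate, as an added example that is not code from Openfire or from any poster in this thread: the XMPP address is carried in subjectAltName as an otherName with OID id-on-xmppAddr (1.3.6.1.5.5.7.8.5). The SAN byte strings, host names and function names below are constructed for illustration, the web check follows the RFC 2818 rule (dNSName entries, else CN), and wildcard matching is left out.

```python
ID_ON_XMPPADDR = bytes.fromhex("2b06010505070805")  # OID 1.3.6.1.5.5.7.8.5

def tlv(tag, body):
    """Encode one DER TLV; short-form length only (enough for the samples)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def read_tlvs(buf):
    """Yield (tag, value) for each DER TLV in buf (short or long length form)."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                      # long form: low bits = number of length bytes
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + n]
        i += n

def san_names(san_der):
    """Return (dns_names, xmpp_addrs) found in a DER subjectAltName value."""
    dns, xmpp = [], []
    [(_, names)] = read_tlvs(san_der)     # outer SEQUENCE OF GeneralName
    for tag, val in read_tlvs(names):
        if tag == 0x82:                   # dNSName [2] IA5String
            dns.append(val.decode("ascii"))
        elif tag == 0xA0:                 # otherName [0] { OID, [0] EXPLICIT value }
            (_, oid), (_, wrapped) = read_tlvs(val)
            if oid == ID_ON_XMPPADDR:
                [(_, addr)] = read_tlvs(wrapped)   # UTF8String holding the XMPP address
                xmpp.append(addr.decode("utf-8"))
    return dns, xmpp

def web_match(host, cn, dns):
    """Browser-style check (assumed RFC 2818 rule): dNSName entries, else the CN."""
    return host.lower() in [d.lower() for d in (dns or [cn])]

def xmpp_match(domain, xmpp):
    """XMPP-style check: the XMPP domain against id-on-xmppAddr entries."""
    return domain.lower() in [x.lower() for x in xmpp]

# Constructed samples: a hosting-style SAN and an XMPP-style SAN.
WEB_SAN = tlv(0x30, tlv(0x82, b"www.example.org"))
XMPP_SAN = tlv(0x30, tlv(0x82, b"chat.example.org") + tlv(0xA0,
    tlv(0x06, ID_ON_XMPPADDR) + tlv(0xA0, tlv(0x0C, b"example.org"))))
```

A certificate issued for a web host (like `WEB_SAN`) yields no xmppAddr entries, so the web check can pass while the XMPP check has nothing to match against.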
