Problems with certificate

Steffen Larsen
Added almost 5 years ago

Hi,

I've created a signed certificate from startssl.com using your recipe http://www.tigase.org/content/creating-and-loading-server-certificate-pem-files (Also remember to update this page to use 2048-bit when creating the CSR file!).

I've done it before a couple of years ago and that worked fine.

So using: openssl req -nodes -new -newkey rsa:2048 -keyout my domain.com.key -out my domain.com.csr

and then getting the intermediate cert from startssl and concatenating it into one file: domain.com.pem.

Then I put the certificate into the cert folder of tigase. But what happens is that tigase tries to overwrite this file into a self signed certificate.

I tried to set my certificate to read-only, but it still does not work.

Besides uploading my certificate into the cert folder, am I missing some options in init.properties or??

-Cheers!

/Steffen


Replies (11)

Added by Wojciech Kapcia TigaseTeam almost 5 years ago

Do you have the full certificate chain? As the mentioned document states:

the order is following: your domain certificate, your private key, authority issuing your certificate, root certificate. Note! Tigase requires full certificate chain in PEM file (described above)!

Thanks for the tip - doc updated.

Added by Steffen Larsen almost 5 years ago

Hi Wojciech!,

I've created a full-chain PEM containing: my certificate for my domain, my private key, startssl intermediate cert and root CA.

I can't see any debug or anything in the log. Is there anything that needs to be enabled?

/Steffen

Added by Wojciech Kapcia TigaseTeam almost 5 years ago

Is your certificate rejected even with full chain and root ca?

You can enable debugging for the tigase.cert package (i.e. --debug=cert); however, most of the output there should already be present in the logs (given the levels).

Added by Steffen Larsen almost 5 years ago

Yes it is.

I get this output:

2014-01-28 08:00:13.790 [main] SSLContextContainer.init() WARNING: Cannot load certficate from file: certs/domain.com.pem
java.lang.RuntimeException: Can't sort certificate chain!!!
    at tigase.cert.CertificateUtil.sort(CertificateUtil.java:695)
    at tigase.cert.CertificateUtil.sort(CertificateUtil.java:661)
    at tigase.io.SSLContextContainer.addCertificateEntry(SSLContextContainer.java:199)
    at tigase.io.SSLContextContainer.init(SSLContextContainer.java:410)
    at tigase.io.TLSUtil.configureSSLContext(TLSUtil.java:89)
    at tigase.conf.ConfiguratorAbstract.setProperties(ConfiguratorAbstract.java:815)
    at tigase.conf.ConfiguratorAbstract.setup(ConfiguratorAbstract.java:550)
    at tigase.conf.ConfiguratorAbstract.componentAdded(ConfiguratorAbstract.java:182)
    at tigase.conf.Configurator.componentAdded(Configurator.java:50)
    at tigase.conf.Configurator.componentAdded(Configurator.java:33)
    at tigase.server.AbstractComponentRegistrator.addComponent(AbstractComponentRegistrator.java:115)
    at tigase.server.MessageRouter.addRegistrator(MessageRouter.java:141)
    at tigase.server.MessageRouter.setConfig(MessageRouter.java:696)
    at tigase.server.XMPPServer.start(XMPPServer.java:142)
    at tigase.server.XMPPServer.main(XMPPServer.java:112)

What does it mean that it can't sort the cert? Is it the root it can't get, or?

/Steffen

Added by Wojciech Kapcia TigaseTeam almost 5 years ago

This is caused by an incomplete certificate chain. Please verify that you have correct entries/intermediate/root certificates that match each other.

Can you verify your pem file with openssl and provide output/details of each item?

Added by Steffen Larsen almost 5 years ago

Hi W,

Here are my diff. certs:

my cert:

$ openssl x509 -in braintrust.dk.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 928229 (0xe29e5)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA

my private key (only header shown):

-----BEGIN RSA PRIVATE KEY-----
blah blah
-----END RSA PRIVATE KEY-----

Intermediate cert (pem):

$ openssl x509 -in sub.class1.server.ca.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 24 (0x18)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
        Validity
            Not Before: Oct 24 20:54:17 2007 GMT
            Not After : Oct 24 20:54:17 2017 GMT
        Subject: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA

root cert:

$ openssl x509 -in ca.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=IL, ST=Israel, L=Eilat, O=StartCom Ltd., OU=CA Authority Dep., CN=Free SSL Certification Authority/emailAddress=admin@startcom.org
        Validity
            Not Before: Mar 17 17:37:48 2005 GMT
            Not After : Mar 10 17:37:48 2035 GMT
        Subject: C=IL, ST=Israel, L=Eilat, O=StartCom Ltd., OU=CA Authority Dep., CN=Free SSL Certification Authority/emailAddress=admin@startcom.org
        Subject Public Key Info:

Added by Wojciech Kapcia TigaseTeam almost 5 years ago

Issuer of sub.class1.server.ca.pem isn't equal to the subject of ca.crt - please use correct certificate files.

Added by Steffen Larsen almost 5 years ago

Really? It's StartCom Ltd. in both. Sorry, I am not 100% into this cert. stuff, but what seems to be the problem?

I got the intermediate cert. from StartCom and afterwards I downloaded the root certificate there as well (ca.crt) as described on your recipe page.

/Steffen

Added by Steffen Larsen almost 5 years ago

I've found another root certificate on the startssl page. They call it a ca-bundle.pem.

It looks like this:

$ openssl x509 -in ca-bundle.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 61 (0x3d)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=IL, O=StartCom Ltd., CN=StartCom Certification Authority G2
        Validity
            Not Before: Sep 17 19:46:37 2006 GMT
            Not After : Sep 17 19:46:37 2036 GMT
        Subject: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):

It seems to match better. Is that the one that should be used as root cert?

-Cheers!

/Steffen

Added by Wojciech Kapcia TigaseTeam almost 5 years ago

The root certificate is odd (and the subject line has to exactly match the issuer line). Please try the following files:

I'll update links in our documentation.
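The issuer-to-subject matching Wojciech applies by hand above (and the exact-match rule in his last reply), as an added example that is neither part of the thread nor Tigase's own code: it pulls the Subject and Issuer lines out of `openssl x509 -noout -text` dumps and tries to order them leaf to root, which is the ordering a server has to establish before it can load the PEM. The Issuer/Subject values are the ones Steffen posted; the leaf's Subject and the self-signed root are constructed for the example.

```python
import re
from collections import namedtuple

# Constructed excerpts in the shape of `openssl x509 -noout -text` output, using
# the Issuer/Subject lines Steffen posted. The leaf's Subject and the self-signed
# root are constructed for the example; the thread shows neither dump.
DUMPS = {
    "braintrust.dk.pem":
        "    Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA\n"
        "    Subject: CN=braintrust.dk\n",
    "sub.class1.server.ca.pem":
        "    Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority\n"
        "    Subject: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA\n"
        "    Subject Public Key Info:\n",
    "ca.crt":
        "    Issuer: C=IL, ST=Israel, L=Eilat, O=StartCom Ltd., OU=CA Authority Dep., CN=Free SSL Certification Authority/emailAddress=admin@startcom.org\n"
        "    Subject: C=IL, ST=Israel, L=Eilat, O=StartCom Ltd., OU=CA Authority Dep., CN=Free SSL Certification Authority/emailAddress=admin@startcom.org\n",
    "root-selfsigned.pem (constructed)":
        "    Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority\n"
        "    Subject: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority\n",
}
Cert = namedtuple("Cert", "name subject issuer")

def parse_dump(name, text):
    """Pull the Subject and Issuer lines out of an openssl -text dump."""
    # The ': ' after the keyword keeps 'Subject Public Key Info:' from matching.
    subj = re.search(r"^\s*Subject: (.+)$", text, re.M)
    iss = re.search(r"^\s*Issuer: (.+)$", text, re.M)
    if not (subj and iss):
        raise ValueError(f"{name}: Subject or Issuer line missing")
    return Cert(name, subj.group(1).strip(), iss.group(1).strip())

def sort_chain(certs):
    """Order certs leaf -> root by exact issuer == subject string matching.
    Returns (ordered_names, problems); problems is empty only for a complete chain."""
    by_subject = {c.subject: c for c in certs}
    issued = {c.issuer for c in certs if c.issuer != c.subject}
    leaves = [c for c in certs if c.subject not in issued and c.issuer != c.subject]
    if len(leaves) != 1:
        return [], [f"expected exactly one leaf certificate, found {len(leaves)}"]
    chain, problems = [leaves[0]], []
    while chain[-1].issuer != chain[-1].subject:  # stop at a self-signed root
        nxt = by_subject.get(chain[-1].issuer)
        if nxt is None:  # the break Wojciech spotted: issuer != next cert's subject
            problems.append(f"{chain[-1].name}: issuer '{chain[-1].issuer}' matches no Subject")
            break
        chain.append(nxt)
    problems += [f"{c.name}: not linked into the chain" for c in certs if c not in chain]
    return [c.name for c in chain], problems
```

With ca.crt the walk stops at the intermediate and reports ca.crt as unlinked; with a root whose Subject equals the intermediate's Issuer the chain closes, whatever order the files were concatenated in.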

Added by Steffen Larsen almost 5 years ago

Super Wojciech!,

It seems to be working with the first link as root certificate (http://www.startssl.com/certs/ca.pem).

I would really opt for better handling, both of logging information and of not trying to overwrite the certificates that the user put under the cert/ folder.

I think that it would be better to fail early and tell the user in an ERROR statement that the cert is wrong and he/she should remove it. But that's my 5 cents. :-)

-Cheers and thanks for the help!

/Steffen
