Exception while using self-signed certificates to start the tigase server

Pratap Patil
Added over 4 years ago

Hi,

I am trying to use a self-signed certificate, generated using http://docs.tigase.org/tigase-server/5.3.0/adminguide/#_server_certificates, to start the XMPP server. However, the server does not start and logs the exception below in logs/tigase-console.log:

SSLContextContainer.init()         WARNING:  Cannot load certficate from file: certs/tigase.mydomain.crt
java.security.KeyStoreException: Cannot store non-PrivateKeys
        at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:250)
        at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:55)
        at java.security.KeyStore.setKeyEntry(KeyStore.java:909)
        at tigase.io.SSLContextContainer.addCertificateEntry(SSLContextContainer.java:199)
        at tigase.io.SSLContextContainer.init(SSLContextContainer.java:421)
        at tigase.io.TLSUtil.configureSSLContext(TLSUtil.java:89)
        at tigase.conf.ConfiguratorAbstract.setProperties(ConfiguratorAbstract.java:815)
        at tigase.conf.ConfiguratorAbstract.setup(ConfiguratorAbstract.java:550)
        at tigase.conf.ConfiguratorAbstract.componentAdded(ConfiguratorAbstract.java:182)
        at tigase.conf.Configurator.componentAdded(Configurator.java:50)
        at tigase.conf.Configurator.componentAdded(Configurator.java:33)
        at tigase.server.AbstractComponentRegistrator.addComponent(AbstractComponentRegistrator.java:115)
        at tigase.server.MessageRouter.addRegistrator(MessageRouter.java:141)
        at tigase.server.MessageRouter.setConfig(MessageRouter.java:696)
        at tigase.server.XMPPServer.start(XMPPServer.java:142)
        at tigase.server.XMPPServer.main(XMPPServer.java:112)

What seems to have gone wrong here? I tried to generate the private key with and without a password, but I get the same exception.

The files placed in the certs/ directory are client_truststore, keystore, rsa-keystore, tigase.mydomain.crt, tigase.mydomain.csr, tigase.mydomain.key, tigase.mydomain.pem and truststore.

I used

openssl req -nodes -new -newkey rsa:2048 -keyout tigase.mydomain.key -out tigase.mydomain.csr

to generate the key and CSR,

I used

openssl x509 -req -days 365 -in tigase.mydomain.csr -signkey tigase.mydomain.key -out tigase.mydomain.crt

to generate the .crt, and

I used

cat tigase.mydomain.crt tigase.mydomain.key > tigase.mydomain.pem

to generate the .pem.

Am I doing something wrong in generating the key or the certificate?

What I want to achieve is to use my self-signed certificate, because the client will also belong to me.

Your help is much appreciated.

PS:

  1. I am using the latest code from the master branch that I pulled from the git repository. Compiling this code gives the version = 5.3.0.

  2. Using OpenJDK 7

Thanks,

Pratap


Replies (7)

Added by Wojciech Kapcia TigaseTeam over 4 years ago

With the latest versions of Tigase you do not need to generate self-signed certificates on your own as Tigase will create them for you.

As for the description - you shouldn't use any password in the key. I've also quickly checked and everything works (from the guide perspective):

2014-10-10 12:30:17.920 [main]             SSLContextContainer.init()         CONFIG:   Loaded server certificate for domain: yourdomain.com from file: certs/yourdomain.com.pem

The exception would indicate that you somehow use a different key file than the one generated?!

Added by Bartosz Malkowski TigaseTeam over 4 years ago

I tried to reproduce your problem with steps you described.

No error (I used the latest code from the "devel" branch).

Added by Pratap Patil over 4 years ago

I was using a self-signed certificate for testing purposes. On production server we will deploy the certificate issued by CA Authorities.

As far as the key being wrong: I am using the key generated in the first step (tigase.mydomain.key) mentioned in the documentation.

The documentation does not mention putting any other key there.

Added by Wojciech Kapcia TigaseTeam over 4 years ago

OK - in principle - I've followed the guide to the dot (actually copying it from the guide and adding the example yourdomain.com to vhosts) and it was simply loaded.

Can you run the following:

java -cp jars/tigase-server.jar tigase.cert.CertificateUtil --load-cert certs/tigase.mydomain.pem

and share the results as well as the actual .pem file - it's self-signed after all.

Added by Pratap Patil over 4 years ago

I am using tigase.testdomin.com as the domain.

Also, /etc/hosts points this to 127.0.0.1.

The output of that command is:

Private key: sun.security.rsa.RSAPrivateCrtKeyImpl@ffdadbfc
[
[
  Version: V1
  Subject: EMAILADDRESS=test.v200@gmail.com, CN=Self, OU=Self, O=Self, L=New Delhi, ST=Delhi, C=IN
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 27778284794107119495398764002706125566508483821086011826526436792314187464005950997111278272454521038976190445194818877534268310442018726654121622202728103083275661010200880944858469361561807695139748879760510350257118727534162647893563005279501517255276389931857646651892664804272146327283006754793900148196439077731711674686650110477820779962893242454620652816518492082899769567874829609746098295234162306670148757622672772758402674171003069639997090374503558081235451113799792391160724093269041540164674618498711427923441531065833704483460386817662866790353245475858996185899771240949860914836034316488109991113323
  public exponent: 65537
  Validity: [From: Fri Oct 10 17:28:41 IST 2014,
               To: Sat Oct 10 17:28:41 IST 2015]
  Issuer: EMAILADDRESS=test.v200@gmail.com, CN=Self, OU=Self, O=Self, L=New Delhi, ST=Delhi, C=IN
  SerialNumber: [    cda4f241 3b7737db]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: B6 4A CC AC 57 1A 9E 5E   4B 0C 5E E1 95 44 3A 71  .J..W..^K.^..D:q
0010: 41 C7 B6 94 24 D6 5B AB   47 BB A0 92 EA 0A 1F 4C  A...$.[.G......L
0020: 9D 1B 26 4E 78 79 44 ED   61 7E 40 F9 9E F7 80 6B  ..&NxyD.a.@....k
0030: 5B C0 44 F5 AB 18 E5 F6   68 B0 3C 63 14 DC 71 E3  [.D.....h.<c..q.
0040: C2 D0 B9 0B 28 6E BF F2   95 18 4D EE AB F1 6B FD  ....(n....M...k.
0050: E9 9C 89 F8 96 B4 D3 0B   1B 39 BF 16 C1 20 CF 08  .........9... ..
0060: 1A BA 8B AC 00 F0 50 53   8E C7 A7 4F 8A 81 AC 98  ......PS...O....
0070: F7 E4 95 73 4F B5 AD 4F   A7 22 D0 58 1E 56 0D 41  ...sO..O.".X.V.A
0080: 07 DE F9 04 CA 86 78 47   45 A4 8B 84 E8 29 A8 FB  ......xGE....)..
0090: 76 1E 3D B5 BD 2E EE 76   3B EC 65 FE 88 09 04 6E  v.=....v;.e....n
00A0: E7 29 31 E6 63 EB B5 FE   BF 6E E8 4B 2F 7C E9 CB  .)1.c....n.K/...
00B0: 27 42 CE 3F 1C FE E0 23   5A FD DB F7 41 F0 10 59  'B.?...#Z...A..Y
00C0: 03 26 3B 16 C8 C7 0E 3C   A6 16 18 4F 9E 79 14 B5  .&;....<...O.y..
00D0: 10 2A C6 2E 80 90 CE 46   36 F4 7D A6 25 77 5C 6A  .*.....F6...%w\j
00E0: 61 8D 4C F6 60 60 92 1D   06 AB 78 2B 8E C8 1F B1  a.L.``....x+....
00F0: 5E 28 0B F4 FF 6F 6C 01   37 44 B1 7F 5C F3 77 72  ^(...ol.7D..\.wr

]

Added by Wojciech Kapcia TigaseTeam over 4 years ago

Do you have, by any chance, following in your configuration:

--ssl-container-class=tigase.extras.io.PEMSSLContextContainer

or any other configuration related to the SSL container? Please try using the defaults.

Added by Pratap Patil over 4 years ago

No, actually I haven't configured any SSL container settings.

Anyway, this is fixed now. It was a silly mistake on my part. I had put all the generated files (tigase.mydomain.crt, tigase.mydomain.csr, tigase.mydomain.key, tigase.mydomain.pem) in there, and "tigase.mydomain.crt", the certificate without any private key, also gets picked up for adding to the keystore, and this is where the server throws the exception. This time I put in just the tigase.mydomain.pem file, which has the private key too. The server gladly accepted my certificate.

Sorry about the confusion.

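The thread's three openssl steps, and the mistake it ended on (a bare .crt in certs/ that Tigase tries to load as a key entry), both reduce to one check worth running before the server ever sees the file: does the bundle contain exactly one unencrypted private key, at least one certificate, and do the two belong together? The script below is an added example for this thread; it is not code from Tigase or from its admin guide. It assumes a POSIX sh with the openssl CLI on PATH and an RSA key (the modulus comparison is RSA-specific); the function names, the output paths and the tigase.example.test domain used in the demo are made up for illustration.

```shell
#!/bin/sh
# Added example for this thread, not code from Tigase or its admin guide.
# Assumptions: POSIX sh, the openssl CLI on PATH, an RSA key (the modulus
# comparison is RSA-specific). Function names, paths and the demo domain
# tigase.example.test are illustrative.

# make_tigase_pem DOMAIN OUTDIR
# Runs the same three openssl steps the thread describes, non-interactively
# (-subj supplies the subject so no prompts appear), and bundles
# certificate + key into OUTDIR/DOMAIN.pem, the one file that belongs in certs/.
make_tigase_pem() {
    domain=$1; outdir=$2
    key="$outdir/$domain.key"
    csr="$outdir/$domain.csr"
    crt="$outdir/$domain.crt"
    # -nodes leaves the key unencrypted; the loader reads it without a passphrase.
    openssl req -nodes -new -newkey rsa:2048 -subj "/CN=$domain" \
        -keyout "$key" -out "$csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$csr" -signkey "$key" \
        -out "$crt" 2>/dev/null
    cat "$crt" "$key" > "$outdir/$domain.pem"
    chmod 600 "$key" "$outdir/$domain.pem"
}

# check_tigase_pem FILE
# Returns 0 when FILE holds exactly one unencrypted private key block, at
# least one CERTIFICATE block, and the key matches the first certificate.
# A bare .crt (no key) or a bare .key (no cert) fails here instead of
# failing inside SSLContextContainer at server start.
check_tigase_pem() {
    f=$1
    keys=$(grep -cE '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f" || true)
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
    enc=$(grep -cE '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$f" || true)
    if [ "$enc" -ne 0 ]; then
        echo "$f: private key is passphrase-protected; regenerate with -nodes" >&2
        return 1
    fi
    if [ "$keys" -ne 1 ]; then
        echo "$f: expected exactly 1 private key block, found $keys" >&2
        return 1
    fi
    if [ "$certs" -lt 1 ]; then
        echo "$f: no CERTIFICATE block" >&2
        return 1
    fi
    # openssl skips PEM blocks of the wrong type, so both commands accept the
    # combined file. Comparing the RSA moduli catches a key/cert mix-up.
    kmod=$(openssl rsa -in "$f" -noout -modulus 2>/dev/null) || {
        echo "$f: private key is not a readable RSA key" >&2; return 1; }
    cmod=$(openssl x509 -in "$f" -noout -modulus 2>/dev/null) || {
        echo "$f: certificate is not readable" >&2; return 1; }
    if [ "$kmod" != "$cmod" ]; then
        echo "$f: private key does not match the certificate" >&2
        return 1
    fi
    echo "$f: OK (1 key, $certs certificate(s), key matches certificate)"
}

# Demo: `sh tigase-pem-check.sh demo`. Builds a throwaway domain in a temp
# dir and shows the .pem passing while the bare .crt is rejected, which is
# the exact mistake the thread ended on.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_tigase_pem tigase.example.test "$tmp"
    check_tigase_pem "$tmp/tigase.example.test.pem"
    check_tigase_pem "$tmp/tigase.example.test.crt" || echo "(rejected, as expected)"
    rm -rf "$tmp"
fi
```

Only the .pem that passes the check should go into certs/; as the last reply notes, every file in that directory gets picked up, so the .key, .csr and .crt left beside it are what triggers "Cannot store non-PrivateKeys".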