Project

General

Profile

Godaddy SSL certificate installation issue

Pratap Patil
Added over 4 years ago

Tigase server version I am using is: tigase-server-5.2.3-SNAPSHOT-b3465

I have a SSL certificate issued by GoDaddy "abcdefg.crt". I also received a bundle certificate from them "gd_bundle-g2-g1.crt".

The certificate covers the following Subject Alternative Names. I have replaced the actual domain with mydomain.com here:

  1. mydomain.com

  2. www.mydomain.com

  3. server.mydomain.com

  4. xmpp.mydomain.com

Tigase server is installed on CentOS Google Cloud Engine (GCE) and the subdomain xmpp.mydomain.com points to the IP of GCE.

JDK version installed on machine is Oracle JDK 1.7.0.75

To install the certificate I followed the steps mentioned here: http://docs.tigase.org/tigase-server/5.2.3/admin_guide/html/#_installing_loading_certificate_to_the_tigase_server

Pem file was creating by adding the certificate issued by godaddy plus certificate private key plus the godaddy bundle.

cat abcdefg.crt mydomain.com.key gd_bundle-g2-g1.crt > xmpp.mydomain.com.pem

the xmpp.mydomain.com.pem is placed in the certs/ directory of tigase.

Next I added the godaddy bundle in the rsa-keystore using:

keytool -import -keystore rsa-keystore -file gd_bundle-g2-g1.crt \
    -alias root

Then I joined the cerificate and key to create a .pfx

openssl pkcs12 -export -inkey mydomain.com.key -in abcdefg.crt \
    -out mydomain.pfx -name "default"

I then imported the above in

keytool -importkeystore -srckeystore mydomain.pfx \
    -srcstoretype pkcs12 -destkeystore rsa-keystore \
    -srcalias default -destalias mydomain.com \
    -destkeypass my_keystore_pass

I kept the certificate password and the key password the same.

Next I copied:


to certs/ folder in tigase installation

my init.properties file looks like this

config-type=--gen-config-def
--virt-hosts=xmpp.mydomain.com
--admins=admin@xmpp.mydomain.com
--user-db-uri = jdbc:mysql://localhost/tigasedatabase?user=tigasedbuser&password=dbpassword
--user-db = mysql
--cluster-mode = true
--debug = server
--comp-name-1 = muc
--comp-class-1 = tigase.muc.MUCComponent
--comp-name-2 = pubsub
--comp-class-2 = tigase.pubsub.PubSubComponent
--comp-name-4 = message-archive
--comp-class-4 = tigase.archive.MessageArchiveComponent
--comp-name-3 = proxy
--comp-class-3 = tigase.socks5.Socks5ProxyComponent
--comp-name-5 = rest
--comp-class-5 = tigase.http.rest.RestMessageReceiver
--api-keys[s]=4ec2edeawer32324fr3e4f324fde7acf6
--ssl-container-class=tigase.io.SSLContextContainer
--sm-plugins=+message-archive-xep-0136,my-SessionHandlerPlugin

With this configuration, and deleting the etc/config-dump.properties I run the server using

./scripts tigase.sh start ./etc/tigase.conf

I am not able to connect with both 5222 and 5223 ports but on 5222 I am able to proceed a but further than 5223. The Psi client on port 5223 disconnects instantaneously.

In case of port 5222 the logs show the XML stream like:

<?xml version="1.0"?>


<stream:stream xmlns:stream="http://etherx.jabber.org/streams" version="1.0" xmlns="jabber:client" to="xmpp.mydomain.com" xml:lang="en" xmlns:xml="http://www.w3.org/XML/1998/namespace">


<?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' from='xmpp.mydomain.com' id='e9cdc73e-4914-4da2-a8fb-d33a735a7a0c' version='1.0' xml:lang='en'>


<stream:features>
<ver xmlns="urn:xmpp:features:rosterver"/>
<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
<mechanism>PLAIN</mechanism>
<mechanism>ANONYMOUS</mechanism>
</mechanisms>
<register xmlns="http://jabber.org/features/iq-register"/>
<compression xmlns="http://jabber.org/features/compress">
<method>zlib</method>
</compression>
<auth xmlns="http://jabber.org/features/iq-auth"/>
</stream:features>


<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>


<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>


<?xml version="1.0"?>


<stream:stream xmlns:stream="http://etherx.jabber.org/streams" version="1.0" xmlns="jabber:client" to="xmpp.mydomain.com" xml:lang="en" xmlns:xml="http://www.w3.org/XML/1998/namespace">


<?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' from='xmpp.mydomain.com' id='e9cdc73e-4914-4da2-a8fb-d33a735a7a0c' version='1.0' xml:lang='en'>


<stream:features>
<ver xmlns="urn:xmpp:features:rosterver"/>
<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
<mechanism>PLAIN</mechanism>
<mechanism>ANONYMOUS</mechanism>
</mechanisms>
<register xmlns="http://jabber.org/features/iq-register"/>
<compression xmlns="http://jabber.org/features/compress">
<method>zlib</method>
</compression>
<auth xmlns="http://jabber.org/features/iq-auth"/>
</stream:features>


<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="PLAIN">AGFkbWluAGltcHJlc3NpY29AITIz</auth>


<failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
<not-authorized/>
</failure>

In case of port 5223 the client logs show that the XML stream was like this:

<?xml version="1.0"?>
<stream:stream xmlns:stream="http://etherx.jabber.org/streams" version="1.0" xmlns="jabber:client" to="xmpp.mydomain.com" xml:lang="en" xmlns:xml="http://www.w3.org/XML/1998/namespace">

Before making any of these SSL related changes the server worked fine on port 5222 with Tigase's own self signed certificate.

Please guide where I am going wrong.


Replies (10)

Added by Wojciech Kapcia TigaseTeam over 4 years ago

Pratap Patil wrote:

I kept the certificate password and the key password the same.

Please try using pass-less key.

Added by Pratap Patil over 4 years ago

I kept the certificate password and the key password the same.

Here I am referring to password that was used to create the rsa-keystore as per instructions here: http://docs.tigase.org/tigase-server/5.2.3/admin_guide/html/#_installing_loading_certificate_to_the_tigase_server

Note! Please note -destkeypass parametr. Your keys password must be the same as keystore password. Otherwise it won’t work.

password should be same as the one of the keystore. By the way the rsa-keystore forces me to have a password longer than 6 characters.

If you are referring to the private key used for generating the SSL certificate with Godaddy then I guess I have to generate another one.

Added by Wojciech Kapcia TigaseTeam over 4 years ago

Yes, I was referring to private key password.

Added by Pratap Patil over 4 years ago

I had my doubts about my key being encrypted so I checked it using:

head -3 mydomain.com.key

output shows

-----BEGIN PRIVATE KEY-----
<some characters here...>

This key is not ecrypted so it means that it is a pass-less key.

By the way how do I enable logs on server when communication is SSL? to check the errors. Apparently, I am only getting logs when client attempts connection on port 5222 but not on 5223

Added by Wojciech Kapcia TigaseTeam over 4 years ago

Pratap Patil wrote:

This key is not ecrypted so it means that it is a pass-less key.

OK.

By the way how do I enable logs on server when communication is SSL? to check the errors.

There is no extra distinction for TLS or SSL communication. The issue may stem from the fact that encryption with TLS happens later on, after opening the stream, while with SSL channel should be already encrypted, and if you have issues with your certificate then SSL will fail immediately. You can enable debugging for net and io packages for more details.

Apparently, I am only getting logs when client attempts connection on port 5222 but not on 5223

So once more, step by step:

For 5222:

<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>

<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>

it means that the connection was established properly and switched to TLS (i.e. encrypted later on).

<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="PLAIN">AGFkbWluAGltcHJlc3NpY29AITIz</auth>

<failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
<not-authorized/>
</failure>

This means, that provided username or password was wrong.

As for the 5223 port - please bare in mind, that for connections on SSL tigase uses certs/default.pem file as there is no way to find out domain name to which connection is being established henceforth using default certificate.

Added by Pratap Patil over 4 years ago

As for the 5223 port - please bare in mind, that for connections on SSL tigase uses certs/default.pem file as there is no way to find out domain name to which connection is being established henceforth using default certificate.

OK. So either I replace the default.pem file with my certificate or I should go with legacy SSL by using 5222 port and then use .

Thanks for the analysis. I'll start by enabling the logs.

Added by Wojciech Kapcia TigaseTeam over 4 years ago

Pratap Patil wrote:

As for the 5223 port - please bare in mind, that for connections on SSL tigase uses certs/default.pem file as there is no way to find out domain name to which connection is being established henceforth using default certificate.

OK. So either I replace the default.pem file with my certificate or I should go with legacy SSL by using 5222 port and then use .

Hm, 5222=TLS, 5223=legacy SSL.

Best option would be to simply symlink default.pem to your ceritificate (or at least to the certificate for the most popular VHost that you are going to host) therefore such certificate would be used both for 5223 connections and TLS on 5222.

Added by Pratap Patil about 4 years ago

Thanks for the help. The symlink idea worked. I was able to install and run tigase server fine on Saturday. I verified by loggin in using Psi client on desktop and smack client on Android device.

The server was running fine fine for two days but I ran into exceptions today which prevented Andorid clients from login.

java.io.IOException: Connection reset by peer
        at sun.nio.ch.FileDispatcherImpl.read0(Native Method)
        at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39)
        at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223)
        at sun.nio.ch.IOUtil.read(IOUtil.java:192)
        at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:379)
        at tigase.io.SocketIO.read(SocketIO.java:307)
        at tigase.net.IOService.readData(IOService.java:1035)
        at tigase.xmpp.XMPPIOService.processSocketData(XMPPIOService.java:650)
        at tigase.net.IOService.call(IOService.java:265)
        at tigase.net.IOService.call(IOService.java:104)
        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)

while on Android smack client I get this:

java.net.SocketException: sendto failed: EPIPE (Broken pipe)
    at libcore.io.IoBridge.maybeThrowAfterSendto(IoBridge.java:499)
    at libcore.io.IoBridge.sendto(IoBridge.java:468)
    at java.net.PlainSocketImpl.write(PlainSocketImpl.java:508)
    at java.net.PlainSocketImpl.access$100(PlainSocketImpl.java:46)
    at java.net.PlainSocketImpl$PlainSocketOutputStream.write(PlainSocketImpl.java:270)
    at java.io.OutputStreamWriter.flushBytes(OutputStreamWriter.java:167)
    at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:158)
    at java.io.BufferedWriter.flush(BufferedWriter.java:124)
    at org.jivesoftware.smack.util.ObservableWriter.flush(ObservableWriter.java:44)
    at org.jivesoftware.smack.tcp.PacketWriter.writePackets(PacketWriter.java:190)
    at org.jivesoftware.smack.tcp.PacketWriter.access$000(PacketWriter.java:40)
    at org.jivesoftware.smack.tcp.PacketWriter$1.run(PacketWriter.java:77)
Caused by: libcore.io.ErrnoException: sendto failed: EPIPE (Broken pipe)
    at libcore.io.Posix.sendtoBytes(Native Method)
    at libcore.io.Posix.sendto(Posix.java:156)
    at libcore.io.BlockGuardOs.sendto(BlockGuardOs.java:177)
    at libcore.io.IoBridge.sendto(IoBridge.java:466)

This happens when client attempts to make a connection i.e. before login. Could it still be an SSL issue?

Added by Wojciech Kapcia TigaseTeam about 4 years ago

No, it doesn't look as related to SSL, rather with connecting to the server altogether. Were there any other exceptions in the log?

Added by Pratap Patil about 4 years ago

Yes. There was an exception in my plugin.

tigase.xmpp.NotAuthorizedException: Session has not been yet authorised.
    at tigase.xmpp.XMPPResourceConnection.getJID(XMPPResourceConnection.java:673)
    at tigase.xmpp.impl.Presence.processOutInitial(Presence.java:1476)
    at tigase.xmpp.impl.Presence.process(Presence.java:415)
    at tigase.server.xmppsession.SessionManager$ProcessorWorkerThread.process(SessionManager.java:2689)
    at tigase.util.WorkerThread.run(WorkerThread.java:132)

I have a plugin class which extends XMPPProcessor and implements XMPPProcessorIfc interface. This exception came becuase the plugin attempted to logout user.

Details about my plugin:


The job of this plugin is to allow only one user to remain logged in to a user account. It will logout other users which are already loggedin. I have modified the tig_users (MySQL) table to add a column (iid) installationID associated with each users. This is used as resource part in full JID. Plugin prevents users sending any other resource other than this iid as calls session.logout(). App server (not tigase) updates this column with data at the time of account creation and clients (android and iOS client apps) ensure that they send this value as resource while login. The plugin also ensures that only one user can have only one session and the previous session is logged out. Plugin code:

public class SessionHandlerPlugin extends XMPPProcessor implements XMPPProcessorIfc {

        public static final int THRESHOLD_LIMIT = 1;
        public static final String PLUGIN_ID = "my-SessionHandlerPlugin";

        @Override
    public String id() {
        return PLUGIN_ID;
    }

        @Override
    public void process(Packet packet, XMPPResourceConnection session, NonAuthUserRepository repo, Queue<Packet> results, Map<String, Object> settings) throws XMPPException {

        if (session == null || !session.isAuthorized()) {
            return;
        }
        try {
            String resource = session.getResource();

            log.log(Level.WARNING, "ppp resource = " + resource);

            try {
                if (session.getBareJID() == null) {
                    logout(session);
                } else {
                    String installationId = session.getAuthRepository().getIid(session.getBareJID());
                    if (installationId == null || "".equals(installationId)) {
                        logout(session);
                    } else if (installationId.equals(resource)) {
                        // continue normal login i.e. do nothing
                        long tempHigestLong = 0l;
                        int indexOfSessionNotToBeLoggedOut = -1;
                        List<XMPPResourceConnection> activeSessions = session.getActiveSessions();
                        if (activeSessions.size() > THRESHOLD_LIMIT) {

                            for (int i = 0; i < activeSessions.size(); i++) {
                                if (tempHigestLong < activeSessions.get(i).getCreationTime()) {
                                    tempHigestLong = activeSessions.get(i).getCreationTime();
                                    indexOfSessionNotToBeLoggedOut = i;
                                }
                            }

                            for (int i = 0; i < activeSessions.size(); i++) {
                                if (i != indexOfSessionNotToBeLoggedOut) {
                                    activeSessions.get(i).logout();
                                }
                            }
                        }
                    } else {
                        // iid and resrouce are not equal
                        logout(session);
                    }
                }
            } catch (TigaseDBException | SQLException e) {
                logout(session);
            }
        } catch (XMPPException eee) {

        }
    }

    private void logout(XMPPResourceConnection session) throws XMPPException {
        if (session.isAuthorized()) {
            session.logout();
        }
        throw new XMPPException("Sorry you cannot login");
    }
}

"session.getAuthRepository().getIid(session.getBareJID());"

I have made this new column added to the tig_users table availble in the AuthRepository

Also this code was working fine for 3 months before I moved to GCE (Google cloud engine)

    (1-10/10)