PositiveSSL(Comodo) certificate - client complains that it is self signed

Imre Agocs
Added about 3 years ago

The problem I am facing is that although Tigase accepts a certificate by Comodo, when connecting from clients to the server the client is complaining that the cert is self signed.

Tigase server version I am using is: tigase-server-7.0.2

Java: OpenJDK 1.7.0_91

The cert file is created based on the files received from PositiveSSL(Comodo:

Root CA Certificate - AddTrustExternalCARoot.crt

Intermediate CA Certificate - COMODORSAAddTrustCA.crt

Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt

Your PositiveSSL Certificate - mydomain.crt

The pem file to be used in Tigase created with the following command:

cat mydomain.crt mydomain.key COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt AddTrustExternalCARoot.crt > mydomain.pem

and placed in the certs folder.

2016-01-09 21:43:52.071 [main] SSLContextContainer.init() CONFIG: Loaded server certificate for domain: mydomain from file: certs/mydomain.pem

It is being successfully loaded by the server and it is not being replaced by Tigase, still the client software is complaining that it is self signed.

What could be the problem? How could I debug it?

Replies (2)

Added by Wojciech Kapcia TigaseTeam about 3 years ago

  • what certificate is presented to the client? is it the same certificate or not?

  • are you connecting to the mydomain domain/vhost?

  • what kind of connection are you utilising? regular socket connection with TLS over port 5222, legacy SSL connection over port 5223, bosh over 5280 or websocket from browser? I the cases except for the first one Tigase will utilise certs/default.pem certificate as it's not possible (by default) to determine the destination domain hence default certificate is being used.

Added by Imre Agocs about 3 years ago

Thank you for the reply, we were using TLS on 5222 and the correct

cert was presented. Probably only the client has some bug, we used

Kadu for initial testing.

Later we switched to Adium and Conference, and those accepted the cert.