
Can't install own certificate for SSL communication. Server uses its own generated certificate.

Ildar Zaripov
Added over 1 year ago

I run a Tigase XMPP server on AWS EC2 (assume the domain name is ec2.us-west-2.compute.amazonaws.com).

I generated the certificate following the official documentation:

openssl genrsa -out private.key 4096
openssl req -new -key private.key -out ec2.us-west-2.compute.amazonaws.com.csr -sha256
openssl x509 -req -days 365 -in ec2.us-west-2.compute.amazonaws.com.csr -signkey private.key -out ec2.us-west-2.compute.amazonaws.com.crt
cat ec2.us-west-2.compute.amazonaws.com.crt private.key > ec2.us-west-2.compute.amazonaws.com.pem

Then I put this new .pem file into the server/certs directory.

The config.tdsl file is the following:

'cluster-mode' = 'false'
'config-type' = 'default'
'basic-conf' {
  'virtual-hosts-cert-ec2.us-west-2.compute.amazonaws.com' = '/home/ubuntu/tigase-server/server/certs/ec2.us-west-2.compute.amazonaws.com.pem'
}
c2s (class: tigase.server.xmppclient.ClientConnectionManager) {
    seeOtherHost {}
}
'certificate-container' (active = true) {
    ssl-certs-location='/home/ubuntu/tigase-server/server/certs/'
    ssl-container-class='tigase.io.SSLContextContainer'
}
rootSslContextContainer (class: tigase.io.SSLContextContainer, active = true) {}
...

When I connect to the server using PSI, the server presents me the certificate that was generated by Tigase.

What should I fix to set up secure communication in Tigase?

Thanks!


Replies (1)

Added by Wojciech Kapcia TigaseTeam over 1 year ago

> I run a Tigase XMPP server on AWS EC2 (assume the domain name is ec2.us-west-2.compute.amazonaws.com).
>
> I generated the certificate following the official documentation:
>
> [...]
>
> Then I put this new .pem file into the server/certs directory.
>
> The config.tdsl file is the following:
>
> 'cluster-mode' = 'false'
> 'config-type' = 'default'
> 'basic-conf' {
>   'virtual-hosts-cert-ec2.us-west-2.compute.amazonaws.com' = '/home/ubuntu/tigase-server/server/certs/ec2.us-west-2.compute.amazonaws.com.pem'
> }
> c2s (class: tigase.server.xmppclient.ClientConnectionManager) {
>     seeOtherHost {}
> }
> 'certificate-container' (active = true) {
>     ssl-certs-location='/home/ubuntu/tigase-server/server/certs/'
>     ssl-container-class='tigase.io.SSLContextContainer'
> }
> rootSslContextContainer (class: tigase.io.SSLContextContainer, active = true) {}
> ...
>
> When I connect to the server using PSI, the server presents me the certificate that was generated by Tigase.
>
> What should I fix to set up secure communication in Tigase?

The best initial step would be to analyse the logs. The first thing that stands out is that you have errors in your config, namely active = true is an invalid declaration (it should be active: true), which in itself can cause problems.

As for the issue - you shouldn't have to explicitly configure the certificate -- you only need to place it in a file whose name matches the VHost for which you generated it, i.e. in your case it would be certs/ec2.us-west-2.compute.amazonaws.com.pem for the ec2.us-west-2.compute.amazonaws.com VHost.

I would also greatly simplify the configuration and avoid explicit declaration of the class (unless really needed).
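Added example, written for this thread and not taken from the original post or from the Tigase project: a POSIX shell script that covers both the generation steps in the question and the reply's point that the certificate is selected purely by file name (certs/<vhost>.pem, certificate followed by private key). It generates the certificate in a single openssl req -x509 step rather than the genrsa/req/x509 sequence above, and adds a subjectAltName because clients match the host name against the SAN, not only the CN. It then runs the checks worth doing before restarting the server (file name equals the VHost, both PEM blocks present, certificate valid for the VHost name, private key matches the certificate) and, separately, shows what a running server actually presents after STARTTLS, which is what Psi sees. The VHost name, the certs directory and port 5222 are assumptions supplied by the caller; the openssl CLI (1.1.1 or newer, for -addext) is required.

```shell
#!/bin/sh
# Added example (not Tigase project code). Creates and verifies the one
# PEM file per VHost that Tigase loads from its certs/ directory.

# make_vhost_cert VHOST OUTDIR
# One-shot equivalent of genrsa + req + x509, plus a subjectAltName so the
# certificate is valid for VHOST under host-name matching rules.
make_vhost_cert() {
    vhost=$1
    outdir=$2
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$vhost" -addext "subjectAltName=DNS:$vhost" \
        -keyout "$outdir/$vhost.key" -out "$outdir/$vhost.crt" 2>/dev/null \
        || return 1
    # Tigase reads one PEM per VHost: certificate first, then the private key.
    cat "$outdir/$vhost.crt" "$outdir/$vhost.key" > "$outdir/$vhost.pem"
    chmod 600 "$outdir/$vhost.pem"
    rm -f "$outdir/$vhost.crt" "$outdir/$vhost.key"
}

# check_vhost_pem VHOST CERTDIR
# Verifies CERTDIR/VHOST.pem the way the server will use it. Returns 1 with a
# reason on the first failed check, 0 when the file is usable for VHOST.
check_vhost_pem() {
    vhost=$1
    pem=$2/$1.pem
    [ -f "$pem" ] \
        || { echo "missing $pem (file name must equal the VHost name)"; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" \
        || { echo "no CERTIFICATE block in $pem"; return 1; }
    grep -qE -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$pem" \
        || { echo "no PRIVATE KEY block in $pem"; return 1; }
    # -checkhost applies the SAN-first host-name match a client performs.
    openssl x509 -in "$pem" -noout -checkhost "$vhost" | grep -q 'does match' \
        || { echo "certificate in $pem is not valid for $vhost"; return 1; }
    # Split the two blocks and compare their public keys: a key that does not
    # belong to the certificate fails the handshake for every client.
    cert_pub=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$pem" \
        | openssl x509 -noout -pubkey)
    key_pub=$(sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$pem" \
        | openssl pkey -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key in $pem does not match the certificate"; return 1; }
    echo "$pem: OK for VHost $vhost"
}

# show_served_cert HOST VHOST
# Prints subject and SAN of the certificate the running server presents on
# 5222 after STARTTLS for VHOST; if it is still the Tigase-generated one, the
# file name or directory above is wrong.
show_served_cert() {
    openssl s_client -connect "$1:5222" -starttls xmpp -xmpphost "$2" \
        </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
}

# Usage (only runs when arguments are given):
#   ./vhost-cert.sh gen   ec2.us-west-2.compute.amazonaws.com server/certs
#   ./vhost-cert.sh check ec2.us-west-2.compute.amazonaws.com server/certs
#   ./vhost-cert.sh show  ec2.us-west-2.compute.amazonaws.com ec2.us-west-2.compute.amazonaws.com
case "${1:-}" in
    gen)   make_vhost_cert "$2" "$3" && check_vhost_pem "$2" "$3" ;;
    check) check_vhost_pem "$2" "$3" ;;
    show)  show_served_cert "$2" "$3" ;;
esac
```

The check function fails on purpose when the file is named for a different VHost than the one the certificate was issued for, which is exactly the silent misconfiguration the reply describes: Tigase keeps serving its own generated certificate and nothing in the client's dialog points at the file name.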
