Creating and loading the server certificate in pem files
Server certificate
A server certificate is needed when you use secure socket connections (SSL/TLS).
You can either generate your own self-signed certificate or obtain a certificate from a trusted third-party organization.
Here are the steps to obtain a certificate from a trusted organization.
Certificate request
Before you can obtain or generate a server certificate you need a private key and a certificate request, which contains essential information about you (the entity requesting the certificate) and the domain for which you want the certificate.
- Generate the certificate request:
openssl req -nodes -new -keyout yourdomain.com.key -out yourdomain.com.csr
You will be asked a series of questions:
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:Somestate
Locality Name (eg, city) []:Your city name
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company name
Organizational Unit Name (eg, section) []:Department or any unit
Common Name (eg, YOUR name) []:*.yourdomain.com
Email Address []:your_email_address@somedomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- The command will generate 2 files for you:
yourdomain.com.csr
yourdomain.com.key
Certificate from XMPP federation
- Go to the xmpp.net website and follow instructions.
- You need to select the Server Certificate (Without CSR generation) option and copy and paste the content of the yourdomain.com.csr file when you are asked to enter your certificate request.
Certificate from other providers
There are a number of certificate providers offering certificates either for free or for a fee. You can use any of them; however, be aware that certificates from some providers, especially new ones, may not be recognized by all other XMPP servers. Here is an example list of providers:
- CAcert - free certificates with an excellent Web GUI for managing generated certificates and identities.
- StartCom - both free and paid certificates, class 1, 2 and 3. Very good GUI for managing certificates and identities.
- Verisign - very expensive certificates compared to the providers above, but the provider is recognized by everybody. If you have a certificate from Verisign you can be sure it is identified as a valid certificate.
- Comodo Certificate Authority - offers different kinds of commercial certificates.
To obtain a certificate from such a third-party authority you have to go to its website and request the certificate using the certificate request generated above. I cannot provide instructions for this, as each of the above providers has a different offer and a different user interface.
Self-signed certificate
Another option, which is not recommended, is to create a self-signed certificate. Such a certificate won't be recognized by any entity on the Internet but your own, so if another Jabber server allows connections only with a valid certificate, your installation won't be able to connect. On the other hand, a self-signed certificate is very good for a testing environment, where you can create many artificial domains and test your service's support for many virtual domains. You can generate as many certificates as you want, load them onto your server and play around.
To generate a certificate on your own, just execute the following command using the same openssl tool as above:
openssl x509 -req -days 365 -in yourdomain.com.csr -signkey yourdomain.com.key -out yourdomain.com.crt
You can, of course, put there any number of days you like.
Installing/loading certificate to the Tigase server
From version 3.1.0-b802 of the Tigase server, installing/loading certificates is very easy. The server can load all certificates directly from pem files. You just need to create a separate pem file for each of your virtual domains and put the file in a directory accessible by the server. The Tigase server can automatically load all pem files found in a given directory.
PEM file
A PEM file is a file containing the server certificate, the certificate's private key and the certificate chain, if one exists. For self-signed certificates there is no certificate chain, so creating the pem file is very simple:
cat yourdomain.com.crt yourdomain.com.key > yourdomain.com.pem
If the certificate is issued by a third-party authority you also have to attach the certificate chain, that is, the certificate of the authority that issued your certificate. You normally need to obtain the certificates for your chain from that authority. For example, if you have a certificate from the XMPP federation you need to download the StartCom root certificate and ICA certificate. In that case the pem file is created using the following command:
cat yourdomain.com.crt yourdomain.com.key sub.class1.xmpp.ca.crt ca.crt > yourdomain.com.pem
The resulting file should look similar to:
-----BEGIN CERTIFICATE-----
MIIG/TCCBeWgAwIBAgIDAOwZMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
.
.
.
pSLqw/PmSLSmUNIr8yQnhy4=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
WW91J3JlIGtpZGRpbmchISEKSSBkb24ndCBzaG93IHlvdSBvdXIgcHJpdmF0ZSBr
.
.
.
ZXkhISEhCkNyZWF0ZSB5b3VyIG93biA7KSA7KSA7KQo=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIHyTCCBbGgAwIBAgIBATANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
.
.
.
xV/stleh
-----END CERTIFICATE-----
For the Tigase server and many other servers (Apache 2.x) the order is the following: your domain certificate, your private key, the authority issuing your certificate, the root certificate.
Note! Different applications may require the certificates and private key in a pem file in a different order, so the same file may not necessarily be usable by other services such as a web server or e-mail server. We are now working on code that will support elements of the pem file in any order, to make it possible to share the pem file with other services.
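As an added example (not code from this page or from the Tigase project), the following POSIX shell script carries out the cat step above and then verifies that the resulting bundle has the block order described for Tigase: one certificate, then one private key, then only chain certificates. The certificate and key files it writes are constructed placeholders (the base64 text is not real key material), the file names are the ones used in the text, and it assumes plain awk and LF line endings.

```shell
#!/bin/sh
# Added example, not code from the Tigase page or project: assemble the pem
# file in the order the text gives for Tigase (domain certificate, private key,
# issuing CA, root CA) and verify that order before copying it into certs/.
# Assumes POSIX sh plus awk and LF line endings; file names follow the text.

# build_pem OUT CERT KEY [CHAIN_CERT...]
# Same operation as the page's cat command, concatenating in the given order.
# The result holds the unencrypted private key, so make it owner-readable only.
build_pem() {
  out=$1
  shift
  cat "$@" > "$out"
  chmod 600 "$out"
}

# pem_blocks FILE
# Print the label of every "-----BEGIN <label>-----" line, comma-separated,
# e.g. "CERTIFICATE,RSA PRIVATE KEY,CERTIFICATE,CERTIFICATE".
pem_blocks() {
  awk '/^-----BEGIN / {
         label = $0
         sub(/^-----BEGIN /, "", label)
         sub(/-----$/, "", label)
         printf "%s%s", (n++ ? "," : ""), label
       }
       END { print "" }' "$1"
}

# check_tigase_order FILE
# Exit 0 when block 1 is a certificate, block 2 a private key and every later
# block a (chain) certificate; otherwise print the first violation and exit 1.
check_tigase_order() {
  awk '/^-----BEGIN / {
         label = $0
         sub(/^-----BEGIN /, "", label)
         sub(/-----$/, "", label)
         n++
         if (bad != "") next
         if (n == 1 && label != "CERTIFICATE")
           bad = "block 1 must be the domain certificate, found " label
         else if (n == 2 && label !~ /PRIVATE KEY$/)
           bad = "block 2 must be the private key, found " label
         else if (n > 2 && label != "CERTIFICATE")
           bad = "block " n " must be a chain certificate, found " label
       }
       END {
         if (bad == "" && n + 0 < 2)
           bad = "need at least a certificate and a private key, found " (n + 0) " block(s)"
         if (bad != "") { print "BAD " FILENAME ": " bad; exit 1 }
         print "OK  " FILENAME ": " n " blocks in Tigase order"
       }' "$1"
}

# sample_block LABEL
# Constructed placeholder block (the base64 text is not real key or certificate
# material) so the demonstration runs offline; real files come from openssl.
sample_block() {
  printf '%s-----\n%s\n%s-----\n' "-----BEGIN $1" \
    "Q09OU1RSVUNURURfU0FNUExFX05PVF9SRUFMX0tFWQ==" "-----END $1"
}

demo() {
  dir=$(mktemp -d)
  sample_block CERTIFICATE       > "$dir/yourdomain.com.crt"
  sample_block 'RSA PRIVATE KEY' > "$dir/yourdomain.com.key"
  sample_block CERTIFICATE       > "$dir/sub.class1.xmpp.ca.crt"   # issuing (intermediate) CA
  sample_block CERTIFICATE       > "$dir/ca.crt"                   # root CA

  # The order given in the text: certificate, key, issuing CA, root.
  build_pem "$dir/good.pem" "$dir/yourdomain.com.crt" "$dir/yourdomain.com.key" \
            "$dir/sub.class1.xmpp.ca.crt" "$dir/ca.crt"
  check_tigase_order "$dir/good.pem"

  # Key first: an order another service might want (see the note above), rejected here.
  build_pem "$dir/key-first.pem" "$dir/yourdomain.com.key" "$dir/yourdomain.com.crt"
  check_tigase_order "$dir/key-first.pem"

  rm -rf "$dir"
}
demo
```

The check only reads the BEGIN markers, so it catches a bundle assembled in the wrong order (for example one reused from a web server that wants the key first) without touching the key material itself. Because the pem file carries the private key in the clear (the `-nodes` option in the request step leaves it unencrypted), `build_pem` restricts the file to its owner; keep the same permissions when you copy it into certs/.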
Tigase Server configuration
In order to load server certificates directly from pem files you need to have the tigase-extras package, version at least 0.1.0, installed in your server's libs/ directory. If you use a Tigase server binary package other than mini, this library is included by default. If you haven't manually changed anything in your XML configuration file, put the following line in your initial.properties file:
--ssl-container-class=tigase.extras.io.PEMSSLContextContainer
Copy all your pem files with certificates into the certs/ subdirectory of the Tigase server installation, stop the server, remove the XML configuration file and start the server. The XML configuration will be automatically regenerated with the new SSLContainer used by all components, and all certificates will be automatically loaded.
If you have changed your XML configuration file manually and cannot lose those changes, you have to manually replace the existing SSLContainer class with the new one. Just replace all occurrences of the default SSLContainer, tigase.io.SSLContextContainer, with the new one, tigase.extras.io.PEMSSLContextContainer, copy all your pem files with certificates into the certs/ subdirectory of the Tigase server installation and restart the server.
What version of the Tigase
What version of the Tigase server do you use? The current development version from SVN supports pem files out of the box without extras.
For earlier version you need a correct extras version for your server, ideally the one provided with an installer.
In any case I am surprised that the server does not start correctly if you put your add extras version. Especially the error displayed does not seem to be related to extras at all.
server starts up correctly if
server starts up correctly if tigase-extras are out of its way. Then I am back at square one with keytool managed certificates, which don't work.
Sorry for not explaining myself fully.
Matej, you are misleading me.
Matej, you are misleading me. In your first post you sent the server log which displays a problem with the server startup. So the server cannot start at all. All my comments above are related to the problem indicated in your first post.
Right now, it looks like your server is starting up and you only have some problems with the SSL certificate. What Tigase server do you use?
Have you installed the SSL certificate as in the instructions?
Is the certificate loaded correctly?
And yes, I am a Catholic but I don't care how you call your servers.
[root@hus tigase]#
This computer recognizes both luther.ceplovi.cz and hus.ceplovi.cz (hopefully, you are not a bigot Catholic to undermine my server just because of its names ;)), luther.ceplovi.cz is then registered in DNS with the external IP address of my router as _xmpp-{client,server}._tcp.ceplovi.cz host.
Yet even with all that, when I try to connect to it with Empathy (empathy-2.32.0.1-2.fc14.x86_64 and telepathy-gabble-0.10.3-1.fc14.x86_64) and I have "Require TLS/SSL connection" and "Ignore bad certificates" checked, I get this error
mcd_connection_invalidated_cb: Proxy destroyed (WOCKY_CONNECTOR_ERROR_TLS_SESSION_FAILED (#7): TLS handshake error: -9: GNUTLS_E_UNEXPECTED_PACKET_LENGTH)!
and no connection happens. Gajim does connect but only in the insecure mode. Any ideas?
For a small installation
For a small installation these settings are absolutely fine. The script runs the checks for optimal settings for a very large installation, hence warnings.
As I mentioned in my previous comment, the error you experience is probably related to the 'hostname' setting on the machine you run the Tigase.
The 'hostname' command must return something sensible and the returned value must resolve to the own machine IP address.
If you have installed Tigase on a fresh Ubuntu machine then most likely you have the hostname settings misconfigured. I do not know why they do it that way but the default configuration causes problems.
I forgot to add a system
I forgot to add the system check results and that bloody anti-spam filter claims my output to be spam, so it is at http://pastebin.com/2t4AU8zZ
[matej@luther ~]$ sh
[matej@luther ~]$ sh machine-check.sh ceplovi.cz root 2>&1|tee machine-check.log
OK, DNS settings for ceplovi.cz
OK, SRV record found _xmpp-server._tcp.ceplovi.cz
OK, SRV record found _xmpp-client._tcp.ceplovi.cz
OK, DNS settings for ceplovi.cz
OK, SRV record found _xmpp-server._tcp.ceplovi.cz
OK, SRV record found _xmpp-client._tcp.ceplovi.cz
OK, The ceplovi.cz host accessible through the network
OK, The ceplovi.cz host accessible through the network
WARNING - you should not run the Tigase server from the root account.
I am running not within root account, can't check limits for the root
WARNING - system wide fs.file-max is too low: 24552
To fix this, add following line to file: /etc/sysctl.conf
fs.file-max=1000000
-------
Add the line and adjust sysctl for running system? (yes/no) no
WARNING - IP port range is not optimal: 32768 61000
Recommended: 1024 65530
To fix this, add following line to file: /etc/sysctl.conf
net.ipv4.ip_local_port_range=1024 65530
-------
Add the line and adjust sysctl for running system? (yes/no) no

The server has exactly one user (me; may expand by two or three of more relatives), is really 25552 files too few?
The server is behind NAT with port forwarding from router to the server (no, I don't run the server on any fancy port, just default xmpp-client and xmpp-server).
Ejabberd runs in this configuration on the same server just without any problems.
Precompiled libraries can be
Precompiled libraries can be downloaded from the Tigase's maven repository. All the necessary libraries are also included in the installation package (the binary package ending with .jar) from our download page.
I recommend using the libraries included in the installation package, as this way you avoid any possible version compatibility issues.
Are you able to start Tigase without the error when you do not use the extras library? I am asking because, although this may seem strange as the error message is kind of misleading, I think the problem is related to the network configuration on your machine.
More specifically hostname settings. The machine hostname probably does not point to a correct IP address. Please check it out or have a look at this article for some more help.
Hmm, I've tried to build my
Hmm, I've tried to build my own version of tigase-extras (I cannot find them anywhere for download) out of svn. The Maven build went without a hiccup, but when I run tigase-server, I get this:
[root@luther tigase]# service tigase start ; tail -f *
Starting tigase: No params-file.conf given. Using: '/etc/tigase/tigase.conf'
Starting Tigase: Tigase running pid=7529 [ OK ]
STARTED Tigase Thu Oct 21 16:25:49 CEST 2010
2010-10-21 16:25:50 DNSResolver.() WARNING: Resolving default host name took: 176
2010-10-21 16:25:51 ConfiguratorAbstract.parseArgs() CONFIG: Setting defaults: -c=/etc/tigase/tigase.xml
2010-10-21 16:25:51 ConfiguratorAbstract.parseArgs() CONFIG: Setting defaults: --property-file=/etc/tigase/init.properties
2010-10-21 16:25:51 ConfiguratorAbstract.parseArgs() CONFIG: Loading initial properties from property file: /etc/tigase/init.properties
2010-10-21 16:25:51 ConfiguratorAbstract.parseArgs() CONFIG: Added default config parameter: (--ssl-container-class=tigase.extras.io.PEMSSLContextContainer)
2010-10-21 16:25:51 ConfiguratorAbstract.parseArgs() CONFIG: Added default config parameter: (config-type=--gen-config-def)
2010-10-21 16:25:51 ConfiguratorAbstract.parseArgs() CONFIG: Added default config parameter: (--debug=server)
2010-10-21 16:25:51 ConfiguratorAbstract.parseArgs() CONFIG: Added default config parameter: (--user-db=mysql)
2010-10-21 16:25:51 ConfiguratorAbstract.parseArgs() CONFIG: Added default config parameter: (--admins=admin@ceplovi.cz)
2010-10-21 16:25:51 ConfiguratorAbstract.parseArgs() CONFIG: Added default config parameter: (--user-db-uri=jdbc:mysql://localhost/tigasedb?user=tigase_user&password=tigase&noAccessToProcedureBodies=true)
2010-10-21 16:25:51 ConfiguratorAbstract.parseArgs() CONFIG: Added default config parameter: (--virt-hosts=ceplovi.cz)
--------------------------------------
ERROR! Terminating the server process.
Problem initializing the server: java.lang.NullPointerException
Please fix the problem and start the server again.

java.lang.NullPointerException
 at tigase.util.XMPPStringPrepSimple.nameprep(XMPPStringPrepSimple.java:47)
 at tigase.xmpp.BareJID.bareJIDInstance(BareJID.java:129)
 at tigase.xmpp.JID.jidInstance(JID.java:152)
 at tigase.server.BasicComponent.setName(BasicComponent.java:552)
 at tigase.server.XMPPServer.main(XMPPServer.java:128)

Any ideas what's wrong? Is it possible to store the certs directory somewhere else (I would prefer again somewhere in the /etc tree)?