trouble setting up certificate

Anonymous

Hi,

TLS was working out of the box but with a dummy certificate. So I tried to install a real certificate by following the instructions here:

http://www.tigase.org/content/creating-and-loading-server-certificate-pem-files

I'm using a startcom cert, and I created the concatenated PEM file in this order: domain cert, domain key, startcom intermediate cert, startcom root cert.

Now when I start the server, it no longer works (connection refused) and I see this in the log:

2010-01-24 21:35:58 ThreadExceptionHandler.uncaughtException() SEVERE: Uncaught thread: "main" exception java.lang.NoClassDefFoundError: org/bouncycastle/jce/provider/BouncyCastleProvider

I tried installing Bouncy Castle but then got different errors. I talked to another Tigase user and he said he did not have to install Bouncy Castle so I think something is fishy. Any idea of the problem?

Thanks

This is probably due to compatibility problems. I can't believe the library was not included in the installation package. I am sorry for this. The funny thing is that you are actually the first one to report it.

I will fix this in the next release, but in the meantime please use the library attached to this post. Do not forget to remove the library you downloaded from the internet.

I hope this solves your problem, if not please contact me.

justin

Thanks. I've deleted the old jar and put yours in place of it.

Now I get this in the log when starttls occurs:

2010-01-26 05:36:22 PEMSSLContextContainer.getSSLContext() SEVERE: Error on creating SSLContext for host [...myhost...] java.security.KeyStoreException: Cannot store non-PrivateKeys
at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:233)
at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:38)
at java.security.KeyStore.setKeyEntry(KeyStore.java:880)
at tigase.extras.io.PEMSSLContextContainer.loadFromPEMFile(PEMSSLContextContainer.java:396)
at tigase.extras.io.PEMSSLContextContainer.getSSLContext(PEMSSLContextContainer.java:276)
at tigase.io.TLSUtil.getSSLContext(TLSUtil.java:77)
at tigase.net.IOService.startTLS(IOService.java:184)
at tigase.server.xmppclient.ClientConnectionManager.processCommand(ClientConnectionManager.java:211)
at tigase.server.xmppclient.ClientConnectionManager.processPacket(ClientConnectionManager.java:106)
at tigase.server.AbstractMessageReceiver$QueueListener.run(AbstractMessageReceiver.java:752)

Stupid question: maybe you put in an encrypted private key???

The file with keys and certificates should look like this:
-----BEGIN CERTIFICATE-----
MIIG/TCCBeWgAwIBAgIDAOwZMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
.
.
.
pSLqw/PmSLSmUNIr8yQnhy4=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
WW91J3JlIGtpZGRpbmchISEKSSBkb24ndCBzaG93IHlvdSBvdXIgcHJpdmF0ZSBr
.
.
.
ZXkhISEhCkNyZWF0ZSB5b3VyIG93biA7KSA7KSA7KQo=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIHyTCCBbGgAwIBAgIBATANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
.
.
.
xV/stleh
-----END CERTIFICATE-----

justin

Ah hah, it seems that Tigase does not support PKCS#8 keys. This is the universal container format for private keys, which uses "-----BEGIN PRIVATE KEY-----".

I've converted the key to the RSA-specific format which uses "-----BEGIN RSA PRIVATE KEY-----" and now it works!

By the way, here is how to convert with the 'openssl' tool:

openssl rsa -in private_key.pem > private_key_rsa.pem
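
An added checker for the bundle layout shown in the reply above and for the PKCS#8 versus PKCS#1 distinction in this post. This is example code written for this page, not code from the thread or from the Tigase project; it only inspects the text of the file, the DER bodies it builds for its samples are constructed placeholders with the right outer structure rather than real keys or certificates, and the openssl commands it names in its messages are the standard ones, not anything Tigase-specific.

```python
"""Check a concatenated PEM bundle laid out as server cert, private key, CA chain.

Added example for this page (not from the thread or from Tigase). It flags the
mistakes discussed above: a PKCS#8 "BEGIN PRIVATE KEY" block or an encrypted key
where a PKCS#1 "BEGIN RSA PRIVATE KEY" is expected, a key whose DER does not
match its PEM label, and a key that does not directly follow the server cert.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "EC PRIVATE KEY"}


def parse_pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (label, body) for every PEM block in file order."""
    return [(m.group("label"), m.group("body")) for m in PEM_BLOCK.finditer(text)]


def body_to_der(body: str) -> Optional[bytes]:
    """Drop RFC 1421 header lines (Proc-Type:, DEK-Info:) and decode the base64; None if invalid."""
    b64 = "".join(ln.strip() for ln in body.splitlines() if ln.strip() and ":" not in ln)
    try:
        return base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None


def der_tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Return (tag, value_start, value_end) of the DER element at pos (definite lengths only)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def key_structure(der: bytes) -> str:
    """Tell PKCS#1 from PKCS#8 by the second element of the outer SEQUENCE.

    PKCS#1 RSAPrivateKey:   SEQUENCE { INTEGER version, INTEGER modulus, ... }
    PKCS#8 PrivateKeyInfo:  SEQUENCE { INTEGER version, SEQUENCE algorithm, OCTET STRING key }
    """
    try:
        tag, start, _ = der_tlv(der, 0)
        if tag != 0x30:
            return "not-a-sequence"
        t1, _, end1 = der_tlv(der, start)
        t2, _, _ = der_tlv(der, end1)
    except IndexError:
        return "truncated"
    if t1 != 0x02:
        return "unknown"
    return {0x02: "pkcs1", 0x30: "pkcs8"}.get(t2, "unknown")


def check_bundle(text: str) -> List[str]:
    """Return a list of problems; an empty list means the bundle matches the expected layout."""
    blocks = parse_pem_blocks(text)
    if not blocks:
        return ["no PEM blocks found"]
    problems: List[str] = []
    if blocks[0][0] != "CERTIFICATE":
        problems.append(f"first block must be the server certificate, found '{blocks[0][0]}'")
    keys = [(i, lbl, body) for i, (lbl, body) in enumerate(blocks) if lbl in KEY_LABELS]
    if len(keys) != 1:
        return problems + [f"expected exactly one private key block, found {len(keys)}"]
    idx, label, body = keys[0]
    if idx != 1:
        problems.append(f"private key is block {idx + 1}; it must directly follow the server certificate")
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
        return problems + ["private key is encrypted; the loader needs an unencrypted key "
                           "(openssl rsa -in key.pem -out key_rsa.pem asks for the passphrase and strips it)"]
    der = body_to_der(body)
    if der is None:
        return problems + ["private key body is not valid base64"]
    structure = key_structure(der)
    if label == "PRIVATE KEY":
        problems.append("private key is PKCS#8 (BEGIN PRIVATE KEY); convert it with "
                        "openssl rsa -in key.pem -out key_rsa.pem")
    elif label == "RSA PRIVATE KEY" and structure != "pkcs1":
        problems.append(f"block is labelled RSA PRIVATE KEY but its DER looks like {structure}; "
                        "re-run the openssl conversion instead of editing the header line")
    if sum(1 for lbl, _ in blocks if lbl == "CERTIFICATE") < 2:
        problems.append("no issuer certificates follow the key (fine only for a self-signed certificate)")
    return problems


def _pem(label: str, der: bytes, headers: str = "") -> str:
    return f"-----BEGIN {label}-----\n{headers}{base64.b64encode(der).decode()}\n-----END {label}-----\n"


# Constructed placeholder DER with only the outer shape of the real structures (not real material).
_CERT_DER = b"\x30\x03\x02\x01\x00"               # SEQUENCE { INTEGER 0 }
_PKCS1_DER = b"\x30\x06\x02\x01\x00\x02\x01\x05"   # SEQUENCE { INTEGER 0, INTEGER 5 }
_PKCS8_DER = b"\x30\x05\x02\x01\x00\x30\x00"       # SEQUENCE { INTEGER 0, SEQUENCE {} }

SAMPLE_CERT = _pem("CERTIFICATE", _CERT_DER)
SAMPLE_PKCS1_KEY = _pem("RSA PRIVATE KEY", _PKCS1_DER)
SAMPLE_PKCS8_KEY = _pem("PRIVATE KEY", _PKCS8_DER)
SAMPLE_MISLABELLED_KEY = _pem("RSA PRIVATE KEY", _PKCS8_DER)
SAMPLE_ENCRYPTED_KEY = _pem("RSA PRIVATE KEY", b"\x00" * 16,
                            headers="Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n")
GOOD_BUNDLE = SAMPLE_CERT + SAMPLE_PKCS1_KEY + SAMPLE_CERT

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CERT + SAMPLE_PKCS8_KEY + SAMPLE_CERT
    for line in check_bundle(text) or ["bundle layout looks right"]:
        print(line)
```

Run it as `python check_bundle.py server.pem`; without an argument it checks a built-in sample with a PKCS#8 key and reports the conversion. `openssl rsa -in private_key.pem -out private_key_rsa.pem` is the same conversion as the redirect form in the post, and `openssl pkcs8 -topk8 -nocrypt -in private_key_rsa.pem -out private_key.pem` goes back the other way. To confirm the certificate and key in the bundle belong together, compare `openssl x509 -noout -modulus -in server.pem` with `openssl rsa -noout -modulus -in private_key_rsa.pem`.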

Thank you very much for the hint. I will ask Bartek to update the doc. We have also started to work on a better/easier support for certificates with some UI for managing them. This should solve this kind of issues in the future.

justin

By the way, I should have mentioned: bcprov is still not provided even in the latest beta (2135). But if I use the file you attached here then the server works.

I have just installed Tigase from the Tigase installer and bcprov was installed with the default settings.

justin

Ah, I just used the .tar.gz

Ah, yes, indeed, there are no third-party libraries in the tar.gz, but I think I can relax this restriction in the next releases.

Hello,

I have tried to enable the TLSPem loader, using the latest release. I am getting the same error and I notice that there isn't a bouncycastle jar anywhere. Is this supposed to be this way? Is this setting no longer valid, if so what is the procedure to do this? I can just add the jar but want to do it the recommended way. Please advise.

Thanks!

Nick

The latest version, 5.1.x, does not require the bouncycastle library anymore. PEM files are enabled by default and are actually the default way to store server certificates. No need for special settings.
If you start the Tigase server and try to connect via TLS to one of the vhosts, you should see automatically generated self-signed certificates in the certs/ directory.