SSL certificates issue (#1228)
Closed
Andrzej Wójcik (Tigase) opened 4 years ago

After updating my installation hi-low.eu with the latest build of Tigase XMPP Server (-dist-max, currently latest), I've encountered an issue with SSL certificates.

  1. My certificates on disk were overwritten with newly generated (self-signed) certificates
  2. Tigase complained about a missing method CertificateUtil::getCertificateFingerprint()
Andrzej Wójcik (Tigase) commented 4 years ago

After further analysis, I ended up manually updating tigase-utils.jar with a version built from the latest commit in the repository.

After I recreated the certificates and placed them in the repository, Tigase XMPP Server once again overwrote them and became unusable. I could not connect to the installation with BeagleIM to upload new certificates manually, as Tigase XMPP Server complained about "no cipher suites in common".

After turning off Tigase, removing the self-signed certificates, removing the tig_pairs entries for certificate-manager, and restoring the certificates in the directory, Tigase finally started and I was able to connect with BeagleIM. However, my default certificate was overwritten once again and Tigase used new SSL certificates from the database (once again automatically generated and self-signed) even though there were valid SSL certificates in the certs directory.

Finally, after uploading the SSL certificate via an ad-hoc command, Tigase became usable once again.

I'm not sure what exactly caused this issue; however, SSL certificates disappearing, and autogenerated self-signed SSL certificates from the database being used instead of the available certificates in the directory, is just weird. It would be nice if Tigase XMPP Server would at least mention the issue and allow us to "set" (load from a file) this certificate into the database with some utility (not connecting via XMPP, as this may not be available, i.e. the XMPP client cannot connect or VHost settings do not allow a connection with an invalid/missing SSL certificate).

Either way, that was very weird and unexpected behaviour while upgrading a fully working and quite up-to-date (updated 3 months ago) installation.

@wojtek Please review whether this behaviour is correct or "something" happens. It would be nice to have a solution for issues like that.

Moreover, how do we now update certificates from Let's Encrypt? Until now I was able to just "merge" the SSL certificate files and restart Tigase. What is the currently suggested approach? I'm asking in the context of Kangaroo, as it may be using Let's Encrypt certificates quite often...

Andrzej Wójcik (Tigase) commented 4 years ago

I've set this issue to priority Major as it may cause obstacles for anyone updating a working Tigase XMPP Server installation or just trying to deploy Tigase for the first time.

Andrzej Wójcik (Tigase) commented 4 years ago

After restarting the server I've ended up once again with this error:

[2021-01-10 18:21:39:753] [INFO    ] [  ConnectionOpenThread ] SSLContextContainer.getHardenedMode(): Using hardened-mode: secure for domain: null
[2021-01-10 18:21:39:764] [INFO    ] [     pool-34-thread-16 ] IOService.readData()             : Exception starting connection [TLS: SocketIO, ID: c2s@xmpp.hi-low.eu/172.16.1.8_5223_172.16.0.1_49563, connected Socket[addr=/172.16.0.1,port=49563,localport=5223]] javax.net.ssl.SSLHandshakeException: no cipher suites in common
Andrzej Wójcik (Tigase) commented 4 years ago

And why is it trying to use a self-signed wildcard certificate:

[2021-01-10 18:21:16:855] [INFO    ] [              in_1-c2s ] SSLContextContainer.getHardenedMode(): Using hardened-mode: relaxed for domain: hi-low.eu
[2021-01-10 18:21:16:973] [INFO    ] [      pool-34-thread-8 ] CertificateUtil.isSelfSigned()   : Self-signed certificate for domain: CN=*.hi-low.eu, EMAILADDRESS=admin@tigase.org, OU=XMPP Service, O=Tigase.org

It should use the certificate for hi-low.eu and not for *.hi-low.eu.

Andrzej Wójcik (Tigase) commented 4 years ago

The issue appears after server restart.

Andrzej Wójcik (Tigase) commented 4 years ago

It looks like the issue (using a wrong SSL certificate, no common ciphers) appears after a server restart and is solved by setting the certificate via ad-hoc (i.e. with the admin web console).

Andrzej Wójcik (Tigase) commented 4 years ago

tig_pairs contains currently following entry:

<certificate fingerprint="01e3457c8aa69d6d4d7534b976a579e3e701fa4e" is-default="true" alias="*.default" pem-certificate="-----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----- [...] -----END PRIVATE KEY----- "/>
<certificate fingerprint="d3c8d7cdc95daf10e02d0fe07b9506d9033f743f" is-default="true" alias="hi-low.eu" pem-certificate="-----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----------END PRIVATE KEY----- -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- "/>
<certificate fingerprint="12d98eb1725503f4da5e58644712b13cc1e3b48a" is-default="false" alias="muc.hi-low.eu" pem-certificate="-----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- "/>
<certificate fingerprint="d8bb96a7508a1f07f929de7429c36a99cea01748" is-default="false" alias="pubsub.hi-low.eu" pem-certificate="-----BEGIN CERTIFICATE----- MIICRjCCAa8CBF7qacswDQYJKoZIhvcNAQEFBQAwajETMBEGA1UEChMKVGlnYXNlLm9yZzEVMBMGA1UECxMMWE1QUCBTZXJ2aWNlMR8wHQYJKoZIhvcNAQkBFhBhZG1pbkB0aWdhc2Uub3JnMRswGQYDVQQDDBIqLnB1YnN1Yi5oaS1sb3cuZXUwHhcNMjAwNjE3MTkwNjUxWhcNMjEwNjE3MTkwNjUxWjBqMRMwEQYDVQQKEwpUaWdhc2Uub3JnMRUwEwYDVQQLEwxYTVBQIFNlcnZpY2UxHzAdBgkqhkiG9w0BCQEWEGFkbWluQHRpZ2FzZS5vcmcxGzAZBgNVBAMMEioucHVic3ViLmhpLWxvdy5ldTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA6c3CPF7TCJvUEsXvMp5evLZjT2xOyZ8wHpCN7uxgp8cYCjXraaM8z2UBjpl7TO8SWCKoeyApRWMGxpW+WXRfA/82ctNEisfUFoJz/LNDVqaTuDrqG+hM/f+FDOM8XeBpnaEuel7XVuwsaQmmlNroP+cWGjDOk7dCYZ+RosCXsH8CAwEAATANBgkqhkiG9w0BAQUFAAOBgQCGFQHtRV+sE+Nd30pRpjKcjcxX0K2CrQGvifrLQvUEXiGjLxUYUg74jk1lx+bHwTZiKuipYIR4F87TER7QYecMaEJp1ldTTzuthN70mThFAfnyBoijXw7jj67CHaiRvhU9rr/5LBVDXR/K9K5IgwNaw/QdajXVxemgfb3xXkkzYg== -----END CERTIFICATE----- "/>
<certificate fingerprint="e3bc7f9849d14711bcabba9b7160f5685c668f55" is-default="false" alias="xmpp.hi-low.eu" pem-certificate="-----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- "/>
wojciech.kapcia@tigase.net commented 4 years ago

You are correct that there is something weird going on - I'll investigate.

Regarding:

Moreover, how do we now update certificates from Let's Encrypt? Until now I was able to just "merge" the SSL certificate files and restart Tigase. What is the currently suggested approach? I'm asking in the context of Kangaroo, as it may be using Let's Encrypt certificates quite often...

They would be updated either locally from the instance (issue #817) or externally. In either case, having to "just merge" wouldn't work with how Kangaroo would be deployed and managed (EB could recreate the instance just like that), making a filestore simply a no-go, hence the whole idea to move the certificate store to the database.

One question: when you updated the certificate using ad-hoc, did you select "use as default" by any chance?

Andrzej Wójcik (Tigase) commented 4 years ago

Yes, I did as I wanted hi-low.eu certificate to be default.

Andrzej Wójcik (Tigase) commented 4 years ago

I know that having SSL certificates on disk is a no-go for Kangaroo, but it would be useful to have a utility to simply load an SSL certificate from a file into the database (i.e. a certificate generated by Let's Encrypt). By utility, I mean a command line tool.

Andrzej Wójcik (Tigase) commented 4 years ago

I'm actually quite irritated by the current behaviour of Tigase XMPP Server, as it just decided to overwrite my ("valid") SSL certificate in the database and use a new certificate, disconnecting me.

It looks like it restarted after a JVM crash:

#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x00007f631bddeb02, pid=60, tid=82
#
# JRE version: OpenJDK Runtime Environment 18.9 (11.0.8+10) (build 11.0.8+10)
# Java VM: OpenJDK 64-Bit Server VM 18.9 (11.0.8+10, mixed mode, tiered, compressed oops, g1 gc, linux-amd64)
# Problematic frame:
# V  [libjvm.so+0x789b02]  G1ParScanThreadState::copy_to_survivor_space(InCSetState, oopDesc*, markOopDesc*)+0x42
#
# No core dump will be written. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
#
# An error report file with more information is saved as:
# /tmp/hs_err_pid60.log
#
# If you would like to submit a bug report, please visit:
#   https://bugreport.java.com/bugreport/crash.jsp
#

After the automatic restart I found the following lines:

[2021-01-12 11:43:20:635] [WARNING ] [  ConnectionOpenThread ] SocketThread.<clinit>()          : 17 socketReadThreads started.
[2021-01-12 11:43:20:684] [WARNING ] [  ConnectionOpenThread ] SocketThread.<clinit>()          : 17 socketWriteThreads started.
[2021-01-12 11:43:21:061] [WARNING ] [              in_1-c2s ] CertificateContainer.createCertificate(): Auto-generated certificate for domain: hi-low.eu

In the database I now have the following entries:

<certificate pem-certificate="-----BEGIN CERTIFICATE----- MIICNDCCAZ0CBF/9iv8wDQYJKoZIhvcNAQEFBQAwYTETMBEGA1UEChMKVGlnYXNlLm9yZzEVMBMGA1UECxMMWE1QUCBTZXJ2aWNlMR8wHQYJKoZIhvcNAQkBFhBhZG1pbkB0aWdhc2Uub3JnMRIwEAYDVQQDDAkqLmRlZmF1bHQwHhcNMjEwMTEyMTE0MTUxWhcNMjIwMTEyMTE0MTUxWjBhMRMwEQYDVQQKEwpUaWdhc2Uub3JnMRUwEwYDVQQLEwxYTVBQIFNlcnZpY2UxHzAdBgkqhkiG9w0BCQEWEGFkbWluQHRpZ2FzZS5vcmcxEjAQBgNVBAMMCSouZGVmYXVsdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmsb3kSByB7uUBCXvxEShoksPQVxBk5jXCe0rnZ4kJcR7MBe/PPCp6w/cU9Usa4wjVnMgMFWAJU2g8BD4vLNA8cYeWXRPhL2nyRbOpuJMMck9H88TaMsHNdXrXQ8Z9Rn+E16ZwExKkavZkIFTotdbzxSjIPfJTGC6iCqfZbKLlm0CAwEAATANBgkqhkiG9w0BAQUFAAOBgQAnN1Dwc7w0UocvbGzleZqPEIlI4GhfbgK5LXWZ9ic/sBhxr9devSZw/QYEfsI6rX1KyKNstHhO0jInUUwJKc3k2t23K6RoHEQhn+H1OXIl/37yj11tYe+hNr8k1LMn7ssWP7BrIJmG0qV+0vEEJ10MVikt/b5u3JM8E55iXYHvEw== -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----- [...] -----END PRIVATE KEY----- " fingerprint="ed6d62ff24efeef11fd0d414bc75bcb21271d049" alias="*.default" is-default="true"/>
<certificate pem-certificate="-----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----- [...] -----END PRIVATE KEY----- " fingerprint="22dcefa9a775a60044ee90626850e006bef8461f" alias="hi-low.eu" is-default="false"/>
<certificate pem-certificate="-----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- " fingerprint="12d98eb1725503f4da5e58644712b13cc1e3b48a" alias="muc.hi-low.eu" is-default="false"/>
<certificate pem-certificate="-----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- " fingerprint="d8bb96a7508a1f07f929de7429c36a99cea01748" alias="pubsub.hi-low.eu" is-default="false"/>
<certificate pem-certificate="-----BEGIN CERTIFICATE----- MIICQjCCAasCBF19nVMwDQYJKoZIhvcNAQEFBQAwaDETMBEGA1UEChMKVGlnYXNlLm9yZzEVMBMGA1UECxMMWE1QUCBTZXJ2aWNlMR8wHQYJKoZIhvcNAQkBFhBhZG1pbkB0aWdhc2Uub3JnMRkwFwYDVQQDDBAqLnhtcHAuaGktbG93LmV1MB4XDTE5MDkxNTAyMDkyM1oXDTIwMDkxNDAyMDkyM1owaDETMBEGA1UEChMKVGlnYXNlLm9yZzEVMBMGA1UECxMMWE1QUCBTZXJ2aWNlMR8wHQYJKoZIhvcNAQkBFhBhZG1pbkB0aWdhc2Uub3JnMRkwFwYDVQQDDBAqLnhtcHAuaGktbG93LmV1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC82cLwDRfcxfyRCjIBfkq5cCyDpwMtgWudUWQuVDt5ka6OmWTzO2OiC4XM8KRhJkh60f3dYCM53vugyXHIUtD5fMnNjfogE9tIEhmW18PbkdMPBra9lf3cgXm5uERJIwajshRYoLHR5jbaHxqmy0K6mk2fbs4hnpy0vJ7iQFD9nwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAB80U+ctQKHwsYSfxpWipB37qMxv3RuhT5ril/TiCkpNgzzaB7NnJT7tFFirHVgfzmRSlQDzHppk+qgSGBRXPKQNKtB/7MTHpk59fPF58sEXEOm2of3mCozV1i+wJ8/ei1RhchSUIlbhckQND39egTltBsUWbL/5n9tAtt/zN56W -----END CERTIFICATE----- " fingerprint="e3bc7f9849d14711bcabba9b7160f5685c668f55" alias="xmpp.hi-low.eu" is-default="false"/>
wojciech.kapcia@tigase.net commented 4 years ago

Apologies for the inconvenience. I've pushed some improvements: made using the repository optional (which requires explicit configuration), made it 'either/or' (enabling the repository disables filesystem usage), and added relevant documentation.

Please keep in mind that those are nightlies nevertheless and they can contain errors…

Andrzej Wójcik (Tigase) commented 4 years ago

Sorry about my latest comment

I'm actually quite irritated by current behaviour of Tigase XMPP Server:

I had a working and stable server and it stopped working after this upgrade while I considered this version quite stable at this point.

The current version still overrides files with a self-signed certificate. I've decided to rollback.

wojciech.kapcia@tigase.net commented 4 years ago

I checked it again and I think I know what happens. I changed one call from CertificateUtil.loadCertificate(File file) to CertificateUtil.loadCertificate(byte[] cert). It turns out that the latter only loads a single certificate and not the complete chain and private key, which caused the issue with overriding certificates.
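The following is an added example written for this thread; it is not Tigase code and does not use Tigase APIs. It splits a PEM bundle into every block the way a full loader must, reports what the bundle holds, and flags a self-signed leaf by comparing the DER issuer and subject Names, which is the pre-upload check the earlier request for a load-from-file utility would want. Sample input is the self-signed *.pubsub.hi-low.eu certificate pasted above, followed by a constructed placeholder private-key block (not a real key; only its presence is checked). The SHA-1 over the DER is reported on the assumption, not verified here, that this is what the fingerprint attribute stores. Handing usable_for_tls() only the first block reproduces what the single-certificate loader described in the previous comment saw: a certificate with no private key, so nothing the server can serve.

```python
# Added example (not Tigase code): parse a PEM bundle fully and show why reading
# only the first block leaves no private key behind for TLS.
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def split_pem(text):
    """Return every PEM block in file order as (label, DER bytes)."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_BLOCK.findall(text)]


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def cert_names(der):
    """Return (issuer, subject) as raw DER Name encodings from an X.509 certificate."""
    _, p, _ = _tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, p, _ = _tlv(der, p)                  # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                         # [0] EXPLICIT version, absent in v1 certs
        p = end
    fields = []
    for expected in (0x02, 0x30, 0x30, 0x30, 0x30):   # serial, sigAlg, issuer, validity, subject
        tag, _, end = _tlv(der, p)
        if tag != expected:
            raise ValueError("unexpected DER structure at offset %d" % p)
        fields.append(der[p:end])           # keep the whole TLV so Names compare byte-for-byte
        p = end
    return fields[2], fields[4]


def common_name(name_der):
    """Pull the commonName (OID 2.5.4.3) out of a DER Name, or None if absent."""
    i = name_der.find(b"\x06\x03\x55\x04\x03")   # OID TLV; value string follows it
    if i < 0:
        return None
    _, s, e = _tlv(name_der, i + 5)
    return name_der[s:e].decode("utf-8", "replace")


def describe_bundle(text):
    """Summarise a PEM bundle; the leaf is the first certificate in the file."""
    blocks = split_pem(text)
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    # An empty key block (as in the stripped tig_pairs dump above) does not count.
    keys = [der for label, der in blocks if label.endswith("PRIVATE KEY") and der]
    report = {"certs": len(certs), "keys": len(keys),
              "leaf_cn": None, "leaf_self_signed": None, "leaf_sha1": None}
    if certs:
        issuer, subject = cert_names(certs[0])
        report["leaf_cn"] = common_name(subject)
        report["leaf_self_signed"] = issuer == subject   # identical Names => self-issued
        report["leaf_sha1"] = hashlib.sha1(certs[0]).hexdigest()
    return report


def usable_for_tls(blocks):
    """A server entry needs a leaf certificate AND its private key; the chain is optional."""
    has_cert = any(label == "CERTIFICATE" for label, _ in blocks)
    has_key = any(label.endswith("PRIVATE KEY") and der for label, der in blocks)
    return has_cert and has_key


# Sample input: the self-signed *.pubsub.hi-low.eu certificate from this thread, plus a
# CONSTRUCTED placeholder key block (not a real key; its DER is never parsed here).
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIICRjCCAa8CBF7qacswDQYJKoZIhvcNAQEFBQAwajETMBEGA1UEChMKVGlnYXNlLm9yZzEVMBMGA1UECxMMWE1QUCBTZXJ2aWNlMR8wHQYJKoZIhvcNAQkBFhBhZG1pbkB0aWdhc2Uub3JnMRswGQYDVQQDDBIqLnB1YnN1Yi5oaS1sb3cuZXUwHhcNMjAwNjE3MTkwNjUxWhcNMjEwNjE3MTkwNjUxWjBqMRMwEQYDVQQKEwpUaWdhc2Uub3JnMRUwEwYDVQQLEwxYTVBQIFNlcnZpY2UxHzAdBgkqhkiG9w0BCQEWEGFkbWluQHRpZ2FzZS5vcmcxGzAZBgNVBAMMEioucHVic3ViLmhpLWxvdy5ldTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA6c3CPF7TCJvUEsXvMp5evLZjT2xOyZ8wHpCN7uxgp8cYCjXraaM8z2UBjpl7TO8SWCKoeyApRWMGxpW+WXRfA/82ctNEisfUFoJz/LNDVqaTuDrqG+hM/f+FDOM8XeBpnaEuel7XVuwsaQmmlNroP+cWGjDOk7dCYZ+RosCXsH8CAwEAATANBgkqhkiG9w0BAQUFAAOBgQCGFQHtRV+sE+Nd30pRpjKcjcxX0K2CrQGvifrLQvUEXiGjLxUYUg74jk1lx+bHwTZiKuipYIR4F87TER7QYecMaEJp1ldTTzuthN70mThFAfnyBoijXw7jj67CHaiRvhU9rr/5LBVDXR/K9K5IgwNaw/QdajXVxemgfb3xXkkzYg==\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\n"
    + base64.b64encode(b"placeholder-not-a-real-key").decode() + "\n"
    "-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    blocks = split_pem(SAMPLE_BUNDLE)
    print(describe_bundle(SAMPLE_BUNDLE))
    print("full bundle usable for TLS:", usable_for_tls(blocks))
    print("first block only usable for TLS:", usable_for_tls(blocks[:1]))  # what a one-cert loader sees
```

Run it against the exact bundle you intend to upload (for a Let's Encrypt deployment that would be certbot's fullchain.pem followed by privkey.pem) and again after a restart against what the server actually stored: a report with keys == 0 or leaf_self_signed == True for a domain that should carry a CA-issued certificate is the condition this thread describes, caught before clients see "no cipher suites in common".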

Andrzej Wójcik (Tigase) commented 4 years ago

Just checked this new version and now it works without any issues (with the use of files as certificate storage).

Type: Bug
Priority: Major
Version: tigase-server-8.2.0
Spent time: 7h 45m
Issue votes: 0
Watchers: 0
Reference: tigase/_server/server-core#1228