Projects tigase _server server-core Issues #1440
Using a Let's Encrypt certificate, but every application tells me "certificate is self-signed" (#1440)
Unknown opened 4 years ago

Describe the bug: I used a certificate from Let's Encrypt, but every application tells me "certificate is self-signed".

To Reproduce: Steps to reproduce the behavior:

  1. Go to 'Psi'
  2. Do 'Connect your private server'
  3. You can see the error report.

Impact: It's not secure.

Expected behavior: It is secure.

Additional context: I store the pem file at certs/domain.pem (the pem file is created by Let's Encrypt and I put all files into domain.pem). When I start tigase.sh, it always logs 'Cannot load certficate from file: certs/im.thebd.xyz.pem' at level WARN. And sometimes it will create a new certificate under the certs/ directory.

  • Unknown commented 4 years ago

Additional: When I use the command 'java -cp ./jars/tigase-utils.jar tigase.cert.CertificateUtil -lc certs/domian.pem -simple', the log is:

    Apr 29, 2021 8:04:27 PM tigase.cert.CertificateUtil getCertCName
    FINE: Certificate DN: *.domain
    Apr 29, 2021 8:04:27 PM tigase.cert.CertificateUtil getCertAltCName
    FINE: Certificate alternative names: [*.domain]
    Apr 29, 2021 8:04:27 PM tigase.cert.CertificateUtil getCertCName
    FINE: Certificate DN: R3
    Apr 29, 2021 8:04:27 PM tigase.cert.CertificateUtil getCertAltCName
    FINE: Certificate alternative names: []
    Apr 29, 2021 8:04:27 PM tigase.cert.CertificateUtil getCertCName
    FINE: Certificate DN: Let's Encrypt Authority X3
    Apr 29, 2021 8:04:27 PM tigase.cert.CertificateUtil getCertAltCName
    FINE: Certificate alternative names: []
    Apr 29, 2021 8:04:27 PM tigase.cert.CertificateUtil getCertCName
    FINE: Certificate DN: ISRG Root X1
    Apr 29, 2021 8:04:27 PM tigase.cert.CertificateUtil getCertAltCName
    FINE: Certificate alternative names: []
    Private key: SunRsaSign RSA private CRT key, 2048 bits
      params: null
      modulus: 22331568478156696719327284107610696658750163071798959734805457951667308165364762090496590441358874483959520263155284318785402053422077793615949798361970942793794757576153138240493430030378577708395713300554006215269595993614873701672348614231568686123509863629881200539682435648263428922359587459851076818316217328177768944509493319022215502443535315240180259364670356893655771856899205646371614733322485360993237143763839072473078977050040217612946067381930656164685948238769692074127683331810019346170105062328905184624974334064928308834600570852944800733763042860897629809623916289292512360329156972384769608296021
      private exponent: 16860185975848655777229870418917211203975739945261646515375651303057790378293916844496563697429499511212247472739421519042704023732004962511515571706827017554007119716618967608215434302808063002752947100285521576079765777561742996456166889423959268648111266191716462497573689913729259244065983910057391717202063021624727365865814441179444595188679115539531597834474148967138217106159087522682902349966341059850633387154579963509084335321823043988336171939692620453466220331754000104038641476088761797509887297461559405152773110640200438121362703708354889669582854160732965596161580321484516945888389423819435251882753
    CN: *.domain
    	alt: [*.domain]
    	Issuer: CN=R3, O=Let's Encrypt, C=US
    	Not Before: Thu Apr 29 18:39:46 CST 2021
    	Not After: Wed Jul 28 18:39:46 CST 2021
    
    CN: R3
    	Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
    	Not Before: Thu Oct 08 03:21:40 CST 2020
    	Not After: Thu Sep 30 03:21:40 CST 2021
    
    CN: Let's Encrypt Authority X3
    	Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
    	Not Before: Thu Oct 06 23:43:55 CST 2016
    	Not After: Wed Oct 06 23:43:55 CST 2021
    
    CN: ISRG Root X1
    	Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
    	Not Before: Thu Jun 04 19:04:38 CST 2015
    	Not After: Mon Jun 04 19:04:38 CST 2035
    
    Exception in thread "main" java.lang.RuntimeException: Can't find certificate CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US in chain. Verify that all entries are correct and match against each other!
    	at tigase.cert.CertificateUtil.sort(CertificateUtil.java:722)
    	at tigase.cert.CertificateUtil.sort(CertificateUtil.java:693)
    	at tigase.cert.CertificateUtil.main(CertificateUtil.java:471)
    
  • Unknown commented 4 years ago

    Your chain is invalid: your certificate CN: *.domain was issued by: CN=R3 (Issuer: CN=R3). You have certificate for that issuer (CN: R3), which was issued by DST Root CA X3 (Issuer: CN=DST Root CA X3).

    It should look like this (one of the variants, but you can see correct chain order):

    CN: tigase.im
    	alt: [*.tigase.im, tigase.im]
    	Issuer: CN=R3, O=Let's Encrypt, C=US
    	Not Before: Sun Mar 28 21:14:29 CEST 2021
    	Not After: Sat Jun 26 21:14:29 CEST 2021
    	Fingerprint: 7914a2b90dda852b3fc13f6215a679eb01912ffe
    
    CN: R3
    	Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
    	Not Before: Wed Oct 07 21:21:40 CEST 2020
    	Not After: Wed Sep 29 21:21:40 CEST 2021
    	Fingerprint: 48504e974c0dac5b5cd476c8202274b24c8c7172
    
    CN: DST Root CA X3
    	Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
    	Not Before: Sat Sep 30 23:12:19 CEST 2000
    	Not After: Thu Sep 30 16:01:15 CEST 2021
    	Fingerprint: dac9024f54d8f6df94935fb1732638ca6ad77c13
    

    Relevant background information can be found here: https://letsencrypt.org/2020/12/21/extending-android-compatibility.html

In your case it seems that you used an incorrect R3 certificate and the chain is incomplete (yours was issued by DST Root CA X3, while you should use the one issued by ISRG Root X1).

  • Unknown commented 4 years ago

@woj-tek Thanks, I will try it.

  • Unknown commented 4 years ago

@woj-tek Hello, I see the last entry of the chain, ISRG Root X1, was downloaded with wget https://letsencrypt.org/certs/isrgrootx1.pem, which is from the Tigase guide (https://docs.tigase.net/tigase-server/master-snapshot/Administration_Guide/html/#ServerCertificates).

  • Unknown commented 4 years ago

    As I said - the chain with DST Root CA X3 is only an example.

Alternatively, and recommended, would be using ISRG Root X1; thus in your case the chain would look like this: *.domain -> R3 -> ISRG Root X1.

You must always consult the Let's Encrypt website for the correct certificate order:

In this case you should download the following:

    wget https://letsencrypt.org/certs/isrgrootx1.pem
    wget https://letsencrypt.org/certs/lets-encrypt-r3.pem
    

    And then merge them all:

    cat ./cert.pem ./privkey.pem ./lets-encrypt-r3.pem ./isrgrootx1.pem > mydomain.com.pem
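The replies above do the chain check by eye: each certificate's Issuer has to be the subject of the next entry in the merged file, and the file has to end in a self-signed root. The script below, an added example that is not part of Tigase or of this thread, automates that check over the text that `CertificateUtil -lc <file> -simple` prints (the format shown earlier in this issue) and also flags entries that are outside their validity period. The sample listings are constructed from the output posted here; the validity dates of the ISRG-issued R3 in the second sample are placeholders rather than values from the page, and the check date 2021-05-01 is likewise an assumption.

```python
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass
class CertInfo:
    cn: str            # subject CN printed after "CN: "
    issuer_cn: str     # CN component of the "Issuer:" line
    not_before: datetime
    not_after: datetime


def _parse_date(text: str) -> datetime:
    # Dates look like "Thu Apr 29 18:39:46 CST 2021"; the zone token is
    # dropped because strptime's %Z accepts only a handful of names.
    parts = text.split()
    del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def parse_listing(text: str) -> list[CertInfo]:
    """Parse the "CN: ..." blocks of the listing, in file order."""
    blocks: list[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("CN: "):
            blocks.append({"cn": line[4:].strip()})
        elif not blocks:
            continue  # FINE:/Private key lines printed before the first block
        elif line.startswith("Issuer:"):
            m = re.search(r"CN=([^,]+)", line)
            blocks[-1]["issuer_cn"] = m.group(1).strip() if m else ""
        elif line.startswith("Not Before:"):
            blocks[-1]["not_before"] = _parse_date(line.split(":", 1)[1])
        elif line.startswith("Not After:"):
            blocks[-1]["not_after"] = _parse_date(line.split(":", 1)[1])
    return [CertInfo(**b) for b in blocks]


def check_chain(certs: list[CertInfo], now) -> list[str]:
    """Return problems with the order (empty list = usable chain). Entry 0 must
    be the server cert, each later entry the issuer of the one before it, and
    the last entry a self-signed root. `now` is a datetime or an ISO date."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if not certs:
        return ["no certificates found in listing"]
    problems = []
    for i, cert in enumerate(certs):
        if not cert.not_before <= now <= cert.not_after:
            problems.append(f"{cert.cn!r} is not valid at {now:%Y-%m-%d}")
        if i + 1 < len(certs):
            nxt = certs[i + 1]
            if cert.issuer_cn != nxt.cn:
                problems.append(f"{cert.cn!r} was issued by {cert.issuer_cn!r}, "
                                f"but the next entry in the file is {nxt.cn!r}")
        elif cert.issuer_cn != cert.cn:
            problems.append(f"last entry {cert.cn!r} is not a self-signed root "
                            f"(issued by {cert.issuer_cn!r})")
    return problems


# Constructed sample: the listing posted in this issue (CNs and dates from the
# page; "alt:" lines omitted because the checker does not use them).
BROKEN_LISTING = """\
CN: *.domain
\tIssuer: CN=R3, O=Let's Encrypt, C=US
\tNot Before: Thu Apr 29 18:39:46 CST 2021
\tNot After: Wed Jul 28 18:39:46 CST 2021
CN: R3
\tIssuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
\tNot Before: Thu Oct 08 03:21:40 CST 2020
\tNot After: Thu Sep 30 03:21:40 CST 2021
CN: Let's Encrypt Authority X3
\tIssuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
\tNot Before: Thu Oct 06 23:43:55 CST 2016
\tNot After: Wed Oct 06 23:43:55 CST 2021
CN: ISRG Root X1
\tIssuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
\tNot Before: Thu Jun 04 19:04:38 CST 2015
\tNot After: Mon Jun 04 19:04:38 CST 2035
"""

# Constructed sample of the recommended order *.domain -> R3 -> ISRG Root X1;
# the validity dates of the ISRG-issued R3 are placeholders, not from the page.
GOOD_LISTING = """\
CN: *.domain
\tIssuer: CN=R3, O=Let's Encrypt, C=US
\tNot Before: Thu Apr 29 18:39:46 CST 2021
\tNot After: Wed Jul 28 18:39:46 CST 2021
CN: R3
\tIssuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
\tNot Before: Fri Sep 04 00:00:00 CST 2020
\tNot After: Mon Sep 15 00:00:00 CST 2025
CN: ISRG Root X1
\tIssuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
\tNot Before: Thu Jun 04 19:04:38 CST 2015
\tNot After: Mon Jun 04 19:04:38 CST 2035
"""

if __name__ == "__main__":
    for name, listing in (("as posted", BROKEN_LISTING), ("recommended", GOOD_LISTING)):
        found = check_chain(parse_listing(listing), "2021-05-01")  # constructed date
        print(f"{name}: {found or 'chain order OK'}")
```

For the listing posted above, the only finding is that R3 (issued by DST Root CA X3) is followed by "Let's Encrypt Authority X3", which is the same break `CertificateUtil.sort` reported in the exception; the recommended three-entry order passes. To check your own bundle, paste the `-lc ... -simple` output into `parse_listing` and pass a current date to `check_chain`.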
    
  • Unknown commented 4 years ago

@woj-tek Thanks, I succeeded with this step and it's OK for Stork IM, but it failed with Conversations or Psi+. The error message says 'The certificate is NOT vaild!Reason: iNVALID CA certificate.' Is something wrong with my certificate?

  • Unknown commented 4 years ago

    Could you share the screenshot of the complete error?

  • Unknown commented 4 years ago

Just this error (the red words).

  • Unknown commented 4 years ago

@woj-tek It's OK after changing the hostname and changing the CA. Thanks a lot.

  • Unknown commented 4 years ago

You shouldn't use a wildcard hostname as your main host. Ideally you should use CN=domain.com and add the wildcard as an alternative CN.

Type: Bug