-
Additional: when I use the command `java -cp ./jars/tigase-utils.jar tigase.cert.CertificateUtil -lc certs/domian.pem -simple`, the log is:
```
Apr 29, 2021 8:04:27 PM tigase.cert.CertificateUtil getCertCName
FINE: Certificate DN: *.domain
Apr 29, 2021 8:04:27 PM tigase.cert.CertificateUtil getCertAltCName
FINE: Certificate alternative names: [*.domain]
Apr 29, 2021 8:04:27 PM tigase.cert.CertificateUtil getCertCName
FINE: Certificate DN: R3
Apr 29, 2021 8:04:27 PM tigase.cert.CertificateUtil getCertAltCName
FINE: Certificate alternative names: []
Apr 29, 2021 8:04:27 PM tigase.cert.CertificateUtil getCertCName
FINE: Certificate DN: Let's Encrypt Authority X3
Apr 29, 2021 8:04:27 PM tigase.cert.CertificateUtil getCertAltCName
FINE: Certificate alternative names: []
Apr 29, 2021 8:04:27 PM tigase.cert.CertificateUtil getCertCName
FINE: Certificate DN: ISRG Root X1
Apr 29, 2021 8:04:27 PM tigase.cert.CertificateUtil getCertAltCName
FINE: Certificate alternative names: []
Private key: SunRsaSign RSA private CRT key, 2048 bits
  params: null
  modulus: 22331568478156696719327284107610696658750163071798959734805457951667308165364762090496590441358874483959520263155284318785402053422077793615949798361970942793794757576153138240493430030378577708395713300554006215269595993614873701672348614231568686123509863629881200539682435648263428922359587459851076818316217328177768944509493319022215502443535315240180259364670356893655771856899205646371614733322485360993237143763839072473078977050040217612946067381930656164685948238769692074127683331810019346170105062328905184624974334064928308834600570852944800733763042860897629809623916289292512360329156972384769608296021
  private exponent: 16860185975848655777229870418917211203975739945261646515375651303057790378293916844496563697429499511212247472739421519042704023732004962511515571706827017554007119716618967608215434302808063002752947100285521576079765777561742996456166889423959268648111266191716462497573689913729259244065983910057391717202063021624727365865814441179444595188679115539531597834474148967138217106159087522682902349966341059850633387154579963509084335321823043988336171939692620453466220331754000104038641476088761797509887297461559405152773110640200438121362703708354889669582854160732965596161580321484516945888389423819435251882753
CN: *.domain alt: [*.domain]
Issuer: CN=R3, O=Let's Encrypt, C=US
Not Before: Thu Apr 29 18:39:46 CST 2021
Not After: Wed Jul 28 18:39:46 CST 2021
CN: R3
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
Not Before: Thu Oct 08 03:21:40 CST 2020
Not After: Thu Sep 30 03:21:40 CST 2021
CN: Let's Encrypt Authority X3
Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
Not Before: Thu Oct 06 23:43:55 CST 2016
Not After: Wed Oct 06 23:43:55 CST 2021
CN: ISRG Root X1
Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
Not Before: Thu Jun 04 19:04:38 CST 2015
Not After: Mon Jun 04 19:04:38 CST 2035
Exception in thread "main" java.lang.RuntimeException: Can't find certificate CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US in chain. Verify that all entries are correct and match against each other!
	at tigase.cert.CertificateUtil.sort(CertificateUtil.java:722)
	at tigase.cert.CertificateUtil.sort(CertificateUtil.java:693)
	at tigase.cert.CertificateUtil.main(CertificateUtil.java:471)
```
-
Your chain is invalid: your certificate `CN: *.domain` was issued by `CN=R3` (Issuer: `CN=R3`). You have a certificate for that issuer (`CN: R3`), which was issued by `DST Root CA X3` (Issuer: `CN=DST Root CA X3`). It should look like this (one of the variants, but you can see the correct chain order):

```
CN: tigase.im alt: [*.tigase.im, tigase.im]
Issuer: CN=R3, O=Let's Encrypt, C=US
Not Before: Sun Mar 28 21:14:29 CEST 2021
Not After: Sat Jun 26 21:14:29 CEST 2021
Fingerprint: 7914a2b90dda852b3fc13f6215a679eb01912ffe
CN: R3
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
Not Before: Wed Oct 07 21:21:40 CEST 2020
Not After: Wed Sep 29 21:21:40 CEST 2021
Fingerprint: 48504e974c0dac5b5cd476c8202274b24c8c7172
CN: DST Root CA X3
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
Not Before: Sat Sep 30 23:12:19 CEST 2000
Not After: Thu Sep 30 16:01:15 CEST 2021
Fingerprint: dac9024f54d8f6df94935fb1732638ca6ad77c13
```

Relevant background information can be found here: https://letsencrypt.org/2020/12/21/extending-android-compatibility.html

In your case it seems that you used an incorrect `R3` certificate and the chain is incomplete (yours was issued by `DST Root CA X3`, while you should use one issued by `ISRG Root X1`).
-
@woj-tek Hello, I see the last chain of ISRG Root X1 was downloaded with `wget https://letsencrypt.org/certs/isrgrootx1.pem`, as in the Tigase guide (https://docs.tigase.net/tigase-server/master-snapshot/Administration_Guide/html/#ServerCertificates)
-
As I said, the chain with `DST Root CA X3` is only an example. Alternatively, and recommended, would be using `ISRG Root X1`; thus in your case the chain would look like this: `*.domain` -> `R3` -> `ISRG Root X1`. You must always consult the Let's Encrypt website for the correct certificate order.

In this case you should download the following:

```
wget https://letsencrypt.org/certs/isrgrootx1.pem
wget https://letsencrypt.org/certs/lets-encrypt-r3.pem
```

And then merge them all:

```
cat ./cert.pem ./privkey.pem ./lets-encrypt-r3.pem ./isrgrootx1.pem > mydomain.com.pem
```
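To see where a bundle like the one in this thread breaks before handing it to the server, here is an added check (my own example, not Tigase's CertificateUtil or any project code) that walks a PEM bundle from the first certificate up through its issuers and reports the first issuer DN the file lacks. It assumes the `openssl` CLI is on PATH for reading DNs; the DN strings used in the comments are the ones quoted in this thread.

```python
"""Order a PEM bundle by subject/issuer linkage and report where it breaks.
Assumed helper, not Tigase's CertificateUtil; it applies the same rule that
every issuer must appear as a subject elsewhere in the bundle."""
from __future__ import annotations
import subprocess
from typing import Optional

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def split_pem_certs(bundle_text: str) -> list[str]:
    """Return each CERTIFICATE block; PRIVATE KEY blocks in the bundle are skipped."""
    certs, buf = [], None
    for line in bundle_text.splitlines():
        if line.strip() == BEGIN:
            buf = [line]
        elif buf is not None:
            buf.append(line)
            if line.strip() == END:
                certs.append("\n".join(buf) + "\n")
                buf = None
    return certs


def names_via_openssl(pem_cert: str) -> tuple[str, str]:
    """(subject, issuer) DNs of one cert, read with the openssl CLI (assumed on PATH)."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer", "-nameopt", "RFC2253"],
        input=pem_cert, capture_output=True, text=True, check=True).stdout
    fields = dict(l.split("=", 1) for l in out.splitlines() if "=" in l)
    return fields["subject"].strip(), fields["issuer"].strip()


def order_chain(pairs: list[tuple[str, str]]) -> tuple[list[str], Optional[str]]:
    """Walk from the first (server) cert up through its issuers.
    Returns (subjects in chain order, missing issuer): the second value is None
    when the walk ends at a self-signed root, otherwise the issuer DN the bundle
    lacks, e.g. "CN=DST Root CA X3" for the R3 certificate discussed above."""
    by_subject = dict(pairs)                   # subject DN -> issuer DN
    current, chain = pairs[0][0], [pairs[0][0]]
    while True:
        issuer = by_subject[current]
        if issuer == current:                  # reached a self-signed root
            return chain, None
        if issuer not in by_subject or issuer in chain:
            return chain, issuer               # broken (or looping) chain
        chain.append(issuer)
        current = issuer


def check_bundle(path: str) -> tuple[list[str], Optional[str]]:
    """Run the check on a real file, e.g. certs/domain.pem."""
    with open(path, encoding="ascii") as fh:
        pairs = [names_via_openssl(c) for c in split_pem_certs(fh.read())]
    return order_chain(pairs)
```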
Describe the bug: I used a certificate from Let's Encrypt, but whatever application I use tells me "certificate is self-signed".
To Reproduce: Steps to reproduce the behavior:
Impact: It's not secure.
Expected behavior: It is secure.
Additional context: I store the pem file at certs/domain.pem (the pem file is created by Let's Encrypt, and I put all the files into domain.pem). When I start tigase.sh, it always logs 'Cannot load certficate from file: certs/im.thebd.xyz.pem' at level WARN, and sometimes it creates a new certificate under the certs/ directory.