Bug 592836 - SSL certificate for jabber.gnome.org invalid, clients cannot connect
Status: RESOLVED FIXED
Product: sysadmin
Classification: Infrastructure
Component: Other
Version: unspecified
Hardware: Other Linux
Importance: Normal blocker
Target Milestone: ---
Assigned To: GNOME Sysadmins
QA Contact: GNOME Sysadmins
Depends on:
Blocks:
Reported: 2009-08-23 23:32 UTC by Andrew Cowie
Modified: 2010-03-03 22:15 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
ImportKey.java (6.42 KB, text/x-java)
2010-03-03 22:07 UTC, Olav Vitters

Description Andrew Cowie 2009-08-23 23:32:10 UTC
Having been upgraded to Pidgin 2.6.1 I suddenly cannot connect to jabber.gnome.org due to an "invalid certificate chain" which makes sense; inspecting the logs I see the SSL certificate expired in October 2006. Apparently we've been getting away with it all this time.

I guess I can't really blame pidgin for enforcing such things, but it means I've now lost my connectivity to the XMPP network and the JID afcowie@gnome.org I've been using for several years.

I know a fair bit of legwork will be required to fix this, and I almost feel bad for asking, but if there is any possibility of this being addressed urgently it would be most appreciated. Instant messaging is kinda mission critical, and I'd like to keep using GNOME infrastructure if possible.

AfC
Comment 1 Jeff Waugh 2009-08-24 00:34:12 UTC
Wow, impressive. I'll have a look at it soon.
Comment 2 André Klapper 2009-10-28 16:56:46 UTC
ping. Is this solved?
Comment 3 Andrew Cowie 2009-10-29 04:40:00 UTC
I had to move my IM to another Jabber server, so I'm afraid I can't say whether this is resolved or not. Sorry.

Incidentally, Empathy has an account option to "ignore invalid SSL" which means if you're using Empathy to talk to their jabber.gnome.org account you can likely work around this. People using Pidgin will still encounter the problem, I expect.

AfC
Comment 4 Tobias Mueller 2009-10-29 17:49:20 UTC
This is still an issue:

$ openssl s_client -connect jabber.gnome.org:5223
CONNECTED(00000003)

depth=0 /C=Unknown/ST=Unknown/L=Unknown/O=GNOME/OU=Unknown/CN=gnome.org
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=Unknown/ST=Unknown/L=Unknown/O=GNOME/OU=Unknown/CN=gnome.org
verify error:num=10:certificate has expired
notAfter=Oct  7 02:55:21 2006 GMT
verify return:1
depth=0 /C=Unknown/ST=Unknown/L=Unknown/O=GNOME/OU=Unknown/CN=gnome.org
notAfter=Oct  7 02:55:21 2006 GMT
verify return:1
---
Certificate chain
 0 s:/C=Unknown/ST=Unknown/L=Unknown/O=GNOME/OU=Unknown/CN=gnome.org
   i:/C=Unknown/ST=Unknown/L=Unknown/O=GNOME/OU=Unknown/CN=gnome.org
---
Server certificate
[...]


We have our Bugzilla Certificate signed by StartCom, we could totally have a signature for a cert for jabber.gnome.org as well.
To set this up, one needs access over either {host,post}master@gnome.org or at least have a mail quickly forwarded to the person getting the signature from StartCom.
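The s_client transcript in comment 4 shows three separate reasons a validating client refuses this server: the leaf is self-issued, it is past notAfter, and the name a client checks has to match. Below is an added example (not code from this bug or from GNOME sysadmin) that turns that manual read of the output into a repeatable check: it parses the verify lines and chain summary exactly as OpenSSL prints them, collapses the repeated error lines, and reports what a strict client such as Pidgin 2.6.1 would do. The sample transcript is constructed from the lines quoted above (abridged), COMMENT_DATE is the date of that comment used as "now", and the expected_name parameter is an assumption of this example: for XMPP the identity a client validates is the JID domain (gnome.org here), not the connection hostname, which is why CN=gnome.org is the right name to expect.

```python
"""Classify `openssl s_client` verify output the way a strict TLS client does,
flagging self-signed, expired and mis-named server certificates.
Added example for this bug thread, not code from the bug or from GNOME."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: the s_client transcript quoted in comment 4 (abridged).
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=0 /C=Unknown/ST=Unknown/L=Unknown/O=GNOME/OU=Unknown/CN=gnome.org
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=Unknown/ST=Unknown/L=Unknown/O=GNOME/OU=Unknown/CN=gnome.org
verify error:num=10:certificate has expired
notAfter=Oct  7 02:55:21 2006 GMT
verify return:1
---
Certificate chain
 0 s:/C=Unknown/ST=Unknown/L=Unknown/O=GNOME/OU=Unknown/CN=gnome.org
   i:/C=Unknown/ST=Unknown/L=Unknown/O=GNOME/OU=Unknown/CN=gnome.org
---
"""
# Date of comment 4, used as "now" so the sample gives a stable answer.
COMMENT_DATE = datetime(2009, 10, 29, tzinfo=timezone.utc)

VERIFY_ERROR_RE = re.compile(r"^verify error:num=(\d+):(.+)$")
NOT_AFTER_RE = re.compile(r"^notAfter=(.+)$")
CHAIN_SUBJECT_RE = re.compile(r"^\s*\d+ s:(.+)$")
CHAIN_ISSUER_RE = re.compile(r"^\s*i:(.+)$")
CN_RE = re.compile(r"/CN=([^/]+)")


@dataclass
class CertCheck:
    errors: dict = field(default_factory=dict)  # X509 verify error number -> text
    chain: list = field(default_factory=list)   # [(subject, issuer), ...], leaf first
    not_after: Optional[datetime] = None
    days_expired: Optional[int] = None          # negative while still valid
    self_signed: bool = False
    expired: bool = False
    name_matches: Optional[bool] = None         # None when no name was given

    @property
    def strict_client_rejects(self) -> bool:
        # Any verify error, or a name mismatch, is fatal for a validating client.
        return bool(self.errors) or self.name_matches is False


def parse_not_after(text: str) -> datetime:
    """Parse OpenSSL's notAfter format, e.g. 'Oct  7 02:55:21 2006 GMT'."""
    compact = " ".join(text.split())  # collapse the space-padded day field
    return datetime.strptime(compact, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def name_matches(subject_dn: str, expected: str) -> bool:
    """Compare the subject CN with the name the client validates. Only the CN is
    visible in s_client's summary lines, so subjectAltName is not considered."""
    m = CN_RE.search(subject_dn)
    if not m:
        return False
    cn, expected = m.group(1).lower(), expected.lower()
    if cn.startswith("*."):  # a wildcard covers exactly one extra label
        return expected.endswith(cn[1:]) and expected.count(".") == cn.count(".")
    return cn == expected


def analyse(output: str, now: datetime, expected_name: Optional[str] = None) -> CertCheck:
    check = CertCheck()
    for line in output.splitlines():
        if m := VERIFY_ERROR_RE.match(line):
            check.errors[int(m.group(1))] = m.group(2)  # repeated errors collapse
        elif m := NOT_AFTER_RE.match(line):
            check.not_after = parse_not_after(m.group(1))
        elif m := CHAIN_SUBJECT_RE.match(line):
            check.chain.append((m.group(1), None))
        elif (m := CHAIN_ISSUER_RE.match(line)) and check.chain:
            check.chain[-1] = (check.chain[-1][0], m.group(1))
    # 18 = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, 10 = X509_V_ERR_CERT_HAS_EXPIRED
    leaf_self_issued = bool(check.chain) and check.chain[0][0] == check.chain[0][1]
    check.self_signed = 18 in check.errors or leaf_self_issued
    if check.not_after is not None:
        check.days_expired = (now - check.not_after).days
    check.expired = 10 in check.errors or (check.not_after is not None and check.not_after <= now)
    if expected_name and check.chain:
        check.name_matches = name_matches(check.chain[0][0], expected_name)
    return check


def summarise(check: CertCheck) -> list:
    """Human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if check.self_signed:
        findings.append("leaf certificate is self-signed (no trusted issuer)")
    if check.expired:
        when = f" {check.days_expired} days ago" if check.days_expired is not None else ""
        findings.append(f"certificate expired{when} (notAfter={check.not_after})")
    if check.name_matches is False:
        findings.append("subject CN does not match the expected name")
    return findings


if __name__ == "__main__":
    # For XMPP the validated identity is the JID domain (gnome.org), not the hostname.
    result = analyse(SAMPLE_S_CLIENT_OUTPUT, COMMENT_DATE, expected_name="gnome.org")
    for finding in summarise(result):
        print("PROBLEM:", finding)
    print("strict client rejects:", result.strict_client_rejects)
```

Run it with the output of `openssl s_client -connect host:5223 </dev/null 2>&1` piped into `analyse` and a real `datetime.now(timezone.utc)` to get the same verdict for a live server; a negative days_expired tells you how long the current certificate has left, which is the number worth alerting on before clients start failing again.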
Comment 5 Jeff Waugh 2009-10-29 17:56:46 UTC
That'd be the best solution -- I don't quite grok your last paragraph, but let me know what I need to request, and I can set it up.
Comment 6 Tobias Mueller 2009-10-29 18:07:06 UTC
Coola :-)

Simply create a Certificate Signing Request using OpenSSL (assuming you've got a key already): 
    openssl req -new -key jabber.gnome.org.key -out jabber.gnome.org.csr

go to http://www.startssl.com/, sign up, log in and validate the gnome.org domain. An email will be sent to either hostmaster, postmaster or root@gnome.org with a token. Enter this token within 15 minutes on the website to get the domain validated. Paste your CSR into the webform. Download signed Certificate and deploy on server :-) Reset my mango password and send it to me ;-)
Comment 7 Olav Vitters 2010-03-03 22:07:33 UTC
Created attachment 155167 [details]
ImportKey.java
Comment 8 Olav Vitters 2010-03-03 22:15:53 UTC
Created a private and certificate file. This cannot be imported using keytool, nor with the openfire web interface.


Instructions:
Name the private file key.pem
Name the certificate file cert.pem

Run:
openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

In ImportKey.java (taken from http://www.agentbob.info/agentbob/79-AB.html), change
> String keypass = "importkey"
to
> String keypass = "changeit"

and
> String defaultalias = "importkey";
to
> String defaultalias = "jabber.gnome.org";

Run:
/opt/openfire/jre/bin/java ImportKey key.der cert.der
# This creates ~/keystore.ImportKey
/etc/init.d/openfire stop
mv ~/keystore.ImportKey /opt/openfire/resources/security/keystore
/etc/init.d/openfire start


WARNING: /usr/bin/keytool on label is the GNU version. Use one supplied with Openfire /opt/openfire/jre/bin/keytool instead! The GNU version cannot read the file produced by Openfire.


Oh, and to get admin rights on Openfire:
/etc/init.d/openfire stop
vim /opt/openfire/embedded-db/openfire.script

Search for:
> INSERT INTO OFPROPERTY VALUES('admin.authorizedJIDs','admin@gnome.org,jdub@gnome.org,ovitters@gnome.org')
change it appropriately.

then:
/etc/init.d/openfire start

Seems Openfire is configured to read in those SQL statements into a memory database (HSQL).


Btw: Certificate seems to work, maybe missed something. Pidgin didn't accept it by default though.