GNOME Bugzilla – Bug 592836
SSL certificate for jabber.gnome.org invalid, clients cannot connect
Last modified: 2010-03-03 22:15:53 UTC
Having been upgraded to Pidgin 2.6.1 I suddenly cannot connect to jabber.gnome.org due to an "invalid certificate chain", which makes sense; inspecting the logs I see the SSL certificate expired in October 2006. Apparently we've been getting away with it all this time. I guess I can't really blame Pidgin for enforcing such things, but it means I've now lost my connectivity to the XMPP network and the JID afcowie@gnome.org I've been using for several years. I know a fair bit of legwork will be required to fix this, and I almost feel bad for asking, but if there is any possibility of this being addressed urgently it would be most appreciated. Instant messaging is kinda mission critical, and I'd like to keep using GNOME infrastructure if possible. AfC
Wow, impressive. I'll have a look at it soon.
ping. Is this solved?
I had to move my IM to another Jabber server, so I'm afraid I can't say whether this is resolved or not. Sorry. Incidentally, Empathy has an account option to "ignore invalid SSL", which means if you're using Empathy to talk to your jabber.gnome.org account you can likely work around this. People using Pidgin will still encounter the problem, I expect. AfC
This is still an issue:

$ openssl s_client -connect jabber.gnome.org:5223
CONNECTED(00000003)
depth=0 /C=Unknown/ST=Unknown/L=Unknown/O=GNOME/OU=Unknown/CN=gnome.org
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=Unknown/ST=Unknown/L=Unknown/O=GNOME/OU=Unknown/CN=gnome.org
verify error:num=10:certificate has expired
notAfter=Oct  7 02:55:21 2006 GMT
verify return:1
depth=0 /C=Unknown/ST=Unknown/L=Unknown/O=GNOME/OU=Unknown/CN=gnome.org
notAfter=Oct  7 02:55:21 2006 GMT
verify return:1
---
Certificate chain
 0 s:/C=Unknown/ST=Unknown/L=Unknown/O=GNOME/OU=Unknown/CN=gnome.org
   i:/C=Unknown/ST=Unknown/L=Unknown/O=GNOME/OU=Unknown/CN=gnome.org
---
Server certificate
[...]

We have our Bugzilla certificate signed by StartCom; we could totally have a signature for a cert for jabber.gnome.org as well. To set this up, one needs access to either {host,post}master@gnome.org, or at least have the mail quickly forwarded to the person getting the signature from StartCom.
That'd be the best solution -- I don't quite grok your last paragraph, but let me know what I need to request, and I can set it up.
Coola :-) Simply create a Certificate Signing Request using OpenSSL (assuming you've got a key already):

openssl req -new -key jabber.gnome.org.key -out jabber.gnome.org.csr

Go to http://www.startssl.com/, sign up, log in and validate the gnome.org domain. An email will be sent to either hostmaster, postmaster or root@gnome.org with a token. Enter this token within 15 minutes on the website to get the domain validated. Paste your CSR into the webform. Download the signed certificate and deploy it on the server :-) Reset my mango password and send it to me ;-)
Created attachment 155167 [details] ImportKey.java
Created a private key and certificate file. This cannot be imported using keytool, nor with the Openfire web interface. Instructions:

Name the private key file key.pem
Name the certificate file cert.pem

Run:
openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

In ImportKey.java (taken from http://www.agentbob.info/agentbob/79-AB.html), change
> String keypass = "importkey"
to
> String keypass = "changeit"
and
> String defaultalias = "importkey";
to
> String defaultalias = "jabber.gnome.org";

Run:
/opt/openfire/jre/bin/java ImportKey key.der cert.der   # This creates ~/keystore.ImportKey
/etc/init.d/openfire stop
mv ~/keystore.ImportKey /opt/openfire/resources/security/keystore
/etc/init.d/openfire start

WARNING: /usr/bin/keytool on label is the GNU version. Use the one supplied with Openfire, /opt/openfire/jre/bin/keytool, instead! The GNU version cannot read the file produced by Openfire.

Oh, and to get admin rights on Openfire:
/etc/init.d/openfire stop
vim /opt/openfire/embedded-db/openfire.script
Search for:
> INSERT INTO OFPROPERTY VALUES('admin.authorizedJIDs','admin@gnome.org,jdub@gnome.org,ovitters@gnome.org')
and change it appropriately. Then:
/etc/init.d/openfire start

Seems Openfire is configured to read those SQL statements into an in-memory database (HSQL).

Btw: Certificate seems to work, maybe I missed something. Pidgin didn't accept it by default though.
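The two procedures above (the CSR in comment 10 and the PEM-to-DER conversion in the last comment) and the root cause of the bug (a certificate that expired in 2006 with nobody noticing) are pulled together in the following added example. It is not code from this bug thread or from the GNOME sysadmin team; it uses only the openssl CLI. Instead of the real jabber.gnome.org key it generates a throwaway key and a short-lived self-signed certificate as a constructed fixture, checks the certificate's remaining validity with openssl x509 -checkend (the check that a cron job could run to catch an expiry long before clients start refusing the connection), builds and verifies a CSR from the key, and converts key and certificate to the PKCS#8 DER and DER forms the ImportKey step consumes. The work directory, the 1-day validity and the subject name are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug thread: throwaway key/cert fixture, expiry
# check, CSR generation, and PEM -> DER conversion for the Openfire keystore
# import. Requires the openssl CLI. WORK, validity and subject are assumptions.
set -eu

WORK="${TMPDIR:-/tmp}/jabber-cert-demo.$$"

# Generate a 2048-bit RSA key plus a self-signed cert valid for $1 days
# (constructed fixture standing in for the real jabber.gnome.org key/cert).
make_fixture() {
  mkdir -p "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
    -subj "/O=GNOME/CN=jabber.gnome.org" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Exit 0 if the cert in $1 stays valid for at least $2 more seconds, 1 if it
# expires (or has already expired) within that window.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Print the notAfter date of the cert in $1 for a human-readable report.
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Build a CSR from the existing key (the step from comment 10) and verify its
# self-signature, so a corrupted CSR is caught before it is pasted into a CA form.
make_csr() {
  openssl req -new -key "$WORK/key.pem" \
    -subj "/O=GNOME/CN=jabber.gnome.org" \
    -out "$WORK/jabber.gnome.org.csr" 2>/dev/null
  openssl req -in "$WORK/jabber.gnome.org.csr" -noout -verify >/dev/null 2>&1
}

# Convert to the unencrypted PKCS#8 DER key and DER cert that the ImportKey
# step expects, then prove both parse back: the DER cert's subject must match
# the PEM cert's subject.
to_der() {
  openssl pkcs8 -topk8 -nocrypt -in "$WORK/key.pem" -inform PEM \
    -out "$WORK/key.der" -outform DER
  openssl x509 -in "$WORK/cert.pem" -inform PEM \
    -out "$WORK/cert.der" -outform DER
  openssl pkey -in "$WORK/key.der" -inform DER -noout >/dev/null 2>&1 || return 1
  pem_subj=$(openssl x509 -in "$WORK/cert.pem" -noout -subject)
  der_subj=$(openssl x509 -in "$WORK/cert.der" -inform DER -noout -subject)
  [ "$pem_subj" = "$der_subj" ]
}

# Stand-alone run: a one-day cert passes a one-hour check and fails a 30-day one.
make_fixture 1
echo "notAfter: $(cert_not_after "$WORK/cert.pem")"
cert_valid_for "$WORK/cert.pem" 3600 && echo "valid for another hour: yes"
cert_valid_for "$WORK/cert.pem" 2592000 || echo "valid for another 30 days: no, renew now"
make_csr && echo "CSR written and verified"
to_der && echo "DER key and cert written"
```

Pointing cert_valid_for at the deployed cert.pem with a window of, say, 30 days from a daily cron job turns the silent 2006 expiry into a warning with a month of lead time; the CSR and DER steps are the same commands the thread uses, wrapped so each one fails loudly if its output does not parse.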