Newsroom Update

Beginning in May, a special Today at Apple series titled “Made for Business” will offer small business owners and entrepreneurs free opportunities to learn how Apple products and services can support their growth and success. Learn more >

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: Damian Righi
Damian Righi Author
User level: Level 2
330 points

SSL Certificate Problem

I finally took the plunge and brought our chat server back up to Leopard. I'm in an SSL mess right now.
I got a new cert for the server from Thawte (got the ApacheSSL cert, which is what I had successfully used on Tiger Server.)
I started the process by creating a new CSR in Server Admin (advanced server), sent the CSR to thawte, they signed and returned the cert. Went back to server admin, imported it, and it looks good!



Well, I selected the cert in the iChat service and clients cannot login. They can login with the Default cert (but get the warning message).



...and we see the following in the iChat service log:

Jan 7 07:27:48 chat jabberd/c2s[6453]: failed to load local SSL pemfile, SSL will not be available to clients

So, I looked in /etc/certificates and it looks good:

chat:certificates herb$ ls -la
total 72
drwxr-xr-x 12 root wheel 408 Jan 7 07:24 .
drwxr-xr-x 124 root wheel 4216 Jan 7 07:25 ..
-rw-r--r--@ 1 root wheel 0 Jan 5 13:35 .defaultCertificateCreated
-rw-r--r-- 1 root wheel 660 Jan 5 13:35 Default.crt
-rw-r----- 1 root certusers 1551 Jan 5 13:35 Default.crtkey
-rw-r----- 1 root wheel 534 Jan 5 13:35 Default.csr
-rw-r----- 1 root certusers 891 Jan 5 13:35 Default.key
-rw-r--r-- 1 root wheel 1155 Jan 7 07:24 chat.northampton.edu.chcrt
-rw-r--r-- 1 root wheel 1306 Jan 7 07:24 chat.northampton.edu.crt
-rw-r----- 1 root certusers 2269 Jan 7 07:24 chat.northampton.edu.crtkey
-rw-r----- 1 root wheel 720 Jan 5 14:09 chat.northampton.edu.csr
-rw-r----- 1 root certusers 963 Jan 7 07:24 chat.northampton.edu.key

I am really at a loss, any ideas?

I notice that in the jabberd c2s.conf configuration file:

<!-- File containing a SSL certificate and private key to use when
setting up an encrypted channel with the router. If this is
commented out, or the file can't be read, no attempt will be
made to establish an encrypted channel with the router. -->
<pemfile>/etc/certificates/Default.crtkey</pemfile>

Now that is odd since I chose the chat.northampton.edu cert!
Later in the file we do see references to the chat.northampton.edu cert so I left that entry alone. Later I read that first entry is okay the way it is.

Any help appreciated!

XServe, Mac OS X (10.5.1)

Posted on Jan 7, 2008 5:51 AM

Reply
9 replies
User profile for user: Damian Righi
Damian Righi Author
User level: Level 2
330 points

Jan 8, 2008 4:41 AM in response to Tim Harris

Here you go Tim.

BTW -- I reinstalled the server from scratch, got my cert reissued, and have the same problem. Just to help. Cert works fine for Apache though!!!

Where is it documented that you need a combined public/private key file? The docs that I've read don't seem to help here. The .key and .crtkey files on my server for the thawte cert were DES encrypted. (The default ones were NOT.) So, I used an openssl command to decrypt them, but that didn't help. (But the thawte cert still continued working for Apache!)

AND, when using the Default cert, windows clients on Neosmt can connect, but iChat client, Tiger or Leopard, cannot. Should Leopard client be set to 5223 or 5222 (after reading I thought 5222 for TLS).

Thanks for any help or information!

Damian
Reply
User profile for user: Damian Righi
Damian Righi Author
User level: Level 2
330 points

Jan 8, 2008 4:45 AM in response to Tim Harris

<local>
<!-- Who we identify ourselves as. This should correspond to the
ID (host) that the session manager thinks it is. You can
specify more than one to support virtual hosts, as long as you
have additional session manager instances on the network to
handle those hosts. The realm attribute specifies the auth/reg
or SASL authentication realm for the host. If the attribute is
not specified, the realm will be selected by the SASL
mechanism, or will be the same as the ID itself. Be aware that
users are assigned to a realm, not a host, so two hosts in the
same realm will have the same users.
If no realm is specified, it will be set to be the same as the
ID. -->
<id>chat.northampton.edu</id>
<!-- <id realm='company'>localhost</id> -->
<!-- IP address to bind to (default: 0.0.0.0) -->
<ip>0.0.0.0</ip>
<!-- Port to bind to, or 0 to disable unencrypted access to the
server (default: 5222) -->
<port>5222</port>
*<!-- File containing a SSL certificate and private key for client*
*connections. If this is commented out, clients will not be*
*offered the STARTTLS stream extension -->*
<!-- File containing an optional SSL certificate chain file for client
SSL connections. -->
<cachain>/etc/certificates/chat.northampton.edu.chcrt</cachain>
<!-- Require STARTTLS. If this is enabled, clients must do STARTTLS
before they can authenticate. Until the stream is encrypted,
all packets will be dropped. -->
<!-- Older versions of jabberd support encrypted client connections
via an additional listening socket on port 5223. If you want
this (required to allow pre-STARTTLS clients to do SSL),
uncomment this -->
<ssl-port>5223</ssl-port>
<pemfile>/etc/certificates/chat.northampton.edu.crtkey</pemfile>
<require-starttls/>
</local>


Note that there is NO cert listed above at the bold area! I did not touch the file.
Reply
User profile for user: Tim Harris
Tim Harris
User level: Level 4
1,481 points

Jan 8, 2008 6:57 AM in response to Damian Righi

I'm a little confused looking at your directory listing which is the public key and which is the private key, so hopefully this will make sense.

Try this:

Comment out <cachain>/etc/certificates/chat.northampton.edu.chcrt</cachain> like thus:

<!-- <cachain>/etc/certificates/chat.northampton.edu.chcrt</cachain> -->

make sure the passphrase is removed from your private key. This should have been done anyway.

combine the private (with passphrase removed) and public key like thus

cat privkey >> publickey (where privkey and publickey are your files)

change permissions on public key to root:jabber

and amend the <pemfile> settings in the local section to:

<pemfile>/etc/certificates/publickey</pemfile> (where publickey is your file that now has both public and private keys combined - note Apache works without combined file)

restart ichat (don't touch the settings in the admin application)

on the ichat client set connect using SSL. First time you connect you may be asked to validate the connection so that it may be saved in the keychain.

See if that has any impact.
Reply
User profile for user: Damian Righi
Damian Righi Author
User level: Level 2
330 points

Jan 8, 2008 9:33 AM in response to Tim Harris

Got it to work!

Had to:

Decrypt the private key.

Create a new file containing the public key, and add the decrypted private key to it.

Point c2s.xml to the original cachain but to the new file in the <local> section.

Then to get OD logins to work, comment out cram-md5 authentication.

Will document this much nicer later this week and post. Gotta run!

Thanks for your help!

-D
Reply
User profile for user: Damian Righi
Damian Righi Author
User level: Level 2
330 points

Jan 9, 2008 1:29 PM in response to Damian Righi

Here's how to get iChat Server working with a real SSL cert. Also, in my case users come from Open Directory (on a Novell eDirectory directory). So this solution kills 2 birds with one stone.

1. Set up your server, in my case a new install. Install updates NOW, not later!!!!!!!
2. In Server Admin, clicked Certificates, then the + sign to create a new cert.
3. Fill in appropriate info, such as Common Name (DNS name of your server!), Organizational Unit, etc.
4. Enter a 24 character passphrase. (Good security please!)
5. Click Save, then second middle button to create a CSR.
6. Drag the CSR icon into the place for the CSR on the thawte(Verisign, whatever) request page. Or email the CSR to them.
7. Verify the CSR on the thawte(Verisign, whatever you're using) site. The information should match what you entered for Common Name, etc.
8. Submit it to them for signing; get the reply from them.
9. Go back into server admin | Certificates, select the my.domain.com cert, click the button and select "import signed..."
10. Paste the response from thawte(Verisign, whatever) in there, then click save.

You should now see that the cert is trusted and the certifying authority (thawte, etc) listed, where it used to say Self-signed.

Fire up web services and see if it your new cert works for web. If it does, continue on.

Your new cert may or may not work for Jabber. If it does, well you're done. If it doesn't...

1. Ensure you've selected the cert for iChat in Server admin. (I know, it doesn't work yet.)
2. Either Remote Desktop to your server and open Terminal or ssh in and get a prompt. BECOME ROOT!! sudo su -
3. Take a look in /etc/certificates.
4. You should see a my.domain.com.key file and a my.domain.com.crt file.

Now using vi, pico, or whatever look at the .key file. Do you see DES encryption lines in there? If you do, your private key is encrypted with your passphrase.

5. Make a copy of my.domain.com.key (Let's call it my.domain.com.jb)
5a. Make a copy of my.domain.com.crt (Let's call it my.domain.com.crt.jb
6. Decrypt the private key: (Remember you're root!) openssl rsa -in my.domain.com.jb -out my.domain.com.jb
It will ask you for your passphrase.
7. Create a new file containing your public key (my.domain.com.crt), and combine with the decrypted private key (my.domain.com.jb):

cat my.domain.com.jb >> my.domain.com.crt.jb

8. Rename my.domain.com.crt.jb to my.domain.com.crtkey.jb
9. Change ownership of my.domain.com.crtkey.jb to root:jabber ( chown root:jabber my.domain.com.crtkey)

Not done yet....

10. Change perms / ownership of my.domain.com.jb to match your original .key file.

EDIT /etc/jabberd/c2s.xml

1. Amend the settings in the local section (under the ssl-port 5223 line) to:

/etc/certificates/my.domain.com.crtkey.jb

1a. I also commented out the cachain line in that area. You may not need to but I did.

2. No matter how tempting, do NOT touch anything else at this time. Trust me.
Leave the 0.0.0.0 IP's alone; where you see your Default cert, leave it be!

Done editing.

3. Restart ichat service (don't touch the settings in the Admin application)

On the iChat client set connect using SSL, port 5223.
All should work.





To get OD logins to work, comment out cram-md5 authentication, like this:


Hopefully the code comes out in the pose there. If not, it's the fix from the Apple:
http://docs.info.apple.com/article.html?artnum=306749 (option 2)

Thanks to MacTroll from AFP548, and Tim Harris at Apple Discussions for their collective pieces in solving this!!
Reply

SSL Certificate Problem

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up