9 Replies Latest reply: Apr 18, 2008 2:11 PM by dtich
Damian Righi Level 2 Level 2 (330 points)
I finally took the plunge and brought our chat server back up to Leopard. I'm in an SSL mess right now.
I got a new cert for the server from Thawte (got the ApacheSSL cert, which is what I had successfully used on Tiger Server.)
I started the process by creating a new CSR in Server Admin (advanced server), sent the CSR to thawte, they signed and returned the cert. Went back to server admin, imported it, and it looks good!



Well, I selected the cert in the iChat service and clients cannot login. They can login with the Default cert (but get the warning message).



...and we see the following in the iChat service log:

Jan 7 07:27:48 chat jabberd/c2s[6453]: failed to load local SSL pemfile, SSL will not be available to clients

So, I looked in /etc/certificates and it looks good:

chat:certificates herb$ ls -la
total 72
drwxr-xr-x 12 root wheel 408 Jan 7 07:24 .
drwxr-xr-x 124 root wheel 4216 Jan 7 07:25 ..
-rw-r--r--@ 1 root wheel 0 Jan 5 13:35 .defaultCertificateCreated
-rw-r--r-- 1 root wheel 660 Jan 5 13:35 Default.crt
-rw-r----- 1 root certusers 1551 Jan 5 13:35 Default.crtkey
-rw-r----- 1 root wheel 534 Jan 5 13:35 Default.csr
-rw-r----- 1 root certusers 891 Jan 5 13:35 Default.key
-rw-r--r-- 1 root wheel 1155 Jan 7 07:24 chat.northampton.edu.chcrt
-rw-r--r-- 1 root wheel 1306 Jan 7 07:24 chat.northampton.edu.crt
-rw-r----- 1 root certusers 2269 Jan 7 07:24 chat.northampton.edu.crtkey
-rw-r----- 1 root wheel 720 Jan 5 14:09 chat.northampton.edu.csr
-rw-r----- 1 root certusers 963 Jan 7 07:24 chat.northampton.edu.key

I am really at a loss, any ideas?

I notice that in the jabberd c2s.conf configuration file:

<!-- File containing a SSL certificate and private key to use when
setting up an encrypted channel with the router. If this is
commented out, or the file can't be read, no attempt will be
made to establish an encrypted channel with the router. -->
<pemfile>/etc/certificates/Default.crtkey</pemfile>

Now that is odd since I chose the chat.northampton.edu cert!
Later in the file we do see references to the chat.northampton.edu cert so I left that entry alone. Later I read that first entry is okay the way it is.

Any help appreciated!

XServe, Mac OS X (10.5.1)
  • 1. Re: SSL Certificate Problem
    Tim Harris Level 4 Level 4 (1,460 points)
    I am really at a loss, any ideas?


    I don't have an SSL setup yet, but if you can post the whole of the section between <local> and <local/> from you s2c.xml file it may help. Also, ichat server requires a combined public/private key file.
  • 2. Re: SSL Certificate Problem
    Damian Righi Level 2 Level 2 (330 points)
    Here you go Tim.

    BTW -- I reinstalled the server from scratch, got my cert reissued, and have the same problem. Just to help. Cert works fine for Apache though!!!

    Where is it documented that you need a combined public/private key file? The docs that I've read don't seem to help here. The .key and .crtkey files on my server for the thawte cert were DES encrypted. (The default ones were NOT.) So, I used an openssl command to decrypt them, but that didn't help. (But the thawte cert still continued working for Apache!)

    AND, when using the Default cert, windows clients on Neosmt can connect, but iChat client, Tiger or Leopard, cannot. Should Leopard client be set to 5223 or 5222 (after reading I thought 5222 for TLS).

    Thanks for any help or information!

    Damian
  • 3. Re: SSL Certificate Problem
    Damian Righi Level 2 Level 2 (330 points)
    <local>
    <!-- Who we identify ourselves as. This should correspond to the
    ID (host) that the session manager thinks it is. You can
    specify more than one to support virtual hosts, as long as you
    have additional session manager instances on the network to
    handle those hosts. The realm attribute specifies the auth/reg
    or SASL authentication realm for the host. If the attribute is
    not specified, the realm will be selected by the SASL
    mechanism, or will be the same as the ID itself. Be aware that
    users are assigned to a realm, not a host, so two hosts in the
    same realm will have the same users.
    If no realm is specified, it will be set to be the same as the
    ID. -->
    <id>chat.northampton.edu</id>
    <!-- <id realm='company'>localhost</id> -->
    <!-- IP address to bind to (default: 0.0.0.0) -->
    <ip>0.0.0.0</ip>
    <!-- Port to bind to, or 0 to disable unencrypted access to the
    server (default: 5222) -->
    <port>5222</port>
    *<!-- File containing a SSL certificate and private key for client*
    *connections. If this is commented out, clients will not be*
    *offered the STARTTLS stream extension -->*
    <!-- File containing an optional SSL certificate chain file for client
    SSL connections. -->
    <cachain>/etc/certificates/chat.northampton.edu.chcrt</cachain>
    <!-- Require STARTTLS. If this is enabled, clients must do STARTTLS
    before they can authenticate. Until the stream is encrypted,
    all packets will be dropped. -->
    <!-- Older versions of jabberd support encrypted client connections
    via an additional listening socket on port 5223. If you want
    this (required to allow pre-STARTTLS clients to do SSL),
    uncomment this -->
    <ssl-port>5223</ssl-port>
    <pemfile>/etc/certificates/chat.northampton.edu.crtkey</pemfile>
    <require-starttls/>
    </local>


    Note that there is NO cert listed above at the bold area! I did not touch the file.
  • 4. Re: SSL Certificate Problem
    Tim Harris Level 4 Level 4 (1,460 points)
    I'm a little confused looking at your directory listing which is the public key and which is the private key, so hopefully this will make sense.

    Try this:

    Comment out <cachain>/etc/certificates/chat.northampton.edu.chcrt</cachain> like thus:

    <!-- <cachain>/etc/certificates/chat.northampton.edu.chcrt</cachain> -->

    make sure the passphrase is removed from your private key. This should have been done anyway.

    combine the private (with passphrase removed) and public key like thus

    cat privkey >> publickey (where privkey and publickey are your files)

    change permissions on public key to root:jabber

    and amend the <pemfile> settings in the local section to:

    <pemfile>/etc/certificates/publickey</pemfile> (where publickey is your file that now has both public and private keys combined - note Apache works without combined file)

    restart ichat (don't touch the settings in the admin application)

    on the ichat client set connect using SSL. First time you connect you may be asked to validate the connection so that it may be saved in the keychain.

    See if that has any impact.
  • 5. Re: SSL Certificate Problem
    Damian Righi Level 2 Level 2 (330 points)
    Got it to work!

    Had to:

    Decrypt the private key.

    Create a new file containing the public key, and add the decrypted private key to it.

    Point c2s.xml to the original cachain but to the new file in the <local> section.

    Then to get OD logins to work, comment out cram-md5 authentication.

    Will document this much nicer later this week and post. Gotta run!

    Thanks for your help!

    -D
  • 6. Re: SSL Certificate Problem
    Damian Righi Level 2 Level 2 (330 points)
    Here's how to get iChat Server working with a real SSL cert. Also, in my case users come from Open Directory (on a Novell eDirectory directory). So this solution kills 2 birds with one stone.

    1. Set up your server, in my case a new install. Install updates NOW, not later!!!!!!!
    2. In Server Admin, clicked Certificates, then the + sign to create a new cert.
    3. Fill in appropriate info, such as Common Name (DNS name of your server!), Organizational Unit, etc.
    4. Enter a 24 character passphrase. (Good security please!)
    5. Click Save, then second middle button to create a CSR.
    6. Drag the CSR icon into the place for the CSR on the thawte(Verisign, whatever) request page. Or email the CSR to them.
    7. Verify the CSR on the thawte(Verisign, whatever you're using) site. The information should match what you entered for Common Name, etc.
    8. Submit it to them for signing; get the reply from them.
    9. Go back into server admin | Certificates, select the my.domain.com cert, click the button and select "import signed..."
    10. Paste the response from thawte(Verisign, whatever) in there, then click save.

    You should now see that the cert is trusted and the certifying authority (thawte, etc) listed, where it used to say Self-signed.

    Fire up web services and see if it your new cert works for web. If it does, continue on.

    Your new cert may or may not work for Jabber. If it does, well you're done. If it doesn't...

    1. Ensure you've selected the cert for iChat in Server admin. (I know, it doesn't work yet.)
    2. Either Remote Desktop to your server and open Terminal or ssh in and get a prompt. BECOME ROOT!! sudo su -
    3. Take a look in /etc/certificates.
    4. You should see a my.domain.com.key file and a my.domain.com.crt file.

    Now using vi, pico, or whatever look at the .key file. Do you see DES encryption lines in there? If you do, your private key is encrypted with your passphrase.

    5. Make a copy of my.domain.com.key (Let's call it my.domain.com.jb)
    5a. Make a copy of my.domain.com.crt (Let's call it my.domain.com.crt.jb
    6. Decrypt the private key: (Remember you're root!) openssl rsa -in my.domain.com.jb -out my.domain.com.jb
    It will ask you for your passphrase.
    7. Create a new file containing your public key (my.domain.com.crt), and combine with the decrypted private key (my.domain.com.jb):

    cat my.domain.com.jb >> my.domain.com.crt.jb

    8. Rename my.domain.com.crt.jb to my.domain.com.crtkey.jb
    9. Change ownership of my.domain.com.crtkey.jb to root:jabber ( chown root:jabber my.domain.com.crtkey)

    Not done yet....

    10. Change perms / ownership of my.domain.com.jb to match your original .key file.

    EDIT /etc/jabberd/c2s.xml

    1. Amend the settings in the local section (under the ssl-port 5223 line) to:

    /etc/certificates/my.domain.com.crtkey.jb

    1a. I also commented out the cachain line in that area. You may not need to but I did.

    2. No matter how tempting, do NOT touch anything else at this time. Trust me.
    Leave the 0.0.0.0 IP's alone; where you see your Default cert, leave it be!

    Done editing.

    3. Restart ichat service (don't touch the settings in the Admin application)

    On the iChat client set connect using SSL, port 5223.
    All should work.





    To get OD logins to work, comment out cram-md5 authentication, like this:


    Hopefully the code comes out in the pose there. If not, it's the fix from the Apple:
    http://docs.info.apple.com/article.html?artnum=306749 (option 2)

    Thanks to MacTroll from AFP548, and Tim Harris at Apple Discussions for their collective pieces in solving this!!
  • 7. Re: SSL Certificate Problem
    nickatbarbarian Level 1 Level 1 (15 points)
    this worked for me! thank you!
  • 8. Re: SSL Certificate Problem
    Steve Yuroff Level 1 Level 1 (75 points)
    Many thanks for posting your fix, Damian. It helped me out too.

    Bonus karma points for you!
  • 9. Re: SSL Certificate Problem
    dtich Level 1 Level 1 (115 points)
    i have the same problem, i haven't tried the fix yet, but i notice that ichat/jabber is creating duplicate .crt and .key files for some reason.

    i have a cert: mydomain.net.crt.

    in the cert folder there is also: mydomain.net.chcrt.

    if i throw this away and restart jabber. it is recreated.

    what is this about??