Fix generating of the self-signed certificates after truststore deletion

Description

After an accidental (or otherwise) deletion of the resources/security folder, Openfire shows a red icon with a white cross in the Admin Console. If one goes to the Server Certificates page and generates new self-signed certificates, the HTTP server restarts and everything looks fine until the next server restart. Then the Openfire launcher gives errors such as:

java.io.IOException
at org.jivesoftware.openfire.net.SSLConfig.getKeyStore(SSLConfig.java:268)
at org.jivesoftware.openfire.admin.ssl_002dcertificates_jsp._jspService(ssl_002dcertificates_jsp.java:99)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1093)
at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:66)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:42)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:70)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:146)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)
at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206)
at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.Server.handle(Server.java:324)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:829)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:514)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)
at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:488)

Environment

None

Acceptance Test - Entry

None

Activity

Guenther Niess
January 26, 2010, 3:49 PM

After installing openSUSE 11.2 I also had problems with saving the self-signed keys, but in the SUSE build log I see that the keystore is only a link to the client truststore. If I remove that link and use a separate file for the keystore, it works. I don't know what script builds SUSE's RPM package, but in my opinion this script should be fixed.

Peter Nixon
January 26, 2010, 3:58 PM

Hi Guenther

You are correct. This solves the problem for me also. I will have a look at why the package has this in a little bit and see about fixing it. Thanks for your help.

Peter Nixon
January 26, 2010, 4:28 PM

OK. It appears that the problem is caused by the %fdupes macro which had been configured to always use softlinks to avoid cross partition problems as suggested at:
http://en.opensuse.org/Packaging/SUSE_Package_Conventions/RPM_Macros#3.39_.25fdupes

For now I have disabled %fdupes completely. New packages should be on the mirrors shortly.

Is there an easy way to make the default key stores "different" at build time?
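
As an added defender's check (example code written for this note, not part of Openfire or the SUSE package), the following POSIX shell script verifies that the default stores under resources/security are separate regular files rather than symlinks or hard links to each other, which is the state the %fdupes softlink setting produced; the file names keystore, truststore and client.truststore are assumed from Openfire's default layout.

```shell
#!/bin/sh
# Added example (not Openfire's or the SUSE package's own code): detect the
# situation described above, where a packaging step such as %fdupes has turned
# identical default stores into symlinks, leaving keystore and a truststore as
# one file. File names assume Openfire's default resources/security layout.

# check_security_dir DIR: returns 0 when keystore, truststore and
# client.truststore in DIR are distinct regular files, 1 otherwise.
check_security_dir() {
    dir=$1
    status=0
    for f in keystore truststore client.truststore; do
        p="$dir/$f"
        if [ -L "$p" ]; then
            echo "WARN: $p is a symlink to $(readlink "$p"); stores must be separate files" >&2
            status=1
        elif [ ! -f "$p" ]; then
            echo "WARN: $p is missing; Openfire will fail to load this store" >&2
            status=1
        fi
    done
    # Hard links share an inode and pass the symlink test, so compare each pair
    # with -ef (supported by dash and bash, though not strictly POSIX).
    for pair in keystore:truststore keystore:client.truststore truststore:client.truststore; do
        a="$dir/${pair%%:*}"; b="$dir/${pair#*:}"
        if [ ! -L "$a" ] && [ ! -L "$b" ] && [ -f "$a" ] && [ "$a" -ef "$b" ]; then
            echo "WARN: $a and $b are the same file (hard link)" >&2
            status=1
        fi
    done
    return $status
}

# make_sample: builds a constructed throwaway tree with a "broken" layout that
# reproduces the packaging bug (keystore -> client.truststore symlink) and a
# "good" layout with three separate files; prints the temp directory path.
make_sample() {
    d=$(mktemp -d)
    for v in broken good; do mkdir -p "$d/$v/resources/security"; done
    printf 'ct' > "$d/broken/resources/security/client.truststore"
    printf 'ts' > "$d/broken/resources/security/truststore"
    ln -s client.truststore "$d/broken/resources/security/keystore"
    printf 'ks' > "$d/good/resources/security/keystore"
    printf 'ts' > "$d/good/resources/security/truststore"
    printf 'ct' > "$d/good/resources/security/client.truststore"
    echo "$d"
}

# Usage: check_security_dir /opt/openfire/resources/security || echo "fix stores"
```

Running it against an installed package directory before the first Openfire start would have caught the linked keystore that the comments above describe.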

Guenther Niess
January 31, 2010, 8:22 AM

Hmm, I've doubts that my fix was so ideal. I think we should at least warn the admin that all root certs were deleted before or after we generate an empty truststore. I'll write a patch which shows a warning in the admin console.

Guenther Niess
February 1, 2010, 3:27 PM

OK, finally I've separated loading of the keystore and the S2S truststore. Since we can't generate the root certs for the S2S truststore, I think we shouldn't try to generate any S2S truststore.

Fixed

Assignee

Guenther Niess

Reporter

wroot

Labels

None

Expected Effort

None

Ignite Forum URL

None

Fix versions

Affects versions

Priority

Major