Fix generating of the self-signed certificates after truststore deletion

Description

After deletion, accidental or not, of the resources/security folder, Openfire shows a red icon with a white cross in the Admin Console. If one goes to the Server Certificates page and generates new self-signed certificates, the HTTP server restarts and everything looks fine until the next server restart. The Openfire launcher gives errors like this:

java.io.IOException
at org.jivesoftware.openfire.net.SSLConfig.getKeyStore(SSLConfig.java:268)
at org.jivesoftware.openfire.admin.ssl_002dcertificates_jsp._jspService(ssl_002dcertificates_jsp.java:99)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1093)
at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:66)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:42)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:70)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:146)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)
at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206)
at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.Server.handle(Server.java:324)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:829)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:514)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)
at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:488)

Environment

None

Activity

Guenther Niess
February 1, 2010, 3:27 PM

Ok, finally I've separated loading of the keystore and S2S truststore. Since we can't generate the root certs for the S2S truststore I think we shouldn't try to generate any S2S truststore.

Guenther Niess
January 31, 2010, 8:22 AM

Hmm, I've doubts that my fix was so ideal. I think we should at least warn the admin that all root certs were deleted before or after we generate an empty truststore. I'll write a patch which shows a warning in the admin console.

Peter Nixon
January 26, 2010, 4:28 PM

OK. It appears that the problem is caused by the %fdupes macro which had been configured to always use softlinks to avoid cross partition problems as suggested at:
http://en.opensuse.org/Packaging/SUSE_Package_Conventions/RPM_Macros#3.39_.25fdupes

For now I have disabled %fdupes completely. New packages should be on the mirrors shortly.

Is there an easy way to make the default key stores "different" at build time?

Peter Nixon
January 26, 2010, 3:58 PM

Hi Guenther

You are correct. This solves the problem for me also. I will have a look at why the package has this in a little bit and see about fixing it. Thanks for your help.

Guenther Niess
January 26, 2010, 3:49 PM

After installation of openSUSE 11.2 I also had problems with saving the self-signed keys, but on the SUSE build log I see that the keystore is only a link to the client truststore. If I remove that link and use a separate file for the keystore it works. I don't know what script builds the SUSE's RPM package, but in my opinion this script should be fixed.
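
A check for the packaging problem described in the comments above, as an added example that is not part of the original comments and is not Openfire or SUSE packaging code: it lists entries in a security directory that resolve to the same underlying file, whether through a symlink or a hard link. The function names and the file names in the constructed sample (keystore, truststore, client.truststore) are assumptions.

```shell
#!/bin/sh
# Added example, not Openfire or SUSE packaging code.
# check_stores DIR: print every pair of entries in DIR that resolve to the
# same underlying file (symlink or hard link) and every dangling symlink.
# Returns 0 if all entries are independent, 1 if not, 2 if DIR is missing.
check_stores() {
    dir=$1
    if [ ! -d "$dir" ]; then echo "NO-DIR $dir"; return 2; fi
    found=0
    set -- "$dir"/*
    for a in "$@"; do
        shift                       # "$@" now holds only the entries after $a
        if [ -L "$a" ] && [ ! -e "$a" ]; then
            echo "DANGLING ${a##*/}"; found=1; continue
        fi
        [ -f "$a" ] || continue
        for b in "$@"; do
            [ -f "$b" ] || continue
            if [ "$a" -ef "$b" ]; then   # same device and inode
                kind=HARDLINK
                if [ -L "$a" ] || [ -L "$b" ]; then kind=SYMLINK; fi
                echo "$kind ${a##*/} == ${b##*/}"
                found=1
            fi
        done
    done
    return "$found"
}

# Constructed sample reproducing the layout described in the comment:
# the keystore is only a symlink to the client truststore (file names assumed).
make_sample() {
    d=$(mktemp -d) || return 1
    echo "trust-data" > "$d/client.truststore"
    echo "other-data" > "$d/truststore"
    ln -s client.truststore "$d/keystore"
    echo "$d"
}

# Usage: sh check_stores.sh /path/to/resources/security
if [ "$#" -gt 0 ]; then check_stores "$1"; fi
```

A non-zero exit status means that writing a newly generated certificate into one store would also change another store.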

Fixed

Assignee

Guenther Niess

Reporter

wroot