tigase / tigase-server

Highly optimized, extremely modular and very flexible XMPP/Jabber server
https://tigase.net
GNU Affero General Public License v3.0

Using a Let's Encrypt certificate but told "certificate is self-signed" in whatever application #88

Closed ChenMoGe2 closed 3 years ago

ChenMoGe2 commented 3 years ago

Describe the bug I used a certificate from Let's Encrypt but am told "certificate is self-signed" in whatever application.

To Reproduce Steps to reproduce the behavior:

  1. Go to 'Psi'
  2. Do 'Connect your private server'
  3. You can see the error report.

Impact It's not secure.

Expected behavior It is secure.

Additional context I store the pem file at certs/domain.pem (the pem file was created by Let's Encrypt and I put all the files into domain.pem). When I start tigase.sh, it always logs 'Cannot load certficate from file: certs/im.thebd.xyz.pem' at level WARN. And sometimes it creates a new certificate under the certs/ directory.

ChenMoGe2 commented 3 years ago

Additional When I use the command ‘java -cp ./jars/tigase-utils.jar tigase.cert.CertificateUtil -lc certs/domain.pem -simple’ the log is:

Apr 29, 2021 8:04:27 PM tigase.cert.CertificateUtil getCertCName
FINE: Certificate DN: *.domain
Apr 29, 2021 8:04:27 PM tigase.cert.CertificateUtil getCertAltCName
FINE: Certificate alternative names: [*.domain]
Apr 29, 2021 8:04:27 PM tigase.cert.CertificateUtil getCertCName
FINE: Certificate DN: R3
Apr 29, 2021 8:04:27 PM tigase.cert.CertificateUtil getCertAltCName
FINE: Certificate alternative names: []
Apr 29, 2021 8:04:27 PM tigase.cert.CertificateUtil getCertCName
FINE: Certificate DN: Let's Encrypt Authority X3
Apr 29, 2021 8:04:27 PM tigase.cert.CertificateUtil getCertAltCName
FINE: Certificate alternative names: []
Apr 29, 2021 8:04:27 PM tigase.cert.CertificateUtil getCertCName
FINE: Certificate DN: ISRG Root X1
Apr 29, 2021 8:04:27 PM tigase.cert.CertificateUtil getCertAltCName
FINE: Certificate alternative names: []
Private key: SunRsaSign RSA private CRT key, 2048 bits
  params: null
  modulus: 22331568478156696719327284107610696658750163071798959734805457951667308165364762090496590441358874483959520263155284318785402053422077793615949798361970942793794757576153138240493430030378577708395713300554006215269595993614873701672348614231568686123509863629881200539682435648263428922359587459851076818316217328177768944509493319022215502443535315240180259364670356893655771856899205646371614733322485360993237143763839072473078977050040217612946067381930656164685948238769692074127683331810019346170105062328905184624974334064928308834600570852944800733763042860897629809623916289292512360329156972384769608296021
  private exponent: 16860185975848655777229870418917211203975739945261646515375651303057790378293916844496563697429499511212247472739421519042704023732004962511515571706827017554007119716618967608215434302808063002752947100285521576079765777561742996456166889423959268648111266191716462497573689913729259244065983910057391717202063021624727365865814441179444595188679115539531597834474148967138217106159087522682902349966341059850633387154579963509084335321823043988336171939692620453466220331754000104038641476088761797509887297461559405152773110640200438121362703708354889669582854160732965596161580321484516945888389423819435251882753
CN: *.domain
    alt: [*.domain]
    Issuer: CN=R3, O=Let's Encrypt, C=US
    Not Before: Thu Apr 29 18:39:46 CST 2021
    Not After: Wed Jul 28 18:39:46 CST 2021

CN: R3
    Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
    Not Before: Thu Oct 08 03:21:40 CST 2020
    Not After: Thu Sep 30 03:21:40 CST 2021

CN: Let's Encrypt Authority X3
    Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
    Not Before: Thu Oct 06 23:43:55 CST 2016
    Not After: Wed Oct 06 23:43:55 CST 2021

CN: ISRG Root X1
    Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
    Not Before: Thu Jun 04 19:04:38 CST 2015
    Not After: Mon Jun 04 19:04:38 CST 2035

Exception in thread "main" java.lang.RuntimeException: Can't find certificate CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US in chain. Verify that all entries are correct and match against each other!
    at tigase.cert.CertificateUtil.sort(CertificateUtil.java:722)
    at tigase.cert.CertificateUtil.sort(CertificateUtil.java:693)
    at tigase.cert.CertificateUtil.main(CertificateUtil.java:471)

woj-tek commented 3 years ago

Your chain is invalid: your certificate CN: *.domain was issued by: CN=R3 (Issuer: CN=R3). You have certificate for that issuer (CN: R3), which was issued by DST Root CA X3 (Issuer: CN=DST Root CA X3).

It should look like this (one of the variants, but you can see correct chain order):

CN: tigase.im
    alt: [*.tigase.im, tigase.im]
    Issuer: CN=R3, O=Let's Encrypt, C=US
    Not Before: Sun Mar 28 21:14:29 CEST 2021
    Not After: Sat Jun 26 21:14:29 CEST 2021
    Fingerprint: 7914a2b90dda852b3fc13f6215a679eb01912ffe

CN: R3
    Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
    Not Before: Wed Oct 07 21:21:40 CEST 2020
    Not After: Wed Sep 29 21:21:40 CEST 2021
    Fingerprint: 48504e974c0dac5b5cd476c8202274b24c8c7172

CN: DST Root CA X3
    Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
    Not Before: Sat Sep 30 23:12:19 CEST 2000
    Not After: Thu Sep 30 16:01:15 CEST 2021
    Fingerprint: dac9024f54d8f6df94935fb1732638ca6ad77c13

Relevant background information can be found here: https://letsencrypt.org/2020/12/21/extending-android-compatibility.html

In your case it seems that you used an incorrect R3 certificate and the chain is incomplete (yours was issued by DST Root CA X3 while you should use the one issued by ISRG Root X1).

ChenMoGe2 commented 3 years ago

@woj-tek Thanks, I will try it.

ChenMoGe2 commented 3 years ago

@woj-tek Hello, I see the last certificate of the chain, ISRG Root X1, was downloaded with wget https://letsencrypt.org/certs/isrgrootx1.pem, which is what the Tigase guide says (https://docs.tigase.net/tigase-server/master-snapshot/Administration_Guide/html/#ServerCertificates).

woj-tek commented 3 years ago

As I said - the chain with DST Root CA X3 is only an example.

Alternatively, and recommended, would be using ISRG Root X1; thus in your case the chain would look like this: *.domain -> R3 -> ISRG Root X1.

You must always consult the Let's Encrypt website for the correct certificate order.

In this case you should download the following:

wget https://letsencrypt.org/certs/isrgrootx1.pem
wget https://letsencrypt.org/certs/lets-encrypt-r3.pem

And then merge them all:

cat ./cert.pem ./privkey.pem ./lets-encrypt-r3.pem ./isrgrootx1.pem > mydomain.com.pem
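The chain check described in this thread (each certificate issued by the next one, leaf first), as an added example that is not part of the issue or of Tigase's code: a stdlib-only Python script that reads the certificates out of a merged PEM bundle like the one the `cat` command above produces (private-key blocks are skipped), reports every entry that was not issued by the entry after it, and reorders a bundle leaf-first the way `CertificateUtil` sorts it, failing with the same kind of "Can't find certificate ... in chain" message when a link is missing. The sample certificates are constructed stand-ins for the ones in this issue (correct X.509 layout, but empty key and signature), and the names in them are assumptions; the script compares subject and issuer names only and does not verify signatures, so also run `openssl verify -CAfile isrgrootx1.pem -untrusted lets-encrypt-r3.pem cert.pem` on the real files.

```python
"""Check and reorder the certificate chain in a merged PEM bundle (stdlib only).
Added example, not Tigase's code. It walks just enough DER to read each certificate's
issuer and subject Name and checks that every certificate was issued by the one after
it (leaf -> intermediate -> root). Signatures are NOT verified here."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = b"\x06\x03\x55\x04\x03"                              # id-at-commonName, 2.5.4.3
SHA256_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption OID

def _read_tlv(buf, pos):
    """Decode one DER element at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq_value):                  # top-level (tag, value) elements of a SEQUENCE body
    out, pos = [], 0
    while pos < len(seq_value):
        tag, value, pos = _read_tlv(seq_value, pos)
        out.append((tag, value))
    return out

def _common_name(name_der):
    """Pull the CN attribute value out of a DER Name (used for messages only)."""
    i = name_der.find(CN_OID)
    return _read_tlv(name_der, i + len(CN_OID))[1].decode("utf-8", "replace") if i >= 0 else "?"

def parse_cert(der):
    """Return (subject_der, issuer_der, subject_cn) for one DER-encoded X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)   # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    _, tbs, _ = _read_tlv(cert, 0)   # TBSCertificate ::= SEQUENCE { [0] version, serial, sigAlg, issuer, validity, subject, ... }
    fields = _children(tbs)
    if fields[0][0] == 0xA0:         # [0] version is OPTIONAL (absent in v1 certificates)
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]
    return subject, issuer, _common_name(subject)

def load_bundle(pem_text):
    """Parse every CERTIFICATE block in file order; PRIVATE KEY and other blocks are skipped."""
    return [parse_cert(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem_text)]

def check_chain(pem_text):
    """Return a list of linkage problems; empty means each certificate is issued by the next one."""
    certs = load_bundle(pem_text)
    if not certs:
        return ["no CERTIFICATE blocks found"]
    problems = [f"'{cn}' was not issued by the next entry '{next_cn}'"
                for (_, issuer, cn), (next_subj, _, next_cn) in zip(certs, certs[1:]) if issuer != next_subj]
    subj, issuer, cn = certs[-1]
    if subj != issuer:
        problems.append(f"last entry '{cn}' is not self-signed; its issuer '{_common_name(issuer)}' is missing")
    return problems

def sort_chain(pem_text):
    """Reorder leaf-first by following issuer -> subject links and return the CNs in that order.
    Raises ValueError when a link is missing, the situation CertificateUtil reported above."""
    certs = load_bundle(pem_text)
    by_subject = {c[0]: c for c in certs}
    issuers = {issuer for _, issuer, _ in certs}
    ordered = [c for c in certs if c[0] not in issuers][:1] or certs[:1]    # the leaf issued nobody
    while ordered[-1][0] != ordered[-1][1] and len(ordered) <= len(certs):  # stop at a self-signed root
        nxt = by_subject.get(ordered[-1][1])
        if nxt is None:
            raise ValueError(f"Can't find certificate CN={_common_name(ordered[-1][1])} in chain")
        ordered.append(nxt)
    return [cn for _, _, cn in ordered]

# Constructed sample data: real X.509 layout but empty key and signature (NOT real certificates).
def _tlv(tag, content):                    # DER-encode one element, short or long length form
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _name(cn):   # Name ::= SEQUENCE OF SET OF SEQUENCE { commonName OID, UTF8String }
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, CN_OID + _tlv(0x0C, cn.encode()))))

def fake_cert_pem(subject_cn, issuer_cn):
    validity = _tlv(0x30, _tlv(0x17, b"210101000000Z") + _tlv(0x17, b"220101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, SHA256_RSA)
               + _name(issuer_cn) + validity + _name(subject_cn) + _tlv(0x30, b""))
    der = _tlv(0x30, tbs + _tlv(0x30, SHA256_RSA) + _tlv(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(der).decode()}-----END CERTIFICATE-----\n"

LEAF = fake_cert_pem("*.domain", "R3")
R3_VIA_DST = fake_cert_pem("R3", "DST Root CA X3")    # the cross-signed R3 the reporter had
R3_VIA_ISRG = fake_cert_pem("R3", "ISRG Root X1")     # stand-in for lets-encrypt-r3.pem
LE_X3 = fake_cert_pem("Let's Encrypt Authority X3", "ISRG Root X1")
ISRG_ROOT = fake_cert_pem("ISRG Root X1", "ISRG Root X1")
PRIVKEY = "-----BEGIN PRIVATE KEY-----\nMA==\n-----END PRIVATE KEY-----\n"   # placeholder, skipped by the parser
BROKEN_BUNDLE = LEAF + PRIVKEY + R3_VIA_DST + LE_X3 + ISRG_ROOT   # what the reporter's domain.pem looked like
FIXED_BUNDLE = LEAF + PRIVKEY + R3_VIA_ISRG + ISRG_ROOT           # cat cert.pem privkey.pem lets-encrypt-r3.pem isrgrootx1.pem
```

`check_chain(BROKEN_BUNDLE)` reports that 'R3' was not issued by the next entry, and `sort_chain(BROKEN_BUNDLE)` stops with "Can't find certificate CN=DST Root CA X3 in chain", which is the missing link in the reporter's file; `FIXED_BUNDLE` links cleanly as *.domain -> R3 -> ISRG Root X1. Because the guide merges the root into the bundle, the check treats a file that does not end in a self-signed certificate as a problem; a bundle with only the leaf and intermediate is fine for TLS clients that already trust the root, so adjust that rule if you deliberately leave the root out.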

ChenMoGe2 commented 3 years ago

@woj-tek Thanks, I succeeded with this step and it's OK for Stork IM, but it failed with Conversations and Psi+. The error message says 'The certificate is NOT valid! Reason: INVALID CA certificate.' Is something wrong with my certificate?

woj-tek commented 3 years ago

Could you share the screenshot of the complete error?

ChenMoGe2 commented 3 years ago

Just this error, in red.

ChenMoGe2 commented 3 years ago

@woj-tek It's OK after changing the hostname and changing the CA. Thanks a lot.

woj-tek commented 3 years ago

You shouldn't use a wildcard hostname as your main host. Ideally you should use CN=domain.com and add the wildcard as an alternative name.