After upgrading to Openfire 4.0.2, I've run into a problem connecting to other servers (namely, jabber.org). Though I can log in to my own server, it's not making any outside connections. Looking through the info logs, I ran across this (my own server info scrubbed):
2016.03.23 13:00:43 org.jivesoftware.openfire.session.LocalOutgoingServerSession[Create outgoing session for: (my_server) to jabber.org] - STARTTLS negotiation failed. Closing connection (without sending any data such as <failure/> or </stream>).
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:293)
at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:178)
at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:195)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.secureAndAuthenticate(LocalOutgoingServerSession.java:407)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:305)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain(LocalOutgoingServerSession.java:210)
at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:267)
at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:243)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
at org.jivesoftware.openfire.net.TLSStreamHandler.doTasks(TLSStreamHandler.java:344)
at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:254)
... 10 more
Caused by: java.security.cert.CertificateException: The provided input should not contain multiple certificates with identical subjectDN values. Offending value: CN=Let's Encrypt Authority X1, O=Let's Encrypt, C=US
at org.jivesoftware.openfire.keystore.CertificateUtils.order(CertificateUtils.java:178)
at org.jivesoftware.openfire.keystore.CertificateUtils.identifyEndEntityCertificate(CertificateUtils.java:234)
at org.jivesoftware.openfire.keystore.OpenfireX509TrustManager.checkServerTrusted(OpenfireX509TrustManager.java:99)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:936)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
... 18 more
Now, while I DO have a Let's Encrypt cert elsewhere on the system, that's not what my Openfire install is using. That's just using a plain self-signed cert created via the first-time setup when I first installed it (this Openfire setup is just a personal-use one, more or less for fun). In fact, I wasn't aware I had a Let's Encrypt authority sitting around in the first place. But, double-checking the Openfire code in GitHub, sure enough, that's what's throwing the exception.
I'm afraid I don't have quite enough experience in managing SSL certs and/or authorities to figure out why Openfire thinks there are multiple certs with identical subjectDNs, but unless the Let's Encrypt installer did something weird, I'm fairly certain I haven't done anything SSL-related above and beyond whatever Ubuntu Server usually does. Can anyone help?
This is a 64-bit Ubuntu 14.04.4 LTS system, running OpenJDK 8. Output of java -version follows:
openjdk version "1.8.0_72-internal"
OpenJDK Runtime Environment (build 1.8.0_72-internal-b15)
OpenJDK 64-Bit Server VM (build 25.72-b15, mixed mode)
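As an added example (not from the post and not Openfire's own code), the following pure-Python model of the chain ordering that Openfire's CertificateUtils performs shows the exact condition named in the exception: a cross-signed intermediate presented twice, with the same subject DN but two different issuers. The input is a constructed chain for a hypothetical host xmpp.example.net; signature and trust-store verification are not modelled, only the subject/issuer bookkeeping. `strict=True` reproduces the rejection; `strict=False` shows an ordering that keeps the copy which chains on to a presented root.

```python
from collections import Counter, namedtuple

# A certificate reduced to the two fields that chain ordering needs.
Cert = namedtuple("Cert", "subject issuer")

LE_X1 = "CN=Let's Encrypt Authority X1, O=Let's Encrypt, C=US"
ISRG = "CN=ISRG Root X1, O=Internet Security Research Group, C=US"
DST = "CN=DST Root CA X3, O=Digital Signature Trust Co."

# Constructed sample (hypothetical host): the intermediate appears twice under
# one subject DN, once signed by each of its two roots, plus a self-signed root.
SAMPLE_CHAIN = [
    Cert(LE_X1, DST),
    Cert("CN=xmpp.example.net", LE_X1),
    Cert(LE_X1, ISRG),
    Cert(ISRG, ISRG),
]

def duplicate_subjects(certs):
    """Subject DNs occurring more than once: what the 4.0.2 trust manager treats as fatal."""
    counts = Counter(c.subject for c in certs)
    return sorted(s for s, n in counts.items() if n > 1)

def end_entity(certs):
    """The leaf is the single certificate whose subject issued nothing else in the set."""
    issuers = {c.issuer for c in certs}
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:
        raise ValueError("cannot identify a single end-entity certificate: %r" % (leaves,))
    return leaves[0]

def order_chain(certs, strict=True):
    """Return the chain leaf-first. strict=True rejects duplicate subject DNs outright;
    strict=False resolves a duplicate by preferring the copy whose issuer is also presented."""
    dups = duplicate_subjects(certs)
    if strict and dups:
        raise ValueError("multiple certificates with identical subjectDN values: " + ", ".join(dups))
    subjects = {c.subject for c in certs}
    chain = [end_entity(certs)]
    while chain[-1].subject != chain[-1].issuer:      # stop at a self-signed root
        wanted = chain[-1].issuer
        candidates = [c for c in certs if c.subject == wanted and c not in chain]
        if not candidates:
            break                                     # issuer not presented; trust store must supply it
        candidates.sort(key=lambda c: c.issuer in subjects, reverse=True)
        chain.append(candidates[0])
    return chain

if __name__ == "__main__":
    print("duplicates:", duplicate_subjects(SAMPLE_CHAIN))
    for c in order_chain(SAMPLE_CHAIN, strict=False):
        print(c.subject, "<-", c.issuer)
```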