Google Wave Federation Update

My Orient Lodge Google Wave Server has now successfully federated with several different servers, including the Google Wave Sandbox server. I’ve hit various bumps and curves along the way and hopefully this blog post will help others hitting similar curves.

Initially, I tried to use StartSSL for my certificates. However, my preferred web browser is Google Chrome and StartSSL just doesn’t work with Chrome. I gave up and went over to CACert.org.

I created a certificate file using a certificate signing request (CSR) to get a certificate from CACert. The generated certificate worked fine, and I started my wave server with just that certificate file. Later, I received signed certificates for my XMPP server as well, but these did not help with federation.

On the mailing list, there was a long discussion about people chaining certificates, so I added CACert’s root certificate in my chain.
e.g.

CERTIFICATE_FILENAME_LIST=${WAVE_SERVER_DOMAIN_NAME}.crt,cacert.crt

(I had saved CACert.org’s root certificate as cacert.crt)

With that, I managed to successfully federate with another wave server that runs using CACert.org certificates. However, I could not connect with WaveSandbox or other federated servers. Some of the problem connecting with other federated servers may have been because we are all struggling to get federation up and running.

Last night, I federated with one server whose owner I’ve been talking with on the production Google Wave server. What was interesting was that he could send blips to me, but I could not send them back to his server. He checked the log and found that his server was rejecting my requests because of a signing error. He suggested moving to StartSSL and noted that while it does not seem to work well with all browsers, it does work well with Firefox.

So, I went to Firefox and set up an account and got a certificate. I went back and forth trying to get the certificates to validate. If you can’t validate them with the openssl verify command, then the odds are your wave server will crash when you try to run it.
In the end,

openssl verify -CAfile startssl.pem -untrusted sub.class1.server.ca.pem orient-lodge.com.crt

worked.

As part of my testing, I ran the keytool commands:

# Each import needs its own alias (keytool defaults both to "mykey" and
# refuses the second one); "changeit" is the JDK's default cacerts password.
keytool -importcert -storetype jks -keystore /etc/java-6-openjdk/cacerts -storepass changeit -alias startssl-root -file startssl.pem
keytool -importcert -storetype jks -keystore /etc/java-6-openjdk/cacerts -storepass changeit -alias startssl-class1-sub -file sub.class1.server.ca.pem

With all this in place, I changed my run-config.sh file to include:

CERTIFICATE_FILENAME_LIST=${WAVE_SERVER_DOMAIN_NAME}.crt,sub.class1.server.ca.pem,startssl.pem
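The two things above (the openssl verify command that finally worked, and the leaf-then-intermediate-then-root order of CERTIFICATE_FILENAME_LIST) can be reproduced offline with a throwaway chain. The script below is an added example, not part of the original post or of the FedOne server; it builds its own root, intermediate and leaf certificates with openssl (the names "Test Root", "Test Intermediate" and "wave.example" are made up for the demo), shows that verification fails when only the root is given and succeeds once the intermediate is passed with -untrusted, and checks that a list of certificate files is ordered so each certificate's issuer is the next file's subject.

```shell
#!/bin/sh
# Added example: throwaway root -> intermediate -> leaf chain, used to show why
# "openssl verify" needs the intermediate as -untrusted, and to sanity-check the
# order of a CERTIFICATE_FILENAME_LIST-style chain. All names are invented.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root CA: self-signed. "openssl req -x509" marks it CA:TRUE by default.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -subj "/CN=Test Root" -keyout root.key -out root.pem 2>/dev/null

# Intermediate: must carry basicConstraints CA:TRUE, otherwise the verifier
# will not accept it as an issuer of the leaf (this mirrors sub.class1.server.ca).
printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Test Intermediate" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -sha256 -extfile int.ext -out int.pem 2>/dev/null

# Leaf: the wave server's own certificate, signed by the intermediate.
printf 'basicConstraints=CA:false\nsubjectAltName=DNS:wave.example\n' > leaf.ext
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=wave.example" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 2 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Same shape as the command in the post: trusted root via -CAfile, the
# intermediate supplied as -untrusted so openssl can build the path.
verify_with_intermediate() {
  if openssl verify -CAfile root.pem -untrusted int.pem leaf.pem >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# The failure mode from earlier in the post: root alone is not enough,
# openssl reports "unable to get local issuer certificate".
verify_root_only() {
  if openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# CERTIFICATE_FILENAME_LIST goes leaf first, then each issuer in turn.
# Check that ordering: every file's issuer must equal the next file's subject.
check_chain_order() {
  prev_issuer=""
  for f in "$@"; do
    subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253)
    subj=${subj#subject=}
    if [ -n "$prev_issuer" ] && [ "$subj" != "$prev_issuer" ]; then
      echo fail
      return 0
    fi
    issuer=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253)
    prev_issuer=${issuer#issuer=}
  done
  echo ok
}

echo "root only:         $(verify_root_only)"
echo "with intermediate: $(verify_with_intermediate)"
echo "leaf,int,root:     $(check_chain_order leaf.pem int.pem root.pem)"
echo "int,leaf,root:     $(check_chain_order int.pem leaf.pem root.pem)"
# Temporary files stay under $WORK; remove the directory when done.
```

The point of the last two lines is that the chain list is positional: swapping the leaf and the intermediate produces a file set that openssl can still verify individually, but whose order no longer describes a path, which is the kind of thing a server that loads the list verbatim will choke on.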

When I restarted my wave server, I could federate with wave24z, wavesandbox and even a CACert certified server. I’ve tested various combinations, federating with several different servers at the same time. This seems to work well. However, if you add servers federated with CACert to servers that do not recognize the CACert certified server, the wave appears to crash on all the servers.

I also ran into a problem with Wavesandbox where I was typing along, and seeing the typing show up on two other federated servers, when it stopped mid sentence. Wavesandbox had a message about the wave becoming unstable and marking it crashed. This is an area that needs further exploration.

For more on this, and a major hat tip to Ralf, whom I worked with a lot trying to get the wave server running, please go out and read his blog post Federate Google Wave sandbox with your own (FedOne) server.

A few other notes, partly as a followup to his blog post:

First, my environment:
Hosted via a 512M Slice at Slicehost. Slicehost is owned by Rackspace.
Running Ubuntu 8.04
With that, I’m running java-6-openjdk instead of java-6-sun
Now using certificates from StartSSL

If people want access to my wave server, please contact me directly.

P.S. I also added the StartSSL root certificate to Google Chrome on my main computer and that seems to have fixed the problem with their site.
