-
nuron
Strange... when I don't do anything with my prosody or write from one acc on my server to another everything is fine. But when I start to write the server crashes...
-
nuron
No success by installation without toast, mostly the same issues... The logs tell me again that the certificate is invalid... But how can I get a valid one?
-
nuron
Should I use the cert from my ISP?
-
nuron
When I try to send a message from my server to trashserver there came up one issue: 'remote server not found'
-
nuron
https://haste.tchncs.de/kizafocalu.coffee Does anyone have an idea how I can get a valid cert?
-
Maranda
[13:00:32] Maranda: @ping famkibo.eu [13:02:03] Echo1: Ping failed (remote-server-not-found): Server-to-server connection failed: connection-timeout
-
Maranda
Your server is not dialing back that's the problem
-
Maranda
or answering the stream opening request
-
nuron
I have another domain, Maranda
-
Maranda
[13:03:14] Maranda: @ping famkibo.eu [13:04:15] Echo1: Ping failed (remote-server-not-found): Server-to-server connection failed: host-unknown (This host does not serve famkibo.eu)
-
nuron
ping famkibo.eu
PING famkibo.eu (95.143.172.177) 56(84) bytes of data.
64 bytes from serpens.uberspace.de (95.143.172.177): icmp_seq=1 ttl=59 time=13.4 ms
64 bytes from serpens.uberspace.de (95.143.172.177): icmp_seq=2 ttl=59 time=13.0 ms
^C
--- famkibo.eu ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 13.066/13.240/13.415/0.209 ms
But I can ping famkibo.eu
-
Maranda
>.>
-
nuron
@ping famkibo.eu
-
Maranda
who cares about ping, if the host *is there* of course you can ping it, but your xmpp server is misconfigured
-
nuron
but I can log in?
-
Maranda
are you logging in to famkibo.eu? Because your prosody instance isn't serving that virtualhost.
-
Maranda
(when it answers)
-
nuron
No, i bought a New domain...
-
nuron
shreddox.eu
-
nuron
Maranda: the monitor on uptimerobot tells me that the xmpp server is up?! status.shreddox.eu
-
Maranda
Jan 14 12:10:13 c2safc1130 debug Received[c2s]: <iq id='9' type='get' to='shreddox.eu'>
Jan 14 12:10:13 mod_router debug Routing to remote...
Jan 14 12:10:13 mod_s2s debug opening a new outgoing connection for this stanza
Jan 14 12:10:13 mod_s2s debug stanza [iq] queued until connection complete
Jan 14 12:10:13 mod_s2s debug First attempt to connect to shreddox.eu, starting with SRV lookup...
Jan 14 12:10:13 adns debug Records for _xmpp-server._tcp.shreddox.eu. not in cache, sending query (thread: 0x6ed7bc0 )...
Jan 14 12:10:13 adns debug Sending DNS query to 127.0.0.1
Jan 14 12:10:13 socket debug new connection established. id: 8d26ae0
Jan 14 12:10:13 socket debug try to close client connection with id: 8d26ae0
Jan 14 12:10:13 socket debug closing client with id: 8d26ae0 client to close
Jan 14 12:10:13 adns debug Reply for _xmpp-server._tcp.shreddox.eu. (thread: 0x6ed7bc0)
Jan 14 12:10:13 mod_s2s debug shreddox.eu has SRV records, handling...
Jan 14 12:10:13 mod_s2s debug Best record found, will connect to host.shreddox.eu.:61412
Jan 14 12:10:13 adns debug Records for host.shreddox.eu. not in cache, sending query (thread: 0x791ab70)...
Jan 14 12:10:13 adns debug Sending DNS query to 127.0.0.1
Jan 14 12:10:13 adns debug Records for host.shreddox.eu. not in cache, sending query (thread: 0xad87d60)...
Jan 14 12:10:13 adns debug Sending DNS query to 127.0.0.1
Jan 14 12:10:13 socket debug new connection established. id: a150250
Jan 14 12:10:14 adns debug Reply for host.shreddox.eu. (thread: 0x791ab70)
Jan 14 12:10:14 mod_s2s debug DNS reply for host.shreddox.eu. gives us 95.143.172.177
Jan 14 12:10:14 socket debug try to close client connection with id: a150250
Jan 14 12:10:14 socket debug closing client with id: a150250 client to close
Jan 14 12:10:14 adns debug Reply for host.shreddox.eu. (thread: 0xad87d60)
Jan 14 12:10:14 mod_s2s debug DNS reply for host.shreddox.eu. gives us 2001:1a50:11::5f:8f:acb1:426
Jan 14 12:10:14 s2soutb299270 info Beginning new connection attempt to shreddox.eu ([2001:1a50:11::5f:8f:acb1:426]:61412)
Jan 14 12:10:14 s2soutb299270 debug Connection attempt in progress...
Jan 14 12:10:14 socket debug new connection established. id: bca61a0
Jan 14 12:10:14 s2soutb299270 debug sending: <?xml version='1.0'?>
Jan 14 12:10:14 s2soutb299270 debug sending: <stream:stream xmlns:stream='http://etherx.jabber.org/streams' to='shreddox.eu' from='lightwitch.org' version='1.0' xmlns:db='jabber:server:dialback' xmlns='jabber:server'>
Jan 14 12:10:14 c2s865cfb0 debug Received[c2s]: <a xmlns='urn:xmpp:sm:3' h='3129'>
Jan 14 12:10:14 s2soutb299270 debug Received[s2sout_unauthed]: <features xmlns='http://etherx.jabber.org/streams'><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls><dialback xmlns='urn:xmpp:features:dialback'/></features>
Jan 14 12:10:14 lightwitch.org:tls debug shreddox.eu is offering TLS, taking up the offer...
Jan 14 12:10:14 s2soutb299270 debug sending: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
Jan 14 12:10:14 s2soutb299270 debug Received[s2sout_unauthed]: <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
Jan 14 12:10:14 lightwitch.org:tls debug Proceeding with TLS on s2sout...
Jan 14 12:10:14 socket debug try to start ssl at client id: bca61a0
Jan 14 12:10:14 socket debug starting handshake...
Jan 14 12:10:14 socket debug ssl handshake of client with id:table: 0xbca61a0, attempt:1
Jan 14 12:10:14 socket debug ssl handshake of client with id:table: 0xbca61a0, attempt:2
Jan 14 12:10:14 socket debug ssl handshake of client with id:table: 0xbca61a0, attempt:3
Jan 14 12:10:14 socket debug ssl handshake of client with id:table: 0xbca61a0, attempt:4
Jan 14 12:10:15 socket debug ssl handshake of client with id:table: 0xbca61a0, attempt:5
Jan 14 12:10:15 s2soutb299270 debug Sending stream header...
Jan 14 12:10:15 s2soutb299270 debug sending: <?xml version='1.0'?>
Jan 14 12:10:15 s2soutb299270 debug sending: <stream:stream xmlns:stream='http://etherx.jabber.org/streams' to='shreddox.eu' from='lightwitch.org' id='d3f89f4e-b151-4dda-9117-37dad7c3301f' version='1.0' xmlns:db='jabber:server:dialback' xmlns='jabber:server'>
Jan 14 12:10:15 socket debug ssl handshake done
Jan 14 12:10:15 s2soutb299270 debug certificate chain validation result: valid
Jan 14 12:10:15 x509 debug Cert dNSName shreddox.eu matched hostname
Jan 14 12:10:15 s2soutb299270 info Session closed by remote with error: not-authorized (Your server's certificate is invalid, expired, or not trusted by shreddox.eu)
Jan 14 12:10:15 s2soutb299270 debug sending: </stream:stream>
Jan 14 12:10:15 s2soutb299270 info outgoing s2s stream lightwitch.org->shreddox.eu closed: not-authorized (Your server's certificate is invalid, expired, or not trusted by shreddox.eu)
Jan 14 12:10:15 s2soutb299270 debug Destroying outgoing session lightwitch.org->shreddox.eu: not-authorized (Your server's certificate is invalid, expired, or not trusted by shreddox.eu)
Jan 14 12:10:15 s2soutb299270 info sending error replies for 1 queued stanzas because of failed outgoing connection to shreddox.eu
Jan 14 12:10:15 mod_router debug Received[s2sin]: <iq id='9' type='error' to='echo1@lightwitch.org/echo1' from='shreddox.eu'>
Jan 14 12:10:15 socket debug try to close client connection with id: bca61a0
Jan 14 12:10:15 socket debug closing delayed until writebuffer is empty
Jan 14 12:10:15 s2soutb299270 debug Received </stream:stream>
Jan 14 12:10:15 s2soutb299270 debug Attempt to close already-closed session
Jan 14 12:10:15 socket debug closing client after writing
Jan 14 12:10:15 socket debug closing client with id: bca61a0 client to close
Jan 14 12:10:15 s2soutb299270 debug s2s disconnected: lightwitch.org->shreddox.eu (connection closed)
-
Maranda
You don't seem to have DST Root CA X3 added to your certificate authorities
-
Maranda
That or Prosody can't access the server CA-Path.
-
nuron
> You don't seem to have DST Root CA X3 added to your certificate authorities What's that??
-
Maranda
Let's Encrypt CA
-
nuron
I have one... I created them with this command: letsencrypt certonly -d shreddox.eu -d upload.shreddox.eu -d conference.shreddox.eu
-
nuron
Or is this command wrong
-
nuron
Wrong
-
nuron
ssl = {
  -- options = { "no_sslv2", "no_sslv3", "no_compression" };
  dhparam = "/home/famkibo/var/prosody/ssl/dh-2048.pem";
  key = "/home/famkibo/shreddox.eu/privkey.pem";
  certificate = "/home/famkibo/shreddox.eu/fullchain.pem";
}
That's the ssl part in the prosody config
-
Maranda
strange Prosody *should* by default use "lsec_continue", "lsec_ignore_purpose" so your server shouldn't refuse connections if it doesn't trust a certificate.
-
Maranda
are you sure you don't have a ssl directive anywhere else in your config file?
-
nuron
Maranda, maybe this?
c2s_require_encryption = true;
s2s_require_encryption = true;
-- Servers must present recognised, valid security certificates
-- See also: https://thomas-leister.de/sichere-xmpp-s2s-verschluesselung/
s2s_secure_auth = true;
-
Zash
-certinfo shreddox.eu
-
Bunneh
Zash: Host unreachable: Server-to-server connection failed: Connecting failed: closed
-
Maranda
nuron, yes from documentation it looks to be that.
-
nuron
> -certinfo shreddox.eu What?
-
nuron
> nuron, yes from documentation it looks to be that. So I have to do what?
-
Maranda
This will disable dialback (a DNS-based authentication mechanism), and require that all remote servers present trusted certificates valid for their domain. Note that you can configure which certificate authorities Prosody trusts certificates from, see our documentation on certificates for more info. Beware that many servers on the XMPP network use self-signed or invalid certificates, or even don't support TLS at all (such as gmail.com and all Google-hosted domains). It is possible to make exceptions like this:
-
Maranda
s2s_secure_auth = false; or remove the directive?
-
Maranda
I dunno what the default is
-
nuron
Hmm i'll try it..
-
Maranda
Dialback failing.
-
Maranda
brb
-
nuron
I think now it works!!!
-
nuron
At least with trashserver
-
nuron
But when I try to start a new muc / chat with another server my clients disconnect from the servern
-
nuron
Server
-
Maranda
I still get timeouts on s2s
-
Maranda
whatever, bbl
-
nuron
Yea, the server crashes sometimes... I don't know why
-
nuron
But prosodyctl status tells me that the server is still alive, but I get timeouts too
-
Zash
What do you mean by crashes?
-
Zash
Also, there's a room specifically for prosody support, prosody@conference.prosody.im
-
nuron
> Also, there's a room specifically for prosody support, prosody@conference.prosody.im Okay, thanks but i think it isn't much to do now...
-
nuron
> What do you mean by crashes? The server is still running (htop -> lua; prosodyctl status -> prosody is running) but all my accounts disconnect from the server... And the CPU use of lua rises to 100%
-
Zash
Not what I would call a crash, but apparently everything is a crash nowadays :(
-
nuron
Okay, then the server does not crash... But there is an issue..
-
nuron
After a while the server is reachable again and the connection to the other server works fine...
-
Zash
And this was the machine with one billion local ip addresses?
-
nuron
The server has very much ipv6 addresses, right
-
Zash
Then you will want to specify the interfaces to use
-
nuron
?
-
Zash
interfaces = { "95.143.172.177", "2001:1a50:11:0:5f:8f:acb1:426" }
-
nuron
Add to config?
-
Zash
Yes. Global section.
-
nuron
Okay, just wait a second...
-
nuron
Then reload or restart prosody?
-
Zash
Reload config and mod_s2s
-
nuron
So the command is? Prosodyctl reload ?
-
Zash
Needs the telnet console or adhoc commands to reload modules
-
Zash
`prosodyctl reload` only reloads config, logging and certs
-
nuron
Okay, telnet isn't available... And adhoc I don't know
-
Zash
just restart it then
-
nuron
👍
-
Zash
It would be unwise to enable telnet on that host
-
nuron
How long should a restart need?
-
Zash
What do you mean?
-
nuron
Should it take 1 minute, 5 minutes?
-
nuron
When I restart prosody and then the time where every client is logged in again
-
nuron
Sorry, my English is very bad 😑
-
Zash
Less than a minute
-
nuron
Hmm okay
-
Zash
Like, it should on the order of a second or two
-
Zash
Depends on number of connections that need to be closed
-
nuron
Now prosody is restarted... I'll try with jabber.de
-
404.city
nuron: what is the problem?
-
nuron
404.city: a second please
-
Zash
nuron: Have you tried `prosodyctl check dns`
-
nuron
Of course
-
nuron
https://haste.tchncs.de/amirazipoy.vhdl zash
-
Zash
Ugh, javascript-requiring pastebins :(
-
nuron
404.city: the problem is that I lose my connection to the server when I try to chat with another xmpp server...
-
nuron
> Ugh, javascript-requiring pastebins :( Should I post it here?
-
404.city
nuron: firewall allow port 5269?
-
nuron
S2s port is 61412, this port is open and the SRV will manage
-
Zash
There is no response on that port
-
nuron
Hmm it should...
-
Zash
It just times out
-
nuron
Hmm
-
nuron
Ipv4 or ipv6
-
Zash
Both
-
nuron
Strange
-
Zash
Says connected, but doesn't say anything
-
nuron
Hmm
-
nuron
I'll go to check the logs
-
Zash
-ping shreddox.eu
-
Zash
Oh
-
Zash
bunnnnnnnnn!
-
Zash
-ping shreddox.eu
-
Bunneh
Zash: Ping failed (remote-server-not-found): Server-to-server connection failed: closed
-
nuron
Now it should work... My Clients are up
-
Zash
What do you see in /etc/ssl/certs ?
-
nuron
zash I only have the folder /home/famkibo/etc/prosody/certs and these are the files inside
-
nuron
ls ~/etc/prosody/certs/
cert.pem chain.pem fullchain.pem privkey.pem README
-
Zash
nuron: That's not what I asked
-
nuron
zash you mean this?
-
nuron
ls /etc/ssl/certs
ca-bundle.crt localhost-with-intermediate.crt renew-dummy-cert sub.class1.server.sha2.ca.pem wildcard.serpens.uberspace.de.crt ca-bundle.trust.crt make-dummy-cert sub.class1.server.ca.pem sub.class2.server.ca.pem wildcard.serpens.uberspace.de-with-intermediate.crt class3.crt Makefile sub.class1.server.ca.pem.1 sub.class2.server.sha2.ca.pem
-
Zash
Uhu
-
Zash
Prosody expects the list of root certificates to live in there, by default.
-
Zash
If those files are all that's there, then that's not the case, so all cert TLS validation will fail
-
nuron
So I have to use /etc/ssl/certs as cert folder?
-
nuron
Sorry, but I don't understand this
-
Zash
You need to do things that are normally done by the packager, such as point Prosody to where local CA root certificates are stored.
-
Zash
Might be that 'ca-bundle.crt', but I don't know.
-
Zash
You might need `ssl = { capath = "path to special directory" or cafile = "path to ca bundle file" }`
-
nuron
And the paths are /etc/ssl/certs/file
-
nuron
Right?
-
Zash
It depends on the OS/distro
-
Zash
Debian & co has `/etc/ssl/certs` in a special format
-
nuron
On uberspace it's CentOS
-
Zash
My favorite!!!
-
nuron
;)
-
Zash
Majority of my CentOS experience is debugging impossible problems and finding logged in root terminals left by senior admins
-
Zash
Which contributes to my general dislike of uberspace
-
nuron
I don't have root access?! Its shared hosting...
-
Zash
Everything is just weird, and difficult for even weirder reasons.
-
Zash
That was at a previous job.
-
nuron
But what have I to do?
-
nuron
Shall I ask uberspace what the problem is?
-
Zash
Ask where CA certs are
-
nuron
Okay, and when I have the answer, what have I to do then?
-
Zash
Like I said earlier, depending on if it's a bundle file or a directory, `ssl = { capath = "directory", cafile = "bundle file" }`
-
nuron
Okay, thanks
-
Maranda
why are you trying to run prosody on shared hosting... when you can get away with a vps at 5$/mo or so >.>
-
nuron
Because I have the shared hosting server anyways
-
Maranda
When you ask for troubles (and possibly a suspended account) you usually find 'em.
-
nuron
> When you ask for troubles (and possibly a suspended account) you usually find 'em. ?
-
Maranda
Because that still makes no sense.
-
nuron
What makes no sense?
-
Maranda
[16:13:35] nuron: Because I have the shared hosting server anyways
-
nuron
Why should I pay for two servers?
-
Zash
Tons of people run on uberspace, and it feels like all of them have the weirdest problems
-
Maranda
Because A) shared hosting sucks B) It's generally way unsafer than a vps C) Costs about the same.
-
Maranda
and D) saves you the hassle of not being able to run on standard ports which is a horrible practice.
-
nuron
I'll contact the support and when they can't help me I will stop this "project"...
-
Maranda
and D) saves you the hassle of not being able to run on standard ports which not doing falls below horrible practices.
-
nuron
Or I have to build up a second network at home so I can use my home server for prosody...
-
Maranda
If you have a static ip address and a good connection it's for sure better than what you're trying to do now imho
-
Maranda
(lightwitch.org web/mail server sit right in my living room on a shelf tbh.)
-
nuron
The connection is good but I have a dynamic IP and don't want to open several ports...
-
nuron
Maranda: you said that you host your web and mail server at home. Do you have a second network for the server(s)? Do you have a static IP?
-
Maranda
I have a static ip, why should I have a second network or vlan?
-
nuron
So you have your server in your home network?
-
nuron
But a dynamic IP will work as well, right?
-
Zash
Works, but can be a bit of a pain to deal with IP changes, depending on how it works
-
nuron
I have no other possibility... Of course I can buy another server but I have everything I need
-
nuron
And how do you protect your Server Maranda
-
Maranda
O.o? The way everyone protects networks and servers, via those things called "Firewalls"?
-
nuron
Firewall in your Server, Router on an extra device
-
Maranda
Usually you have a firewall on your nat/router and another on your server...?
-
nuron
Yes of course...
-
nuron
But do you use additional software like fail2ban?
-
Maranda
No, and fail2ban sucks
-
Maranda
I suppose he was a fan of F2B perhaps.
-
Martin
nuron: didn't read all but on uberspace you need the cafile setting
-
nuron
Martin: what have you set in config as cafile?
-
Martin
Don't remember and am at ice hockey now. Google uberspace prosody cafile, there are some examples online
-
nuron
Okay, thanks
-
nuron
Have fun
-
Martin
Thx
-
nuron
Now it works!!
-
nuron
I've added the ca file /etc/ssl/certs/ca-bundle.trust.crt in the config and now it works fine. Also with s2s_secure_auth