XMPP Service Operators - 2018-01-14


  1. nuron

    Strange... when I don't do anything with my Prosody, or write from one account on my server to another, everything is fine. But when I start to write, the server crashes...

  2. nuron

    No success by installation without toast, mostly the same issues... The logs tell me again that the certificate is invalid... But how can I get a valid one?

  3. nuron

    Should I use the cert from my ISP?

  4. nuron

    When I try to send a message from my server to trashserver there came up one issue: 'remote server not found'

  5. nuron

    https://haste.tchncs.de/kizafocalu.coffee Does anyone have an idea how I can get a valid cert?

  6. Maranda

    [13:00:32] Maranda: @ping famkibo.eu
    [13:02:03] Echo1: Ping failed (remote-server-not-found): Server-to-server connection failed: connection-timeout

  7. Maranda

    Your server is not dialing back that's the problem

  8. Maranda

    or answering the stream opening request

  9. nuron

    I have another domain, Maranda

  10. Maranda

    [13:03:14] Maranda: @ping famkibo.eu
    [13:04:15] Echo1: Ping failed (remote-server-not-found): Server-to-server connection failed: host-unknown (This host does not serve famkibo.eu)

  11. nuron

    ping famkibo.eu
    PING famkibo.eu (95.143.172.177) 56(84) bytes of data.
    64 bytes from serpens.uberspace.de (95.143.172.177): icmp_seq=1 ttl=59 time=13.4 ms
    64 bytes from serpens.uberspace.de (95.143.172.177): icmp_seq=2 ttl=59 time=13.0 ms
    ^C
    --- famkibo.eu ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 13.066/13.240/13.415/0.209 ms
    But I can ping famkibo.eu

  12. Maranda

    >.>

  13. nuron

    @ping famkibo.eu

  14. Maranda

    who cares about ping, if the host *is there* of course you can ping it, but your xmpp server is misconfigured

  15. nuron

    But I can log in?

  16. Maranda

    Are you logging in to famkibo.eu? Because your prosody instance isn't serving that virtualhost.

  17. Maranda

    (when it answers)

  18. nuron

    No, I bought a new domain...

  19. nuron

    shreddox.eu

  20. nuron

    Maranda: the monitor on uptimerobot tells me that the xmpp server is up?! status.shreddox.eu

  21. Maranda

    Jan 14 12:10:13 c2safc1130 debug Received[c2s]: <iq id='9' type='get' to='shreddox.eu'>
    Jan 14 12:10:13 mod_router debug Routing to remote...
    Jan 14 12:10:13 mod_s2s debug opening a new outgoing connection for this stanza
    Jan 14 12:10:13 mod_s2s debug stanza [iq] queued until connection complete
    Jan 14 12:10:13 mod_s2s debug First attempt to connect to shreddox.eu, starting with SRV lookup...
    Jan 14 12:10:13 adns debug Records for _xmpp-server._tcp.shreddox.eu. not in cache, sending query (thread: 0x6ed7bc0 )...
    Jan 14 12:10:13 adns debug Sending DNS query to 127.0.0.1
    Jan 14 12:10:13 socket debug new connection established. id: 8d26ae0
    Jan 14 12:10:13 socket debug try to close client connection with id: 8d26ae0
    Jan 14 12:10:13 socket debug closing client with id: 8d26ae0 client to close
    Jan 14 12:10:13 adns debug Reply for _xmpp-server._tcp.shreddox.eu. (thread: 0x6ed7bc0)
    Jan 14 12:10:13 mod_s2s debug shreddox.eu has SRV records, handling...
    Jan 14 12:10:13 mod_s2s debug Best record found, will connect to host.shreddox.eu.:61412
    Jan 14 12:10:13 adns debug Records for host.shreddox.eu. not in cache, sending query (thread: 0x791ab70)...
    Jan 14 12:10:13 adns debug Sending DNS query to 127.0.0.1
    Jan 14 12:10:13 adns debug Records for host.shreddox.eu. not in cache, sending query (thread: 0xad87d60)...
    Jan 14 12:10:13 adns debug Sending DNS query to 127.0.0.1
    Jan 14 12:10:13 socket debug new connection established. id: a150250
    Jan 14 12:10:14 adns debug Reply for host.shreddox.eu. (thread: 0x791ab70)
    Jan 14 12:10:14 mod_s2s debug DNS reply for host.shreddox.eu. gives us 95.143.172.177
    Jan 14 12:10:14 socket debug try to close client connection with id: a150250
    Jan 14 12:10:14 socket debug closing client with id: a150250 client to close
    Jan 14 12:10:14 adns debug Reply for host.shreddox.eu. (thread: 0xad87d60)
    Jan 14 12:10:14 mod_s2s debug DNS reply for host.shreddox.eu. gives us 2001:1a50:11::5f:8f:acb1:426
    Jan 14 12:10:14 s2soutb299270 info Beginning new connection attempt to shreddox.eu ([2001:1a50:11::5f:8f:acb1:426]:61412)
    Jan 14 12:10:14 s2soutb299270 debug Connection attempt in progress...
    Jan 14 12:10:14 socket debug new connection established. id: bca61a0
    Jan 14 12:10:14 s2soutb299270 debug sending: <?xml version='1.0'?>
    Jan 14 12:10:14 s2soutb299270 debug sending: <stream:stream xmlns:stream='http://etherx.jabber.org/streams' to='shreddox.eu' from='lightwitch.org' version='1.0' xmlns:db='jabber:server:dialback' xmlns='jabber:server'>
    Jan 14 12:10:14 c2s865cfb0 debug Received[c2s]: <a xmlns='urn:xmpp:sm:3' h='3129'>
    Jan 14 12:10:14 s2soutb299270 debug Received[s2sout_unauthed]: <features xmlns='http://etherx.jabber.org/streams'><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls><dialback xmlns='urn:xmpp:features:dialback'/></features>
    Jan 14 12:10:14 lightwitch.org:tls debug shreddox.eu is offering TLS, taking up the offer...
    Jan 14 12:10:14 s2soutb299270 debug sending: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
    Jan 14 12:10:14 s2soutb299270 debug Received[s2sout_unauthed]: <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
    Jan 14 12:10:14 lightwitch.org:tls debug Proceeding with TLS on s2sout...
    Jan 14 12:10:14 socket debug try to start ssl at client id: bca61a0
    Jan 14 12:10:14 socket debug starting handshake...
    Jan 14 12:10:14 socket debug ssl handshake of client with id:table: 0xbca61a0, attempt:1
    Jan 14 12:10:14 socket debug ssl handshake of client with id:table: 0xbca61a0, attempt:2
    Jan 14 12:10:14 socket debug ssl handshake of client with id:table: 0xbca61a0, attempt:3
    Jan 14 12:10:14 socket debug ssl handshake of client with id:table: 0xbca61a0, attempt:4
    Jan 14 12:10:15 socket debug ssl handshake of client with id:table: 0xbca61a0, attempt:5
    Jan 14 12:10:15 s2soutb299270 debug Sending stream header...
    Jan 14 12:10:15 s2soutb299270 debug sending: <?xml version='1.0'?>
    Jan 14 12:10:15 s2soutb299270 debug sending: <stream:stream xmlns:stream='http://etherx.jabber.org/streams' to='shreddox.eu' from='lightwitch.org' id='d3f89f4e-b151-4dda-9117-37dad7c3301f' version='1.0' xmlns:db='jabber:server:dialback' xmlns='jabber:server'>
    Jan 14 12:10:15 socket debug ssl handshake done
    Jan 14 12:10:15 s2soutb299270 debug certificate chain validation result: valid
    Jan 14 12:10:15 x509 debug Cert dNSName shreddox.eu matched hostname
    Jan 14 12:10:15 s2soutb299270 info Session closed by remote with error: not-authorized (Your server's certificate is invalid, expired, or not trusted by shreddox.eu)
    Jan 14 12:10:15 s2soutb299270 debug sending: </stream:stream>
    Jan 14 12:10:15 s2soutb299270 info outgoing s2s stream lightwitch.org->shreddox.eu closed: not-authorized (Your server's certificate is invalid, expired, or not trusted by shreddox.eu)
    Jan 14 12:10:15 s2soutb299270 debug Destroying outgoing session lightwitch.org->shreddox.eu: not-authorized (Your server's certificate is invalid, expired, or not trusted by shreddox.eu)
    Jan 14 12:10:15 s2soutb299270 info sending error replies for 1 queued stanzas because of failed outgoing connection to shreddox.eu
    Jan 14 12:10:15 mod_router debug Received[s2sin]: <iq id='9' type='error' to='echo1@lightwitch.org/echo1' from='shreddox.eu'>
    Jan 14 12:10:15 socket debug try to close client connection with id: bca61a0
    Jan 14 12:10:15 socket debug closing delayed until writebuffer is empty
    Jan 14 12:10:15 s2soutb299270 debug Received </stream:stream>
    Jan 14 12:10:15 s2soutb299270 debug Attempt to close already-closed session
    Jan 14 12:10:15 socket debug closing client after writing
    Jan 14 12:10:15 socket debug closing client with id: bca61a0 client to close
    Jan 14 12:10:15 s2soutb299270 debug s2s disconnected: lightwitch.org->shreddox.eu (connection closed)

  22. Maranda

    You don't seem to have DST Root CA X3 added to your certificate authorities

  23. Maranda

    That or Prosody can't access the server CA-Path.

  24. nuron

    > You don't seem to have DST Root CA X3 added to your certificate authorities What's that??

  25. Maranda

    Let's Encrypt CA

  26. nuron

    I have one... I created them with this command: letsencrypt certonly -d shreddox.eu -d upload.shreddox.eu -d conference.shreddox.eu

  27. nuron

    Or is this command wrong?

  28. nuron

    Wrong

  29. nuron

    ssl = {
        -- options = { "no_sslv2", "no_sslv3", "no_compression" };
        dhparam = "/home/famkibo/var/prosody/ssl/dh-2048.pem";
        key = "/home/famkibo/shreddox.eu/privkey.pem";
        certificate = "/home/famkibo/shreddox.eu/fullchain.pem";
    }
    That's the ssl part in the prosody config

  30. Maranda

    strange Prosody *should* by default use "lsec_continue", "lsec_ignore_purpose" so your server shouldn't refuse connections if it doesn't trust a certificate.

  31. Maranda

    are you sure you don't have a ssl directive anywhere else in your config file?

  32. nuron

    Maranda, maybe this?
    c2s_require_encryption = true;
    s2s_require_encryption = true;
    -- Servers must present recognised, valid security certificates
    -- See also: https://thomas-leister.de/sichere-xmpp-s2s-verschluesselung/
    s2s_secure_auth = true;

  33. Zash

    -certinfo shreddox.eu

  34. Bunneh

    Zash: Host unreachable: Server-to-server connection failed: Connecting failed: closed

  35. Maranda

    nuron, yes from documentation it looks to be that.

  36. nuron

    > -certinfo shreddox.eu What?

  37. nuron

    > nuron, yes from documentation it looks to be that. So I have to do what?

  38. Maranda

    This will disable dialback (a DNS-based authentication mechanism), and require that all remote servers present trusted certificates valid for their domain. Note that you can configure which certificate authorities Prosody trusts certificates from, see our documentation on certificates for more info. Beware that many servers on the XMPP network use self-signed or invalid certificates, or even don't support TLS at all (such as gmail.com and all Google-hosted domains). It is possible to make exceptions like this:

  39. Maranda

    s2s_secure_auth = false; or remove the directive?

  40. Maranda

    I dunno what the default is

  41. nuron

    Hmm i'll try it..

  42. Maranda

    Dialback failing.

  43. Maranda

    brb

  44. nuron

    I think now it works!!!

  45. nuron

    At least with trashserver

  46. nuron

    But when I try to start a new muc / chat with another server my clients disconnect from the servern

  47. nuron

    Server

  48. Maranda

    I still get timeouts on s2s

  49. Maranda

    whatever, bbl

  50. nuron

    Yea, the server crashes sometimes... I don't know why

  51. nuron

    But prosodyctl status tells me that the server is still alive, but I get timeouts too

  52. Zash

    What do you mean by crashes?

  53. Zash

    Also, there's a room specifically for prosody support, prosody@conference.prosody.im

  54. nuron

    > Also, there's a room specifically for prosody support, prosody@conference.prosody.im Okay, thanks but i think it isn't much to do now...

  55. nuron

    > What do you mean by crashes? The server is still running (htop -> lua; prosodyctl status -> prosody is running) but all my accounts disconnect from the server... And the CPU use of lua rises to 100%

  56. Zash

    Not what I would call a crash, but apparently everything is a crash nowadays :(

  57. nuron

    Okay, then the server does not crash... But there is an issue..

  58. nuron

    After a while the server is reachable again and the connection to the other server works fine...

  59. Zash

    And this was the machine with one billion local ip addresses?

  60. nuron

    The server has very much ipv6 addresses, right

  61. Zash

    Then you will want to specify the interfaces to use

  62. nuron

    ?

  63. Zash

    interfaces = { "95.143.172.177", "2001:1a50:11:0:5f:8f:acb1:426" }

  64. nuron

    Add to config?

  65. Zash

    Yes. Global section.

  66. nuron

    Okay, just wait a second...

  67. nuron

    Then reload or restart prosody?

  68. Zash

    Reload config and mod_s2s

  69. nuron

    So the command is? Prosodyctl reload ?

  70. Zash

    Needs the telnet console or adhoc commands to reload modules

  71. Zash

    `prosodyctl reload` only reloads config, logging and certs

  72. nuron

    Okay, telnet isn't available... And adhoc I don't know

  73. Zash

    just restart it then

  74. nuron

    👍

  75. Zash

    It would be unwise to enable telnet on that host

  76. nuron

    How long should a restart need?

  77. Zash

    What do you mean?

  78. nuron

    Should it take 1 minute, 5 minutes?

  79. nuron

    When I restart prosody and then the time where every client is logged in again

  80. nuron

    Sorry, my English is very bad 😑

  81. Zash

    Less than a minute

  82. nuron

    Hmm okay

  83. Zash

    Like, it should on the order of a second or two

  84. Zash

    Depends on number of connections that need to be closed

  85. nuron

    Now prosody is restarted... I'll try with jabber.de

  86. 404.city

    nuron: what is the problem?

  87. nuron

    404.city: a second please

  88. Zash

    nuron: Have you tried `prosodyctl check dns`

  89. nuron

    Of course

  90. nuron

    https://haste.tchncs.de/amirazipoy.vhdl zash

  91. Zash

    Ugh, javascript-requiring pastebins :(

  92. nuron

    404.city: the problem is that I lose my connection to the server when I try to chat with another xmpp server...

  93. nuron

    > Ugh, javascript-requiring pastebins :( Should I post it here?

  94. 404.city

    nuron: firewall allow port 5269?

  95. nuron

    S2s port is 61412, this port is open and the SRV will manage

  96. Zash

    There is no response on that port

  97. nuron

    Hmm it should...

  98. Zash

    It just times out

  99. nuron

    Hmm

  100. nuron

    Ipv4 or ipv6

  101. Zash

    Both

  102. nuron

    Strange

  103. Zash

    Says connected, but doesn't say anything

  104. nuron

    Hmm

  105. nuron

    I'll go to check the logs

  106. Zash

    -ping shreddox.eu

  107. Zash

    Oh

  108. Zash

    bunnnnnnnnn!

  109. Zash

    -ping shreddox.eu

  110. Bunneh

    Zash: Ping failed (remote-server-not-found): Server-to-server connection failed: closed

  111. nuron

    Now it should work... My Clients are up

  112. Zash

    What do you see in /etc/ssl/certs ?

  113. nuron

    Zash, I only have the folder /home/famkibo/etc/prosody/certs and these are the files inside

  114. nuron

    ls ~/etc/prosody/certs/
    cert.pem chain.pem fullchain.pem privkey.pem README

  115. Zash

    nuron: That's not what I asked

  116. nuron

    zash you mean this?

  117. nuron

    ls /etc/ssl/certs
    ca-bundle.crt localhost-with-intermediate.crt renew-dummy-cert sub.class1.server.sha2.ca.pem wildcard.serpens.uberspace.de.crt ca-bundle.trust.crt make-dummy-cert sub.class1.server.ca.pem sub.class2.server.ca.pem wildcard.serpens.uberspace.de-with-intermediate.crt class3.crt Makefile sub.class1.server.ca.pem.1 sub.class2.server.sha2.ca.pem

  118. Zash

    Uhu

  119. Zash

    Prosody expects the list of root certificates to live in there, by default.

  120. Zash

    If those files are all that's there, then that's not the case, so all cert TLS validation will fail

  121. nuron

    So I have to use /etc/ssl/certs as cert folder?

  122. nuron

    Sorry, but I don't understand this

  123. Zash

    You need to do things that are normally done by the packager, such as point Prosody to where local CA root certificates are stored.

  124. Zash

    Might be that 'ca-bundle.crt', but I don't know.

  125. Zash

    You might need `ssl = { capath = "path to special directory" or cafile = "path to ca bundle file" }`

  126. nuron

    And the paths are /etc/ssl/certs/file

  127. nuron

    Right?

  128. Zash

    It depends on the OS/distro

  129. Zash

    Debian & co have `/etc/ssl/certs` in a special format

  130. nuron

    On uberspace it's CentOS

  131. Zash

    My favorite!!!

  132. nuron

    ;)

  133. Zash

    Majority of my CentOS experience is debugging impossible problems and finding logged in root terminals left by senior admins

  134. Zash

    Which contributes to my general dislike of uberspace

  135. nuron

    I don't have root access?! It's shared hosting...

  136. Zash

    Everything is just weird, and difficult for even weirder reasons.

  137. Zash

    That was at a previous job.

  138. nuron

    But what have I to do?

  139. nuron

    Shall I ask uberspace what the problem is?

  140. Zash

    Ask where CA certs are

  141. nuron

    Okay, and when I have the answer, what have I to do then?

  142. Zash

    Like I said earlier, depending on if it's a bundle file or a directory, `ssl = { capath = "directory", cafile = "bundle file" }`

  143. nuron

    Okay, thanks

  144. Maranda

    why are you trying to run prosody on shared hosting... when you can get away with a vps at 5$/mo or so >.>

  145. nuron

    Because I have the shared hosting server anyways

  146. Maranda

    When you ask for troubles (and possibly a suspended account) you usually find 'em.

  147. nuron

    > When you ask for troubles (and possibly a suspended account) you usually find 'em. ?

  148. Maranda

    Because that still makes no sense.

  149. nuron

    What makes no sense?

  150. Maranda

    [16:13:35] nuron: Because I have the shared hosting server anyways

  151. nuron

    Why should I pay for two servers?

  152. Zash

    Tons of people run on uberspace, and it feels like all of them have the weirdest problems

  153. Maranda

    Because A) shared hosting sucks B) It's generally way unsafer than a vps C) Costs about the same.

  154. Maranda

    and D) saves you the hassle of not being able to run on standard ports which is a horrible practice.

  155. nuron

    I'll contact the support and when they can't help me I will stop this "project"...

  156. Maranda

    and D) saves you the hassle of not being able to run on standard ports which not doing falls below horrible practices.

  157. nuron

    Or I have to build up a second network at home so I can use my home server for prosody...

  158. Maranda

    If you have a static ip address and a good connection it's for sure better than what you're trying to do now imho

  159. Maranda

    (lightwitch.org web/mail server sit right in my living room on a shelf tbh.)

  160. nuron

    The connection is good but I have a dynamic IP and don't want to open several ports...

  161. nuron

    Maranda: you said that you host your web and mail server at home. Do you have a second network for the server(s)? Do you have a static IP?

  162. Maranda

    I have a static ip, why should I have a second network or vlan?

  163. nuron

    So you have your server in your home network?

  164. nuron

    But a dynamic IP will work as well, right?

  165. Zash

    Works, but can be a bit of a pain to deal with IP changes, depending on how it works

  166. nuron

    I have no other possibility... Of course I can buy another server but I have everything I need

  167. nuron

    And how do you protect your Server Maranda

  168. Maranda

    O.o? The way everyone protects networks and servers, via those things called "Firewalls"?

  169. nuron

    Firewall in your Server, Router on an extra device

  170. Maranda

    Usually you have a firewall on your nat/router and another on your server...?

  171. nuron

    Yes of course...

  172. nuron

    But do you use additional software like fail2ban?

  173. Maranda

    No, and fail2ban sucks

  174. Maranda

    I suppose he was a fan of F2B perhaps.

  175. Martin

    nuron: didn't read all, but on uberspace you need the cafile setting

  176. nuron

    Martin: what have you set in config as cafile?

  177. Martin

    Don't remember and am at ice hockey now. Google "uberspace prosody cafile", there are some examples online

  178. nuron

    Okay, thanks

  179. nuron

    Have fun

  180. Martin

    Thx

  181. nuron

    Now it works!!

  182. nuron

    I've added the ca file /etc/ssl/certs/ca-bundle.trust.crt in the config and now it works fine. Also with s2s_secure_auth