-
Douglas Terabyte
Is it okay to ask unrelated questions in here?
-
Douglas Terabyte
Is it okay to ask unrelated tech questions in here? I'm pulling my hair out over SIP port forwarding.
-
Licaon_Kter
Douglas Terabyte: server setup?
-
tom
If I'm setting up a Prosody server using a Let's Encrypt certificate, do I need to set Prosody to use the normal .crt cert or the fullchain .pem cert?
-
tom
hmm
-
tom
When I try to connect to my new Prosody server I get an error
-
tom
<!-- In Fri 05 Apr 2019 09:24:03 PM PDT --> <?xml version='1.0'?> <stream:stream xmlns:stream='http://etherx.jabber.org/streams' xml:lang='en' from='nuegia.net' id='2620d872-c35b-41c0-9f30-fb78b26b1022' version='1.0' xmlns='jabber:client'> <stream:error> <undefined-condition xmlns='urn:ietf:params:xml:ns:xmpp-streams'/> <text xmlns='urn:ietf:params:xml:ns:xmpp-streams'>No stream features to proceed with</text> </stream:error> </stream:stream>
-
tom
any idea what could cause this?
-
tom
hmm
-
tom
strange
-
tom
xmpp# doas -u _prosody /bin/cat /etc/ssl/private/xmpp.nuegia.net.key
cat: /etc/ssl/private/xmpp.nuegia.net.key: Permission denied
xmpp# ls -la /etc/ssl/private/xmpp.nuegia.net.key
-rw-r----- 1 root _prosody 3272 Apr 5 20:47 /etc/ssl/private/xmpp.nuegia.net.key
xmpp#
-
tom
xmpp# doas -u _prosody "/usr/bin/id"
uid=638(_prosody) gid=638(_prosody) groups=638(_prosody)
-
tom
So if both the user and group are _prosody, why wouldn't _prosody be able to read the key?
-
Licaon_Kter
tom: can it read the folder?
-
Licaon_Kter
*and execute
-
tom
it needs to execute the key?
-
tom
also, would chmod 0710 /etc/ssl/private be safe?
-
tom
*chmod 0701
-
Licaon_Kter
tom: folder... it needs to be able to read & execute the folder in order to read the file
-
Licaon_Kter
750 folder
-
Licaon_Kter
And all the folders in the path...actually...
-
tom
well the folder the key is in is owned by root:wheel, so I don't see how the 5 would be necessary
-
Licaon_Kter
tom: so _prosody can read the folder. Folders need execute to be able to "enter" them
-
Licaon_Kter
*can't read
-
tom
the groups over in #openbsd@freenode.net tell me that it's not correct to have a 5
-
Licaon_Kter
tom: good luck
-
tom
thanks Link Mauve
-
tom
*licaon_Kter
-
tom
scratch that
-
tom
Is there any way to have Prosody run as root and then drop privileges?
-
tom
so that it can read the private keys on startup?
-
tom
also
-
tom
if I have SRV records to my domain pointing to xmpp.mydomain.net
-
tom
so that I can have my JID and my email be the same thing
-
tom
Do I need to have the TLS certificate registered to xmpp.mydomain.net or mydomain.net?
-
tom
also, is it required for there to be an alternative name conference.mydomain.net in the TLS cert?
-
MattJ
tom: if mydomain.net is the identity you are hosting, that's what you need a certificate for
-
MattJ
The network hostname of the machine can be different and doesn't need a certificate, it isn't used within XMPP
-
MattJ
And generally, yes, you also need to include any services you host such as MUC domains
-
madmalkav
To be honest, I always want to investigate the reason for those services to require their own subdomains, but I always remember when I'm busy with other stuff
-
tom
well for email, DNS has the MX record
-
tom
I don't think something like an MX record exists for XMPP
-
MattJ
It does
-
MattJ
It's called an SRV record
-
MattJ
But email doesn't do TLS very well
-
MattJ
DNS is not secure, so using the hostname you discover in the MX record to verify the certificate is insecure
-
tom
when I try to contact a friend on 404.city I get an error: error while sending test ( Messages from strangers are rejected )
-
tom
he says he never turned 'messages from strangers' off and doesn't know how to fix that
-
tom
does anyone here have any idea how to fix that?
-
tom
or what the problem could be?
-
Douglas Terabyte
Yeah, I could totally use help with that.
-
Douglas Terabyte
I checked my settings and nothing seems to be out of place to cause this.
-
Douglas Terabyte
Also Hi Tom
-
MattJ
Maybe contact your server admin
-
muppeth
tom: afaik it's a server-wide setting on 404. Your friend has to add you to his buddies first
-
muppeth
Or you need to send subscription request to him
-
muppeth
It's a very extreme (imo) way to prevent spam, but at the same time it makes usage annoying for normal users
-
tom
oh my, if that's so I might have accidentally ignored someone
-
tom
I got a subscribe request one day, and I usually don't accept those unless I chat first
-
tom
but the other person never responded to anything I'd say, so eventually I denied the request
-
Licaon_Kter
tom: subs req and the server side req about strangers are not related
-
tom
does 404.city really get so much XMPP spam to warrant that?
-
Licaon_Kter
tom: its admin complains a lot so I guess s/he got fed up
-
tom
strange, I didn't even think XMPP spam was really a thing.
-
tom
anyways, Maybe I can ask 404's admin to whitelist my server
-
Licaon_Kter
tom: it's either spimpocalypse or never saw one
-
tom
I see
-
tom
damn spimps
-
madmalkav
Going to set up a personal XMPP instance soon. Info about SRV records on DNS says the target must be an A record. Do you know if this includes ANAME records or not?
-
Jonny
why not point in SRV directly to the A record behind the NAME record?
-
Jonny
I have set up an A record for xmpp.rimkus.it
-
Jonny
and SRV record in rimkus.it pointing to it
-
tom
madmalkav, not exactly true. my SRV records point to xmpp.mydomain.net, and xmpp.mydomain.net is an A record
-
tom
and the rest of the domains, pubsub, upload, conference, etc are CNAMEs to xmpp.mydomain.com
-
tom
then for TLS certs you can add alternative names as long as they resolve
-
tom
Whenever I try to use HTTP upload on my new server in an external MUC, I get an error
-
tom
Can not request upload slot
-
tom
Access denied by service policy
-
tom
however HTTP upload seems to work fine for 1-on-1 private chats
-
tom
any idea what could cause this? I'm not seeing any warnings in prosody.err