XMPP Service Operators - 2021-08-24


  1. Sam

    rozzin: added a screenshot to the readme; thanks for the prompt.

  2. rozzin

    Sam: excellent—but for bonus points you should have used a screenshot of our conversation here debating the value of screenshots 😜

  3. rob

    Ya that would be awesome lol

  4. Sam

    It's still too early for that, I'm ashamed to say. MUC support is next on my list though. Once that's done it will more or less have the features of my current daily driver (at least, the ones I use), then hopefully it will be easier to squash bugs and what not as I'll be using it full time.

  5. andrath

    So, any news on the Apple/iOS front, besides snikket? I've heard XMPP clients are in a bit of a miserable state on that contingent. iOS needs a client like Conversations

  6. andrath

    Comunique looks nice, although I like poezio better, especially since it gives a low-threshold way to connect to XMPP

  7. andrath

    poezio: https://github.com/poezio/poezio

  8. rob

    > So, any news on the Apple/iOS front, besides snikket? I've heard XMPP clients are in a bit of a miserable state on that contingent. iOS needs a client like Conversations

    I hear siskin is alright

  9. andrath

    I heard OMEMO is terrible on Siskin

  10. rob

    It seems fine to me, I'm not using it but one of my friends is. We use 1 to 1 and group omemo just fine

  11. rob

    It seems fine to me, I'm not using it but one of my friends is. We use 1 to 1 and group omemo just fine

  12. andrath

    right now there's no good client on iOS that implements all the XEPs correctly, e.g. video calling etc

  13. rob

    I haven't tried video calling yet, but I can test and let you know

  14. andrath

    I've been impressed with movim though

  15. andrath

    had a call with a mate, he was on Conversations, and I was on movim, and all worked fine

  16. andrath

    (I host movim on my own server btw)

  17. rob

    Nice, I tried the public hosted version before. Pretty cool. I host prosody and conversejs for web chat

  18. andrath

    I have conversejs on my prosody as well, I have some folks that like conversejs, and I keep it for them

  19. andrath

    I've actually donated to the movim project because I was impressed how well their WebRTC implementation of videocalling works

  20. andrath

    impressive work needs to be rewarded of course

  21. andrath

    I used to be a complete IRC buff, but I do like XMPP a lot more. It's a mature standard, and I just love how the federation works (e-mail like)

  22. Ellenor Bjornsd.

    I like both

  23. andrath

    Oh, don't get me wrong, I love IRC. It scales so well

  24. andrath

    protocol simplicity is very nice as well

  25. andrath

    you can telnet into an IRC server and have a somewhat useable experience :P

  26. andrath

    I would not recommend typing out stanzas into an XMPP server ;)

  27. andrath

    (I've tried, with varying levels of success)

  28. andrath

    well, that's what clients are for :)

  29. thndrbvr

    > andrath wrote:
    > So, any news on the Apple/iOS front, besides snikket? I've heard XMPP clients are in a bit of a miserable state on that contingent. iOS needs a client like Conversations

    https://monal.im/ FOSS

  30. thndrbvr

    > andrath wrote:
    > So, any news on the Apple/iOS front, besides snikket? I've heard XMPP clients are in a bit of a miserable state on that contingent. iOS needs a client like Conversations

    https://monal.im/ libre licensed & found wherever iUsers find software

  31. andrath

    I haven't heard good things about monal either. The apple ecosystem needs a client like conversations that is well implemented.

  32. Licaon_Kter

    andrath: you can't since Apple sets the limitations.
    Siskin can do OMEMO MUC and A/V calls.
    Monal will do OMEMO MUC soon™ and A/V after that.
    Snikket is in beta, but it's Siskin+QOL updates.

  33. MattJ

    The big caveat for Siskin/Snikket is that push notifications are not reliable on most servers

  34. MattJ

    Something everyone wants to change, but it hasn't happened yet

  35. andrath

    That's a conundrum 😒

  36. Licaon_Kter

    MattJ: while I agree with the XSF CoC, I didn't agree with matrix.org's ToS and Policies, so until matrix.org bots that copy all these discussions to their server are gone from here... I'll be out... Cheers

  37. Steven Roose

    What's QOL stand for?

  38. Trbl

    quality of life?

  39. Licaon_Kter

    Anyone impacted? https://mattermost.com/blog/securing-xml-implementations-across-the-web/

  40. Licaon_Kter

    Trbl, Steven Roose: yup

  41. MattJ

    I still don't really understand that vulnerability

  42. MattJ

    The quotes shouldn't matter if the stuff between them is escaped

  43. mjk

    They say 'It turns out parsing XML is hard' and then the problem is the serializer that forgot to escape a " in a string?

  44. MattJ

    I'm wondering if entities aren't allowed in this location, hence the need to use the right surrounding quotes

  45. MattJ

    In any case, DTDs are forbidden in XMPP and never generated, so it seems everyone would be safe

  46. Sam

    That was part of this particular issue, some of the other libraries they looked at had different issues with entities being allowed in the wrong place, or extra attributes getting inserted that could potentially change the namespace, for example (which would indeed be a security vulnerability)

  47. mjk

    Sorry, didn't read in full and jumped to conclusions

  48. Martin

    Sam:

    > 24.08.21 17:52:38 - mdosch.de: Establishing a secure connection from mdosch.de to gopher.chat failed. Certificate hash: 8732608671bfe2b8094c30139ba1c9e67e7f912946aa6395e00c674a2720c0df. Error with certificate 0: certificate has expired.

  49. Sam

    *sigh* I hate servers, this is why I tell everyone that they should stop self hosting things.

  50. Sam

    I'll go look and see what went wrong, thanks.

  51. Sam

    oh, no, same as last month, prosody doesn't automatically pick up cert changes.

  52. jonas’

    systemctl reload?

  53. Martin

    Huxx: I get a timeout for jabbers.one

  54. Sam

    Try now?

  55. Martin

    Sam: works!

  56. Martin

    BTW, have you heard of observe.jabber.network? :D

  57. Sam

    Yes, I think one of my domains is signed up, but I don't think I've ever gotten any alerts from it

  58. Martin

    Afaik it should remind you 7 days prior to a cert expiry.

  59. Sam

    (well, not since early on when I got a bunch of false positives ¯\_(ツ)_/¯)

  60. Huxx

    Martin: yes saw it in my Monitoring. But thanks. 😉

  61. Sam

    Might not be one of the domains on this server, I can't remember

  62. jonas’

    (I can tell you if you like ;))

  63. Sam

    jonas’ yah, that would be great; if you wanted to add gopher.chat and mellium.chat too that would be nice

  64. jonas’

    mellium.chat

  65. jonas’

    mellium.chat is already added

  66. jonas’

    I can add gopher.chat

  67. Sam

    huh, that should have been on the same system/schedule as far as renewing certs goes, so no idea why it's never triggered. I know last month at least it expired too

  68. jonas’

    I don't keep logs further than 14d unfortunately

  69. Sam

    This happens every month because this setup is stupid but I couldn't figure out a better way to make lets encrypt work, so it will likely happen again. I'll try to remember next time to ask you to look

  70. me9

    I saw monitor.chat today. How's that?

  71. Huxx

    It's online again. Must be something with the db. On Sunday night it's cleaning the db. The next 2 days there were always problems at the same time, when many ppl connect.

  72. Huxx

    I'm using a free account at uptimerobot. They also have an app which informs you when services are down

  73. Sam

    Hmm, since I have no other way to do this I wonder if it's bad somehow to just call 'loop (wait_on -w "cert"; restart prosody)' in the shell, background it, and forget about it until it breaks or I find a better way to manage this machine

  74. Licaon_Kter

    Was watching certs renew today, everything seemed fine... but no certs... Ran manually... long verbose log, no big ERROR to explain... Ok, take the log line by line... it was asking for a cert for a subdomain without a DNS entry (pubsub.mydomain.tld is not needed, right?) and that was failing, hence while it did not stop trying for the others it didn't create the cert, of course.

  75. Sam

    Does reloading prosody reload the certs as well or just the config?

  76. Martin

    I have `reload_modules = { "groups", "tls", "firewall", "version" }` in my config.

  77. Martin

    But that is an extra module.

  78. jonas’

    Sam, nowadays it should reload the certs, too

  79. moparisthebest

    I just restart prosody on cert changes, not reload

  80. moparisthebest

    When in doubt: hammer 🔨

  81. Licaon_Kter

    moparisthebest: and that doesn't break MUC reconnections for Conversations?

  82. moparisthebest

    Don't think so, regardless it's 4 times a year

  83. jonas’

    Licaon_Kter, only affects remote clients, may be irrelevant for a friends&family server

  84. jonas’

    Licaon_Kter, also modern prosody persists MUC state actually

  85. jonas’

    so a restart won't lose anything there

  86. Licaon_Kter

    jonas’: ejabberd, affects remote MUCs only. So I should ask for persistent things in ejabberd too? :)

  87. Licaon_Kter

    > Don't think so, regardless it's 4 times a year

    I restart more often as I build from git :)

  88. Sam

    ```
    # loop forever: block until something is written under the TLS directory, then reload prosody
    while :
    do
        wait_on -w /usr/local/etc/prosody/tls
        service prosody reload
    done
    ```

    Welp, we'll find out next month if this is working because I'm too lazy to do anything else.

  89. Licaon_Kter

    > Don't think so, regardless it's 4 times a year

    I restart more often as I build from git :)

  90. rob

    I just restart one a month

  91. rozzin

    andrath:

    > I haven't heard good things about monal either. The apple ecosystem needs a client like conversations that is well implemented.

    I have friends using Monal since the last major release, and it seems fine so far, AFAICT.

  92. Sam

    I just restart once a month too, except every single month where I forget :)

  93. rozzin

    At least they can receive messages without having to jump through hoops.

  94. rob

    > I just restart once a month too, except every single month where I forget :)

    Same lol

  95. rob

    I might finally just add another Cron task

  96. rob

    What's missing to get notifications working properly for iOS?

  97. rob

    What's missing to get push notifications working properly for iOS?

  98. Licaon_Kter

    rob, 1:1 already should be fine, MUCs are...tricky... MattJ can tell..

  99. MattJ

    Define "properly"

  100. Licaon_Kter

    rob, 1:1 already should be fine, MUCs are...tricky... MattJ can tell...the Prosody side at least

  101. moparisthebest

    Sam, rob , when I said "I restart every 3 months" I meant my cronjob, using acme.sh here :)

  102. moparisthebest

    I would never remember to do it myself

  103. rozzin

    moparisthebest: personally I'm going to remind myself to reload my Let's Encrypt certs by following Leonard Shelby's example and getting a tattoo on my hand, reading "remember Sam Whited"....

  104. rozzin

    Some time ago I considered just setting up a cron job to reload..., but decided against it because I was afraid of having a reload happen while I was in the middle of editing my config file...

  105. rozzin

    Could write the cron job to check for "config file not edited since last reload", but I just wasn't up for that at the time.

  106. Sam

    I don't know exactly when mine renews so I figured a cron job would just get out of sync

  107. rozzin

    Just run it daily..., and then you're OK until Let's Encrypt shortens their expiry period to < 24 hours?

  108. rozzin

    I actually should just get ejabberd hooked into Let's Encrypt directly, since apparently that's an option....

  109. Sam

    That's a good point

  110. rozzin

    Sam: I think there are some hooks on the ACME clients like certbot also, depending on which you're actually using...

  111. Sam

    I'm using caddy, it doesn't have one

  112. Menel

    I didn't follow the whole discussion, but don't you just use a hook script after a cert renew that takes care of the reload and whatever you need?

  113. Sam

    The thing I'm using doesn't have one.

  114. Menel

    Ah. Interesting. Oops, didn't read the last two messages that tell exactly that already, sorry 😀

  115. rob

    I think prosody will soon reload certs, might be in trunk but I forget.

  116. rob

    I might also be way wrong, but I seem to recall someone saying that in the prosody room

  117. Holger

    I don't quite get it. If you have a Cron job to run some `renew-cert` command, is it somehow problematic to turn it into `renew-cert && reload-daemons`?

  118. Holger

    Ahh, seems Caddy is an entire web server with built-in ACME support.

  119. rob

    I don't have one for renewing certs, traefik magic

  120. Holger

    I see.

  121. Holger

    So the problem is you guys are using solutions which make things easier, which makes easy things complicated 😜

  122. Holger

    rozzin: Would probably not be too hard to add a call for reloading certificates without reloading the configuration …

  123. rob

    Ya, _but_ as they renew with close to 30 days before expiry you could reload prosody twice a month or even every three weeks and always have a valid cert loaded

  124. Holger

    Yeah.

  125. rozzin

    Holger: there are... a surprisingly large number of ACME clients at this point..., and within that set there are a surprisingly large number with delusions of grandeur. And that's not even getting into the "everything that _uses certificates_ is starting to _be its own ACME client_" trend that (I guess) leads people to think "well, I have this one thing that's already doing ACME to manage certificates for itself, why not just have it also manage certificates for everything else that doesn't know how?".

  126. rob

    Ya like how I have to use a script to dump certs from my acme.json for mail and prosody because that came after the rest of the server