XMPP Service Operators - 2021-09-26

  1. Amolith

    @version nixnet.services

  2. Echo1

    Amolith: nixnet.services is running ejabberd version 21.01-2 on unix/linux 5.13.13

  3. Amolith

    @version secluded.site

  4. Echo1

    Amolith: secluded.site is running ejabberd version 21.01-2 on unix/linux 5.13.13

  5. Amolith

    Well that's cool

  6. Menel

    Everybody using letsencrypt already warned their users? https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

  7. Licaon_Kter

    Back in January? Or last year?

  8. Menel

    But now is for real®

  9. ij

    For some reason, xmpp.net reports X3 cert for some of my domains as expiring in 4 days while SSLlabs is fine with it and shows end date in 3 years. The on-disk chain.pem is correct and using the newer X3 cert, so no idea what’s happening here…

  10. jonas’

    ij, it depends on whether the tool builds the chain using the DST root or not

  11. jonas’

    you can build, even with the current X3, a chain to the DST root expiring next week

  12. jonas’

    if you take the expiry of that chain instead of the chain with the X3 Let's Encrypt root, you end up with an expiration next week

  13. ij

    local X3 cert was the old one, but update-ca-certificates pulled in the new one and certs were rebuilt by running dehydrated -c -x afterwards

  14. Licaon_Kter

    The workarounds mentioned here do not apply anymore? https://xmpp.org/2020/12/the-xmpp-newsletter-november-2020/

  15. jonas’

    ij, the chain is built by the client, not by the server. so might very well be the xmpp.net root store at fault, I guess it hasn't been rebuilt since a year or so

  16. Menel

    For android letsencrypt already fixed it for another 4 years.
    > ...will start getting certificate warnings when visiting sites that use Let’s Encrypt certificates. There’s one important exception: older Android devices that don’t trust ISRG Root X1 will continue to work with Let’s Encrypt, thanks to a special cross-sign from DST Root CA X3 that extends past that root’s expiration. This exception only works for Android.

  17. Menel

    Some strange measures that seem to be allowed: https://letsencrypt.org/2020/12/21/extending-android-compatibility.html

  18. jonas’

    only affects android though

  19. Menel

    I wonder what's the first Ubuntu version that has the native letsencrypt root cert. And what windows version