XMPP Service Operators - 2021-09-30

  1. Licaon_Kter

    My 2 month old cert from LE errors out because of intermediate R3 expiration on Android 11 in Fairemail... as expected? Will regen...

  2. Licaon_Kter

    My 2 month old cert from LE errors out because of intermediate R3 expiration on Android 11 in Fairemail (IMAP)... as expected? Will regen...

  3. Menel

    But does regen help? The intermediate cert stays expired, no? I have a similar problem with DAVx5

  4. Licaon_Kter

    Ok, regen helped, fyi.

  5. Licaon_Kter

    On regen it might not be as an intermediate, right?

  6. Licaon_Kter

    crt.sh still says R3...I dunno, and don't care now, daaamit :(

  7. Menel

    Ah, the intermediate expired? Not the root we were talking about... https://letsencrypt.org/2020/12/21/extending-android-compatibility.html That chart seems so simple there..

  8. Menel

    But somehow there is more to it I don't get.

  9. Licaon_Kter

    R3 went from DST X3 to their ISRG Root X1 as cross-signed

  10. ij

    https://blog.windfluechter.net/2021/09/29/letsencrypt-ca-chain-issues-with-ejabberd/ - check if there are old unused ssl certs with old chain and update your certstores (Debian: update-ca-certificates)

  11. Licaon_Kter

    ij: do note that Conversations, at least, did not complain about the ejabberd server with the same cert.

  12. ij

    Well, it seems that it really depends on how the chain is handled. Apache had no issues either (SSLlabs), but then again in Apache you configure one cert per vhost, while Ejabberd reads all certs in the directory and picks the one needed for the vhost. Maybe Android does similar things… or Conversations has its own check of the chain…

  13. Licaon_Kter

    ij: do post that guide on Fedi ;)

  14. ij

    done on Mastodon

  15. Menel

    R3 was outdated... I think that should also be considered by the ACME client. Or did Let's Encrypt not supply it some months in advance? A manual renew was enough.

  16. Martin

    ij: Seems to be the case. creep.im:
    > x509: certificate has expired or is not yet valid: current time 2021-09-30T09:53:57+02:00 is after 2021-09-29T19:21:40Z
    deshalbfrei.org fixed it already.

  17. ij

    Maybe someone[tm] should create an issue for ejabberd? ;)

  18. ij

    but I’m not really 100% sure if this is an ejabberd bug or not…

  19. Licaon_Kter

    Martin: I've pinged creep.im admin

  20. Maranda

    Licaon_Kter: X3 expired and was just removed from the chain of all newly issued certs (previously chain was R3, ISRG Root X1 and DST Root CA X3... the latter was removed)

  21. Maranda

    But apparently that causes issues with all newly issued certificates that aren't cross-signed by X3 as well.

  22. Sam

    Might be useful to some server operators out there who accept donations: https://xmpp.org/2021/09/the-xsf-as-a-fiscal-host/

  23. Ge0rG

    Hm. Having a solid donation source on the order of ~15€/mo would allow me to move yax.im to proper hardware that's not cursed.

  24. Sam

    Ge0rG: I've been thinking about doing a cooperatively run XMPP server if I could find a few people who wanted to split the cost of hosting it. Maybe you'd be interested in splitting the cost with a few other servers that are all hosted on the same machine(s)?

  25. Ge0rG

    Sam: I'm not sure yet if I want to share responsibility as well

  26. Sam

    I was kind of thinking individuals could chip in to get an account on some generic server domain, but other servers could chip in to have their own entire server (with their own rules and registration and what not) hosted too

  27. Sam

    (or individuals who wanted to bring their own domain or what not)

  28. Sam

    Anyways, this is all just something I've been toying around with in my head; no real serious plans yet. Might be useful as far as not having to pay for expensive hardware though.

  29. zp1.net

    Someone from creep.im here?

  30. Licaon_Kter

    zp1.net: read above

  31. Licaon_Kter

    zp1.net: read above, they said they'll take a look

  32. mjk

    Funny thing is, I think this room's host still maintains a connection to creep.im that was established prior to expiry

  33. zp1.net

    Yes, the s2s connection is working, but I get a warning every 12 hours

  34. mjk

    zp1.net: you mean you're not enforcing valid certs?

  35. zp1.net

    mjk, sure but it looks like the s2s connection is not interrupted when a cert expires

  36. mjk

    Ah, yeah

  37. zp1.net

    because the s2s connection was built with a valid certificate

  38. zp1.net

    If I now reboot the server, the connection will not be rebuilt

  39. mjk

    Nice that there are periodic warnings

  40. zp1.net

    But what I do not understand is why; it is so easy to make certbot renew the certificate with a crontab... simply add `* 0-23/1 * * * certbot renew` to crontab and you're done

  41. zp1.net

    This will check every hour if the certificates are still valid and renew them if they are not

  42. mjk

    zp1.net: it's not the domain cert that expired, it's the intermediate one. Cron won't help

  43. ij

    Well, the certs are still valid, but the chain is not… or to put it differently: the wrong chain is being picked when checking the certs… maybe from some certstore and not from fullchain.pem

  44. mjk

    I wonder how much more breakage will be observed when DST Root will expire in a few hours, heheh. "Valid through" on roots shouldn't matter, but, y'know...

  45. mjk

    Anything that might go wrong, will

  46. Menel

    If the servers are up to date, it shouldn't be a problem for s2s, and they said old android would be covered..

  47. Licaon_Kter

    > do note that Conversations, at least, did not complain about the ejabberd server with the same cert.
    Rethinking this... I did not try to reconnect though, maybe I would have seen it for ejabberd too.

  48. Martin

    `certbot --reuse-key` if you ever want to use dane. 😉

  49. Ellenor Bjornsd.


  50. Martin


  51. Ellenor Bjornsd.

    I just realized that was like keying up on 121.5 and meowing ;-;

  52. ru_maniac

    There's a --preferred-chain argument for certbot, which will allow you to select the ISRG root explicitly, without relying on software to properly choose between two chains

  53. ru_maniac

    I've enforced it during periodic re-sign for now, seems to be working as it's supposed to

  54. Maranda

    Why isn't certbot using the new chain?

  55. Maranda


  56. ru_maniac

    it uses two by default

  57. ru_maniac

    which leaves an option for software to select between the two, which is handy in the case of old Androids, say, 2.3.6, which do not have the ISRG root in their CA storage

  58. Maranda

    ru_maniac: oh yeah, you're right, just noticed there are two entries

  59. Maranda just dumped meaveen.lightwitch.org in https://chainchecker.certifytheweb.com/

  60. ru_maniac

    My point is that one can force the ISRG root to be selected explicitly, which will force certbot to drop the DST one -- originally, it was intended to go the other way around, but still, useful

  61. ru_maniac

    I've ultimately elected to switch to the ISRG root only, 'cause my service is only used by members of my immediate family, and no one has a phone or computer with an OS old enough for this to cause problems

  62. Maranda

    I would like to, as well but certbot on Arch seems to ignore --preferred-chain="ISRG Root X1"

  63. Maranda fumes.

  64. Ge0rG

    Maranda: maybe it's just taking the wrong ISRG Root X1 cert? ;)

  65. Ge0rG

    Their naming scheme is... unfortunate

  66. Maranda

    Ge0rG: that's not how it is supposed to work, I think; I found a related bug on GitHub as well

  67. Maranda

    That's quite annoying nonetheless.

  68. ru_maniac

    > I would like to, as well but certbot on Arch seems to ignore --preferred-chain="ISRG Root X1"
    I had to update my instance of certbot to the latest one

  69. ru_maniac

    I was using 1.3.0 before, available through the Debian repos, and had to switch to the snap shipment in order to make it work

  70. ru_maniac

    1.19.1 works just fine

  71. Maranda

    Arch has 1.19.0-1

  72. ru_maniac

    Hm, where exactly in the command are you putting that argument?

  73. ru_maniac

    I put it right before --force-renew, just like that: `/usr/local/bin/certbot certonly --force-renew --preferred-chain "ISRG Root X1" --dns-cloudflare [...]`

  74. Maranda

    `sudo certbot certonly --manual --cert-name <name> --preferred-challenges=dns --preferred-chain="ISRG Root X1" --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --manual-public-ip-logging-ok -d ...`

  75. ru_maniac

    This is very strange btw, is there any reason in particular to point directly towards the ACME server?

  76. Maranda

    Have wild cart certificates had some issues without more than once.

  77. Maranda

    Have wild card certificates had some issues without more than once.

  78. Maranda

    ru_maniac: or I'm just dumb... and forget to copy the newly issued certificates in the right place.

  79. ru_maniac

    This is why I'm not using certbot's functionality to renew everything by itself)

  80. ru_maniac

    It's way easier to just run it via crontab, with some deploy hooks

  81. Maranda

    (so it's not ignoring the flag)

  82. Maranda

    (so it's not ignoring the argument)

  83. Maranda


  84. ru_maniac

    It happens, glad you've figured it out

  85. Sam

    After briefly mentioning it here earlier and having a minor outage (that would probably not have happened if I were using a proper server on proper hardware) I decided to actually start gathering interest in a possibly co-operatively run server. If anyone is interested in helping start a new server for our personal use, join xmpp:unnamedchatcoop@mellium.chat?join

  86. ij

    `+ ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/34316xxxxx (Status 500)` - hmmm… now LE itself has issues?

  87. Ge0rG

    Le Breakdówn

  88. Maranda


  89. ernst.on.tour

    Keep fingers crossed that the German gov doesn't use LE, there seems to be an IT breakdown in Berlin :-D

  90. Licaon_Kter

    Their 112 and 110 were broken the other day in the whole country... LE breaking sounds easy-peasy ;))

  91. ij

    gna… DST Root X3 still listed in newly created certs…

  92. ij

    `1 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d... Replacing debian:DST_Root_CA_X3.pem`

  93. ij

    silly update tool

  94. ij

    oh no… now rate limited…

  95. abslimit

    Hello. Just testing server to server

  96. mjk

    abslimit: I saw you somewhere, hmmm

  97. abslimit

    mjk: thanks for test response. Maybe in fediverse?

  98. mjk

    abslimit: nah, just joking about the Gajim room test a minute ago :)

  99. abslimit

    mjk: he he

  100. ij

    Well, the list of latest tests at xmpp.net doesn’t look too promising…

  101. Menel

    That's more telling about the website, with very old software I hope, than about the servers tested..

  102. Menel

    Hm, even testssl.sh version 3.1 doesn't like my cert :-(

  103. Menel

    Or rather, the chain

  104. mjk

    Great opportunity to fix a huge load of multichain-related bugs!