XMPP Service Operators - 2021-11-15


  1. edhelas

    Licaon_Kter https://xmpp.net/result.php?domain=convorb.im&type=client

  2. Licaon_Kter

    edhelas: do explain why that's like that

  3. Licaon_Kter

    edhelas: do explain why that's like that

  4. edhelas

    https://blog.windfluechter.net/2021/09/29/letsencrypt-ca-chain-issues-with-ejabberd/

  5. Licaon_Kter

    The cert is valid, there's an issue with xmpp.net, right?

  6. edhelas

    you have to change your certificate keychain, the one you're using is not trusted by some clients/servers

  7. MattJ

    Yes, don't rely on xmpp.net for cert validation

  8. Licaon_Kter

    Except that line I see no issue being mentioned in the report edhelas

  9. Licaon_Kter

    edhelas: not my fault those old systems can't cope.

  10. Licaon_Kter

    ¯\_(ツ)_/¯

  11. MattJ

    edhelas, is your server running Ubuntu? Is the ca-certificates package up to date?

  12. Licaon_Kter

    Maybe the cert ecosystem moved already? :))

  13. edhelas

    > 2021-11-15 10:57:40.899 [warning] <0.16550.121>@ejabberd_s2s_in:handle_auth_failure:200 (tls|<0.16550.121>) Failed inbound s2s EXTERNAL authentication convorb.im -> movim.eu (::ffff:85.186.135.101): certificate has expired

  14. Licaon_Kter

    Maybe the cert ecosystem moved already? :))

  15. Licaon_Kter

    edhelas: my ISRG intermediate has not expired, so that's FUD :)

  16. neox

    Licaon_Kter, lol

  17. Licaon_Kter

    edhelas: my ISRG X1 intermediate cert has not expired, so that's FUD :)

  18. edhelas

    I've manually removed DST Root CA X3 from the chain to fix it on my side

  19. Licaon_Kter

    That did not help...afaics

  20. Licaon_Kter

    That did not help...afaics

  21. edhelas

    https://xmpp.net/result.php?domain=movim.eu&type=client

  22. edhelas

    I moved from T to A (and users were able to login again on some clients)

  23. edhelas

    to me that was the fix, but I might be wrong

  24. Licaon_Kter

    edhelas: which OS? I think I've asked this before multiple times, maybe I've missed the answer

  25. Licaon_Kter

    edhelas: which OS&version? I think I've asked this before multiple times, maybe I've missed the answer

  26. Licaon_Kter

    edhelas: compare the two reports, so yours is *great* with DST in the chain but mine is *bad* without DST? Logic?

  27. Licaon_Kter

    edhelas: compare the two reports, so yours is *great* with DST in the chain but mine is *bad* without DST? Logic?

  28. Licaon_Kter

    edhelas: compare the two reports, so yours is *great* with DST in the chain but mine is *bad* without DST? Logic?

  29. Julian

    Removing DST Root CA X3 from the chain will break compatibility with clients that don't trust ISRG X1. Especially Android 6 and below. Just saying. 😅

  30. MattJ

    The issue is not related to movim.eu's cert anyway

  31. Licaon_Kter

    Julian: DST is expired so not trusted, there on 6/7 they need to import the cert

  32. Julian

    It is expired, but still served as part of the default chain. LE will by default give you the chain "leaf > ISRG > DST". That's intended because some clients ignore the validity date of root certs (e.g. old androids).

  33. Licaon_Kter

    Oh fuuuu

  34. jonas’

    Licaon_Kter, and it should also not be a problem, unless with certain broken validators which stop at the first chain they find

  35. Licaon_Kter

    edhelas: yes, I do get your messages, 'test', but I can't reply :) Will nuke Movim Android asap too

  36. Licaon_Kter

    edhelas: yes, I do get your messages, 'test', but I can't reply :) Will nuke Movim Android asap too