XMPP Service Operators - 2023-10-28


  1. mirux

    Establishing a secure connection to conference.siacs.eu failed. Certificate hash: 28f112735c956c229a4050c49a38f2c9da13ced3. Error with certificate 1: certificate has expired. Error with certificate 2: certificate has expired. Establishing a secure connection to conference.conversations.im failed. Certificate hash: 19ea0e3a6548a8a73c670cc64e36709851d1dcf7. Error with certificate 1: certificate has expired. Error with certificate 2: certificate has expired.

  2. Licaon_Kter

    At least is not mitm?!

  3. Licaon_Kter

    At least it is not mitm?!

  4. ☭Mike Yellow

    What happens on conversations.im?

  5. Licaon_Kter

    See above...expired cert...now we wait...

  6. dsp3

    Same with jabber.at

  7. Licaon_Kter

    Maybe they updated CAA records last week but not tested?

  8. dsp3

    jabber.at is back. Yesterday they had a cert problem

  9. dsp3

    Probably everyone running to mitigate MITM issues

  10. Licaon_Kter

    dsp3: this happens in cycles, as certs expire, something is not working in that automated way you've set it up ¯\_(ツ)_/¯

  11. dsp3

    Yeah. Understood. Interesting coincidence it happened to conversations as well

  12. Menel

    Interestingly I get another error: Establishing a secure connection to conference.siacs.eu failed. Certificate hash: d926745ca77c1290bf9ccb27738621e2fb8d2e00e56272e8cd0760ffe9835568. Error with certificate 1: unable to get local issuer certificate.

  13. Licaon_Kter

    I see the same ^^^

  14. Menel

    It's another hash, maybe direct TLS port vs. STARTTLS port

  15. Menel

    I don't think it's a simple expiry, because what we see expired in 2021

  16. Menel

    More like a fallback cert that's somewhere in the server

  17. Menel

    More like a fallback cert that's somewhere on the server

  18. audamar

    it isn't necessarily a different hash, just a different hash type, note the length

  19. dsp3

    On conference.siacs.eu, testtls.com reports "certificate does not match supplied URI (same w/o SNI)"

  20. Licaon_Kter

    Them people are looking into it...

  21. Menel

    Now I got it: the cert is fine, but the intermediate cert is old for some reason. Needed the newest version of testssl.sh...
    Intermediate cert validity #1: expired! (2021-09-29 19:21). R3 <-- DST Root CA X3

  22. Menel

    dsp3: you must use it like this:
    ./testssl.sh -S -t xmpp-server --xmpphost conference.siacs.eu xmpp-hosting.conversations.im:5269
    No SNI problem... "Only" the chain is broken

  23. mimi89999

    Establishing a secure connection from lebihan.pl to conference.siacs.eu failed. Certificate hash: d926745ca77c1290bf9ccb27738621e2fb8d2e00e56272e8cd0760ffe9835568. Error with certificate 1: unable to get local issuer certificate. Establishing a secure connection from lebihan.pl to conference.conversations.im failed. Certificate hash: 44c4dafeb451bb81491e9f37df51e33680190443a8103ba4e94b565e74cef39e. Error with certificate 1: unable to get local issuer certificate.

  24. mimi89999

    Got that 3h ago

  25. Menel

    We all did

  26. dsp3

    > dsp3: you must use it like this:
    > ./testssl.sh -S -t xmpp-server --xmpphost conference.siacs.eu xmpp-hosting.conversations.im:5269
    > No SNI problem... "Only" the chain is broken
    Yeah, I was just testing on 443 as I presumed same cert used by all services to see if there was a general problem

  27. mirux

    I have a question for https://certwatch.xmpp.net/, I did upgrade to bookworm, and afterwards did a cert renewal via for - when I now try to access certwatch I am getting gateway time-out (might be independent from the upgrade) .... Is this known?

  28. mirux

    I have a question for https://certwatch.xmpp.net/, I did upgrade to bookworm, and afterwards did a cert renewal via certbot for my server - when I now try to access certwatch I am getting gateway time-out (might be independent from the upgrade) .... Is this known?

  29. MattJ

    You can't load the certwatch website?

  30. audamar

    what is the **** website?

  31. mirux

    504 Gateway Time-out nginx/1.18.0

  32. mirux

    getting that

  33. mirux

    https://certwatch.xmpp.net/servers

  34. mirux

    after entering my servername

  35. TheCoffeMaker

    mirux: certwatch is made with which language? maybe u are reverse proxying to the wrong socket (after a version upgrade, your nginx setup can be pointing to the old version number, this is common on php-fpm environments)

  36. mirux

    no proxy on my side

  37. TheCoffeMaker

    go

  38. mirux

    no clue where/what to check ....

  39. root

    It is working just fine for me.

  40. mirux

    any module I need to check on my side?

  41. audamar

    mirux, are you blocking tor?

  42. mirux

    nope, it went ok yesterday, my server is/was registered, only change is bookworm upgrade

  43. Menel

    That service had some hiccups, just try later

  44. mirux

    ok, the pubsub subscription stats I am registered

  45. TheCoffeMaker

    > It is working just fine for me.
    for me too

  46. mirux

    error message is socks connect tcp localhost:9050->[MYIPV6]:5222: unknown error general SOCKS server failure

  47. mirux

    or

  48. mirux

    504 Gateway Time-out nginx/1.18.0