-
worlio.com
What possible reason could there be for why new users are having issues seeing the avatars of others in a semi-anonymous MUC? It seems to be oddly inconsistent, with each user seeing different users with and without an avatar, and some having no issues at all. I have found no consistency with s2s, clients, networks, or whether the users have added themselves.
-
Menel
One possible reason can be different clients and what vCard standard they support. As a server admin one can only deploy a module to do https://xmpp.org/extensions/xep-0398.html and hope for the best
-
worlio.com
The clients this was mostly seen on are Gajim and monocles, suggesting to me it isn't a client issue as these should be up-to-date.
-
nuegia.net
That module had some bugs and needed to be disabled
-
nuegia.net
In prosody
-
nuegia.net
At some point I had to remove it and go back to vcards instead of pep
-
nuegia.net
Most of the clients used vcard anyways
-
nuegia.net
Something to do with a conflict in the database
-
worlio.com
The problem was that the default account settings set the sharing of the vCard to be contact only, and every client needed to be restarted in order for the avatars to be updated.
-
worlio.com
Someone in the MUC figured it out and told everyone how to change the setting.
-
Menel
In what client, gajim I suppose worlio.com?
-
Trung
so you can't share the card, you need to restart ?
-
worlio.com
Any client they would use seemed to exhibit the problem, but the guide the user who discovered it shared around was for Gajim.
-
Menel
nuegia.net: I think most clients fall back to vCard if they don't see the conversion module, to not split the avatar storages. Eternally stuck at vcard that has no good permission options
-
kapad
what is the new address of servers@joinjabber.org ?
-
kapad
Kris?
-
Kris
same?
-
Kris
we moved the server, but the address is still the same
-
Kris
you have connection issues? Here it seems to work fine
-
kapad
yes, psi says cert is expired
-
Kris
odd
-
Kris
you are the second person that claims that there is a certificate issue. but it seems to work fine and there are many people connected
-
kapad
```
CheckCert joinjabber.org s2s
service: joinjabber.org port: 5269 proto: s2s
* : openssl s_client -showcerts -connect joinjabber.org:5269 -starttls xmpp-server -xmpphost joinjabber.org
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = R3
Not Before: May 6 14:19:25 2024 GMT
Not After : Aug 4 14:19:24 2024 GMT
Subject: CN = joinjabber.org
```
-
Martin
https://files.mdosch.de/upload/bhOCZozEAyrnp_dvXu34FERO/XjN1rFBRT-O96KSKk5rNcA.jpg
-
kapad
i think it's almost to a week now
-
Martin
Kris: Seems still expired to me.
-
Kris
yeah, I can replicate it via openssl
-
Kris
ok MsSavoritas will fix it tomorrow morning. we are still in the middle of reworking our certs automation, so it looks like something went wrong with the temporary fix
-
Kris
sorry for the trouble
-
kapad
✌️
-
Martin
> but it seems to work fine and there are many people connected
Many servers don't check certs? 😲
-
kapad
/offtopic
```
Input #0, ogg, from 'https://ua3.anondns.net/radio/live':
  Metadata:
    icy-name : live
    icy-pub : 0
    icy-url : /radio/live
  Duration: N/A, start: 127.137959, bitrate: 112 kb/s
  Stream #0:0: Audio: vorbis, 44100 Hz, stereo, fltp, 112 kb/s
    Metadata:
      title : Kick Bong - Just Let Go
      server : Icecast 2.4.4
```
-
Kris
> > but it seems to work fine and there are many people connected
> Many servers don't check certs? 😲
there are lots of servers that accept expired certs, yes. I also recently did that on my server to route around some problems with another server. Was meant to be only temporarily
-
Kris
🤷‍♂️
-
moparisthebest
My money is on the servers that connected anyway having dialback enabled... But that should probably be tested and dialback impls probably shouldn't try to connect anyway if the cert is expired?
-
kapad
in ejabberd even some domains that have no cert records work normally without the need of dialback. i have disabled it some years now, never met an issue
-
moparisthebest
> in ejabberd even some domains that have no cert records work normally without the need of dialback. i have disabled it some years now, never met an issue
That shouldn't be possible for s2s, certs and dialback are the only 2 authentication methods, no?
-
kapad
moparisthebest: sorry, i think i meant DNS records, of course domains have certs
-
kapad
don't exactly remember what my problem was and use dialback to solve it ...
-
Menel
Ah I thought you know you had the cert and server issue so I didn't report. I've that cert issue ongoing with joinjabber too
-
MSavoritias (fae/ve)
on the jj issue writing it here also (wasn't part of the group before for a while) i am gonna fix it tomorrow
-
Martin
> My money is on the servers that connected anyway having dialback enabled...
My server refused to connect a few days ago but connected right now. No dialback enabled. Maybe dane?
-
moparisthebest
Interesting... Are there multiple servers?
-
moparisthebest
Martin: joinjabber.org appears to have no srv or tlsa records
-
moparisthebest
And 1 IP
-
Menel
Hm? I've still got no connection because of the cert. Mysterious case, considering we have nearly the same setup Martin
-
Martin
Then it's weird.
-
Martin
I was even the one who reported being unable to connect due to cert issues on 3. August.
-
moparisthebest
Kris, MSavoritias (fae/ve): link on front page to https://chat.joinjabber.org/ is broken too, cert invalid for that name
-
moparisthebest
Martin: can you grep logs to see how you connected :/
-
Martin
Yeah, but need to get home first. No fun on phone screens.
-
Menel
I've got no cert issue for https://chat.joinjabber.org
-
Kris
yeah, the chat. webclient is currently broken
-
Martin
ACAB!
-
Kris
its all work in progress due to the server move
-
moparisthebest
> I've got no cert issue for https://chat.joinjabber.org
That points to a DNS issue where we are connected to different servers (: is the old server still up Kris ?
-
Kris
the problem is that everything is recreated from ground up in guix and the cert creation via dns-01 challenge isn't finished
-
Kris
so it was just a quick workaround to create the certs for the main website
-
Menel
Hm testssl confirms no valid SAN but fennec is happy what's going on today 👀
-
moparisthebest
> Hm testssl confirms no valid SAN but fennec is happy what's going on today 👀
Haha that's worse
-
moparisthebest
🐛, 🐛 everywhere
-
Menel
Hm. I'm guessing I must have pressed OK for insecure connection at some point in the past for that website. After clearing the data for the website it is correctly distrusted
-
Martin
> Aug 09 21:01:01 s2sout55b9b8f9b180 info Outgoing s2s stream mdosch.de->joinjabber.org closed: stream closed
> Aug 09 21:01:01 s2sout55b9b8f9b180 debug Destroying outgoing session mdosch.de->joinjabber.org
> Aug 09 21:01:01 unbound.queryVw0GSs4G-S_Y debug Resolve _xmpps-server._tcp.joinjabber.org IN SRV
> Aug 09 21:01:01 s2sout55b9b5612d40 debug trying to send over unauthed s2sout to joinjabber.org
> Aug 09 21:01:01 s2sout55b9b5612d40 debug trying to send over unauthed s2sout to joinjabber.org
> Aug 09 21:01:01 s2sout55b9b5612d40 debug trying to send over unauthed s2sout to joinjabber.org
> Aug 09 21:01:01 s2sout55b9b5612d40 debug trying to send over unauthed s2sout to joinjabber.org
> Aug 09 21:01:01 s2sout55b9b5612d40 debug trying to send over unauthed s2sout to joinjabber.org
> Aug 09 21:01:01 unbound.queryVw0GSs4G-S_Y debug Results for _xmpps-server._tcp.joinjabber.org IN SRV: NXDomain (Insecure, 0.122279 sec)
> Aug 09 21:01:01 unbound.query3_M4OwB-TfJ4 debug Resolve _xmpp-server._tcp.joinjabber.org IN SRV
> Aug 09 21:01:02 unbound.query3_M4OwB-TfJ4 debug Results for _xmpp-server._tcp.joinjabber.org IN SRV: NXDomain (Insecure, 0.353176 sec)
> Aug 09 21:01:02 unbound.queryqQVTCXNElgA_ debug Resolve joinjabber.org IN A
> Aug 09 21:01:02 unbound.queryH_-tZfKjXpBL debug Resolve joinjabber.org IN AAAA
> Aug 09 21:01:02 unbound.queryqQVTCXNElgA_ debug Results for joinjabber.org IN A: 1 items (Insecure, 0.034280 sec)
> Aug 09 21:01:02 unbound.queryH_-tZfKjXpBL debug Results for joinjabber.org IN AAAA: 1 items (Insecure, 0.034284 sec)
> Aug 09 21:01:02 mdosch.de:tls debug joinjabber.org is offering TLS, taking up the offer...
> Aug 09 21:01:02 s2sout55b9b5612d40 warn Forbidding insecure connection to/from joinjabber.org because its certificate has expired
> Aug 09 21:01:02 s2sout55b9b5612d40 debug Disconnecting mdosch.de->joinjabber.org[s2sout_unauthed], <stream:error> is: <stream:error><not-authorized xmlns='urn:ietf:params:xml:ns:xmpp-streams'/><text xmlns='urn:ietf:params:xml:ns:xmpp-streams'>Your server's certificate has expired</text></stream:error>
> Aug 09 21:01:02 s2sout55b9b5612d40 info Outgoing s2s stream mdosch.de->joinjabber.org closed: Your server's certificate has expired
> Aug 09 21:01:02 s2sout55b9b5612d40 debug Destroying outgoing session mdosch.de->joinjabber.org: Your server's certificate has expired
> Aug 09 21:01:02 s2sout55b9b5612d40 info Sending error replies for 6 queued stanzas because of failed outgoing connection to joinjabber.org
Just closed s2s and now it fails again. But weird that I got a connection in between. Maybe there was a short period where a valid cert was presented? Totally weird things going on there.
-
moparisthebest
Martin: ah, aaaa records! I'm not at a place where I can check IPv6, can you and see if that server has a correct cert ?
-
taba
> at a place where I can check IPv6
there is no place in georgia where you can check if an ipv6 address is working i don't think
-
Martin
moparisthebest: Same
> xmpp-dns -sft6 joinjabber.org
> failure in xmpp-server lookup: lookup _xmpp-server._tcp.joinjabber.org on 192.168.178.55:53: no such host
> failure in xmpps-server lookup: lookup _xmpps-server._tcp.joinjabber.org on 192.168.178.55:53: no such host
> Trying fallback ports.
>
> xmpp-server joinjabber.org 5269
> Priority: 0 Weight: 0
> IP: 2a0c:f040:0:8::3b
> Connection: [OK]
> STartTLS: [Not OK]
> tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-08-09T21:10:47+02:00 is after 2024-08-04T14:19:24Z
>
> xmpps-server joinjabber.org 5270
> Priority: 0 Weight: 0
> IP: 2a0c:f040:0:8::3b
> Connection: [Not OK]
> dial tcp6 [2a0c:f040:0:8::3b]:5270: connect: connection refused
-
moparisthebest
Alright I'm back to being out of ideas...
-
moparisthebest
> > at a place where I can check IPv6
> there is no place in georgia where you can check if an ipv6 address is working i don't think
taba: sure there is, anyplace set up with a tunnel from https://tunnelbroker.net/ (that's where I get my IPv6 from too)