XMPP Service Operators - 2024-09-15


  1. Martin

    > 15.09.24 18:36:18 - mdosch.de: Establishing a secure connection from mdosch.de to openim.de failed. Certificate hash: e848346b9b635ab1f58cafe6249547aaf3a83e07b35bb6330d742a2ea38a0a45. Error with certificate 0: no matching DANE TLSA records.

  2. Menel

    Openim is hotchilli?

  3. Martin

    Looks like:
    > xmpp-dns -s openim.de
    > xmpp-server jabber.hot-chilli.net. 5269
    > Priority: 0 Weight: 0

  4. ernst.on.tour

    Roi (Admin from hot-chilli.net) has owned openim.de last year.

  5. Roi removed by moderator

  6. Roi

    Menel, yes, openim.de migrated to us last year as the old admin wanted to shut down the server. https://jabber.hot-chilli.net/2023/03/30/openim-de/

  7. Roi

    But, hm, TLSA should be okay... There might be short temporary problems during cert rollover. Is it okay now?

  8. Martin

    My server still complains about DANE. :(

  9. a moderator removed a message

  10. moparisthebest

    > But, hm, TLSA should be okay... There might be short temporary problems during cert rollover. Is it okay now?

    If that's a possibility, you are doing it wrong... The easiest thing to do is not change keys, only certs.

  11. Roi

    I'm using a Let's Encrypt script. Is there an option to leave the keys?

  12. Roi

    But for this check everything is green: https://dane.sys4.de/smtp/openim.de

  13. luca

    What do you mean "not change keys, only certs"? I thought for every cert switch the TLSA records should be updated, as it leads to new hashes

  14. Roi

    luca, moparisthebest said that I am doing it wrong. So I thought maybe TLSA must not be changed when only changing certs, not keys.

  15. moparisthebest

    > What do you mean "not change keys, only certs"? I thought for every cert switch the TLSA records should be updated, as it leads to new hashes

    If you change keys and update TLSA records, then you'll need to get new certs like a week early, add the new keys while keeping the same old cert in use, and only after a week start using the new cert and remove the old TLSA records.

  16. moparisthebest

    Which is obviously a pain, but it's the only way to do it without breaking everyone for a time.

  17. moparisthebest

    Roi: certbot surely has an option to keep the key the same, meaning you don't need to update TLSA ever if you want, but I can't say offhand what it is. I use acme.sh, where this is the default.

  18. Roi

    moparisthebest, okay, well, I have to dig into this. Even if the TLSA records have a TTL of 5 minutes, it is not perfect. But I update these records right after the cert. So yeah, 300 seconds. But I learned that still a lot of DNS servers and/or clients do not care about TTL...

  19. moparisthebest

    Yep, TTL is widely ignored :'(

  20. moparisthebest

    Roi: "reuse-key", assuming https://community.letsencrypt.org/t/certificate-renewal-using-the-same-private-key/173621 is right; then you don't need to change TLSA keys at all.

  21. moparisthebest

    Assuming you are setting the key-pinning ones and not the cert-pinning ones :/

  22. Menel

    I do reuse keys, and if I'd like a new one, I'll generate a key manually, put the records for it up, and only after a day generate a new cert from it. Then the old TLSA can be deleted.