search

ChatSecure / ChatSecure-iOS

ChatSecure is a free and open source encrypted chat client for iOS that supports OTR and OMEMO encryption over XMPP.
https://chatsecure.org
Other
3.13k stars 1.03k forks source link

Push notifications not working anymore with Let'sEncrypt server certificate after Sept 30 #1251

Closed schorschii closed 2 years ago

schorschii commented 2 years ago

Hi, The push notifications from my ejabberd server are not working anymore, I guess it is related to the last LetsEncrypt certificate renewal.

Server: ejabberd 18.12.1 on Debian 10

The log shows:

2021-10-22 18:50:14.469 [warning] <0.547.0>@ejabberd_s2s_out:handle_auth_failure:226 (tls|<0.547.0>) Failed outbound s2s EXTERNAL authentication sieber.systems -> pubsub.chatsecure.org (45.55.5.246): Authentication failed: Peer responded with error: not-authorized
2021-10-22 18:50:14.469 [warning] <0.547.0>@ejabberd_s2s_out:process_auth_result:141 Failed to establish outbound s2s connection sieber.systems -> pubsub.chatsecure.org: authentication failed; bouncing for 292 seconds

But the certificate is valid, I can't see any problem. Does anyone know why pubsub.chatsecure.org refuses the requests?

Thanks.

licaon-kter commented 2 years ago

Did you regenerate the cert after Sep 30?

Also read https://blog.windfluechter.net/2021/09/29/letsencrypt-ca-chain-issues-with-ejabberd/

schorschii commented 2 years ago

Thanks for your answer. Yes, my server certificate was automatically renewed on Oct 02.

The link you've provided got me a little further. I've used https://xmpp.net/ to test my server: my certificate is issued by the (valid) "ISRG Root X1" root CA which is cross-signed with the old root CA "DST Root CA X3" which expired on Sept 30.

All modern browsers already trusts the "ISRG Root X1" by default. Shouldn't the ChatSecure push server do the same? It seems to me that it only trusts the old "DST Root CA X3". If I see that correctly, it is currently not possible to use push notifications with Let'sEncrypt certificates on ChatSecure.

(Disabling the "DST Root CA X3" on my server as recommended here did not make any difference)

licaon-kter commented 2 years ago

It should by it might not, that's the issue, the push server needs some sort of update.

schorschii commented 2 years ago

For testing purposes, I removed the cross-signed "ISRG Root X1" root CA from my certificate file which is used by ejabberd. This means, my certificate file now only includes the server and the intermediate certificate ("R3"). This gives me an "A" rating here, the certificate is now accepted and there is no error visible anymore when ejabberd is connecting to the ChatSecure push server:

2021-10-24 16:29:31.744 [info] <0.544.0>@ejabberd_s2s_out:init:280 Outbound s2s connection started: sieber.systems -> pubsub.chatsecure.org
2021-10-24 16:29:33.053 [info] <0.544.0>@ejabberd_s2s_out:handle_auth_success:216 (tls|<0.544.0>) Accepted outbound s2s EXTERNAL authentication sieber.systems -> pubsub.chatsecure.org (45.55.5.246)
2021-10-24 16:29:35.001 [info] <0.545.0>@ejabberd_s2s_in:handle_auth_success:181 (tls|<0.545.0>) Accepted inbound s2s EXTERNAL authentication pubsub.chatsecure.org -> sieber.systems (::ffff:45.55.5.246)

But: notifications are still not working. I'll guess there are more problems with the ChatSecure push server, because notifications from my server are working fine with other apps like Monal or Siskin.

Bottom line: it seems that users of servers with Let'sEncrypt certificates will now have to switch to another XMPP client app. Thanks for your help.

chrisballinger commented 2 years ago

Just updated cert store and disabled DST Root CA X3. Can you check again?

p.s. this is a dupe of https://github.com/ChatSecure/ChatSecure-iOS/issues/1250, closing this in favor of the first reported issue