Closed schorschii closed 2 years ago
Did you regenerate the cert after Sep 30?
Also read https://blog.windfluechter.net/2021/09/29/letsencrypt-ca-chain-issues-with-ejabberd/
Thanks for your answer. Yes, my server certificate was automatically renewed on Oct 02.
The link you've provided got me a little further. I've used https://xmpp.net/ to test my server: my certificate is issued by the (valid) "ISRG Root X1" root CA which is cross-signed with the old root CA "DST Root CA X3" which expired on Sept 30.
All modern browsers already trusts the "ISRG Root X1" by default. Shouldn't the ChatSecure push server do the same? It seems to me that it only trusts the old "DST Root CA X3". If I see that correctly, it is currently not possible to use push notifications with Let'sEncrypt certificates on ChatSecure.
(Disabling the "DST Root CA X3" on my server as recommended here did not make any difference)
It should by it might not, that's the issue, the push server needs some sort of update.
For testing purposes, I removed the cross-signed "ISRG Root X1" root CA from my certificate file which is used by ejabberd. This means, my certificate file now only includes the server and the intermediate certificate ("R3"). This gives me an "A" rating here, the certificate is now accepted and there is no error visible anymore when ejabberd is connecting to the ChatSecure push server:
2021-10-24 16:29:31.744 [info] <0.544.0>@ejabberd_s2s_out:init:280 Outbound s2s connection started: sieber.systems -> pubsub.chatsecure.org
2021-10-24 16:29:33.053 [info] <0.544.0>@ejabberd_s2s_out:handle_auth_success:216 (tls|<0.544.0>) Accepted outbound s2s EXTERNAL authentication sieber.systems -> pubsub.chatsecure.org (45.55.5.246)
2021-10-24 16:29:35.001 [info] <0.545.0>@ejabberd_s2s_in:handle_auth_success:181 (tls|<0.545.0>) Accepted inbound s2s EXTERNAL authentication pubsub.chatsecure.org -> sieber.systems (::ffff:45.55.5.246)
But: notifications are still not working. I'll guess there are more problems with the ChatSecure push server, because notifications from my server are working fine with other apps like Monal or Siskin.
Bottom line: it seems that users of servers with Let'sEncrypt certificates will now have to switch to another XMPP client app. Thanks for your help.
Just updated cert store and disabled DST Root CA X3
. Can you check again?
p.s. this is a dupe of https://github.com/ChatSecure/ChatSecure-iOS/issues/1250, closing this in favor of the first reported issue
Hi, The push notifications from my ejabberd server are not working anymore, I guess it is related to the last LetsEncrypt certificate renewal.
Server: ejabberd 18.12.1 on Debian 10
The log shows:
But the certificate is valid, I can't see any problem. Does anyone know why pubsub.chatsecure.org refuses the requests?
Thanks.