processone / ejabberd

Robust, Ubiquitous and Massively Scalable Messaging Platform (XMPP, MQTT, SIP Server)
https://www.process-one.net/en/ejabberd/

Invalid certificate: certificate is signed by unknown CA, Let's Encrypt #3989

Open dkliss opened 1 year ago

dkliss commented 1 year ago

Hi,

I have a LetsEncrypt Certificate and I still keep on getting below warning for a while now. Is this an issue? The TLS works fine despite this issue.

2023-02-10 13:55:38.499616+00:00 [warning] Invalid certificate in /opt/ejabberd/conf/server.pem: at line 91: certificate is signed by unknown CA

Before creating a ticket, please consider if this should fit the discussion forum better: https://github.com/processone/ejabberd/discussions

Environment

Configuration (only if needed): grep -Ev '^$|^\s*#' ejabberd.yml

loglevel: 4
...

Errors from error.log/crash.log

No errors

Bug description

Please, give us a precise description (what does not work, what is expected, etc.)

licaon-kter commented 1 year ago

Debian 11 right? How did you get the cert, e.g. certbot? Try to set the proper intermediary: certbot renew --preferred-chain "ISRG Root X1"

dkliss commented 1 year ago

Debian 11 right? How did you get the cert, eg. certbot? try to set the proper intermediary:

certbot renew --preferred-chain "ISRG Root X1"

Yes I got it from certbot. I will try that command.

licaon-kter commented 1 year ago

Also double check the permissions of the file, e.g. sudo -u ejabberd stat /opt/ejabberd/conf/server.pem (or whatever your user name for the ejabberd processes is)

cippaciong commented 1 year ago

Hello, I have a similar issue in a dockerized setup where I pass the certificate using a docker volume.

Since the certificate is used for different services (ejabberd, nginx, etc.) I generate it outside of docker with a systemd service in this way:

/usr/bin/bash -c '/usr/local/bin/certbot-renew.sh example.tld && cat /etc/letsencrypt/live/example.tld/fullchain.pem /etc/letsencrypt/live/example.tld/privkey.pem > /media/data/docker/ejabberd/volumes/ejabberd/ejabberd.pem && docker exec ejabberd /home/ejabberd/bin/ejabberdctl reload-config'

Then I mount it in the ejabberd docker container with this docker-compose snippet:

ejabberd:
   container_name: ejabberd
   image: ejabberd/ecs:23.01
   volumes:
     - ./volumes/ejabberd/ejabberd.pem:/home/ejabberd/conf/ejabberd.pem

My current ejabberd acme and certificate configuration is this one:

acme:
  auto: false

certfiles:
  - "/home/ejabberd/conf/ejabberd.pem"

This is the output of stat:

docker-compose exec -T -u ejabberd ejabberd stat /home/ejabberd/conf/ejabberd.pem
  File: /home/ejabberd/conf/ejabberd.pem
  Size: 7409            Blocks: 16         IO Block: 4096   regular file
Device: 803h/2051d      Inode: 30412150    Links: 1
Access: (0640/-rw-r-----)  Uid: (    0/    root)   Gid: ( 9000/ejabberd)
Access: 2023-02-11 03:00:16.200004626 +0000
Modify: 2023-02-11 03:00:14.870004626 +0000
Change: 2023-02-11 03:00:14.870004626 +0000

I'm using R3 and ISRG Root X1 for the chain of trust and I also don't have any issue other than that warning log.

licaon-kter commented 1 year ago

@cippaciong the full path is accessible to that ejabberd group? Each folder? /home/ejabberd/conf ? /home/ejabberd ?

poVoq commented 1 year ago

Same issue on Fedora 38 with the official ejabberd rpm repositories version 23.04 and externally created letsencrypt certificates (I generate DNS-01 wildcard certificates via certbot).

I have ca_file: /opt/ejabberd/conf/cacert.pem in my config and also tried ca_file: /etc/ssl/cert.pem

I also confirmed that my certbot used the ISRG Root X1 chain for the certs.

Any idea?

licaon-kter commented 1 year ago

@poVoq why do you need to specify ca? Try without it

poVoq commented 1 year ago

Same warning without specifying it, but the default ejabberd.yaml comes with ca_file: /opt/ejabberd/conf/cacert.pem as a default setting.

cippaciong commented 1 year ago

@cippaciong the full path is accessible to that ejabberd group? Each folder? /home/ejabberd/conf ? /home/ejabberd ?

@licaon-kter sorry for the very late reply, I didn't have time to check until now.

Some files/folders are owned by root, but it looks like the ejabberd user is able to access the full path and the file itself.

~ $ whoami
ejabberd

~ $ pwd
/home/ejabberd

~ $ ls -lh
total 24K
drwxr-xr-x    1 root     root        4.0K Jan 17 14:57 bin
drwxr-xr-x    2 root     root        4.0K Feb 11 20:51 conf
drwxr-sr-x    3 ejabberd ejabberd    4.0K Apr 18 22:48 database
drwxr-xr-x   46 root     root        4.0K Jan 17 14:57 lib
drwxr-sr-x    2 ejabberd ejabberd    4.0K Feb 11 20:51 logs
drwxr-sr-x    2 ejabberd ejabberd    4.0K Jan 17 14:57 upload

~ $ ls -lh conf/
total 272K
-rw-------    1 ejabberd ejabberd  216.7K Jan  9 23:15 cacert.pem
-rw-r--r--    1 ejabberd ejabberd     424 Jan 17 14:53 dhparams.pem
-rw-r-----    1 root     ejabberd    7.2K May  2 02:00 ejabberd.pem
-rw-------    1 ejabberd ejabberd   19.1K Feb 11 20:22 ejabberd.yml
-rw-r--r--    1 ejabberd ejabberd    5.5K Jan 17 14:53 ejabberdctl.cfg
-rw-r--r--    1 ejabberd ejabberd     114 Jan 17 14:53 inetrc
-rw-r--r--    1 ejabberd ejabberd    5.2K Jan 17 14:53 server.pem

~ $ cat conf/ejabberd.pem | head -n 1
-----BEGIN CERTIFICATE-----

poVoq commented 1 year ago

Seems related: https://blog.windfluechter.net/2021/09/29/letsencrypt-ca-chain-issues-with-ejabberd/

Edit: I get s2s errors from jabber.ru on my server that seem to be related to this, otherwise everything seems to be working despite this.
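The two things this thread keeps circling (is the bundle readable by the ejabberd user, and does the chain inside it actually lead to a trusted root) can be checked directly with openssl. The script below is an added example, not code from the issue or the ejabberd project; it assumes the openssl CLI is installed and builds its own throwaway root, intermediate and leaf certificates, then assembles a bundle the same way the thread does (fullchain followed by the private key) and checks it against a matching root, an unrelated root, and with the intermediate left out.

```shell
#!/bin/sh
# Added example, not ejabberd project code: reproduce the "signed by unknown CA"
# situation against a constructed chain and check a PEM bundle the way the
# thread builds it (fullchain + private key concatenated). Needs the openssl CLI.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:xmpp.example.invalid\n' > "$WORK/ee.ext"

# issue NAME SUBJECT EXTFILE [ISSUER]: throwaway key + cert; self-signed without ISSUER
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -subj "$2" \
    -out "$WORK/$1.csr" 2>/dev/null
  if [ $# -ge 4 ]; then
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" \
      -CAcreateserial -extfile "$3" -days 2 -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -extfile "$3" -days 2 -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# check_bundle BUNDLE CAFILE: confirm BUNDLE is readable by the current user, list
# subject/issuer of every certificate in it (the key block is skipped), then verify
# the first (end-entity) cert with the others as untrusted intermediates and CAFILE
# as the trust store. Non-zero exit = the same chain problem ejabberd warns about.
check_bundle() {
  [ -r "$1" ] || { echo "$1: not readable by $(id -un)"; return 1; }
  rm -f "$WORK"/chain.*.pem
  awk -v d="$WORK" '/BEGIN CERT/{n++; f=sprintf("%s/chain.%02d.pem", d, n)}
                     f{print > f} /END CERT/{f=""}' "$1"
  untrusted=""
  for c in "$WORK"/chain.*.pem; do
    openssl x509 -noout -subject -issuer -in "$c" | tr '\n' ' '; echo
    [ "$c" = "$WORK/chain.01.pem" ] || untrusted="$untrusted -untrusted $c"
  done
  openssl verify -CAfile "$2" $untrusted "$WORK/chain.01.pem"
}

issue root  "/CN=Constructed Root X1"  "$WORK/ca.ext"
issue other "/CN=Unrelated Root"       "$WORK/ca.ext"
issue r3    "/CN=Constructed R3"       "$WORK/ca.ext" root
issue leaf  "/CN=xmpp.example.invalid" "$WORK/ee.ext" r3
cat "$WORK/leaf.pem" "$WORK/r3.pem" "$WORK/leaf.key" > "$WORK/bundle.pem"  # fullchain + privkey
cat "$WORK/leaf.pem" "$WORK/leaf.key" > "$WORK/leafonly.pem"             # intermediate missing

check_bundle "$WORK/bundle.pem" "$WORK/root.pem"                         # verifies OK
check_bundle "$WORK/bundle.pem" "$WORK/other.pem" || echo "-> unknown CA"
check_bundle "$WORK/leafonly.pem" "$WORK/root.pem" || echo "-> incomplete chain"
```

Against a real deployment, run check_bundle as the ejabberd user on the actual bundle with the CA file ejabberd is configured to use (or the system store), so both the permission question and the chain question from the thread are answered by one command.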

badlop commented 2 weeks ago

What's the status of this problem? Were you able to solve it somehow, or it's still kicking?