Ejabberd 25/17/2023

It’s not as simple as described below, I’m afraid… It appears that it’s not that easy to obtain new/correct certs from LetsEncrypt that are not cross-signed by DST Root X3 CA. Additionally, older OpenSSL versions (1.0.x) seem to have problems. So even when you think that your system is now ok, the remote server might refuse to accept your SSL cert. The same is valid for the SSL check on, which seems to be very outdated and beyond repair. Honestly, I think the solution needs to be provided by LetsEncrypt…

I was having some strange issues on my ejabberd XMPP server the other day: some users complained that they couldn’t connect anymore to the MUC rooms on my server and in the logfiles I discovered some weird warnings about LetsEncrypt certificates being expired – although they were just new and valid until end of December. It looks like this:

Invalid certificate in /etc/letsencrypt.sh/certs//fullchain.pem: at line 37: certificate is no longer valid as its expiration date has passed

And…

Failed to establish outbound s2s connection -> : Stream closed by peer: Your server's certificate is invalid, expired, or not trusted by (not-authorized) bouncing for 237 seconds

When checking out with some online tools like SSLlabs or the result was strange, because SSLlabs reported everything was ok while was showing the chain with X3 and D3 certs as having a short term validity of a few days.

After some days of fiddling around with the issue, trying to find a solution, it appears that there is a problem in Ejabberd when there are some old SSL certificates being found by Ejabberd that are using the old CA chain.

Ejabberd has a really nice feature where you can just configure an SSL cert directory (or a path containing wildcards). Ejabberd then reads all of the SSL certs and compares them to the list of configured domains to see which it will need and which not.

What helped (for me at least) was to delete all expired SSL certs from my directory, download the current CA file pems from LetsEncrypt (see their blog post from September 2020), run update-ca-certificates and ejabberdctl restart (instead of just ejabberdctl reload-config).

UPDATE: be sure to use dpkg-reconfigure ca-certificates to uncheck the DST Root X3 cert (and others if necessary) before renewing the certs or running update-ca-certificates. Otherwise the update will bring in the expired cert again.

Currently I see at least two other XMPP domains in my server logs having certificate issues and in some MUCs there are reports of other domains as well.

Disclaimer: Again: this helped me in my case. I don’t know if this is a bug in Ejabberd or if this procedure will help you in your case nor if this is the proper solution. But maybe my story will help you solve your issue if you experience SSL cert issues in the last few days, especially now that the R3 cert has already expired and the X3 cert following in a few hours.
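Added example (not part of the original post): the "at line 37" warning points at a certificate inside a fullchain.pem rather than at the file as a whole, so this sketch checks every certificate in each PEM bundle of a cert directory and reports the line where an expired one starts. The function names check_bundle and check_dir are made up for this example, and it assumes the openssl command line tool is installed.

```shell
#!/bin/sh
# Added example: find certificates inside PEM bundles that are expired
# (or expire within GRACE seconds) and report the line where each starts.
# check_bundle / check_dir are hypothetical helper names, not ejabberd tools.

# check_bundle FILE [GRACE]
# Prints "FILE:LINE: notAfter=... subject=..." for every failing certificate.
# A block that openssl cannot parse is reported too (with empty details).
check_bundle() {
    file=$1
    grace=${2:-0}
    tmp=$(mktemp) || return 2
    # Line number of every BEGIN marker in the bundle (leaf, intermediates, ...).
    for start in $(grep -n -- '-----BEGIN CERTIFICATE-----' "$file" | cut -d: -f1); do
        # Cut out one certificate: from this BEGIN up to the next END marker.
        sed -n "${start},\$p" "$file" | sed '/-----END CERTIFICATE-----/q' > "$tmp"
        # -checkend N exits non-zero when the cert expires within N seconds;
        # N=0 therefore means "already expired".
        if ! openssl x509 -in "$tmp" -noout -checkend "$grace" >/dev/null 2>&1; then
            info=$(openssl x509 -in "$tmp" -noout -enddate -subject 2>/dev/null | tr '\n' ' ')
            printf '%s:%s: %s\n' "$file" "$start" "$info"
        fi
    done
    rm -f "$tmp"
}

# check_dir DIR [GRACE]
# Runs check_bundle over every *.pem below DIR, i.e. everything a server
# configured with a certificate directory or wildcard path would pick up.
check_dir() {
    find "$1" -type f -name '*.pem' | while IFS= read -r f; do
        check_bundle "$f" "${2:-0}"
    done
}

# Stand-alone use: sh find-expired.sh /path/to/cert/dir [GRACE_SECONDS]
if [ "$#" -gt 0 ]; then
    check_dir "$@"
fi
```

Running it with a grace period such as 604800 (seven days) also lists certificates that are about to expire, not only those that already have.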