
Failed inbound s2s EXTERNAL authentication pubsub.chatsecure.org

Open gerroon opened this issue 6 years ago • 9 comments

I am creating a new bug based on a conversation in #1017

I am not sure how push should work with ChatSecure on iOS. I definitely can't get messages if the app is killed, but I can get messages if the app is in the background.

I have XEP-0357 (mod_push) enabled in Ejabberd.

I see this message when the app is killed or not running.

jabberd_s2s_in:handle_auth_failure:205 (tls|<0.539.0>) Failed inbound s2s EXTERNAL authentication pubsub.chatsecure.org -> MYDOMAIN

I see this message in Ejabberd log if the app is in the background

2018-05-27 13:13:19.316 [info] <0.542.0>@mod_push:enable:308 Enabling push notifications for USER@MYDOMAIN/USER-chatsecure

Looking at this I am not sure if it is working or not, it looks like it kind of works?

gerroon avatar May 27 '18 17:05 gerroon

I also see this in the log

@ejabberd_s2s_in:handle_auth_failure:205 (tls|<0.520.0>) Failed inbound s2s EXTERNAL authentication pubsub.chatsecure.org -> MYDOMAIN (45.55.5.246): unable to get local issuer certificate

gerroon avatar May 27 '18 18:05 gerroon

OK, here is the exact chain of events when a message is sent from Conversations to ChatSecure (iOS)

2018-05-27 14:37:40.519 [info] <0.529.0>@ejabberd_s2s_out:init:281 Outbound s2s connection started: MYDOMAIN.com -> pubsub.chatsecure.org
2018-05-27 14:37:42.696 [info] <0.529.0>@ejabberd_s2s_out:handle_auth_success:217 (tls|<0.529.0>) Accepted outbound s2s EXTERNAL authentication MYDOMAIN.com -> pubsub.chatsecure.org (45.55.5.246)
2018-05-27 14:37:43.623 [info] <0.376.0>@ejabberd_listener:accept:302 (<0.530.0>) Accepted connection 45.55.5.246:53652 -> xx.xx.xx.xx:5269
2018-05-27 14:37:44.639 [info] <0.530.0>@ejabberd_s2s_in:handle_auth_failure:205 (tls|<0.530.0>) Failed inbound s2s EXTERNAL authentication pubsub.chatsecure.org -> MYDOMAIN.com (45.55.5.246): unable to get local issuer certificate

gerroon avatar May 27 '18 18:05 gerroon

I have the same problem here.

jnaeff avatar Jun 14 '18 20:06 jnaeff

You're probably hitting this issue in Ejabberd: https://github.com/processone/ejabberd/issues/2186

Try adding to your ejabberd config: s2s_cafile: "/etc/ssl/certs/ca-certificates.crt"

laszlovl avatar Jun 18 '18 07:06 laszlovl
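
Added example, not part of the thread or of ejabberd: a small Python parser for the s2s authentication lines gerroon posted, which flags peers that accepted this server's certificate on the outbound stream while this server rejected theirs on the inbound one. The function names and the regular expression are assumptions fitted to the log format quoted above.

```python
import re

# Log lines quoted in the thread (MYDOMAIN.com / xx.xx.xx.xx are the poster's redactions).
SAMPLE_LOG = """\
2018-05-27 14:37:40.519 [info] <0.529.0>@ejabberd_s2s_out:init:281 Outbound s2s connection started: MYDOMAIN.com -> pubsub.chatsecure.org
2018-05-27 14:37:42.696 [info] <0.529.0>@ejabberd_s2s_out:handle_auth_success:217 (tls|<0.529.0>) Accepted outbound s2s EXTERNAL authentication MYDOMAIN.com -> pubsub.chatsecure.org (45.55.5.246)
2018-05-27 14:37:43.623 [info] <0.376.0>@ejabberd_listener:accept:302 (<0.530.0>) Accepted connection 45.55.5.246:53652 -> xx.xx.xx.xx:5269
2018-05-27 14:37:44.639 [info] <0.530.0>@ejabberd_s2s_in:handle_auth_failure:205 (tls|<0.530.0>) Failed inbound s2s EXTERNAL authentication pubsub.chatsecure.org -> MYDOMAIN.com (45.55.5.246): unable to get local issuer certificate
"""

# Matches only the s2s authentication result lines in the format shown above.
S2S_AUTH = re.compile(
    r"ejabberd_s2s_(?P<direction>in|out):handle_auth_(?:success|failure):\d+ "
    r"\([^)]*\) (?P<result>Accepted|Failed) (?:inbound|outbound) s2s "
    r"(?P<mech>\S+) authentication (?P<src>\S+) -> (?P<dst>[^\s:]+)"
    r"(?: \((?P<ip>[^)]+)\))?(?:: (?P<reason>.+))?$"
)

# OpenSSL verification error 20: an issuer certificate in the peer's chain
# could not be found in the local trust store.
MISSING_ISSUER = "unable to get local issuer certificate"


def parse_s2s_events(log_text):
    """Return one dict per s2s authentication result line."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := S2S_AUTH.search(line))]


def one_way_trust_failures(events):
    """Map peer -> reason where the peer accepted our certificate on the
    outbound stream but we rejected the peer's certificate on the inbound one."""
    out_ok, in_failed = set(), {}
    for e in events:
        if e["direction"] == "out" and e["result"] == "Accepted":
            out_ok.add(e["dst"])
        elif e["direction"] == "in" and e["result"] == "Failed":
            in_failed[e["src"]] = e["reason"] or "no reason logged"
    return {peer: why for peer, why in in_failed.items() if peer in out_ok}


if __name__ == "__main__":
    for peer, why in one_way_trust_failures(parse_s2s_events(SAMPLE_LOG)).items():
        where = "local CA bundle" if why == MISSING_ISSUER else "see reason"
        print(f"{peer}: inbound EXTERNAL rejected ({why}); check: {where}")
```
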

@laszlovl

I already have s2s_certfile installed in my config. Not enough?

Please bear in mind that I do not seem to have this issue with conversations.im

I will try your solution though

gerroon avatar Jun 18 '18 16:06 gerroon

It's working for me with ejabberd 18.06 pretty good. Please test with a server like conversations.im to make sure there are no problems on your server.

zuglufttier avatar Jul 06 '18 10:07 zuglufttier

It is just a little bit humorous that this ticket exists simultaneously with #1250. pubsub.chatsecure.org does not accept server chains with the DST Root CA X3 cross-signed version of ISRG Root X1 but presents its own chain with the DST Root CA X3 cross-signed version of ISRG Root X1 to other servers.

GigabyteProductions avatar Dec 23 '22 15:12 GigabyteProductions

@GigabyteProductions the same advice given there applies here too

licaon-kter avatar Dec 23 '22 16:12 licaon-kter

I understand

GigabyteProductions avatar Dec 23 '22 16:12 GigabyteProductions