
Peer certificate rejected: Certificate host name mismatch in group messaging

Open logicwonder opened this issue 2 years ago • 6 comments

Environment

  • ejabberd version: 21.04
  • Erlang version: 9.2
  • OS: Linux (Debian)
  • Installed from: source

Errors from error.log/crash.log

No errors

Bug description

We have set up ejabberd federation between two independent ejabberd clusters. Both federations are configured with TLS using a wildcard domain *.xyz.pqr.com from LetsEncrypt.

Federation-1 has vhost abc1.xyz.pqr.com; Federation-2 has vhost abc2.xyz.pqr.com.

A group is created in federation-1 ([email protected]) and the user in federation-2 ([email protected]) is subscribed to this group. The user in federation-2 is trying to send a message to the group in federation-1.

We are getting the following error from the server:

<message xmlns='jabber:client' xml:lang='en-IN' to='[email protected]/client' from='[email protected]' id='LBDQV-332' type='error'>
  <text xmlns='urn:ietf:params:xml:ns:xmpp-stanzas' xml:lang='en'>Peer certificate rejected: Certificate host name mismatch</text>
</message>

The federated group communication was successfully configured and tested earlier and was working up to ejabberd 20.12. We started seeing this error after completing two upgrades, 21.01 and 21.04. All one-to-one messages are successful between these two federations. Am I missing anything here?

logicwonder avatar Apr 11 '22 12:04 logicwonder

I think the error is because the wildcard certificate (*.xyz.pqr.com) supports only up to the 4th-level domain. But [email protected] is in the 5th level.

I tried disabling STARTTLS in S2S with the following configuration:

s2s_use_starttls: false

But now I am getting the following error at client side.

<message
 xmlns='jabber:client'
 xml:lang='en-IN'
 to='[email protected]/client'
 from='[email protected]'
 id='P1Z1T-407'
 type='error'>
  <error type='wait'>
  <remote-server-timeout xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
   <text xmlns='urn:ietf:params:xml:ns:xmpp-stanzas' xml:lang='en'>
    Stream closed by local host: STARTTLS is disabled in local configuration (unsupported-feature)
   </text>
  </error>
</message>

Is STARTTLS for S2S connections made mandatory from 21.04?

logicwonder avatar Apr 12 '22 05:04 logicwonder

@badlop Any clue on where I am going wrong? Is TLS mandatory for S2S federation?

logicwonder avatar Apr 13 '22 07:04 logicwonder

@logicwonder does https://docs.ejabberd.im/admin/configuration/modules/#mod-s2s-dialback help?

licaon-kter avatar Apr 13 '22 08:04 licaon-kter

Yes after enabling mod-s2s-dialback, the communication is happening. That solved my problem.

Now when it comes to enabling TLS for S2S, please clarify how I can solve the "Certificate host name mismatch" error for group communication across federations.

Federation-1

  • Domains: abc1.xyz.pqr.com, conference.abc1.xyz.pqr.com
  • Certificates: *.xyz.pqr.com (LetsEncrypt), conference.abc1.xyz.pqr.com (Self signed)

Federation-2

  • Domains: abc2.xyz.pqr.com, conference.abc2.xyz.pqr.com
  • Certificates: *.xyz.pqr.com (LetsEncrypt), conference.abc2.xyz.pqr.com (Self signed)

Is there any limitation for S2S federation when using wildcard certificates, 5th-level domains or self-signed certificates?

logicwonder avatar Apr 13 '22 09:04 logicwonder
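The following is an added example, not code from the thread or from ejabberd: it applies the standard RFC 6125 wildcard rule (a `*` matches exactly one left-most DNS label) to the four vhosts listed above, which shows why `*.xyz.pqr.com` covers `abc1.xyz.pqr.com` but not the MUC domain `conference.abc1.xyz.pqr.com`. The `hostname_matches` and `covered_domains` helpers are hypothetical names chosen here; the domain names are the ones from the thread.

```python
# Added example (not from the issue or ejabberd): RFC 6125 section 6.4.3
# wildcard matching, which explains the "Certificate host name mismatch"
# for a 5th-level MUC domain under a *.xyz.pqr.com wildcard certificate.

def _label_matches(pattern: str, label: str) -> bool:
    """Match one label of a certificate dNSName against one host label."""
    if pattern == "*":
        return True          # a wildcard label matches exactly one label
    return pattern == label  # partial wildcards such as "abc*" are rejected

def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate dNSName covers ``hostname``.

    Rules applied (RFC 6125, as TLS libraries and browsers implement them):
    * comparison is case-insensitive,
    * a wildcard may only appear as the whole left-most label,
    * the wildcard matches exactly one label, never zero or several,
    * "*" and "*.tld" are never accepted.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "*" in cert_labels[1:] or any("*" in l and l != "*" for l in cert_labels):
        return False  # wildcard outside the first label, or a partial wildcard
    if cert_labels[0] == "*" and len(cert_labels) < 3:
        return False  # "*" or "*.com" would cover far too much
    if len(cert_labels) != len(host_labels):
        return False  # the wildcard cannot absorb an extra label (5th-level case)
    return all(_label_matches(p, l) for p, l in zip(cert_labels, host_labels))

def covered_domains(cert_names, domains):
    """Map each vhost to the first certificate name covering it, or None."""
    return {d: next((c for c in cert_names if hostname_matches(c, d)), None)
            for d in domains}

if __name__ == "__main__":
    federation_domains = [  # the vhosts listed in the thread
        "abc1.xyz.pqr.com", "conference.abc1.xyz.pqr.com",
        "abc2.xyz.pqr.com", "conference.abc2.xyz.pqr.com",
    ]
    for domain, cert in covered_domains(["*.xyz.pqr.com"], federation_domains).items():
        print(f"{domain:32} -> {cert or 'NOT covered by the wildcard'}")
```

A separate self-signed certificate for the conference domain passes this name check but still fails the peer's chain validation, because no trusted CA issued it.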

S2S dialback resolved my issue. The TLS issue still persists.

logicwonder avatar Apr 19 '22 09:04 logicwonder

@prefiks, @badlop: Any ideas about @logicwonder's problem?

Neustradamus avatar Apr 30 '22 21:04 Neustradamus