Hi Lucas,

* Lucas wrote:
> Hi Matthias,
> 
> Matthias Schmidt <[email protected]> wrote:
> > Maybe it's me and my stupidity but since this update I can no longer
> > connect to an XMPP server with a LE certificate.  Both client and server
> > are running -current (server with prosody).  The client reports "Login
> > failed" and the debug log shows:
> > 
> > 19/09/2021 11:16:17: prof: INF: Connecting using account: 
> > [email protected]
> > 19/09/2021 11:16:17: prof: INF: Connecting as 
> > [email protected]/profanity.kTdJ
> > 19/09/2021 11:16:17: prof: DBG: Connecting with flags (0x2):
> > 19/09/2021 11:16:17: prof: DBG:   XMPP_CONN_FLAG_MANDATORY_TLS
> > 19/09/2021 11:16:17: xmpp: DBG: SRV lookup failed, connecting via domain.
> > 19/09/2021 11:16:17: xmpp: DBG: sock_connect() to jabber.xosc.org:5222 
> > returned 7
> > 19/09/2021 11:16:17: xmpp: DBG: Attempting to connect to jabber.xosc.org
> > 19/09/2021 11:16:17: xmpp: DBG: connection successful
> > 19/09/2021 11:16:17: conn: DBG: SENT: <?xml version="1.0"?><stream:stream 
> > to="jabber.xosc.org" xml:lang="en" version="1.0" xmlns="jabber:client" 
> > xmlns:stream="http://etherx.jabber.org/streams";>
> > 19/09/2021 11:16:17: xmpp: DBG: RECV: <stream:stream version="1.0" 
> > id="8c063ebf-77e7-4493-9ac3-79b6b0defa4d" lang="en" from="jabber.xosc.org">
> > 19/09/2021 11:16:17: xmpp: DBG: RECV: <features 
> > xmlns="http://etherx.jabber.org/streams";><starttls 
> > xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls></features>
> > 19/09/2021 11:16:17: conn: DBG: SENT: <starttls 
> > xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
> > 19/09/2021 11:16:17: xmpp: DBG: RECV: <proceed 
> > xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
> > 19/09/2021 11:16:17: xmpp: DBG: handle proceedtls called for proceed
> > 19/09/2021 11:16:17: xmpp: DBG: proceeding with TLS
> > 19/09/2021 11:16:17: tls: DBG: Certificate verification FAILED, 
> > result=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY(20)
> > 19/09/2021 11:16:17: tls: DBG: Certificate was not presented by peer
> > 19/09/2021 11:16:17: tls: DBG: error=SSL_ERROR_SSL(1) errno=0
> > 19/09/2021 11:16:17: tls: DBG: error:14FFF086:SSL 
> > routines:(UNKNOWN)SSL_internal:certificate verify failed
> > 19/09/2021 11:16:17: conn: DBG: Couldn't start TLS! error -3 tls_error 1
> > 19/09/2021 11:16:17: conn: DBG: SENT: </stream:stream>
> > 19/09/2021 11:16:17: xmpp: DBG: Send error occurred, disconnecting.
> > 19/09/2021 11:16:17: xmpp: DBG: Closing socket.
> > 19/09/2021 11:16:17: prof: DBG: Connection handler: XMPP_CONN_DISCONNECT
> > 19/09/2021 11:16:17: prof: DBG: Connection handler: Login failed
> > 19/09/2021 11:16:17: prof: DBG: Connection handler: No reconnect timer
> > 19/09/2021 11:16:17: prof: INF: Login failed
> > 
> > The server simply logs:
> > 
> > Sep 19 09:23:14 omega prosody[38808]: c2s87a60669340: Client connected
> > Sep 19 09:23:16 omega prosody[38808]: c2s87a60669340: Client disconnected: 
> > ssl handshake error: tlsv1 alert unknown ca
> 
> I think something is off in your certs. Running
> 
> Maybe you aren't using the fullchain and instead present the cert for
> just your host? It doesn't show the "middle" cert from LE. This is the
> chain for a correctly verified (from `openssl s_client` point of view)
> cert issued by LE

Darn, it was my stupidity.  My script to renew the LE certificate copied
the single cert into the prosody directory instead of the full chain.  I
fixed the script and now it works as expected.  Thanks!

@Florian: Sorry for the noise!

Cheers

        Matthias
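The root cause above was a renewal script that installed cert.pem (the leaf only) where prosody expected fullchain.pem, so the server never sent the Let's Encrypt intermediate and the client reported X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. The guard below is an added example, not a script from this thread or from prosody: it refuses to deploy a PEM file that holds a single certificate, and, when openssl is available, checks that each certificate's issuer is the subject of the one that follows it. The /etc/letsencrypt and /etc/prosody paths in the usage are assumptions.

```shell
#!/bin/sh
# Guard for a certificate deployment script (added example, not from the thread).
# Refuses to install a PEM file that carries only the leaf certificate instead of
# the full chain, which is exactly the mistake that produced
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY on the client.

# Number of PEM certificate blocks in a file (0 if none; never a non-zero exit).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeeds when the file holds at least two certificates (leaf plus one or more
# intermediates). A single block means cert.pem was copied, not fullchain.pem.
is_fullchain() {
    [ "$(cert_count "$1")" -ge 2 ]
}

# Prints the k-th certificate block of a PEM file (1-based).
nth_cert() {
    awk -v k="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==k' "$1"
}

# Stronger check, needs openssl: each certificate's issuer must equal the subject
# of the next certificate in the file, i.e. the chain actually links up.
chain_links() {
    pem="$1"
    n=$(cert_count "$pem")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(nth_cert "$pem" "$i" | openssl x509 -noout -issuer | sed 's/^issuer=//')
        subject=$(nth_cert "$pem" "$((i + 1))" | openssl x509 -noout -subject | sed 's/^subject=//')
        [ "$issuer" = "$subject" ] || return 1
        i=$((i + 1))
    done
    return 0
}

# Install $1 at $2 only if it passes the checks; otherwise leave the old file alone.
deploy_chain() {
    src="$1"
    dst="$2"
    is_fullchain "$src" || { echo "refusing: $src holds only one certificate" >&2; return 1; }
    if command -v openssl >/dev/null 2>&1; then
        chain_links "$src" || { echo "refusing: certificates in $src do not chain" >&2; return 1; }
    fi
    cp "$src" "$dst"
}

# Usage (assumed paths): deploy_chain /etc/letsencrypt/live/example.org/fullchain.pem \
#                                     /etc/prosody/certs/example.org.crt
if [ "$#" -eq 2 ]; then
    deploy_chain "$1" "$2"
fi
```

Run it as the deploy hook of the renewal job instead of a bare `cp`; a leaf-only file is rejected before prosody ever serves it, and the issuer/subject comparison also catches a fullchain file assembled in the wrong order.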
