[SOLVED] Metronome can't join (resolve?) any other domain

Hello,

Let’s explain all of what happened, so you won’t miss any puzzle pieces.

I already had Let’s Encrypt signed certificates. But when I had to renew them, I tried something else by using the YunoHost solution. So for each of my (sub)domains, I removed my letsencrypt.conf file in /etc/nginx/conf.d/mydomain.tld.d/ and I generated a self-signed certificate, then a LE-signed one.

When I finished doing this manipulation for all of my subdomains, it came to my principal domain. At first, it became complicated because HSTS didn’t appreciate the manipulation. I commented the associated line in nginx, restarted nginx, and then had to use Midori instead of Firefox, which didn’t want to know anything about the new certificate.

So I was able to go to my /yunohost/admin page, and… YunoHost told me that my domain wasn’t ready to install a LE certificate.

Searching on the forum, I found the solution of using the --no-check option in the CLI, so I did it and everything went fine. I reactivated HSTS and my install was complete.

Except that since I did that, Metronome can’t join anyone. In my client (Profanity), I can see these messages, for instance:
Error from dev@conference.yunohost.org: Server-to-server connection failed: DNS resolution failed

and in /var/log/metronome/metronome.log, I got this:
Mar 18 11:13:37 s2sout1803f0 info Out of connection options, can't connect to conference.yunohost.org
Mar 18 11:13:37 s2sout1803f0 info sending error replies for 1 queued stanzas because of failed outgoing connection to conference.yunohost.org

I’m getting the same for every contact, but sometimes, one of them is finally shown connected. This is logged like this:
Mar 18 13:08:12 mydomain.tld:sasl_s2s info Accepting SASL EXTERNAL identity from [CONTACT'S DOMAIN]
Mar 18 13:08:12 s2sin403390 info incoming s2s connection [CONTACT'S DOMAIN] -> mydomain.tld complete

But if I try to communicate, this happens:
Mar 18 13:14:46 s2sout70f1c0 info Out of connection options, can't connect to [CONTACT'S DOMAIN]
Mar 18 13:14:46 s2sout70f1c0 info sending error replies for 1 queued stanzas because of failed outgoing connection to [CONTACT'S DOMAIN]

I thought it was all about LE certs, so I did this, based on the old manipulation you had to do with LE when it wasn’t integrated into YNH:
$ chown root:metronome /etc/yunohost/certs/
$ chmod g+rx /etc/yunohost/certs/

So I looked at the forum, and I found something about a line to delete, resolv-file=, in /etc/dnsmasq.d/domain.tld. I did it for every (sub)domain, but it didn’t fix anything, even after I restarted both dnsmasq and metronome.

I’m totally stuck, can you save me? :slight_smile:

Are you using YunoHost testing?

No, and by the way, here is my version:
# yunohost --version
yunohost: 2.5.6
yunohost-admin: 2.5.1
moulinette: 2.5.2
ssowat: 2.6.4

Ok, I had a similar issue on the stable version with the migration from a StartSSL cert to LE.
I followed the posts you mention and it works.

Up!

My issue is still not fixed, but I found something that might help!

When I try to renew the LE certificate for my domain (which needed --no-checks, remember?), I get this:

Error: [Errno 22] The domain cyphergoat.net cannot be resolved from inside your Yunohost server. This might happen if you recently modified your DNS record. If so, please wait a few hours for it to propagate. If the issue persists, consider adding yourdomain.tld to /etc/hosts. (If you know what you are doing, use --no-checks to disable those checks.)

So I tried to edit /etc/hosts with the following (not at the same time ;)):

10.0.242.1 mydomain.tld
192.168.1.48 mydomain.tld

When I ping mydomain.tld, whichever line I edited in, I get a pong from 192.168.1.48.

What am I doing wrong? Is that linked to my resolv.conf? Is there now some service to restart when you edit /etc/hosts?

Thanks for helping!

Do you use an InternetCube?

Yes I do, sorry for not mentioning that.

Up? Kind of despair here :(…

Did you try something like 127.0.0.1 domain.tld in your /etc/hosts file?

I just did. I could create a new LE certificate without error and without the --no-check option. Thanks for that!

I restarted Metronome & dnsmasq, with and without the line in /etc/hosts. No good news.

One month without XMPP, I’m getting sadder and sadder. Still didn’t find anything. Up ?

By the way, French works too ;). I was aiming for internationalism!

Problem solved!

The solution was about my /etc/resolv.conf file, which was not readable for all: so Metronome couldn’t parse it (cf. /usr/lib/metronome/dns.lua) and so it fell back on 127.0.0.1, which doesn’t resolve anything.

A chmod a+r /etc/resolv.conf solved it all.

PS: I have a cron that plays with /etc/resolv.conf, so of course I modified the user rights on the manipulated files too.

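The failure described in this thread is easy to miss because an unreadable /etc/resolv.conf produces no error from the daemon: Metronome's resolver just falls back to 127.0.0.1 and every s2s connection then fails with "DNS resolution failed". The POSIX shell script below is an added example (it is not from the thread, YunoHost or Metronome) that checks a resolv.conf-style file the way a non-root service user would experience it: it tests the "other read" permission bit (so the check is meaningful even when run as root, which can read anything), lists the nameserver entries, and reports the effective resolver list, with the same 127.0.0.1 fallback the post describes when the file is unreadable or empty. The sample file contents and the path in the usage line are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: would a non-root daemon be able to read
# this resolv.conf, and which nameservers would it end up using?

# Return 0 if the file (following symlinks, since resolv.conf often is one)
# has the "other read" bit set; 2 if it does not exist.
resolv_world_readable() {
    f="$1"
    [ -e "$f" ] || return 2
    # Field 8 of the long listing is the "other" read bit: -rw-r--r--
    perm=$(ls -lL "$f" | cut -c8)
    [ "$perm" = "r" ]
}

# Print the nameserver addresses, one per line, ignoring comments and
# unrelated keywords (search, options, ...). Never fails, so callers can
# use it inside command substitutions under set -e.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1" 2>/dev/null || true
}

# The resolver list a non-root service would actually use: if the file is
# not world-readable or lists no nameserver, the daemon silently falls back
# to 127.0.0.1, which on a box without a local resolver answers nothing.
effective_nameservers() {
    f="$1"
    if resolv_world_readable "$f"; then
        ns=$(resolv_nameservers "$f")
    else
        ns=""
    fi
    if [ -z "$ns" ]; then
        echo "127.0.0.1"
    else
        echo "$ns"
    fi
}

# Human-readable report; exit status 1 means the fallback would be hit.
resolv_report() {
    f="$1"
    if resolv_world_readable "$f"; then
        echo "$f: world-readable"
    else
        echo "$f: NOT readable by non-root services (fix: chmod a+r $f)"
    fi
    echo "effective nameservers:"
    effective_nameservers "$f" | sed 's/^/  /'
    [ "$(effective_nameservers "$f")" != "127.0.0.1" ]
}

# Usage (path is the real system file; the check itself is read-only):
#   resolv_report /etc/resolv.conf
```

When the daemon runs as a dedicated account, the quickest live confirmation is simply to read the file as that user, e.g. `sudo -u metronome cat /etc/resolv.conf`; the script above is for the case where you want a check that also works in a cron job or on a copy of the file. If a cron job rewrites resolv.conf, as the poster's does, run the report after the job so that a regression in the permission bits is caught before the s2s errors appear.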