XMPP clients fail to connect to my server due to invalid TLS certificate


My YunoHost server

Hardware: Raspberry Pi4 at home
YunoHost version: 11.2.5
I have access to my server : Through SSH and through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : yes
If yes, please explain: homemade wireguard vpn on a vps server

Description of my issue

Hello, I’m running a Yunohost server for many months now. Great project.
I’ve several users using XMPP.
All fine till two days ago, when Let’s Encript certificates got renewed. Since then the XMPP clients cannot connect anymore reporting an “invalid TLS certificate” error.

The diagnosis tool shows all right.

I’ve tried:

~# sudo yunohost domain cert status maindomain.tld
    CA_type: letsencrypt
    style: success
    summary: letsencrypt
    validity: 89

I’ve also renewed the certificate through web-admin interface, despite it says “Great! You’re using a valid Let’s Encrypt certificate!”

Any suggestions?

Hi Bionick,

Not really what I’d expect, but worth a try: is everyone using the same client? Could it be that it caches the certificate?

I read your previous thread about renewing the certificate. I do not have a muc.maindomain.tld record in my hosts file, but my certificates renew without a problem. Maybe that thing is related to the connection running over Wireguard?

Anyway, when I try to open muc.maindomain.tld in my browser, it returns an error; the certificate that is shown is self signed. I think it has to do with SSO catching the URL (I get the same warning when connecting to a non-existent sub-domain).

In short: I have no idea how to help you further :frowning:

Thank you very much for your answer. Appreciated.

Nope: the same error happens (with different wording) on:

  • Dino on Linux mobile
  • Conversations on Android
  • Gajim on Windows

I had that same suspicion but @rungeard, who conceived the solution, clearly has no problems. And myself too, the last time I had to force the renewal, but after that it worked just fine.

Yes, just checked, Kaspersky says (apart from translation mistakes): “the certificate chain is incomplete”. Then, clicking on “Show certificate” the information windows specifies “not enough information to verify the certificate”

I have no idea either, but hopefully the info above can give a clue to someone

Some further checks.
I tried to test the domain with this tool.
If I test maindomain.tld I get the following result:

While checking muc.maindomain.tld the result is:

There is a quite long list of details related to last test, i suppose the more relevant are the following:

Here the validity dates puzzle me, the certificate for maindomain.tld is valid from 17 Oct. 2023 to 15 Jan 2024. Those are different. What’s happening?

Nice tool!

I have no clue (yet) what the problem with muc.maindomain.tld is,

but I can shed some light here.

All (fictional) sub.maindomain.tld are caught by SSO and then forwarded to the login page or a the public page (whichever applicable). In case of an existent subdomain, there is a mechanism in place to fetch a Letsencrypt certificate.

In case of a non-existent subdomain, the generic self signed certificate is presented. In the case of muc.maindomaind.tld it is an existent domain (CNAME), but it is not listed for certificate signing requests. I don’t know how CNAME certificates are supposed to work in that respect.

You will observe the same behaviour when you go to buc.maindomain.tld, instead of muc.maindomain.tld (provided you didn’t install any app there…).

I just found that in my case the self signed certificate has expired. leaving me with an even worse situation :wink:

XMPP used to be first class citizen in YNH, and I used it quite a lot. Since I started using (the much heavier, but also much ‘hotter’) Matrix, it fell in disuse. I just tried ringing family members, but Conver6ations does not even give me the call-button anymore :crying_cat_face:

I have some interest in seeing your problem solved, if only because maybe it will also solve my newly found problem with Conver6ations, but unfortunately at the moment I don’t have the time for a thorough troubleshoot.

I hope another reader has any suggestions!

1 Like

We are going in the wrong direction: I’ve just tested the domain of a friend, with a fully functional XMPP service, and I’ve got the exact same result for maindomain.tld and muc.maindomain.tld.
So I no longer know what to try :disappointed_relieved:

I’ve solved!
On the Windows way: reboot the system. I probably should have done it sooner.
I apologize for the inconvenience.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.