Hardware: Raspberry Pi4 at home YunoHost version: 11.2.5 I have access to my server : Through SSH and through the webadmin Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : yes If yes, please explain: homemade wireguard vpn on a vps server
Description of my issue
Hello, I’m running a Yunohost server for many months now. Great project.
I’ve several users using XMPP.
All fine till two days ago, when Let’s Encript certificates got renewed. Since then the XMPP clients cannot connect anymore reporting an “invalid TLS certificate” error.
Not really what I’d expect, but worth a try: is everyone using the same client? Could it be that it caches the certificate?
I read your previous thread about renewing the certificate. I do not have a muc.maindomain.tld record in my hosts file, but my certificates renew without a problem. Maybe that thing is related to the connection running over Wireguard?
Anyway, when I try to open muc.maindomain.tld in my browser, it returns an error; the certificate that is shown is self signed. I think it has to do with SSO catching the URL (I get the same warning when connecting to a non-existent sub-domain).
Nope: the same error happens (with different wording) on:
Dino on Linux mobile
Conversations on Android
Gajim on Windows
I had that same suspicion but @rungeard, who conceived the solution, clearly has no problems. And myself too, the last time I had to force the renewal, but after that it worked just fine.
Yes, just checked, Kaspersky says (apart from translation mistakes): “the certificate chain is incomplete”. Then, clicking on “Show certificate” the information windows specifies “not enough information to verify the certificate”
I have no idea either, but hopefully the info above can give a clue to someone
I have no clue (yet) what the problem with muc.maindomain.tld is,
but I can shed some light here.
All (fictional) sub.maindomain.tld are caught by SSO and then forwarded to the login page or a the public page (whichever applicable). In case of an existent subdomain, there is a mechanism in place to fetch a Letsencrypt certificate.
In case of a non-existent subdomain, the generic self signed certificate is presented. In the case of muc.maindomaind.tld it is an existent domain (CNAME), but it is not listed for certificate signing requests. I don’t know how CNAME certificates are supposed to work in that respect.
You will observe the same behaviour when you go to buc.maindomain.tld, instead of muc.maindomain.tld (provided you didn’t install any app there…).
I just found that in my case the self signed certificate has expired. leaving me with an even worse situation
XMPP used to be first class citizen in YNH, and I used it quite a lot. Since I started using (the much heavier, but also much ‘hotter’) Matrix, it fell in disuse. I just tried ringing family members, but Conver6ations does not even give me the call-button anymore
I have some interest in seeing your problem solved, if only because maybe it will also solve my newly found problem with Conver6ations, but unfortunately at the moment I don’t have the time for a thorough troubleshoot.
We are going in the wrong direction: I’ve just tested the domain of a friend, with a fully functional XMPP service, and I’ve got the exact same result for maindomain.tld and muc.maindomain.tld.
So I no longer know what to try