Expired certificate on pubsub.beta.kontalk.net

#1

Since a few weeks I get a lot of errors from your pubsub node due to none or an expired certificate on your side.

Jul 03 17:10:52 s2sin564fb8faed10       warn    No certificate provided by pubsub.beta.kontalk.net
Jul 03 17:10:52 mod_s2s warn    Forbidding insecure connection to/from pubsub.beta.kontalk.net

Were there any changes to your pubsub node? If there never was any certificate for pubsub.beta.kontalk.net, could you deploy one or is there anything why you do not want a cert there?

#2

Hello and welcome!
Our pubsub node is an internal node living in the server beta.kontalk.net. You can’t really access it directly through pubsub.beta.kontalk.net, that’s a non-existant hostname.

But maybe I understand what you mean. Probably your server can’t handle this use case. What XMPP server are you using?

#3

I am using prosody in latest version (trunk). I am connecting to users on kontalk via normal xmpp, so maybe that is why there are pubsub connections?

#4

Exactly, but Prosody shouldn’t connect directly to pubsub.beta.kontalk.net, it should instead go through beta.kontalk.net. You should look up something in Prosody for this, maybe a configuration entry or a bug - Openfire had I bug like this IIRC.

#5

It looks like your server tries to connect, not the other way around

Sep 04 20:14:58 s2sin55f013025110       debug   Incoming s2s received <stream:stream from='pubsub .beta. kontalk .net' to='domain. org' version='1.0' xmlns='http:// etherx. jabber. org/streams'>
Sep 04 20:14:58 s2sin55f013025110       warn    No certificate provided by pubsub .beta .kontalk .net
Sep 04 20:14:58 domain .org:watchuntrusted      debug   Checking certificate...
Sep 04 20:14:58 mod_s2s warn    Forbidding insecure connection to/from pubsub. beta .kontalk .net
Sep 04 20:14:58 s2sin55f013025110       debug   Sending[s2sin_unauthed]: <?xml version='1.0'?>
Sep 04 20:14:58 s2sin55f013025110       debug   Sending[s2sin_unauthed]: <stream:stream xmlns='jabber:server' xmlns:stream='http ://etherx.j abb er. org/ streams' xml:lang='en' from='domain.o rg' id='68a0fdde-464b-4121-bb98-87c24805c28e' version='1.0' to='pubsub.beta.kontalk. net' xmlns:db='jabber:server:dialback'>
Sep 04 20:14:58 s2sin55f013025110       debug   Disconnecting 46.101.92.252[s2sin_unauthed], <strea m:error> is: <stream:er ror><not-authorized xmlns='urn:ietf:params:xml:ns:xmpp-streams'/><text xmlns='urn:ietf:params:xml:ns:xmpp-streams'>Your server&apos;s certificate is invalid, expired, or not trusted by domain. org</text></stream:error>
Sep 04 20:14:58 s2sin55f013025110       debug   Sending[s2sin_unauthed]: <stream:err or>
Sep 04 20:14:58 s2sin55f013025110       debug   Sending[s2sin_unauthed]: </stream:stream>
Sep 04 20:14:58 s2sin55f013025110       info    Incoming s2s stream pubsub.beta.kontalk.net->domain. org closed: Your server's certificate is invalid, expired, or not trusted by domain. org
Sep 04 20:14:58 s2sin55f013025110       debug   Destroying incoming session pubsub.beta.kontalk.net->domain. org: Your server's certificate is invalid, expired, or not trusted by domain. org
Sep 04 20:14:58 s2sin55f013025110       debug   s2s disconnected: <nil>-><nil> (connection closed)
#6

That’s a dialback connection, because your server requested it. Do you have previous logs when your server decides to contact the pubsub host?

#7

Seems like I missed your reply, sorry. Sadly I cannot provide prosody logs anymore as I migrated to ejabberd (needed for two auth sources at same time).

ejabberd debug logs with this “bug” (i use pastebin this time, shitty “link limit” in codeblock):

https://bin.disroot.org/?29cfbd86b400d92a#GTIVujkgVvZWpAvUTyiHs0NSU5XlQJYAHpG6l92E5JA=

https://bin.disroot.org/?37b6fa6683f10352#4HyLI8Gvlh+HVkep3aTymjgdOMB73t4edlveCyr2Ulk=

#8

Sorry for the late reply. Could you try again now? I think I’ve fixed it somehow.

#9

Yes, the last time the dialback thing happened was on 2019-11-04 21:14:44

Only this is left:

2019-11-04 21:39:40.596 [warning] <0.15687.26>@ejabberd_s2s_out:handle_auth_failure:219 (tls|<0.15687.26>) Failed outbound s2s EXTERNAL authentication domain.org -> beta.kontalk.net (46.101.92.252): Authentication failed: Peer provided no SASL mechanisms; most likely it doesn't accept our certificate

Out of interest, can you please explain what was wrong and how you fixed it? I saw that pubsub.beta.kontalk.net is now a valid hostname and resolves to the same IP as beta.kontalk.net does.