Opened 17 months ago

Closed 17 months ago

Last modified 16 months ago

#12674 closed Bug/Something is broken (fixed)

cannot connect to jabber server (encrypted connection not available on server)

Reported by: https://id.mayfirst.org/soporte Owned by: https://id.mayfirst.org/jamie
Priority: Medium Component: Tech
Keywords: Cc:
Sensitive: no

Description

Since Wednesday 19 I haven't been able to connect to the jabber service.

I'm using the pidgin client, and these are the logs I got from it:

util: Writing file prefs.xml to directory /home/*/.purple
util: Writing file /home/*/.purple/prefs.xml
account: Connecting to account *@im.mayfirst.org/.
connection: Connecting. gc = 0xkey_identifier
dnssrv: querying SRV record for im.mayfirst.org: _xmpp-client._tcp.im.mayfirst.org
dnssrv: res_query returned an error
dnsquery: Performing DNS lookup for im.mayfirst.org
dns: Successfully sent DNS request to child 5507
dns: Got response for 'im.mayfirst.org'
dnsquery: IP resolved for im.mayfirst.org
proxy: Attempting connection to 162.247.75.137
proxy: Connecting to im.mayfirst.org:5222 with no proxy
proxy: Connection in progress
proxy: Connecting to im.mayfirst.org:5222.
proxy: Connected to im.mayfirst.org:5222.
jabber: Sending (*@im.mayfirst.org): <?xml version='1.0' ?>
jabber: Sending (*@im.mayfirst.org): <stream:stream to='im.mayfirst.org' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
jabber: Recv (217): <?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='im.mayfirst.org' id='b12eb570-74c4-42f2-9a58-292193b556ea' xml:lang='en' xmlns='jabber:client'><stream:features/>
connection: Connection error on 0xkey_identifier (reason: 5 description: Necesita cifrado, pero no está disponible esa opción en este servidor.)
account: Disconnecting account *@im.mayfirst.org/ (0xkey_identifier)
connection: Disconnecting connection 0xkey_identifier
jabber: Sending (*@im.mayfirst.org): </stream:stream>
connection: Destroying connection 0xkey_identifier

It seems I'm not the only one with this issue, since other members of our organization cannot connect either.

Change History (6)

comment:1 Changed 17 months ago by https://id.mayfirst.org/cleve

I have been having the same problem with the gajim client. Below is a log of the initial attempted connection after gajim is launched. As far as I can tell, the key lines are these two near the end:

21/04/17 13:27:58 (I) nbxmpp.client_nb While connecting with type = "tls": TLS unsupported by remote server
21/04/17 13:27:58 (I) gajim.c.connection Connecting to next type beacuse desired is tls and returned is plain
21/04/17 13:27:57 (D) gajim.c.resolver resolve _xmpp-client._tcp.im.mayfirst.org type=srv
21/04/17 13:27:57 (D) gajim.c.resolver Starting to resolve _xmpp-client._tcp.im.mayfirst.org using <common.resolver.HostResolver instance at 0x7f5a272eeef0>
21/04/17 13:27:57 (I) nbxmpp.idlequeue read timeout set for fd 3 on 20 seconds
21/04/17 13:27:58 (I) nbxmpp.idlequeue read timeout removed for fd 3
21/04/17 13:27:58 (I) nbxmpp.idlequeue read timeout removed for fd 3
21/04/17 13:27:58 (D) gajim.c.resolver Resolving result for _xmpp-client._tcp.im.mayfirst.org: []
21/04/17 13:27:58 (D) gajim.c.connection Connection to next host
21/04/17 13:27:58 (I) gajim.c.connection >>>>>> Connecting to im.mayfirst.org [im.mayfirst.org:5222], type = tls
21/04/17 13:27:58 (I) nbxmpp.plugin Plugging <nbxmpp.transports_nb.NonBlockingTCP instance at 0x7f5a273f28c0> __INTO__ <nbxmpp.client_nb.NonBlockingClient instance at 0x7f5a273f2bd8>
21/04/17 13:27:58 (I) nbxmpp.transports_nb NonBlockingTCP Connect :: About to connect to 162.247.75.137:5222
21/04/17 13:27:58 (I) nbxmpp.transports_nb Plugging fd 3, W:True, R:False
21/04/17 13:27:58 (I) nbxmpp.idlequeue read timeout set for fd 3 on 30 seconds
21/04/17 13:27:58 (I) nbxmpp.transports_nb After NB connect() of 140025182234816. "Operation now in progress" raised => CONNECTING
21/04/17 13:27:58 (I) nbxmpp.transports_nb pollout called, state == CONNECTING
21/04/17 13:27:58 (I) nbxmpp.transports_nb 140025182234816 socket wrapper connected
21/04/17 13:27:58 (I) nbxmpp.idlequeue read timeout removed for fd 3
21/04/17 13:27:58 (I) nbxmpp.transports_nb Plugging fd 3, W:False, R:False
21/04/17 13:27:58 (I) nbxmpp.client_nb -------------xmpp_connect_machine() >> mode: None, data: None...
21/04/17 13:27:58 (I) nbxmpp.plugin Plugging <nbxmpp.dispatcher_nb.XMPPDispatcher instance at 0x7f5a273f2cf8> __INTO__ <nbxmpp.client_nb.NonBlockingClient instance at 0x7f5a273f2bd8>
21/04/17 13:27:58 (D) nbxmpp.dispatcher_nb Registering namespace "unknown"
21/04/17 13:27:58 (D) nbxmpp.dispatcher_nb Registering protocol "unknown" as <class 'nbxmpp.protocol.Protocol'>(unknown)
21/04/17 13:27:58 (D) nbxmpp.dispatcher_nb Registering protocol "default" as <class 'nbxmpp.protocol.Protocol'>(unknown)
21/04/17 13:27:58 (D) nbxmpp.dispatcher_nb Registering namespace "http://etherx.jabber.org/streams"
21/04/17 13:27:58 (D) nbxmpp.dispatcher_nb Registering protocol "unknown" as <class 'nbxmpp.protocol.Protocol'>(http://etherx.jabber.org/streams)
21/04/17 13:27:58 (D) nbxmpp.dispatcher_nb Registering protocol "default" as <class 'nbxmpp.protocol.Protocol'>(http://etherx.jabber.org/streams)
21/04/17 13:27:58 (D) nbxmpp.dispatcher_nb Registering namespace "jabber:client"
21/04/17 13:27:58 (D) nbxmpp.dispatcher_nb Registering protocol "unknown" as <class 'nbxmpp.protocol.Protocol'>(jabber:client)
21/04/17 13:27:58 (D) nbxmpp.dispatcher_nb Registering protocol "default" as <class 'nbxmpp.protocol.Protocol'>(jabber:client)
21/04/17 13:27:58 (D) nbxmpp.dispatcher_nb Registering protocol "iq" as <class 'nbxmpp.protocol.Iq'>(jabber:client)
21/04/17 13:27:58 (D) nbxmpp.dispatcher_nb Registering protocol "presence" as <class 'nbxmpp.protocol.Presence'>(jabber:client)
21/04/17 13:27:58 (D) nbxmpp.dispatcher_nb Registering protocol "message" as <class 'nbxmpp.protocol.Message'>(jabber:client)
21/04/17 13:27:58 (D) nbxmpp.simplexml Preparing to handle incoming XML stream.
21/04/17 13:27:58 (I) nbxmpp.transports_nb Plugging fd 3, W:True, R:True
21/04/17 13:27:58 (I) nbxmpp.client_nb setting RECEIVE_DOCUMENT_ATTRIBUTES on next receive
21/04/17 13:27:58 (I) nbxmpp.transports_nb pollout called, state == CONNECTED
21/04/17 13:27:58 (I) nbxmpp.transports_nb Plugging fd 3, W:False, R:True
21/04/17 13:27:58 (I) nbxmpp.client_nb raising event from transport: :::::DATA SENT::::
_____________
<?xml version='1.0'?><stream:stream xmlns="jabber:client" to="im.mayfirst.org" version="1.0" xmlns:stream="http://etherx.jabber.org/streams" xml:lang="en" >
_____________

21/04/17 13:27:58 (D) gajim.c.ged stanza-sent
Args: (<common.connection_handlers_events.StanzaSentEvent object at 0x7f5a22824f50>,)
21/04/17 13:27:58 (I) nbxmpp.transports_nb pollin called, state == CONNECTED
21/04/17 13:27:58 (I) nbxmpp.idlequeue read timeout removed for fd 3
21/04/17 13:27:58 (I) nbxmpp.client_nb raising event from transport: :::::DATA RECEIVED::::
_____________
<?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='im.mayfirst.org' id='4d6cb5a7-5a62-4ee9-84e7-76d0f1004cca' xml:lang='en' xmlns='jabber:client'><stream:features/>
_____________

21/04/17 13:27:58 (D) gajim.c.ged stanza-received
Args: (<common.connection_handlers_events.StanzaReceivedEvent object at 0x7f5a22824f50>,)
21/04/17 13:27:58 (I) nbxmpp.client_nb -------------xmpp_connect_machine() >> mode: RECEIVE_DOCUMENT_ATTRIBUTES, data: <?xml version='1.0'?...
21/04/17 13:27:58 (I) nbxmpp.simplexml STARTTAG.. DEPTH -> 1 , tag -> stream:stream, attrs -> {u'xmlns': u'jabber:client', u'from': u'im.mayfirst.org', u'xml:lang': u'en', u'version': u'1.0', u'xmlns:stream': u'http://etherx.jabber.org/streams', u'id': u'4d6cb5a7-5a62-4ee9-84e7-76d0f1004cca'}
21/04/17 13:27:58 (I) nbxmpp.simplexml STARTTAG.. DEPTH -> 2 , tag -> stream:features, attrs -> {}
21/04/17 13:27:58 (I) nbxmpp.simplexml DEPTH -> 2 , tag -> stream:features
21/04/17 13:27:58 (D) nbxmpp.dispatcher_nb Got http://etherx.jabber.org/streams/features stanza
21/04/17 13:27:58 (I) nbxmpp.client_nb got STREAM FEATURES in first recv
21/04/17 13:27:58 (I) nbxmpp.client_nb -------------xmpp_connect_machine() >> mode: STREAM_STARTED, data: None...
21/04/17 13:27:58 (I) nbxmpp.client_nb While connecting with type = "tls": TLS unsupported by remote server
21/04/17 13:27:58 (I) gajim.c.connection Connecting to next type beacuse desired is tls and returned is plain
21/04/17 13:27:58 (D) gajim.c.connection Connection to next host
21/04/17 13:27:58 (D) gajim.c.connection Out of hosts, giving up connecting to im.mayfirst.org
21/04/17 13:27:58 (D) gajim.c.ged our-show
Args: (<common.connection_handlers_events.OurShowEvent object at 0x7f5a22824f10>,)
21/04/17 13:27:58 (D) gajim.c.ged connection-lost
Args: (<common.connection_handlers_events.ConnectionLostEvent object at 0x7f5a22824e50>,)

comment:2 Changed 17 months ago by https://id.mayfirst.org/jaimev

  • Owner set to https://id.mayfirst.org/jamie
  • Status changed from new to assigned

Let's get jamie's input on this.

comment:3 follow-up: Changed 17 months ago by https://id.mayfirst.org/jamie

Ack - I'm really sorry! The problem started when I replaced our cert for im.mayfirst.org with a Let's Encrypt cert.

However, Let's Encrypt certs are only readable by root and prosody, apparently, doesn't start as root and drop privileges, so the prosody user has to be able to read the key. Furthermore, prosody doesn't seem to use any extra groups it is part of...

I just updated our letsencrypt permissions to allow prosody to read the key. Can you try it again?

Also, I would like to deprecate the xmpp identities ending in @im.mayfirst.org in favor of the shorter @mayfirst.org (which now works).

I know it's a pain (since you lose your contacts) but if you can switch to @mayfirst.org it should be more stable for you (since that is what I use and test regularly).
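As an added example (not code from the ticket, nor from Prosody, Pidgin or gajim), this Python shows the two checks the thread turns on: what a client should do when the server's first stream features carry no STARTTLS offer (the "TLS unsupported by remote server" / "reason: 5" failure in the logs above), and whether a non-root service account can read a key file by its owner, group and mode bits (the permission problem behind it). The feature stanzas are constructed samples.

```python
"""Added example: STARTTLS-offer decision and key-file readability check."""
import os
import stat
import xml.etree.ElementTree as ET

STREAMS_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed samples. FEATURES_BROKEN mirrors the empty <stream:features/>
# the server returned in the logs; FEATURES_OK is what a server with a
# readable key normally advertises before authentication.
FEATURES_BROKEN = "<stream:features xmlns:stream='%s'/>" % STREAMS_NS
FEATURES_OK = (
    "<stream:features xmlns:stream='%s'>"
    "<starttls xmlns='%s'><required/></starttls>"
    "</stream:features>" % (STREAMS_NS, TLS_NS)
)


def starttls_offer(features_xml):
    """Return (offered, required) for a <stream:features> element."""
    root = ET.fromstring(features_xml)
    node = root.find("{%s}starttls" % TLS_NS)
    if node is None:
        return (False, False)
    return (True, node.find("{%s}required" % TLS_NS) is not None)


def next_step(features_xml, require_encryption=True):
    """Client's next action: 'starttls', 'plain' or 'abort'.

    A client configured to require encryption aborts rather than falling
    back to plaintext, which is exactly what Pidgin and gajim did here."""
    offered, _required = starttls_offer(features_xml)
    if offered:
        return "starttls"
    return "abort" if require_encryption else "plain"


def readable_by(mode, file_uid, file_gid, uid, gids):
    """Can a process running as uid (supplementary groups gids) read a file
    with these owner/group/mode bits? Root's bypass and ACLs are ignored on
    purpose: the point is a service that does not run as root."""
    if file_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def key_readable_by(path, uid, gids):
    """Same check against a real file on disk."""
    st = os.stat(path)
    return readable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids)
```

Running `key_readable_by` against the key path with the service account's uid and group set, before restarting the daemon, would have caught this outage before any client saw an empty feature list.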

comment:4 Changed 17 months ago by https://id.mayfirst.org/carlosm

  • Resolution set to fixed
  • Status changed from assigned to closed

I was experiencing the same problem:

xml:lang='en' xmlns='jabber:client'><stream:features/> connection: Connection error on 0xkey_identifier (reason: 5 description: Necesita cifrado, pero no está disponible esa opción en este servidor.)

But now (18/04/2017) everything works fine.

Thanks a lot for your support.

carlos

comment:5 in reply to: ↑ 3 Changed 17 months ago by https://id.mayfirst.org/soporte

Ok. A few minutes ago I tried to switch to mayfirst.org, but an SSL error warned about the change of the mayfirst certificate. It provides a fingerprint. Where can I verify it?

Replying to https://id.mayfirst.org/jamie:

Ack - I'm really sorry! The problem started when I replaced our cert for im.mayfirst.org with a Let's Encrypt cert.

However, Let's Encrypt certs are only readable by root and prosody, apparently, doesn't start as root and drop privileges, so the prosody user has to be able to read the key. Furthermore, prosody doesn't seem to use any extra groups it is part of...

I just updated our letsencrypt permissions to allow prosody to read the key. Can you try it again?

Also, I would like to deprecate the xmpp identities ending in @im.mayfirst.org in favor of the shorter @mayfirst.org (which now works).

I know it's a pain (since you lose your contacts) but if you can switch to @mayfirst.org it should be more stable for you (since that is what I use and test regularly).

comment:6 Changed 16 months ago by https://id.mayfirst.org/jamie

Sorry for the slow answer.

I'm not sure which domain name you are using or what hash is being used... but here are the sha1 fingerprints:

0 mcchesney:/etc/prosody/conf.d# openssl x509 -fingerprint -noout -in /etc/ssl/im.mayfirst.org.le.fullchain.pem 
SHA1 Fingerprint=1F:F6:59:41:66:14:63:6A:C6:1D:6E:F3:79:9B:D1:6E:77:BF:02:5A
0 mcchesney:/etc/prosody/conf.d# openssl x509 -fingerprint -noout -in /etc/ssl/mayfirst.org.crt
SHA1 Fingerprint=69:7E:BA:97:1A:6B:C0:31:59:F1:22:6C:61:7F:8A:C0:2E:08:73:CC
0 mcchesney:/etc/prosody/conf.d# 

And here is the md5:

0 mcchesney:/etc/prosody/conf.d# openssl x509 -md5 -fingerprint -noout -in /etc/ssl/im.mayfirst.org.le.fullchain.pem 
MD5 Fingerprint=EC:8D:C8:67:80:1A:51:22:F2:CF:E8:5C:7A:4D:A4:D6
0 mcchesney:/etc/prosody/conf.d# openssl x509 -md5 -fingerprint -noout -in /etc/ssl/mayfirst.org.crt
MD5 Fingerprint=63:44:62:F8:01:EF:82:EF:A2:EC:CF:48:29:A6:7C:0C
0 mcchesney:/etc/prosody/conf.d#
