#1059 Prosody rejects s2s to servers providing a full certificate chain
Reporter: Kiyoshi Aman
Owner: Zash
Stars: ★ (1)
Tags: Priority-Medium, Type-Defect, Status-Invalid
Kiyoshi Aman
What steps will reproduce the problem?
1. Set up a server which has the full certificate chain in the certificate file.
2. Create user on this server.
3. Attempt to add this user from another prosody instance.
What is the expected output?
I should be able to add users from such servers.
What do you see instead?
Dec 15 02:46:55 s2sout55a0098f1120 debug certificate chain validation result: invalid
Dec 15 02:46:55 s2sout55a0098f1120 debug certificate error(s) at depth 3: self signed certificate in certificate chain
What version of the product are you using? On what operating system?
0.10.0 as shipped by Alpine Linux.
Please provide any additional information below.
Zash
That error most likely means that you don't have the root certificate, or Prosody could not find it.
Check that any root certificate package is installed and that Prosody can find them. By default, Prosody looks in /etc/ssl/certs.
Changes
owner Zash
tags Status-NeedInfo
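The diagnosis in the comment above, reproduced as an added example that is not part of the original thread: a peer sends a chain ending in a self-signed root, and validation fails until that root is present in the verifier's trust directory. It assumes the `openssl` command-line tool (1.1.0 or later) and uses constructed throwaway certificates with made-up names; the constructed chain has no intermediates, so the error is reported at depth 1 rather than depth 3.

```shell
#!/bin/sh
# Added example. Every key and certificate is a throwaway constructed here.
# Assumes the OpenSSL 1.1.0+ command-line tool; all file names are made up.

# make_chain DIR: create a constructed root CA and a leaf certificate it signs.
make_chain() (
  cd "$1" || exit 1
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo Root
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 2 \
    -keyout root.key -out root.pem 2>/dev/null &&
  openssl req -new -config ca.cnf -subj "/CN=xmpp.example" -newkey rsa:2048 \
    -nodes -keyout leaf.key -out leaf.csr 2>/dev/null &&
  openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -out leaf.pem 2>/dev/null
)

# verify_with_store DIR STORE: validate the chain a peer would send (leaf plus
# its self-signed root, both untrusted input) against trust directory STORE.
verify_with_store() {
  openssl verify -no-CAfile -CApath "$2" -untrusted "$1/root.pem" \
    "$1/leaf.pem" 2>&1
}

# trust_root DIR STORE: add the root to STORE under <subject-hash>.0, the file
# name OpenSSL's CApath lookup searches for.
trust_root() {
  cp "$1/root.pem" "$2/$(openssl x509 -noout -subject_hash -in "$1/root.pem").0"
}

demo() {
  d=$(mktemp -d) && mkdir "$d/store" && make_chain "$d" || return 1
  echo "Root missing from the trust directory:"
  verify_with_store "$d" "$d/store"   # fails with error 19
  echo "Root installed in the trust directory:"
  trust_root "$d" "$d/store"
  verify_with_store "$d" "$d/store"   # leaf.pem: OK
  rm -rf "$d"
}
demo
```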
Kiyoshi Aman
Apologies for the lack of response.
It appears to have been due to an outdated ca-certificates package.
Ok, thanks, I'll close this then.
Changes