#1059 Prosody rejects s2s to servers providing a full certificate chain

Reporter Kiyoshi Aman
Owner Zash
Created
Updated
Stars ★ (1)  
Tags
  • Priority-Medium
  • Type-Defect
  • Status-Invalid
  1. Kiyoshi Aman on

    What steps will reproduce the problem?

    1. Set up a server which has the full certificate chain in the certificate file.
    2. Create user on this server.
    3. Attempt to add this user from another Prosody instance.

    What is the expected output?

    I should be able to add users from such servers.

    What do you see instead?

        Dec 15 02:46:55 s2sout55a0098f1120 debug certificate chain validation result: invalid
        Dec 15 02:46:55 s2sout55a0098f1120 debug certificate error(s) at depth 3: self signed certificate in certificate chain

    What version of the product are you using? On what operating system?

    0.10.0 as shipped by Alpine Linux.

    Please provide any additional information below.

  2. Zash on

    That error most likely means that you don't have the root certificate, or Prosody could not find it. Check that any root certificate package is installed and that Prosody can find them. By default, Prosody looks in /etc/ssl/certs.

    Changes
    • tags Status-NeedInfo
    • owner Zash
  3. Kiyoshi Aman on

    Apologies for the lack of response. It appears to have been due to an outdated ca-certificates package.

  4. Zash on

    Ok, thanks, I'll close this then.

    Changes
    • tags Status-Invalid
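
The check suggested in this thread, as an added example that is not part of the original issue or of Prosody: the script lists each certificate in a PEM bundle by depth and reports whether the root it leads to is present in the trust directory under the hash-based file name that OpenSSL's directory lookup uses. The function name `check_chain_root` and the leaf-first ordering of the bundle are assumptions.

```shell
#!/bin/sh
# Added example, not from the issue thread. check_chain_root is a hypothetical
# helper; it assumes the bundle is ordered leaf first, root (if sent) last.
# Returns 0 if the root is in CAPATH, 1 if it is missing, 2 on bad input.
check_chain_root() {
    chain=$1
    capath=${2:-/etc/ssl/certs}   # default lookup directory named in the thread
    [ -r "$chain" ] && [ -d "$capath" ] || return 2
    tmp=$(mktemp -d) || return 2

    # Split the bundle into one file per certificate: cert1.pem is the leaf.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/cert" n ".pem") }' "$chain"

    # Walk the chain with OpenSSL's depth numbering (leaf = depth 0).
    i=1; last=
    while [ -f "$tmp/cert$i.pem" ]; do
        last="$tmp/cert$i.pem"
        echo "depth $((i - 1)):"
        openssl x509 -noout -subject -issuer -in "$last" | sed 's/^/  /'
        i=$((i + 1))
    done
    if [ -z "$last" ]; then rm -rf "$tmp"; return 2; fi

    # The issuer of the last certificate is the root (a self-signed root sent
    # by the peer is its own issuer). A directory lookup searches for files
    # named <subject-hash>.<n>, so look for that name in CAPATH.
    hash=$(openssl x509 -noout -issuer_hash -in "$last" 2>/dev/null)
    rm -rf "$tmp"
    [ -n "$hash" ] || return 2
    status=1
    for f in "$capath/$hash".*; do
        [ -e "$f" ] && status=0
    done
    if [ "$status" -eq 0 ]; then
        echo "root $hash found in $capath"
    else
        echo "root $hash not in $capath: install or update the CA bundle package"
    fi
    return "$status"
}

if [ "$#" -gt 0 ]; then check_chain_root "$@"; fi
```

The check matches by file name only, so a hit means the trust directory has an entry for that subject name, not that the full chain validates.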
