Failed inbound s2s EXTERNAL authentication pubsub.chatsecure.org #1024

Open
gerroon opened this issue May 27, 2018 · 9 comments

gerroon commented May 27, 2018

I am creating a new bug based on a conversation in #1017

I am not sure how push should work with Chatsecure on iOS. I definitely can't get messages if the app is killed but I can get messages if the app is in the background.

I have XEP-0357 (mod_push) enabled in Ejabberd.

I see this message when the app is killed or not running.

jabberd_s2s_in:handle_auth_failure:205 (tls|<0.539.0>) Failed inbound s2s EXTERNAL authentication pubsub.chatsecure.org -> MYDOMAIN

I see this message in Ejabberd log if the app is in the background

2018-05-27 13:13:19.316 [info] <0.542.0>@mod_push:enable:308 Enabling push notifications for USER@MYDOMAIN/USER-chatsecure

Looking at this I am not sure if it is working or not, it looks like it kind of works?

gerroon changed the title from "handle_auth_failure" to "Failed inbound s2s EXTERNAL authentication pubsub.chatsecure.org" on May 27, 2018

gerroon commented May 27, 2018

I also see this in the log

@ejabberd_s2s_in:handle_auth_failure:205 (tls|<0.520.0>) Failed inbound s2s EXTERNAL authentication pubsub.chatsecure.org -> MYDOMAIN (45.55.5.246): unable to get local issuer certificate


gerroon commented May 27, 2018

OK, here is the exact chain of events when a message is sent from Conversations to Chatsecure (iOS)

2018-05-27 14:37:40.519 [info] <0.529.0>@ejabberd_s2s_out:init:281 Outbound s2s connection started: MYDOMAIN.com -> pubsub.chatsecure.org
2018-05-27 14:37:42.696 [info] <0.529.0>@ejabberd_s2s_out:handle_auth_success:217 (tls|<0.529.0>) Accepted outbound s2s EXTERNAL authentication MYDOMAIN.com -> pubsub.chatsecure.org (45.55.5.246)
2018-05-27 14:37:43.623 [info] <0.376.0>@ejabberd_listener:accept:302 (<0.530.0>) Accepted connection 45.55.5.246:53652 -> xx.xx.xx.xx:5269
2018-05-27 14:37:44.639 [info] <0.530.0>@ejabberd_s2s_in:handle_auth_failure:205 (tls|<0.530.0>) Failed inbound s2s EXTERNAL authentication pubsub.chatsecure.org -> MYDOMAIN.com (45.55.5.246): unable to get local issuer certificate


jnaeff commented Jun 14, 2018

I have the same problem here.

@laszlovl

You're probably hitting this issue in Ejabberd: processone/ejabberd#2186

Try adding to your ejabberd config: s2s_cafile: "/etc/ssl/certs/ca-certificates.crt"
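The log pattern reported in this thread (outbound EXTERNAL accepted, inbound EXTERNAL failing with an issuer error) can be picked out of an ejabberd log mechanically. The following is an added example, not part of the original thread and not ejabberd code; the function names and hint labels are hypothetical, and the regex assumes the log format exactly as quoted above.

```python
import re
from collections import defaultdict

# Sample input: the four ejabberd log lines quoted earlier in this issue.
SAMPLE_LOG = """\
2018-05-27 14:37:40.519 [info] <0.529.0>@ejabberd_s2s_out:init:281 Outbound s2s connection started: MYDOMAIN.com -> pubsub.chatsecure.org
2018-05-27 14:37:42.696 [info] <0.529.0>@ejabberd_s2s_out:handle_auth_success:217 (tls|<0.529.0>) Accepted outbound s2s EXTERNAL authentication MYDOMAIN.com -> pubsub.chatsecure.org (45.55.5.246)
2018-05-27 14:37:43.623 [info] <0.376.0>@ejabberd_listener:accept:302 (<0.530.0>) Accepted connection 45.55.5.246:53652 -> xx.xx.xx.xx:5269
2018-05-27 14:37:44.639 [info] <0.530.0>@ejabberd_s2s_in:handle_auth_failure:205 (tls|<0.530.0>) Failed inbound s2s EXTERNAL authentication pubsub.chatsecure.org -> MYDOMAIN.com (45.55.5.246): unable to get local issuer certificate
"""

# s2s auth result lines; the direction comes from the module name (s2s_in / s2s_out).
AUTH_RE = re.compile(
    r"ejabberd_s2s_(?P<dir>in|out):handle_auth_(?P<result>success|failure):\d+ \S+ "
    r"(?:Accepted|Failed) \w+ s2s (?P<mech>\S+) authentication "
    r"(?P<src>\S+) -> (?P<dst>\S+)(?: \((?P<ip>[^)]+)\))?(?:: (?P<reason>.+))?$"
)
ISSUER_ERR = "unable to get local issuer certificate"  # OpenSSL verify error 20

def summarize(log_text):
    """Group s2s auth results by remote domain: {peer: {"in": [...], "out": [...]}}."""
    peers = defaultdict(lambda: {"in": [], "out": []})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # listener accepts, connection starts, unrelated modules
        # The remote side is the source of inbound and the target of outbound links.
        peer = m["src"] if m["dir"] == "in" else m["dst"]
        peers[peer][m["dir"]].append((m["result"], m["reason"]))
    return dict(peers)

def diagnose(summary):
    """Heuristic hint per peer, based only on the pattern discussed in this thread."""
    hints = {}
    for peer, seen in summary.items():
        out_ok = any(r == "success" for r, _ in seen["out"])
        in_issuer = any(r == "failure" and why == ISSUER_ERR for r, why in seen["in"])
        if in_issuer and out_ok:
            # The peer accepted our certificate; we could not chain theirs to a trusted CA.
            hints[peer] = "local-trust-store"
        elif in_issuer:
            hints[peer] = "issuer-unknown"
        elif any(r == "failure" for r, _ in seen["in"] + seen["out"]):
            hints[peer] = "other-failure"
        else:
            hints[peer] = "ok"
    return hints
```

For the sample lines, `diagnose(summarize(SAMPLE_LOG))` marks pubsub.chatsecure.org as `local-trust-store`: the local certificate was accepted by the peer, while the peer's chain could not be verified locally, which is the case the `s2s_cafile` suggestion above addresses.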


gerroon commented Jun 18, 2018

@laszlovl

I already have s2s_certfile installed in my config. Not enough?

Please bear in mind that I do not seem to have this issue with conversations.im

I will try your solution though

@zuglufttier

It's working for me with ejabberd 18.06 pretty well. Please test with a server like conversations.im to make sure there are no problems on your server.

@GigabyteProductions

It is just a little bit humorous that this ticket exists simultaneously with #1250. pubsub.chatsecure.org does not accept server chains with the DST Root CA X3 cross-signed version of ISRG Root X1 but presents its own chain with the DST Root CA X3 cross-signed version of ISRG Root X1 to other servers.

@licaon-kter
Contributor

@GigabyteProductions the same advice given there applies here too

@GigabyteProductions

I understand
