When I tried to use a Let's Encrypt certificate instead of a self-signed one with the server-mode XMPP frontend, I couldn't get the clients to properly verify the cert.
Turns out the certificate chain as presented by Spectrum is incomplete and contains only the server cert, while it should also present the CA cert if present in the pkcs12, so the intermediate certificate can be verified against the root certs.
Cert on Spectrum's server that fails verification:
```
CONNECTED(00000003)
depth=0 CN = redacted.domain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = redacted.domain.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=redacted.domain.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
```
Cert on ejabberd, verified correctly:
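Added example, not part of the original issue or of Spectrum's code: a Python check that parses the `Certificate chain` section of `openssl s_client` output and names the issuer a client cannot resolve from what the server presented. The complete-chain sample and the `TRUSTED_ROOTS` set are constructed assumptions, and matching is by name only, not by signature.

```python
import re

# s_client output quoted in the issue: only the leaf certificate is presented.
LEAF_ONLY = """\
Certificate chain
 0 s:/CN=redacted.domain.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
"""
# Constructed sample: the same server if it also sent the intermediate.
WITH_INTERMEDIATE = """\
Certificate chain
 0 s:/CN=redacted.domain.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""
# Assumption: subject names of the roots in the client's trust store.
TRUSTED_ROOTS = {"/O=Digital Signature Trust Co./CN=DST Root CA X3"}


def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] from the 'Certificate chain' section."""
    chain, subject, in_section = [], None, False
    for line in s_client_output.splitlines():
        text = line.strip()
        if text == "Certificate chain":
            in_section = True
        elif in_section and text == "---":
            break
        elif in_section and (m := re.match(r"\d+\s+s:(.*)", text)):
            subject = m.group(1)
        elif in_section and text.startswith("i:") and subject is not None:
            chain.append((subject, text[2:]))
            subject = None
    return chain


def missing_issuer(chain, trusted_roots):
    """Return the issuer name a client cannot resolve, or None if the chain
    links up to a trusted root. Compares names only, not signatures."""
    if not chain:
        raise ValueError("no certificates presented")
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return issuer
    last_subject, last_issuer = chain[-1]
    trusted = last_issuer in trusted_roots or last_subject in trusted_roots
    return None if trusted else last_issuer
```

For the leaf-only output, `missing_issuer` returns the Let's Encrypt Authority X3 name, which corresponds to the `unable to get local issuer certificate` error in the output above.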