Client cannot connect to ejabberd (SSL Certificate verification failed)

Good morning, can anyone help me? I set up NethServer on a machine and I already have root access as normal, but when testing the chat service (ejabberd) I had no success. I have already tested several clients, such as Gajim and Pidgin, but none of them works. For example, with Gajim I can even connect to the server, but it asks me for a valid certificate… With Pidgin I can’t connect at all, nor create users on the web page. Can anyone help?


ERROR ATTACHED

Hi @ediljr_freitas

And welcome to the NethServer forum!

You do not provide any information about your server…
Do you have LetsEncrypt installed and setup as default?

Nowadays, it’s almost impossible to use anything on the Internet without valid SSL certs.
If you want it to work stably, you should get LetsEncrypt working.

And:

Screenshots in Spanish?

This is basically an English-speaking forum.
My Spanish is horrible, I can maybe order a beer, but that’s about it!
So please set the language in Cockpit to English before any screenshots - this way, many more people can help you!

My 2 cents
Andy

I don’t understand Spanish.
But IMVHO Gajim says that the certificate is not valid. Unless you have a signed certificate from a known CA, it’s quite “normal”.
Gajim also allows you to add the certificate to the trusted ones, then allow the connection.

Hi, thank you very much for the reply, and sorry for my ignorance in posting the screenshot in my language.
And yes, I have LetsEncrypt installed and configured as default. I have already tried adding the certificate in the software itself, but it always returns the same window asking me to mark the certificate as trusted…

Do you know of any software that would work for me to get the chat running?

Or is there some way to configure this software…?

Again… I don’t understand Spanish. I have happened to see similar messages from other software.
Being Italian, it’s possible for me to sometimes have a hunch about the meaning, but I don’t speak Spanish so I cannot help you in that language.

Beg your pardon.

hi, thank you very much for the answer, sorry for the ignorance of having put the print in my language.
And yes, I have LetsEncrypt installed and configured by default, I have already tried to add the certificate to the software itself, but it always returns the same window asking me to put the certificate as trusted…

Do you know any software that can answer me to activate the chat?

or is there any way to configure this software ….?

corp.com does not seem to be a valid domain to me…

Panel
Equipment
ASUS All Series

CPU
Intel(R) Celeron(R) CPU J1800 @ 2.41GHz x 2

Kernel Version
3.10.0-1160.62.1.el7.x86_64

Operational system
NethServer release 7.9.2009 (final)

Charge 1 / 5 / 15 minutes
3.43 / 0.99 / 0.49

connected to
0d 3h 30m 12s

Machine name / Name
spring.corp.com

DNS
8.8.8.8 , 8.8.4.4
system time
Thu May 5 12:09:47 -03 2022

Company
spring

Energy

This hostname is not public. And as far as I know, corp.com is registered to a company for domain services, MarkMonitor.

Long story short: LetsEncrypt works only for public and recognized hostnames. Otherwise, it is still a self-signed certificate.
Then, it’s time to read the Gajim documentation to configure it to behave the way you want.
Currently, the verification fails because the certificate is invalid. So the message is correct and reflects the status.

Friend, how do I get this public name? Would it be the public IP?

This information I sent is from my server

Because that was actually the name I put in the domain configuration

I see. But anyway, long story short, having a valid certificate using LetsEncrypt depends on several factors:

  • Public static IP
  • Registered domain with access to DNS panel (direct or through service provider… not the one of the internet connection but of the domain)
  • NethServer configured with the designated hostname (and internal DNS should resolve it as that with private IP or via NAT-loopback if possible)
  • NethServer published at least with 80 and 443 ports (public IP on RED or port forwarding)
  • DNS A record for the host related to the static IP
  • Optional but useful: PTR record for reverse lookup. Your ISP should be contacted for that.

When you have a grip on what those steps mean, and if all the required things are already available (static public IP, domain, access to DNS panel, support contact with the ISP provider), it takes no more than 3/4 days to accomplish that.

The first time, the most important things are:

  • Read thoroughly the NethServer documentation (taking notes)
  • Read thoroughly router/firewall documentation (if the role is not taken by NethServer)
  • Make a plan, possibly detailed, for the steps to make. Then expand it to little steps made for every stage of the main plan. Also consider rollbacks
  • Let it sit for a night
  • Review the plan, stage by stage, step by step
  • Do your thing

On the other hand…
The Gajim team knows that something is not working great with SSL

If the option is not working as intended, consider some alternatives for the XMPP protocol. One could be Pidgin, latest version is dated 2020.
Or feel free to pick alternatives from the XMPP project.
https://xmpp.org/software/clients/
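
A pre-check for the hostname and DNS items in the list above, added here as an example and not taken from the thread or from NethServer; the function names, the suffix list and the sample addresses are assumptions. It does not test whether ports 80 and 443 are reachable from the Internet.

```python
import ipaddress
import socket

# Assumed list of suffixes that are private or special-use in DNS.
NON_PUBLIC_SUFFIXES = (".local", ".lan", ".localdomain", ".internal",
                       ".home.arpa", ".test", ".invalid", ".example")


def preflight(fqdn, addresses, public_ip):
    """List the reasons LetsEncrypt validation of fqdn cannot succeed.

    addresses: A/AAAA values that public DNS returns for fqdn.
    public_ip: address the server is reachable on from the Internet.
    """
    problems = []
    name = fqdn.rstrip(".").lower()
    if "." not in name:
        problems.append("hostname is not fully qualified")
    elif name.endswith(NON_PUBLIC_SUFFIXES):
        problems.append("suffix is private or special-use")
    if not ipaddress.ip_address(public_ip).is_global:
        problems.append(f"server address {public_ip} is not a public IP")
    if not addresses:
        problems.append("no A/AAAA record found")
    for addr in addresses:
        if not ipaddress.ip_address(addr).is_global:
            problems.append(f"record {addr} is not publicly routable")
    if addresses and public_ip not in addresses:
        problems.append("records do not point at this server")
    return problems


def resolve(fqdn):
    """Addresses from the local resolver (assumed to mirror public DNS)."""
    try:
        infos = socket.getaddrinfo(fqdn, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Constructed sample: the thread's hostname with a made-up private record;
    # 8.8.8.8 only stands in for "some public address".
    for problem in preflight("spring.corp.com", ["192.168.1.10"], "8.8.8.8"):
        print("FAIL:", problem)
```

An empty result only means the name and records are plausible; the certificate request itself still has to succeed.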

Hi

LetsEncrypt also works with a dynamic IP, but you need some sort of (NethServer or Firewall supported) DynamicDNS Provider which converts the IP into a dns name which stays constant.

You can use any of your own DNS names as a CNAME to point to this dyndns-name, and you can use LetsEncrypt on this.

This means you need your own dns-domain to be able to use: A real dns-domain and not any .local or .lan crap, which is anyway discouraged for more than 10 years now - even Microsoft discourages using this for more than 10 years now!

I’m using this at home, it has worked rock solid for more than 2 years now!
See here:

https://intranet.r7.anwi.ch/

My 2 cents
Andy