self-signed cert

[ghost]

What version of ejabberd are you using?

18.06-3

What operating system (version) are you using?

Archlinux 4.18.8.a-1-hardened

How did you install ejabberd (source, package, distribution)?

package

What did not work as expected? Are there error messages in the log? What
was the unexpected behavior? What was the expected result?

i generate self-signed cert for my onion domain:

openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -subj /CN=b7sssd27ldcy27fj.onion,*.b7sssd27ldcy27fj.onion

but Ejabberd not accept it.
how to fix this problem?

• [warning] <0.366.0>@ejabberd_pkix:validate:615 Failed to validate certificate from /etc/ejabberd/cert.pem: self-signed certificate
• [warning] <0.366.0>@ejabberd_pkix:handle_call:259 No certificate found matching 'b7sssd27ldcy27fj.onion': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)
• [info] <0.343.0>@gen_mod:start_modules:130 Loading modules for b7sssd27ldcy27fj.onion
• [warning] <0.343.0>@gen_mod:sort_modules:155 Module 'mod_mam' is recommended for module 'mod_muc' but is not found in the config
• [warning] <0.366.0>@ejabberd_pkix:handle_call:259 No certificate found matching 'conference.b7sssd27ldcy27fj.onion': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)
• [warning] <0.366.0>@ejabberd_pkix:handle_call:259 No certificate found matching 'pubsub.b7sssd27ldcy27fj.onion': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)
• [warning] <0.366.0>@ejabberd_pkix:handle_call:259 No certificate found matching 'echo.b7sssd27ldcy27fj.onion': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)
• [info] <0.374.0>@ejabberd_listener🉑272 (<0.523.0>) Accepted connection 127.0.0.1:46196 -> 127.0.0.1:5222
  [warning] <0.523.0>@ejabberd_c2s:process_terminated:289 (tls|<0.523.0>) Failed to secure c2s connection: TLS failed: client renegotiations forbidden

[licaon-kter]

/close as invalid

There is no issue, as the last line says, you need no setup encryption protocols better

[zinid]

how to fix this problem?

What problem exactly? All messages (except the last line) are warnings, they are correct and expected, feel free to just ignore them. Regarding the last line: I have no idea what that means, the error is generated by OpenSSL library, go figure.

[prefiks]

To add to this, if your server will be available to other servers by server2server communication, they wouldn't be able to access for example pubsub.b7... because there will be no valid certificate for that domain, that's why those warning is generated, only way to fix them is having extra certificates for those domain (or possibly wildcard certificate for your main domain).

About that last warning, are you using openssl 1.1.1? If so this happens when client tries to estabilish TLS1.3 connection, this problem was fixed by change in fasttls dependency, but it's not available in 18.06 release, it should work in next release that will probably arrive next week. If you aren't using openssl 1.1.1 (and so TLS1.3 is not available), then that error is expected, as this is protection for vulnerability, and means that there was MITM attack attempt.