snikket-server's People

Contributors

aluaces, distefam, greylinux, horazont, magicbrothers, menelmacar, mwild1, p42ity, resoli, rijul-a, zash

snikket-server's Issues

Switch to SQLite storage backend

Currently Prosody is configured to use the internal backend for everything, including archives. This works fine for most setups, especially given the default retention period of 7 days.

Switching to SQLite would:

  • Give more consistent memory usage and performance while querying/processing archives
  • Allow for longer retention periods without incurring a significant performance impact (there is currently no plan to change the default though)
  • Open up the door to various SQLite-based tooling, such as live backups, Litestream, SQLCipher, etc.

Generate type="error" stanza for roster entries of restricted users upon login

I'm not sure if the apps use it, but it would be the correct thing to do, protocol-wise.

Normally, when one of your roster entries is not reachable via s2s, a type="error" presence stanza is generated for them with the error message indicating the s2s error and this stanza is sent to the client during the initial presence phase.

For isolated users, the behaviour for non-local roster entries should be similar, to mirror normal s2s issues. Again, not sure if the apps use it in any way.

Challenge failed for domain esmailelbob.xyz

Hi,
I'm trying to install Snikket server, and each time I get a "Challenge failed for domain esmailelbob.xyz" error when Snikket starts to run Let's Encrypt. What is odd is that when I run the certbot command outside Docker it works just great, so I'm not sure what causes it to break inside Docker...

My domain is: esmailelbob.xyz

I ran this command: docker-compose up

It produced this output:

root@debian:~/docker-compose/snikket# docker-compose exec snikket_certs cat /var/log/letsencrypt/letsencrypt.log
2021-12-23 11:24:46,874:DEBUG:certbot.main:certbot version: 0.31.0
2021-12-23 11:24:46,875:DEBUG:certbot.main:Arguments: ['-n', '--webroot', '--webroot-path', '/var/www', '--cert-path', '/etc/ssl/certbot', '--keep', '--agree-tos', '--email', '[email protected]', '--expand', '--allow-subset-of-names', '--config-dir', '/snikket/letsencrypt', '--domain', 'esmailelbob.xyz', '--domain', 'share.esmailelbob.xyz', '--domain', 'groups.esmailelbob.xyz']
2021-12-23 11:24:46,876:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-12-23 11:24:46,885:DEBUG:certbot.log:Root logging level set at 20
2021-12-23 11:24:46,885:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-12-23 11:24:46,886:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-12-23 11:24:46,887:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f1668414a20>
Prep: True
2021-12-23 11:24:46,887:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f1668414a20> and installer None
2021-12-23 11:24:46,887:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2021-12-23 11:24:46,906:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-12-23 11:24:46,908:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-12-23 11:24:47,639:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-12-23 11:24:47,640:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Dec 2021 11:24:47 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "9oS3c7MMyNc": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-12-23 11:24:47,641:DEBUG:acme.client:Requesting fresh nonce
2021-12-23 11:24:47,641:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-12-23 11:24:47,873:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-12-23 11:24:47,874:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Dec 2021 11:24:47 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 01024D8CJCkI7ia2pnf-BDRojQjemNIVn-GNtAZBJRSzABw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2021-12-23 11:24:47,874:DEBUG:acme.client:Storing nonce: 01024D8CJCkI7ia2pnf-BDRojQjemNIVn-GNtAZBJRSzABw
2021-12-23 11:24:47,874:DEBUG:acme.client:JWS payload:
b'{\n  "contact": [\n    "mailto:[email protected]"\n  ],\n  "termsOfServiceAgreed": true,\n  "resource": "new-reg"\n}'
2021-12-23 11:24:47,882:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-acct:
{
  "protected": "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",
  "signature": "Ku9Hy4L93FrRlGTbjBqgZQTHlvJk3mC3RGvw2x9tv1GjKwa9iIUcsiv1rNAD8_tarftnYD5XMedcBuHyk2om9Yxz-YAuq6TclqQKm1pg0s1EVqAP7WYsDV30YN2zS6AiwV-s5cSk6DCLMA8XnkHOV7So22PlMgJBPlGIla__CkJQHLP3SN82mFOtrRrkd9_sqZYmFnZWQzRKgFLksQ6EeA32SyPT97T01XYO3sKj3ZQYNPRA81-YQN2NRyOfa5Bm9BzJ1dr3YfheVGir0yOaVmlvMSw2aS9m3VYfqxF1oNtsYPhEhhQq_c0_XAtaWPYsn1Bm4cMiMAD82Sxzp8-1Zw",
  "payload": "ewogICJjb250YWN0IjogWwogICAgIm1haWx0bzplc21haWxAZXNtYWlsZWxib2IueHl6IgogIF0sCiAgInRlcm1zT2ZTZXJ2aWNlQWdyZWVkIjogdHJ1ZSwKICAicmVzb3VyY2UiOiAibmV3LXJlZyIKfQ"
}
2021-12-23 11:24:48,190:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-acct HTTP/1.1" 201 563
2021-12-23 11:24:48,191:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Thu, 23 Dec 2021 11:24:48 GMT
Content-Type: application/json
Content-Length: 563
Connection: keep-alive
Boulder-Requester: 333092700
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>;rel="terms-of-service"
Location: https://acme-v02.api.letsencrypt.org/acme/acct/333092700
Replay-Nonce: 01022RqoflNyfXzVh7FyTUNKzppiFdME-ZDQ02KZkQE9BEc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "key": {
    "kty": "RSA",
    "n": "wg40fgHingWhLf6Z2AmZSH_jzapy-47UdMZMfcgl2Jk26AcMQMu382nJy-zc2SQzt8mBfvpdA4tQEnXXAINzRk5O3XxmIKPsqY1ovzxe7BSpQSK9qDCfPqP5gJ0qiU44slgxLLvvsl1BTEqwIEkqXq0wQm7EC2KAmwQdxvwITwEe_Uzdju52VI3r5Wrt9ThlYRknaKo4RHBxrM7R1uQml-uRv-nGWmlOIHCPABoez3PW3-4C7nEjdrxzE7aCPsHSTgeIVIdGB9Puri1nHy5Lv0IWyHH0yt90RuRwdurqcwYm5Xjjfyzih0JlPV3l_ztyOUnjtHZqrJGrlDQkwXIM2w",
    "e": "AQAB"
  },
  "contact": [
    "mailto:[email protected]"
  ],
  "initialIp": "41.45.73.75",
  "createdAt": "2021-12-23T11:24:48.047153714Z",
  "status": "valid"
}
2021-12-23 11:24:48,191:DEBUG:acme.client:Storing nonce: 01022RqoflNyfXzVh7FyTUNKzppiFdME-ZDQ02KZkQE9BEc
2021-12-23 11:24:48,194:DEBUG:certbot.reporter:Reporting to user: Your account credentials have been saved in your Certbot configuration directory at /snikket/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
2021-12-23 11:24:48,197:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f16683c2208>)>), contact=('mailto:[email protected]',), agreement=None, status='valid', terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/333092700', new_authzr_uri=None, terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), 9fe9db839755f5eb7ecf4314ede22ce2, Meta(creation_dt=datetime.datetime(2021, 12, 23, 11, 24, 48, tzinfo=<UTC>), creation_host='bd51503ea3b4'))>
2021-12-23 11:24:48,198:INFO:certbot.main:Obtaining a new certificate
2021-12-23 11:24:48,326:DEBUG:certbot.crypto_util:Generating key (2048 bits): /snikket/letsencrypt/keys/0000_key-certbot.pem
2021-12-23 11:24:48,331:DEBUG:certbot.crypto_util:Creating CSR: /snikket/letsencrypt/csr/0000_csr-certbot.pem
2021-12-23 11:24:48,332:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "esmailelbob.xyz"\n    },\n    {\n      "type": "dns",\n      "value": "share.esmailelbob.xyz"\n    },\n    {\n      "type": "dns",\n      "value": "groups.esmailelbob.xyz"\n    }\n  ]\n}'
2021-12-23 11:24:48,336:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMzMzMDkyNzAwIiwgIm5vbmNlIjogIjAxMDIyUnFvZmxOeWZYelZoN0Z5VFVOS3pwcGlGZE1FLVpEUTAyS1prUUU5QkVjIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "k_gH-m9vCTnHPtzRQVkvR3uq4ZAkbVOmYOCAk3sr_1KNI5ZEiVt9p0XPB3YGZ_jTEt20qKvMySapyVPeJiAfuxgSrRmy7UkHw2h6IlJeihBgAHlzyxp4jzXuVeMZ9yhMXKzWJuKUtldWFI9mEBElyi8stCm52RQtikwAiUjrdvpQaMRXC5nNzuNg3GOveRBm3moFSZ6_6frif5D_hMl65BUqZQUgHOZ1nTGQ5_gqReTUeBRSZTBt_DV89_oieg4QkKm5VAzvWOUoa3vDSsCGFnYB3wsHiPVgPmsQjXEUx1UjYA6QNlUeTj4gKoUY1Ge0x8Sy8FXKyuK5U-cVbuBf1A",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImVzbWFpbGVsYm9iLnh5eiIKICAgIH0sCiAgICB7CiAgICAgICJ0eXBlIjogImRucyIsCiAgICAgICJ2YWx1ZSI6ICJzaGFyZS5lc21haWxlbGJvYi54eXoiCiAgICB9LAogICAgewogICAgICAidHlwZSI6ICJkbnMiLAogICAgICAidmFsdWUiOiAiZ3JvdXBzLmVzbWFpbGVsYm9iLnh5eiIKICAgIH0KICBdCn0"
}
2021-12-23 11:24:48,791:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 625
2021-12-23 11:24:48,792:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Thu, 23 Dec 2021 11:24:48 GMT
Content-Type: application/json
Content-Length: 625
Connection: keep-alive
Boulder-Requester: 333092700
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/333092700/49524646720
Replay-Nonce: 0101FGuh9KEfbz3sFVtAhwazLhkIHdmfutTi_EVrkGE6bBU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2021-12-30T11:24:48Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "esmailelbob.xyz"
    },
    {
      "type": "dns",
      "value": "groups.esmailelbob.xyz"
    },
    {
      "type": "dns",
      "value": "share.esmailelbob.xyz"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/61231735720",
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/61231735730",
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/61231735740"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/333092700/49524646720"
}
2021-12-23 11:24:48,792:DEBUG:acme.client:Storing nonce: 0101FGuh9KEfbz3sFVtAhwazLhkIHdmfutTi_EVrkGE6bBU
2021-12-23 11:24:48,793:DEBUG:acme.client:JWS payload:
b''
2021-12-23 11:24:48,796:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/61231735720:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMzMzMDkyNzAwIiwgIm5vbmNlIjogIjAxMDFGR3VoOUtFZmJ6M3NGVnRBaHdhekxoa0lIZG1mdXRUaV9FVnJrR0U2YkJVIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My82MTIzMTczNTcyMCJ9",
  "signature": "IG_Oi8_IPnbxQDz3-VbN0VUb20NVxm9XcRaE6JkTof5JSg5B3Sm3ruxWBQtUazc0VGQNOb3AQedUF75mrN0aIg3ZX1mXdcVc3DM6_xXqXI0_NkpnjYFgKWoSBQTv4lattDoHJFJam9x4Z7p-7rkY43_x70bMWsMHpFj4CySSFgeWdwvU62uVbC8a1LyyudwDBO6VKeEsefDtV9Hff6z_gx0mkf8SGsrUNqlxetzaVjyT5aACdCPbFpzjLPRGlbmruk3b7NrG8gVh5XNzZYbGAOUeDMRmSSTEVd4lOMLuA89JBobL3Ni2f9L5sAYPka9qk-eduxN-JkeKte6Na0q1lw",
  "payload": ""
}
2021-12-23 11:24:49,049:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/61231735720 HTTP/1.1" 200 796
2021-12-23 11:24:49,049:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Dec 2021 11:24:48 GMT
Content-Type: application/json
Content-Length: 796
Connection: keep-alive
Boulder-Requester: 333092700
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102gQSkUgVDr2oSgIIApTU7ov0BDzB7qKc5z22veZxAxB4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "esmailelbob.xyz"
  },
  "status": "pending",
  "expires": "2021-12-30T11:24:48Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735720/ogpqGw",
      "token": "PAeFhIrEPptslvzVmkZeHzj_S1UahDUYVFq9Py043IE"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735720/Ybnufg",
      "token": "PAeFhIrEPptslvzVmkZeHzj_S1UahDUYVFq9Py043IE"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735720/AL-zhA",
      "token": "PAeFhIrEPptslvzVmkZeHzj_S1UahDUYVFq9Py043IE"
    }
  ]
}
2021-12-23 11:24:49,049:DEBUG:acme.client:Storing nonce: 0102gQSkUgVDr2oSgIIApTU7ov0BDzB7qKc5z22veZxAxB4
2021-12-23 11:24:49,050:DEBUG:acme.client:JWS payload:
b''
2021-12-23 11:24:49,053:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/61231735730:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMzMzMDkyNzAwIiwgIm5vbmNlIjogIjAxMDJnUVNrVWdWRHIyb1NnSUlBcFRVN292MEJEekI3cUtjNXoyMnZlWnhBeEI0IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My82MTIzMTczNTczMCJ9",
  "signature": "QZLNgeVv7oi8R0I-Xd_Hn2Eihw_7oXZLBre9XbhZTVtakgzAqeDzMSv-voMI3Sp-nlWX6BOfdjPjUEer4F3CakfTEoDl7sUcLHtmsQNkQZZvoIO9cy3AU0od2_dRqpcF3FzcBiXKAMvavciazuIBh6WWOhztV5K1S_rnhiMfFTaaENGcmchob9g-NaXPsKM_EMxqq7VNWt_7n108kPhhF-UtHKXPMAfLtTy_fcWOgpREwoOqsZnvbwug6Ic80ffIDUGXxUMuKqQAF3YZfWgf1q23vENhlMKylmS6_7YsGTLPJ5iltuDowCT0bWDT2d96YJ8aBSA6zefau1FlKESEgg",
  "payload": ""
}
2021-12-23 11:24:49,300:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/61231735730 HTTP/1.1" 200 803
2021-12-23 11:24:49,301:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Dec 2021 11:24:49 GMT
Content-Type: application/json
Content-Length: 803
Connection: keep-alive
Boulder-Requester: 333092700
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102OItbcbZpB4ENwEMUrQUhTBTSMQ7lKB-LlBbGZYVnBZY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "groups.esmailelbob.xyz"
  },
  "status": "pending",
  "expires": "2021-12-30T11:24:48Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735730/WsHbhQ",
      "token": "o91n9oezBXoxf28ZmWGU06-Kb4IL7olUzBatCygpuR4"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735730/5JBLXw",
      "token": "o91n9oezBXoxf28ZmWGU06-Kb4IL7olUzBatCygpuR4"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735730/Akoo8g",
      "token": "o91n9oezBXoxf28ZmWGU06-Kb4IL7olUzBatCygpuR4"
    }
  ]
}
2021-12-23 11:24:49,301:DEBUG:acme.client:Storing nonce: 0102OItbcbZpB4ENwEMUrQUhTBTSMQ7lKB-LlBbGZYVnBZY
2021-12-23 11:24:49,302:DEBUG:acme.client:JWS payload:
b''
2021-12-23 11:24:49,306:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/61231735740:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMzMzMDkyNzAwIiwgIm5vbmNlIjogIjAxMDJPSXRiY2JacEI0RU53RU1VclFVaFRCVFNNUTdsS0ItTGxCYkdaWVZuQlpZIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My82MTIzMTczNTc0MCJ9",
  "signature": "YCe7OjpDARTBZ0cFmtsMaEqXXnY3gxPAdj6cDLjqa-jz9dmMIW4cylc_Kdw2HElC4LX17Wmy4pEIahytr2XHI_SZGDuktsce6UFLbnmNtuqVSIy6caE-jtRF93r-CJ657W8NfqWWo0s6RkeDnweTsDaYTQA2IPZvdRJX3c2oD-FyUNRc4pPS1jK48xhI83uLDv-P9R8uPYpxhrW_IoifyL54g6sqY8vYG_Fl8ReAOl2aKaXd8ol3Vkl6fGDC3P1Drm-Wc4M6SvN8CNiGCvKN3vPYqFzgt_whGMgQCLYKxE6ex87_nhfvf9WzlqMFsurh_qur-x_sBRTvUMxF7B1t7A",
  "payload": ""
}
2021-12-23 11:24:49,589:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/61231735740 HTTP/1.1" 200 802
2021-12-23 11:24:49,590:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Dec 2021 11:24:49 GMT
Content-Type: application/json
Content-Length: 802
Connection: keep-alive
Boulder-Requester: 333092700
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102_qRICkGs96_Z92W3jhZDhTa44Yil9Cj2_Y0HXNzwN9I
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "share.esmailelbob.xyz"
  },
  "status": "pending",
  "expires": "2021-12-30T11:24:48Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735740/DZA3FQ",
      "token": "QOH1fDeT1z2cHMXF56Gn9t7AOzP5s6s2kmRcTS0eseY"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735740/pfcguA",
      "token": "QOH1fDeT1z2cHMXF56Gn9t7AOzP5s6s2kmRcTS0eseY"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735740/K4SXxA",
      "token": "QOH1fDeT1z2cHMXF56Gn9t7AOzP5s6s2kmRcTS0eseY"
    }
  ]
}
2021-12-23 11:24:49,590:DEBUG:acme.client:Storing nonce: 0102_qRICkGs96_Z92W3jhZDhTa44Yil9Cj2_Y0HXNzwN9I
2021-12-23 11:24:49,591:INFO:certbot.auth_handler:Performing the following challenges:
2021-12-23 11:24:49,591:INFO:certbot.auth_handler:http-01 challenge for esmailelbob.xyz
2021-12-23 11:24:49,591:INFO:certbot.auth_handler:http-01 challenge for groups.esmailelbob.xyz
2021-12-23 11:24:49,591:INFO:certbot.auth_handler:http-01 challenge for share.esmailelbob.xyz
2021-12-23 11:24:49,592:INFO:certbot.plugins.webroot:Using the webroot path /var/www for all unmatched domains.
2021-12-23 11:24:49,592:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /var/www/.well-known/acme-challenge
2021-12-23 11:24:49,592:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /var/www/.well-known/acme-challenge
2021-12-23 11:24:49,592:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /var/www/.well-known/acme-challenge
2021-12-23 11:24:49,597:DEBUG:certbot.plugins.webroot:Attempting to save validation to /var/www/.well-known/acme-challenge/PAeFhIrEPptslvzVmkZeHzj_S1UahDUYVFq9Py043IE
2021-12-23 11:24:49,601:DEBUG:certbot.plugins.webroot:Attempting to save validation to /var/www/.well-known/acme-challenge/o91n9oezBXoxf28ZmWGU06-Kb4IL7olUzBatCygpuR4
2021-12-23 11:24:49,606:DEBUG:certbot.plugins.webroot:Attempting to save validation to /var/www/.well-known/acme-challenge/QOH1fDeT1z2cHMXF56Gn9t7AOzP5s6s2kmRcTS0eseY
2021-12-23 11:24:49,606:INFO:certbot.auth_handler:Waiting for verification...
2021-12-23 11:24:49,606:DEBUG:acme.client:JWS payload:
b'{\n  "resource": "challenge",\n  "type": "http-01"\n}'
2021-12-23 11:24:49,610:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735720/ogpqGw:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMzMzMDkyNzAwIiwgIm5vbmNlIjogIjAxMDJfcVJJQ2tHczk2X1o5MlczamhaRGhUYTQ0WWlsOUNqMl9ZMEhYTnp3TjlJIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My82MTIzMTczNTcyMC9vZ3BxR3cifQ",
  "signature": "ObM5xKXrTuLrAyufaRVi2p5g5uLCotOAwik4v_IAZ4VfVMUHMpVleTwJoNw4UiPAF6S2GQePQi1SC8aJdmI1Jjg-sb_IKzsfA5Szv_-cqBOPtjSeCdBvQEsiwGt6aCRueZqB64_-nkcRqci9Zueb03lGhAbs6dpib5-4hntdwGKbgqJMssLx3ZV2SzoWAB9-fKoey5LW9IfeuWQJzodDDhwK4sD9C5wAF1v0RMqSUzi7PKELjTT4rJY86XvIq2ZaU2KNSxQpLH_4LApLoIGjVHT1YSYb3buv9u75W9e8FOR_4Lr_NdjiD4FwXStISX8aeIY-pRkcNThvk2jIUruXJw",
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiCn0"
}
2021-12-23 11:24:49,874:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/61231735720/ogpqGw HTTP/1.1" 200 186
2021-12-23 11:24:49,875:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Dec 2021 11:24:49 GMT
Content-Type: application/json
Content-Length: 186
Connection: keep-alive
Boulder-Requester: 333092700
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/61231735720>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735720/ogpqGw
Replay-Nonce: 01029lL3UwbyresHdDVITqP59aHZaLI2p0L74D4MZuYqQv8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735720/ogpqGw",
  "token": "PAeFhIrEPptslvzVmkZeHzj_S1UahDUYVFq9Py043IE"
}
2021-12-23 11:24:49,875:DEBUG:acme.client:Storing nonce: 01029lL3UwbyresHdDVITqP59aHZaLI2p0L74D4MZuYqQv8
2021-12-23 11:24:49,876:DEBUG:acme.client:JWS payload:
b'{\n  "resource": "challenge",\n  "type": "http-01"\n}'
2021-12-23 11:24:49,880:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735730/WsHbhQ:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMzMzMDkyNzAwIiwgIm5vbmNlIjogIjAxMDI5bEwzVXdieXJlc0hkRFZJVHFQNTlhSFphTEkycDBMNzRENE1adVlxUXY4IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My82MTIzMTczNTczMC9Xc0hiaFEifQ",
  "signature": "H5Jb1ODu5fYftg7a3AhGejm9YdBp5ftAlfwRpfBi7znLAD4BC1lC1vDNipbim56XKiBTNm8NJTQ2jyIHG_fZER5hoRjDEXct3umgBGn5bjR6mDcsITbp4qySSDCIPNmEu6KHW09QpuRhSvqCo_zD0C-DGEl3NPpi9bIn71_3sOo5XFoqXS_UxZtXWqhlA1D9I8HrxnrI0ZsWslSQlk2dyR7ViiXphmmv-zXvdjFl1iT50VCl_uk6pwtgwoE-8WsRFG6otHnNdaHsKvG0YX45LlBc3uYzgHSJOOWVVF7Ah0a5rW-eSgeri-MsgvhxYtH9lCLjrj4hznWcjSfZP21xCA",
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiCn0"
}
2021-12-23 11:24:50,143:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/61231735730/WsHbhQ HTTP/1.1" 200 186
2021-12-23 11:24:50,143:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Dec 2021 11:24:50 GMT
Content-Type: application/json
Content-Length: 186
Connection: keep-alive
Boulder-Requester: 333092700
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/61231735730>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735730/WsHbhQ
Replay-Nonce: 0102MX_Al5PRUdyuulILm3HHejPx79W1WIjNOpoyKzbC4Uc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735730/WsHbhQ",
  "token": "o91n9oezBXoxf28ZmWGU06-Kb4IL7olUzBatCygpuR4"
}
2021-12-23 11:24:50,143:DEBUG:acme.client:Storing nonce: 0102MX_Al5PRUdyuulILm3HHejPx79W1WIjNOpoyKzbC4Uc
2021-12-23 11:24:50,144:DEBUG:acme.client:JWS payload:
b'{\n  "resource": "challenge",\n  "type": "http-01"\n}'
2021-12-23 11:24:50,148:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735740/DZA3FQ:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMzMzMDkyNzAwIiwgIm5vbmNlIjogIjAxMDJNWF9BbDVQUlVkeXV1bElMbTNISGVqUHg3OVcxV0lqTk9wb3lLemJDNFVjIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My82MTIzMTczNTc0MC9EWkEzRlEifQ",
  "signature": "j2MI2TkllaRAI2lrRzJy92f23q9a4ndpxuRbFadaw9GuIjR6ZU1oSnGtHy9VKk_PJdch4N9egR2xxiuKvZ0jVZBA1f5-RizyuI4I70bic7ep7o5HHj4VYdYlvEDNjTN_seGO924b1wq2yE8BZoRhD251XHVlfz8_hCqxmp273u83P97jArmBF1-SobXwvYrDfJhN3pAMOXQrxDZWmT8raSAbR4slT0SD8v3XdM2BcYenQ30w2BVcKNS060D_zkNyG7Mp0W9DpEv-XNS6pGdV0EmNteIentGAlXp2_lnvXhIj8a_LPgz9Wwc1JPlrJLFsMgmythGJyAW5JkdyqhUTGA",
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiCn0"
}
2021-12-23 11:24:50,412:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/61231735740/DZA3FQ HTTP/1.1" 200 186
2021-12-23 11:24:50,413:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Dec 2021 11:24:50 GMT
Content-Type: application/json
Content-Length: 186
Connection: keep-alive
Boulder-Requester: 333092700
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/61231735740>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735740/DZA3FQ
Replay-Nonce: 0102bENB-1haWJs5eJ4_4i4tTKxttSE4H4UlfwMRK7sDcPw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735740/DZA3FQ",
  "token": "QOH1fDeT1z2cHMXF56Gn9t7AOzP5s6s2kmRcTS0eseY"
}
2021-12-23 11:24:50,413:DEBUG:acme.client:Storing nonce: 0102bENB-1haWJs5eJ4_4i4tTKxttSE4H4UlfwMRK7sDcPw
2021-12-23 11:24:53,416:DEBUG:acme.client:JWS payload:
b''
2021-12-23 11:24:53,420:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/61231735720:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMzMzMDkyNzAwIiwgIm5vbmNlIjogIjAxMDJiRU5CLTFoYVdKczVlSjRfNGk0dFRLeHR0U0U0SDRVbGZ3TVJLN3NEY1B3IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My82MTIzMTczNTcyMCJ9",
  "signature": "XS_tMV-LCU1aM8tSk6y4OIKCkWuNsocLvyhE5zIefOHINUJM_xZsT8AvnQDRDLkHbKntmB8HArj9UxjN2soGYZu0P2EPBN10hFj8-ZOGUekChvW8e37e2SS8FXgPaOqzLFS6zbI-hAPcAbBXwKqtE2MFGuwAPEzC8NmGzhxFB_gFkmE2AlS26E3hjqSNxYCm1YSp721LfSo0ZpshwVmX1PbCn93P_Ev3LPwJucqg2fsuQTDO7CJdftzabarlfzTy5DE8QHDMqcTlY2O-RVzLkJI8aEre-DMG61qz7bMPkDxJL5HlhIOnWA5rLQY_EeZGApWpa4w_VdXEH2rrqyowZA",
  "payload": ""
}
2021-12-23 11:24:53,671:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/61231735720 HTTP/1.1" 200 1245
2021-12-23 11:24:53,672:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Dec 2021 11:24:53 GMT
Content-Type: application/json
Content-Length: 1245
Connection: keep-alive
Boulder-Requester: 333092700
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0101Q8UcQPElRR0zcrhAPrepbfyTrB4rQhb6h3IjnQH_o2s
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "esmailelbob.xyz"
  },
  "status": "invalid",
  "expires": "2021-12-30T11:24:48Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://esmailelbob.xyz/.well-known/acme-challenge/PAeFhIrEPptslvzVmkZeHzj_S1UahDUYVFq9Py043IE [41.45.73.75]: \"\u003c!DOCTYPE html\u003e\\n\u003chtml lang=\\\"en\\\"\u003e\\n\\t\u003chead\u003e\\n\\t\\t\\n\\t\\t\u003ctitle\u003eError: Nothing here\u003c/title\u003e\\n\\t\\t\u003cmeta http-equiv=\\\"Content-Type\\\" content=\\\"text\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735720/ogpqGw",
      "token": "PAeFhIrEPptslvzVmkZeHzj_S1UahDUYVFq9Py043IE",
      "validationRecord": [
        {
          "url": "http://esmailelbob.xyz/.well-known/acme-challenge/PAeFhIrEPptslvzVmkZeHzj_S1UahDUYVFq9Py043IE",
          "hostname": "esmailelbob.xyz",
          "port": "80",
          "addressesResolved": [
            "41.45.73.75"
          ],
          "addressUsed": "41.45.73.75"
        }
      ],
      "validated": "2021-12-23T11:24:49Z"
    }
  ]
}
2021-12-23 11:24:53,672:DEBUG:acme.client:Storing nonce: 0101Q8UcQPElRR0zcrhAPrepbfyTrB4rQhb6h3IjnQH_o2s
2021-12-23 11:24:53,672:WARNING:certbot.auth_handler:Challenge failed for domain esmailelbob.xyz
2021-12-23 11:24:53,673:DEBUG:acme.client:JWS payload:
b''
2021-12-23 11:24:53,677:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/61231735730:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMzMzMDkyNzAwIiwgIm5vbmNlIjogIjAxMDFROFVjUVBFbFJSMHpjcmhBUHJlcGJmeVRyQjRyUWhiNmgzSWpuUUhfbzJzIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My82MTIzMTczNTczMCJ9",
  "signature": "MYE9SjLWAv8Wot4_ZqLJQf6pDWalWiwh-bYsCqAIhUUYajjHH1Wq6Y80u9S_jlssUDXaFyXmn-2W7Qcwk-QYQll6H7j-Tiy-Vp1OHOqFr_GWF1hWyqMC-YsfrR8FIAgKw6M9yvRJyoFDYDV8vJK6E50jOi0EM2rEh26j2EqChk3aTv_YtIopy-zfwhaQmI3v2Zzvl0fDgg9_LkgjYiIkonrmHsQ0cROlT-E8IMpLj_XUQrznKCZ1vZXaneVC3C7zfuOgcmhB6fQP_ijK7DuY94favjFVyyNxxv2bVS-lp-o7P0QJ5a2uKTyFmmB5j5GwJODzO2RnZ76xMYR2t3dllQ",
  "payload": ""
}
2021-12-23 11:24:53,945:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/61231735730 HTTP/1.1" 200 1273
2021-12-23 11:24:53,946:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Dec 2021 11:24:53 GMT
Content-Type: application/json
Content-Length: 1273
Connection: keep-alive
Boulder-Requester: 333092700
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0101gTDVNGVFpUWlSrY06C65_S-84vHLdqXIvh4ffZvDzZc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "groups.esmailelbob.xyz"
  },
  "status": "invalid",
  "expires": "2021-12-30T11:24:48Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://groups.esmailelbob.xyz/.well-known/acme-challenge/o91n9oezBXoxf28ZmWGU06-Kb4IL7olUzBatCygpuR4 [41.45.73.75]: \"\u003c!DOCTYPE html\u003e\\n\u003chtml lang=\\\"en\\\"\u003e\\n\\t\u003chead\u003e\\n\\t\\t\\n\\t\\t\u003ctitle\u003eError: Nothing here\u003c/title\u003e\\n\\t\\t\u003cmeta http-equiv=\\\"Content-Type\\\" content=\\\"text\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735730/WsHbhQ",
      "token": "o91n9oezBXoxf28ZmWGU06-Kb4IL7olUzBatCygpuR4",
      "validationRecord": [
        {
          "url": "http://groups.esmailelbob.xyz/.well-known/acme-challenge/o91n9oezBXoxf28ZmWGU06-Kb4IL7olUzBatCygpuR4",
          "hostname": "groups.esmailelbob.xyz",
          "port": "80",
          "addressesResolved": [
            "41.45.73.75"
          ],
          "addressUsed": "41.45.73.75"
        }
      ],
      "validated": "2021-12-23T11:24:49Z"
    }
  ]
}
2021-12-23 11:24:53,946:DEBUG:acme.client:Storing nonce: 0101gTDVNGVFpUWlSrY06C65_S-84vHLdqXIvh4ffZvDzZc
2021-12-23 11:24:53,946:WARNING:certbot.auth_handler:Challenge failed for domain groups.esmailelbob.xyz
2021-12-23 11:24:53,947:DEBUG:acme.client:JWS payload:
b''
2021-12-23 11:24:53,949:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/61231735740:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMzMzMDkyNzAwIiwgIm5vbmNlIjogIjAxMDFnVERWTkdWRnBVV2xTclkwNkM2NV9TLTg0dkhMZHFYSXZoNGZmWnZEelpjIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My82MTIzMTczNTc0MCJ9",
  "signature": "ayhqxjEDV78ggCKzqV_4b6o-yFbHFySHwEKGfGktv4Fd0X5oPKZuCpFJcDaih5ODmv6GmblKK0mmTBj87CgCRZnD8gJoaQhNhEZUiclDvnecTa1nJ2EkqFqi5KIPxCKUmXys5CA8yHPhJ2vMzlWQpTPZis3hr3AjpgyN3_3XZm6Z08LoDEKurCENib1h8vlFx8FIUNT0sL2T11I3XnEWbFQvuwNH690Z0rPQI2z3BAcvud2Bcw143i5PmbxpYxqyJe8HX40RDE7ZxIq_3-ww1CESLUncIWyXHLmC1LkYmGRiHtZNqczpjG6J0xNX8X561ctec5H78k2u5QrAjB2t5w",
  "payload": ""
}
2021-12-23 11:24:54,217:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/61231735740 HTTP/1.1" 200 1269
2021-12-23 11:24:54,218:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Dec 2021 11:24:54 GMT
Content-Type: application/json
Content-Length: 1269
Connection: keep-alive
Boulder-Requester: 333092700
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102wXDD4tzXS5PpK2T05nZydVoU4n86iXcXT3AZPBASw58
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "share.esmailelbob.xyz"
  },
  "status": "invalid",
  "expires": "2021-12-30T11:24:48Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://share.esmailelbob.xyz/.well-known/acme-challenge/QOH1fDeT1z2cHMXF56Gn9t7AOzP5s6s2kmRcTS0eseY [41.45.73.75]: \"\u003c!DOCTYPE html\u003e\\n\u003chtml lang=\\\"en\\\"\u003e\\n\\t\u003chead\u003e\\n\\t\\t\\n\\t\\t\u003ctitle\u003eError: Nothing here\u003c/title\u003e\\n\\t\\t\u003cmeta http-equiv=\\\"Content-Type\\\" content=\\\"text\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735740/DZA3FQ",
      "token": "QOH1fDeT1z2cHMXF56Gn9t7AOzP5s6s2kmRcTS0eseY",
      "validationRecord": [
        {
          "url": "http://share.esmailelbob.xyz/.well-known/acme-challenge/QOH1fDeT1z2cHMXF56Gn9t7AOzP5s6s2kmRcTS0eseY",
          "hostname": "share.esmailelbob.xyz",
          "port": "80",
          "addressesResolved": [
            "41.45.73.75"
          ],
          "addressUsed": "41.45.73.75"
        }
      ],
      "validated": "2021-12-23T11:24:50Z"
    }
  ]
}
2021-12-23 11:24:54,218:DEBUG:acme.client:Storing nonce: 0102wXDD4tzXS5PpK2T05nZydVoU4n86iXcXT3AZPBASw58
2021-12-23 11:24:54,219:WARNING:certbot.auth_handler:Challenge failed for domain share.esmailelbob.xyz
2021-12-23 11:24:54,219:DEBUG:certbot.error_handler:Calling registered functions
2021-12-23 11:24:54,219:INFO:certbot.auth_handler:Cleaning up challenges
2021-12-23 11:24:54,219:DEBUG:certbot.plugins.webroot:Removing /var/www/.well-known/acme-challenge/PAeFhIrEPptslvzVmkZeHzj_S1UahDUYVFq9Py043IE
2021-12-23 11:24:54,219:DEBUG:certbot.plugins.webroot:Removing /var/www/.well-known/acme-challenge/o91n9oezBXoxf28ZmWGU06-Kb4IL7olUzBatCygpuR4
2021-12-23 11:24:54,219:DEBUG:certbot.plugins.webroot:Removing /var/www/.well-known/acme-challenge/QOH1fDeT1z2cHMXF56Gn9t7AOzP5s6s2kmRcTS0eseY
2021-12-23 11:24:54,220:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2021-12-23 11:24:54,220:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1250, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 93, in handle_authorizations
    "Challenges failed for all domains")
certbot.errors.AuthorizationError: Challenges failed for all domains

My web server is (include version): nginx

The operating system my web server runs on is (include version): debian 11

My hosting provider, if applicable, is: none, it's self hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0
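A certbot debug log like the one above interleaves timestamped lines, HTTP headers and multi-line JSON. This added Python example (not part of the original report, and not certbot code) pulls the ACME authorization objects out of such a log and summarises each failed challenge. The sample log is constructed, with placeholder domain, token and address.

```python
import json

# Constructed sample in the shape of a certbot debug log (placeholder values).
SAMPLE_LOG = r'''
2021-01-01 00:00:00,000:DEBUG:acme.client:Sending POST request to https://acme.example/authz/1:
{
  "protected": "e30",
  "signature": "c2ln",
  "payload": ""
}
2021-01-01 00:00:00,100:DEBUG:acme.client:Received response:
HTTP 200
Content-Type: application/json

{
  "identifier": {"type": "dns", "value": "chat.example.com"},
  "status": "invalid",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://chat.example.com/.well-known/acme-challenge/TOKEN [203.0.113.10]: \"\u003c!DOCTYPE html\u003e\\n\u003chtml lang=\\\"en\\\"\u003e\"",
        "status": 403
      },
      "validationRecord": [
        {"hostname": "chat.example.com", "port": "80", "addressUsed": "203.0.113.10"}
      ]
    }
  ]
}
2021-01-01 00:00:00,200:WARNING:certbot.auth_handler:Challenge failed for domain chat.example.com
2021-01-01 00:00:00,300:DEBUG:acme.client:Received response:
HTTP 200

{"identifier": {"type": "dns", "value": "ok.example.com"}, "status": "valid", "challenges": [{"type": "http-01", "status": "valid"}]}
'''


def iter_json_objects(text):
    """Yield every JSON object that starts at the beginning of a log line."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        start = text.find("\n{", pos)
        if start == -1:
            return
        try:
            # raw_decode parses one value and reports where it ended,
            # so the log lines that follow the object are left alone.
            obj, pos = decoder.raw_decode(text, start + 1)
        except json.JSONDecodeError:
            pos = start + 2
            continue
        yield obj


def failed_challenges(text):
    """Return one summary dict per challenge whose status is 'invalid'."""
    findings = []
    for obj in iter_json_objects(text):
        # Signed request bodies are JSON too; only authorization objects matter here.
        if "identifier" not in obj or "challenges" not in obj:
            continue
        for challenge in obj["challenges"]:
            if challenge.get("status") != "invalid":
                continue
            error = challenge.get("error", {})
            detail = error.get("detail", "").lower()
            records = challenge.get("validationRecord", [])
            findings.append({
                "domain": obj["identifier"]["value"],
                "challenge": challenge.get("type"),
                "error": error.get("type", "").rsplit(":", 1)[-1],
                "http_status": error.get("status"),
                # Address the CA actually connected to (last hop of the record).
                "address": records[-1].get("addressUsed") if records else None,
                # An HTML body means a web page was served where the
                # key authorization was expected.
                "served_html": "<!doctype" in detail or "<html" in detail,
            })
    return findings


if __name__ == "__main__":
    for finding in failed_challenges(SAMPLE_LOG):
        print(finding)
```

A `served_html` value of true together with the `address` field tells you which host answered the validation request with a page of its own, which is the first thing to check when port 80 sits behind another web server or proxy.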

Disable features Message Archive Management

I have checked the server information, and I would like to ask for a way to disable features.

  • I want to disable the feature Message Archive Management
  • I want to enable the feature Security Labels in XMPP

HAProxy, own certbot, "Waiting for certificates..."

Good day,

I'm trying to run the docker image of Snikket, but it is stuck at

snikket           | Waiting for certificates...

Is there any way to disable cert-monitor.sh or otherwise circumvent the check?
I have configured HAProxy to solve the acme challenges using a separate certbot + acme.sh container, so it's not quite compatible with Snikket's built-in solution.
I received certificates for the following 3 domains:

  1. groups.snikket.<myserver>
  2. share.snikket.<myserver>
  3. snikket.<myserver>

and tried pointing the container to the appropriate directory:

...
snikket_server:
...
  volumes:
    - <path_to_my_certs>:/etc/ssl/certbot

Yet it doesn't seem to help.

Add a web chat client

I'm quite new to the XMPP ecosystem, but I discovered that there is a web interface for using XMPP and that you already added the conversejs module here.

However, nothing is accessible on chat.example.com/conversejs, it returns me a 404.
What is still needed to deploy it? Do we need to add the module name to the configuration file? Is it sufficient?

From what I understand from the documentation there isn't much to be done. So maybe it could be a great improvement to have a web interface and have one XMPP web interface available on all desktops (GNU/Linux, Mac OS and Windows).

Bounce incoming Jingle proposals if immediately undeliverable

In certain circumstances the JMI proposal will be delivered into MAM, no clients will receive it until they come online, and the caller will be stuck until it times out.

Proposal:

  • If JMI to the bare JID is received
  • If no call-capable clients are registered to receive push notifications or those pushes are unsuccessful
  • Bounce the stanza with an appropriate error (likely service-unavailable to prevent JID existence probing)
  • Archive the stanza as normal (for missed call detection)

We should consider tracking and rescuing proposals that get stuck in 198 queues as well.

These changes should reduce user frustration on the caller side. It also enables us to be more relaxed about displaying the call button even if no client is currently available (see e.g. snikket-im/snikket-ios#157).

Suggestion: include xmpp address of snikket-admin in welcome message

The welcome message currently includes the server admin's email address. This is already good.

But wouldn't it be useful to also include the admin's XMPP URI in this welcome message? Maybe as a clickable link. Clickable link comes for free when adding the xmpp: URI scheme.

Same would be for email - but mailto: is currently not handled by snikket (or even upstream conversations)

Having this clickable link would reduce the barrier to contact the admin for questions by a lot.

I guess for the small instances this is anyway going to be the person who sent you the individual invite, but if there is e.g. a soccer club, this might get a bit more anonymous.

Traefik support

Hei there

Thanks for developing such a great project. I'd really like to host a snikket server but my web server set up is based on traefik as a reverse proxy. Would it be possible to add some sort of guide or example conf-file for traefik?

https://doc.traefik.io/traefik/

Thanks in advance.

Make groupchats more configurable

I'd like to invite users of other xmpp servers to my groupchat on my snikket server. I don't seem to be allowed to do this? gajim does not let me configure the chatroom.

mod_invites_api usage

I am currently testing the invites API and found a small mistake in the documentation at https://modules.prosody.im/mod_invites_api.
The command

  prosodyctl mod_invites_api create example.com "My test key"

should be

prosodyctl mod_invites_api example.com create "My test key"

Thanks for developing snikket 👍

Snikket on a RaspberryPi

When I try to run the container on a raspberry I get "Error response from daemon: Container is restarting, wait until the container is running". docker logs --tail 50 --follow --timestamps snikket returns "exec user process caused: exec format error". Googling a bit, it seems that happens when you're trying to run amd packages on arm. I'm just confused as the quick setup explicitly says "For the server [...] you can use a physical device such as a Raspberry Pi." Is the raspberry not supported yet?

Enable IPv6 by default if possible

This issue is to track enabling IPv6 by default in the snikket-server image. It can currently be enabled by setting the environment variable SNIKKET_TWEAK_IPV6=1.

There are some hurdles. Docker does not enable IPv6 by default, which means it will be broken unless the admin explicitly enables it. This probably (hopefully?) doesn't affect host network mode, which is currently in use but changing this back has been discussed, e.g. in snikket-im/snikket-web-portal#72

Another consideration is lack of "happy eyeballs" support in Prosody. Certain network configuration issues/malfunctions may cause undesirable user experiences with federation. I think work on this should be prioritized.

Web tokens are not invalidated on role change

When changing the role of a user in the web portal, their current XMPP connections are killed to let the changes take effect, but web portal sessions continue to live on.

This means that I can nicely test everything with my own user because I can change my role to Limited and have it take effect in the app without de-admin-ing myself in the portal :). However, obviously this is a problem in real deployments, because in a bad situation, you might want to be able to take admin permissions away immediately, without the subject being able to do things with those permissions afterward (such as restoring their admin permissions and taking yours away).
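The behaviour described in this issue, modelled as an added Python example (not Snikket or Prosody code): a session that keeps the privileges it was issued with, next to one that is rejected once the user's role has changed. The `Portal` class, the role names and the per-user role-change counter are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field

ADMIN, LIMITED = "admin", "limited"  # placeholder role names for this sketch


@dataclass
class Session:
    user: str
    role_at_issue: str  # snapshot of the role when the token was minted
    role_epoch: int     # the user's role-change counter at that moment


@dataclass
class Portal:
    check_epoch: bool                             # False reproduces the reported behaviour
    roles: dict = field(default_factory=dict)     # user -> current role
    epochs: dict = field(default_factory=dict)    # user -> number of role changes
    sessions: dict = field(default_factory=dict)  # token -> Session

    def add_user(self, user, role):
        self.roles[user] = role
        self.epochs[user] = 0

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, self.roles[user], self.epochs[user])
        return token

    def is_admin(self, token):
        session = self.sessions.get(token)
        if session is None:
            return False
        if not self.check_epoch:
            # Reported behaviour: the session outlives the role it was issued for.
            return session.role_at_issue == ADMIN
        if session.role_epoch != self.epochs[session.user]:
            # Role changed since the token was issued: drop the session
            # so the user has to sign in again under the new role.
            del self.sessions[token]
            return False
        return self.roles[session.user] == ADMIN

    def set_role(self, actor_token, target, role):
        """Admin-only operation; returns True if the change was applied."""
        if not self.is_admin(actor_token):
            return False
        self.roles[target] = role
        self.epochs[target] += 1  # invalidates every session issued before now
        return True


def demoted_admin_can_restore_role(check_epoch):
    """Replay the scenario from the issue; return (restore succeeded, final role)."""
    portal = Portal(check_epoch=check_epoch)
    portal.add_user("alice", ADMIN)
    portal.add_user("bob", ADMIN)
    alice, bob = portal.login("alice"), portal.login("bob")
    assert portal.set_role(alice, "bob", LIMITED)  # alice demotes bob
    restored = portal.set_role(bob, "bob", ADMIN)  # bob reuses his old session
    return restored, portal.roles["bob"]


if __name__ == "__main__":
    print("without epoch check:", demoted_admin_can_restore_role(False))
    print("with epoch check:   ", demoted_admin_can_restore_role(True))
```

Comparing a counter on every request avoids having to enumerate and delete a user's sessions at the moment the role changes, and it fails closed if a session is missed.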

Allow to backup Snikket

Hello,

I installed Snikket on a server and also installed the Snikket app through F-Droid. It all worked well.

I know Snikket is still on Alpha, but is it possible to allow backups?

To do this I think we should make the Docker volume available on the host. What is required to be backed up? On Prosody's documentation I read /etc/prosody, but maybe as Snikket already configures everything it is not needed and /var/lib/prosody is empty in the container.

However, there are plenty of files in /snikket. Should we back up this entire folder? Or maybe only subfolders like /snikket/prosody/chat.example.com/accounts?

I have never managed an XMPP server, but I think the only important thing is to have the accounts backed up so that users don't have to register themselves again.

For the moment I will configure the backups myself with Restic for /etc/prosody and entire /snikket folder.

Not able to create admin account - Invitation expired

I installed server using docker and when I try to create admin account I get message about invitation expired.

docker exec snikket create-invite --admin --group default

Server is running behind haproxy reverse proxy.

Cannot send pictures

Hi,
I installed snikket server on Debian 10 following instructions provided in the Quick Guide.
Server is working fine, I can chat with friends correctly but each time I try to send a picture it fails.

Is there any way to look at a log file to see what is happening?

Thanks!

The Welcome Plan

A popular request from admins is the ability to set the welcome message that is sent to users after account creation.

Known issues with the current welcome message flow:

  • It's not translated (currently no server strings are translated, this is something we want to fix in general)
  • Its handling in clients is not great, e.g. it pops up during the setup flow, potentially confusing people. It definitely confuses the automated tests (due to variations in timing).
  • It conflicts with the Android app's default behaviour of opening the "Start a conversation" screen after setup.
  • It comes from the server JID, which is weird
  • It bounces confusing delivery errors if replied to
  • It has no avatar
  • The email address in the message may not be the email address admins want people to use for support
  • It gets sent again after a password reset (#30)

The current goals of the welcome message are:

  • Give the user a friendly greeting, let them know they successfully registered on the server.
  • Give them a sample conversation/message to see how the app works
  • Provide an out-of-band contact method to reach the admin (for support, etc.)

People have requested:

  • Translation to the user's own language
  • The ability to override the advertised email address
  • The ability to share additional information (...what information exactly?)

Why not just make the welcome message fully editable by the admin:

  • Due to some of the issues above, the welcome message may be removed in the future.
  • It is not the best way to convey some kinds of information, especially information that the user may want to recall easily in the future (contact info, etc. could be built into the app).
  • Even if the message stays, we may want to update it from release to release, e.g. we have discussed adding an automatically-generated sign-in link for the web portal.

Next steps

We need to identify the kinds of information that Snikket itself needs to convey to people when they register a new account, and what kinds information an admin may want to additionally convey to the users. For each type of information, we need to figure out the best place for it. We then need to put effort into improving or removing the current welcome message.

Couldn't send message

Dear Admin
Couldn't send message: Server-to-server connection failed: Could not authenticate to remote server, we get error can't send messages but only receive messages from other xmpp systems.

Inbound traffic not filtered for restricted users

Restricted users cannot communicate out of the local server. However, inbound messages are not filtered. That should be changed to avoid weird one-way situations and also to fulfill one of the use cases (accounts for children) properly.

Some thought should go into how to respond to messages from remotes: it should not be possible to discern a non-existent account, an account which is restricted and an account which exists, but to which no presence subscription exists.

That basically only leaves "blackhole", which is not a good UX if the role is changed later, or if initial communication is attempted to be established.

I suggest however:

  • Blackhole all stanzas from foreign entities which are not in the roster of the restricted recipient.
  • Reply with an error stanza (and type="unsubscribed" presence potentially) to all stanzas from entities which are in the roster of the restricted recipient. This will provide a better UX for those on the other side of the blocking fence.

Running Snikket behind nginx-proxy-letsencrypt

Dear all,
first of all thank you for your work and this new project :)

I am having some trouble with the set up in my docker environment. I guess it could be a combination with the "nginx-proxy-letsencrypt" container for providing SSL certificates.

For the basic set up I followed the quick-start instructions over here https://snikket.org/service/quickstart/. I extended its environment variables with the parameters VIRTUAL_HOST=tld, LETSENCRYPT_HOST=tld and the VIRUTAL_PORT=8083. In the set up I cannot just use the ports 80 and 443 because they are used by the nginx-proxy-letsencrypt container for providing SSL certificates to other containers as well.

After deploying the container and generating an invite link with "sudo docker exec snikket create-invite --admin" I am able to open the link in a browser with a valid SSL certificate. Opening the invitation with the snikket Android App I cannot create the account and/or login. The message is "TLS-handling error".

The logs from the container are not helping me that much:
2020-06-05T08:33:05.938526444Z c2s563a12a8a4b0 info Client connected
2020-06-05T08:33:05.960633897Z c2s563a12a8a4b0 info Client disconnected: no shared cipher,

In my firewall I have opened the ports as mentioned here: https://github.com/snikket-im/snikket-server/blob/master/docs/advanced/firewall.md

docker-compose:

version: "3.3"

services:
  snikket:
    container_name: snikket
    image: snikket/snikket:alpha
    ports:
      - 5222:5222
      - 5269:5269
      - 5000:5000
      - 3478:3478
      - 3479:3479
      - 5349:5349
      - 5350:5350
      - 49152:49152
      - 8083:80
      - 5080:80
      - 5443:443
    env_file: snikket.conf
    restart: unless-stopped
    network_mode: host
    volumes:
      - snikket_data:/snikket
    network_mode: hostingnetwork
    hostname: snikketcontainer

volumes:
  snikket_data:

snikket.conf

# The primary domain of your Snikket instance
SNIKKET_DOMAIN=tld

# An email address where the admin can be contacted
# (also used to register your Let's Encrypt account to obtain certificates)
SNIKKET_ADMIN_EMAIL=user@tld

VIRTUAL_HOST=tld
LETSENCRYPT_HOST=tld
VIRUTAL_PORT=8083

SNIKKET_TWEAK_HTTP_PORT=5080
SNIKKET_TWEAK_HTTPS_PORT=5443

Could you please help me with my setup?
Best regards

Add an easily-discoverable section/page somewhere for listing supported XEP

Most XMPP software usually put an easily discoverable section titled Implemented XEPs (or similar) listing what they have implemented. This would be nice for Snikket too.

What motivates me to open this issue is wondering if Snikket supports XEP 0054, specifically its Description marker which, as I understand, can be used to set a status message/about text similar to WhatsApp/Signal.

The Circle Plan

In the beginning, there was a server, and everyone within the server saw each other.

Then, we implemented Circles, to allow multiple such groups of people within the same domain (separate your friends and family, etc.). To avoid major disruption, the transition to Circles was designed to keep the server operating exactly as before, for people who did not make any changes (such as creating new circles or modifying circle membership).

One thing we strongly want to avoid is a user being invited and having an empty contact list. As well as being a bad experience, such a scenario makes no sense for a Snikket server - which is designed with social relationships as a guiding principle.

For this reason we do not currently allow circle-less invitations.

That's the then and now. It was intended from the start that this circle-only design was just a first step, so now let's move on to the future.


New admin settings in web portal

  • Allow users to invite new users to join this Snikket instance
    • This controls the allow_user_invites and allow_contact_invites settings. Need a way to control and persist this setting (#57).

Required plumbing

  • Invited users are given the "Limited" role by default (#37).

Future
We want to be able to allow people to invite new users to circles as well. Within the app this can be an option in the menu of the circle's MUC.

Deleting doesn't change circle user count

I just experienced this today with a test user on my server.

Steps to reproduce:

  1. Create new individual invitation link via Admin > Manage Invitations
  2. Use the link to manually create new user
  3. Sign into a "legacy" XMPP client (Dino in this case)
  4. Send a test message to the circle
  5. Delete user via manage users

Expected:

User is removed from users and circle, and circle count decreases by one

Actual:

User is removed from users and circle, but the user count of the circle remains the same

Manage accounts through Web interface

Currently we need to create invitations through the command line.
As there is already a web page online, it could be more practical to allow admin users to log in to the Web interface and to manage users through it.

It could allow admin users to create accounts while being away from their computers, just with a simple smartphone for example, and share links with people while talking about Snikket instead of having to come home and SSH to the server.

Or maybe it is already possible on the Snikket mobile app?

Reverse proxy guide does not properly handle HTTP/HTTPS

The nginx reverse proxy guide proxies to the HTTP port only. This may cause a redirect loop because the built-in snikket proxy will try to redirect to HTTPS.

To make this work easily, we should update the guide to use:

  location / {
      proxy_pass https://localhost:5443/;
      proxy_set_header  Host            $host;
      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
      # REMOVE THIS IF YOU CHANGE `localhost` TO ANYTHING ELSE ABOVE
      proxy_ssl_verify              off;
      proxy_set_header X_FORWARDED_PROTO https;
      proxy_ssl_server_name on;
  }

for the SSL sections.

Q: Any security recommendation?

Hi all,

I just installed snikket and after containers upgrade the problem I had in #61 has been solved. Snikket works and looks fine.
The only questions I have now:

  • Are there any security recommendations I can apply after installation? For example:
    a) redirect http to https in nginx
    b) close some ports via iptables
    c) tune docker-compose.xml in order to limit interfaces for listening
    and so on...

Or is the basic installation quite safe and I have nothing to worry about?

Thanks

Actually destroy private rooms upon deleting associated circle

When one deletes a circle from the admin dashboard the associated group chat still persists in client applications. While this may be desired, there is no indication that the group chat is no longer functional. Additionally, users may still send messages in the group chat.

Steps to reproduce:

  1. Create a circle
  2. Observe associated group chat in client
  3. Delete circle
  4. Observe associated group chat still in client
  5. Successfully send messages within group chat

New users without published OMEMO keys break groups/circles

I created a self hosted server, everything worked fine.
When it started it creates a group named chat.myserver.com
But I added a user, mainly I have generated a link (using command line) [email protected], but the user has never joined the application.
I have deleted that user (using web interface).
Now it is impossible for users to send messages to the group chat.myserver.com. When I try it shows a screen asking to validate the fingerprints, but the user [email protected] is present in the list and it says "No valid key is available for this user. [....]".

Now nobody can send messages to that group but I can create other groups and add all the users.

Strange thing is that now this users appear twice in the android app, but when I open the web admin interface the user is not present.

Server : Debian 10

Add persistent settings API

There are certain settings that ought to be configurable via the web portal.

We need a simple API for fetching/updating these, a way to store them, and a way to apply them within Prosody.

Translate welcome message

Currently the welcome message is English-only, we need to come up with a workflow for snikket-server translation.

Reduce / make configurable the range of needed udp ports

Some appliances restrict the range of ports in a single port forwarding rule. This makes it difficult/impractical to comply with the required very large udp port range.

It would be nice to reduce that range and/or configure it based on real needs (e.g. max envisioned number of contemporary a/v calls).

The Domain Sharing Plan

People would like to use Snikket with JIDs @example.com while also having an existing website on example.com. This is currently tricky, particularly when Snikket is running on a different machine.

Things that need to happen:

  • Snikket needs to be able to separate the XMPP domain and the web domain.
  • We need to be able to overcome certificate issues (if example.com:80 is a website on a separate server, we can't easily get certificates for the XMPP domain)
    • Option 1) Respond to DNS challenges and instruct people to delegate via an _acme-challenge record
    • Option 2) Serve a self-signed certificate and instruct people to upload a POSH file (requires adding support in snikket-ios and snikket-server)
    • Option 3) Sit back and wait for Let's Encrypt/CABF to get moving on SRV support (cabforum/servercert#268) (reality: it may never happen for end-user certs)
    • Option 4) Sit back and wait for LE or another CA to get moving on STAR certificates

Federation status API

To build a future web portal UI for federation status/diagnostics, we need to expose an API. We don't currently have/store much of this data, so we'll need to do that as a first step.

Rough API/model overview:

  • List remote servers
    • This includes all remote domains federated with in the past 24 hours, regardless of current status
  • Per-domain federation status
    • Current status: Connected, Inactive, Error (this is actually the same as the most recent connection log entry result, or "connecting" if no result yet)
    • Connection log (last 3 connection attempts to the domain):
      • Entry:
        • Timestamp (initiated)
        • Result (when available): Connected, Disconnected cleanly, Disconnected with error
        • Result timestamp
        • Error details:
          • raw error name (from remote)
          • raw error text (from remote)
          • friendly text (generated locally)
  • Force close/connect (depending on state)
  • Block remote domain
  • List blocked domains
    • Allow unblock

systemd startup file

For restarting all services on OS reboot I added this file /etc/systemd/system/snikket.service for systemd. Feel free to integrate it somehow.

[Unit]
Description=Snikket service
After=docker.service
Requires=docker.service

[Service]
User=root
Group=root
TimeoutStartSec=0
RestartSec=10
Restart=always
WorkingDirectory=/etc/snikket
ExecStartPre=-/usr/local/bin/docker-compose down
ExecStart=/usr/local/bin/docker-compose up
ExecStop=/usr/local/bin/docker-compose down

[Install]
WantedBy=multi-user.target

Q: Do Audio/Video calls use direct connection after STUN/TURN?

Hi guys,

Sorry for that "issue spam", just want to ask where I can read about the calls logic that Snikket uses. I took a look at the explanation of what STUN is and checked the connection flow between two nodes. Do I understand it right, that a couple of Snikket applications use my own server in order to find their public IPs and establish a direct connection after that? So, the traffic doesn't flow through my or your server, correct?

What would happen if they couldn't find any option to establish a direct connection? Would they use my server as proxy then?

I'd appreciate if you can say a couple of words in regards to the audio/video calls logic. Couldn't find it in docs directory on github.

Thanks.

Potential future simplification of prosody repo task

Note for the future:

This way of adding the repo

- name: "Add Prosody package signing key"
  apt_key:
    url: "https://packages.prosody.im/debian/pubkey.asc"
- name: "Add Prosody package repo"
  apt_repository:
    repo: "deb https://packages.prosody.im/debian buster main"

could in the future be done by installing extrepo (available in Debian 11/bullseye or buster-backports) and then extrepo enable prosody.

Note: Doesn't work at the time of this writing because the entry for the Prosody repo in extrepo-data doesn't include bullseye. MR'd to update. Edit: Merged.

Snikket container is unhealthy

I'm trying to install my own server and use it with reverse_proxy. When I'm starting all containers the "snikket" got "unhealthy" after about 2 minutes and on my domains (via port 80) I see in browser the info that snikket is starting and obtaining certificates but it never ends. Same as for #40.

What should I check first in order to solve it? DNS are fine and I put configuration from reverse proxy in nginx config.

One more thing, in
ss -4 -na

output I see only 5080 port, but not 5443, despite having the lines

SNIKKET_TWEAK_HTTP_PORT=5080
SNIKKET_TWEAK_HTTPS_PORT=5443

in snikket.conf

Thanks in advance

Resetting the password will resend the welcome message

When you reset your password (I tried with a generated password reset link from Admin panel), the user will receive the "Welcome to snikket" message again.

It's not a big deal, but maybe this message could rather be some info that the password was changed?

Steps to reproduce:

  • Account is setup
  • Account is added to Snikket App (or any other client probably)
  1. Log in to Admin panel
  2. generate password reset link
  3. use password reset link
  4. Go back to snikket app and change password
  5. Snikket will connect
  6. Welcome Message is received again

Expected:
Nothing - or a warning/info that password was changed

Actual:
Same welcome message as before.
