Push notifications not working anymore with Let'sEncrypt server certificate after Sept 30 about chatsecure-ios HOT 5 CLOSED

For testing purposes, I removed the cross-signed "ISRG Root X1" root CA from my certificate file which is used by ejabberd. This means, my certificate file now only includes the server and the intermediate certificate ("R3"). This gives me an "A" rating here, the certificate is now accepted and there is no error visible anymore when ejabberd is connecting to the ChatSecure push server:

2021-10-24 16:29:31.744 [info] <0.544.0>@ejabberd_s2s_out:init:280 Outbound s2s connection started: sieber.systems -> pubsub.chatsecure.org
2021-10-24 16:29:33.053 [info] <0.544.0>@ejabberd_s2s_out:handle_auth_success:216 (tls|<0.544.0>) Accepted outbound s2s EXTERNAL authentication sieber.systems -> pubsub.chatsecure.org (45.55.5.246)
2021-10-24 16:29:35.001 [info] <0.545.0>@ejabberd_s2s_in:handle_auth_success:181 (tls|<0.545.0>) Accepted inbound s2s EXTERNAL authentication pubsub.chatsecure.org -> sieber.systems (::ffff:45.55.5.246)

But: notifications are still not working. I'll guess there are more problems with the ChatSecure push server, because notifications from my server are working fine with other apps like Monal or Siskin.

Bottom line: it seems that users of servers with Let'sEncrypt certificates will now have to switch to another XMPP client app. Thanks for your help.

from chatsecure-ios.

Did you regenerate the cert after Sep 30?

Also read https://blog.windfluechter.net/2021/09/29/letsencrypt-ca-chain-issues-with-ejabberd/

from chatsecure-ios.

Thanks for your answer. Yes, my server certificate was automatically renewed on Oct 02.

The link you've provided got me a little further. I've used https://xmpp.net/ to test my server: my certificate is issued by the (valid) "ISRG Root X1" root CA which is cross-signed with the old root CA "DST Root CA X3" which expired on Sept 30.

All modern browsers already trusts the "ISRG Root X1" by default. Shouldn't the ChatSecure push server do the same? It seems to me that it only trusts the old "DST Root CA X3". If I see that correctly, it is currently not possible to use push notifications with Let'sEncrypt certificates on ChatSecure.

(Disabling the "DST Root CA X3" on my server as recommended here did not make any difference)

from chatsecure-ios.

It should by it might not, that's the issue, the push server needs some sort of update.

from chatsecure-ios.

Just updated cert store and disabled DST Root CA X3. Can you check again?

p.s. this is a dupe of #1250, closing this in favor of the first reported issue

from chatsecure-ios.