“The Certificate does not match the expected identity of the Site”
Versions
- OS: Fedora 38
- Gajim version: 1.7.3
- GTK version: gtk3.x86_64 3.24.37-1.fc38, gtk4.x86_64 4.10.3-2.fc38
- Python-nbxmpp version: python3-nbxmpp.noarch 4.2.2-1.fc38
Steps to reproduce the problem
- have a pure Chat-Server xmpp.example.com (Prosody here), with “pure” I mean: the Webserver for the Domain example.com points to a different IP-Address
- have Cert from Let's Encrypt, containing only xmpp.example.com, because example.com is not reachable for certbot
- have DNS-Entries
  _xmpp-client._tcp.example.com. 3600 IN SRV 0 5 5222 xmpp.example.com.
  _xmpps-client._tcp.example.com. 3600 IN SRV 0 5 5223 xmpp.example.com.
- have a JID test123@example.com (not test123@xmpp.example.com)
Expected behavior
- Gajim should pick up the SRV-Entries and connect to xmpp.example.com, which it does 👍. I can recognize the Cert's Serial in the Pop-Up
- Gajim should accept the Cert for xmpp.example.com, without having to tick Connection/Hostname and to specify xmpp.example.com, as this is redundant with the SRV-Entry.
- Gajim should accept the Cert for xmpp.example.com at all
Actual behavior
Gajim complains:
“SSL-Certificate-Verification-Error
There was an Error while attempting to verify the SSL-Certificate of your XMPP-Server (example.com)
Identified Error
The Certificate does not match the expected identity of the Site”
Of course example.com is not in the Certificate. It cannot be there. My Understanding was, that this is the whole Point of the SRV-Entries.
Two additional Notes:
- “Conversations” works for me, even if I also have to specify the exact Servername. But at least it accepts the Cert then. (Issue there)
- Server2Server-Communication behaves exactly as it should. A Message from test456@jabber.de directed to test123@example.com knows which Server to contact, according to the SRV-Entries
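
An added illustration, not part of the original report and not Gajim or python-nbxmpp code: it models the setup above, where the name checked against the certificate is the JID's domain (example.com, as the error dialog shows) while the certificate lists only the SRV target. The matcher is a simplified DNS-name comparison (whole-label wildcard only), and the sample values are constructed from the report's placeholders.

```python
# Added illustration; not Gajim or python-nbxmpp code.
# Sample values constructed from the placeholders used in the report.
CERT_DNS_NAMES = ["xmpp.example.com"]   # names in the certificate
JID = "test123@example.com"
SRV_TARGET = "xmpp.example.com."        # target of the _xmpp-client._tcp SRV record


def jid_domain(jid: str) -> str:
    """Return the domain part of a JID of the form local@domain/resource."""
    bare = jid.split("/", 1)[0]          # drop the resource first
    return bare.split("@", 1)[-1].lower()


def dns_name_matches(cert_name: str, reference: str) -> bool:
    """Simplified DNS-name match: case-insensitive, label by label,
    with '*' accepted only as the complete leftmost label."""
    c = cert_name.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if len(c) != len(r):
        return False
    if c[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(c) > 2 and c[1:] == r[1:]
    return c == r


def cert_covers(cert_names, reference: str) -> bool:
    """True if any certificate name matches the reference name."""
    return any(dns_name_matches(n, reference) for n in cert_names)


def explain(cert_names, jid: str, srv_target: str):
    """Return (matches JID domain, matches SRV target).

    The two are reported separately: the JID domain is what the user typed,
    whereas an SRV answer fetched over plain DNS is unauthenticated.
    """
    return (cert_covers(cert_names, jid_domain(jid)),
            cert_covers(cert_names, srv_target))


if __name__ == "__main__":
    by_domain, by_target = explain(CERT_DNS_NAMES, JID, SRV_TARGET)
    print(f"reference = JID domain ({jid_domain(JID)}): match={by_domain}")
    print(f"reference = SRV target ({SRV_TARGET}): match={by_target}")
    # A certificate that also lists the JID domain satisfies both checks.
    print(explain(CERT_DNS_NAMES + ["example.com"], JID, SRV_TARGET))
```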