ejabberdctl request_certificate crashes #4267

svbergerem opened this issue Aug 16, 2024 · 4 comments

@svbergerem

Environment

  • ejabberd version: 24.07
  • Erlang version: Erlang (SMP,ASYNC_THREADS) (BEAM) emulator version 15.0.1
  • OS: Linux (Arch Linux)
  • Installed from: distro package

Errors from error.log/crash.log

12:36:38.730 [error] GenServer :ejabberd_acme terminating
** (stop) {:invalid_ejson, {"crv", "P-256"}}
    (jiffy 1.1.2) /build/ejabberd/src/ejabberd-24.07/deps/jiffy/src/jiffy.erl:91: :jiffy.encode/2
    (jose 1.11.10) src/json/jose_json_jiffy.erl:26: :jose_json_jiffy.encode/1
    (jose 1.11.10) src/jws/jose_jws.erl:134: :jose_jws.to_binary/1
    (jose 1.11.10) src/jws/jose_jws.erl:307: :jose_jws.sign/4
    (p1_acme 1.0.23) /build/ejabberd/src/ejabberd-24.07/deps/p1_acme/src/p1_acme.erl:923: :p1_acme.jose_json/3
    (p1_acme 1.0.23) /build/ejabberd/src/ejabberd-24.07/deps/p1_acme/src/p1_acme.erl:286: anonymous fn/1 in :p1_acme.request_new_account/1
    (p1_acme 1.0.23) /build/ejabberd/src/ejabberd-24.07/deps/p1_acme/src/p1_acme.erl:614: :p1_acme.http_request/3
    (p1_acme 1.0.23) /build/ejabberd/src/ejabberd-24.07/deps/p1_acme/src/p1_acme.erl:290: :p1_acme.request_new_account/1
Last message: {:"$gen_cast", {:request, ["conference.example.org", "example.org", "proxy.xmpp.example.org", "pubsub.xmpp.example.org", "upload.example.org"]}}

(replaced my domain by example.org)

Bug description

In addition to the error above, ejabberdctl request_certificate all (as well as ejabberdctl request_certificate "example.org") crashes as well:

Unhandled exception occurred executing the command:
** exception exit: {{{invalid_ejson,{<<"crv">>,<<"P-256">>}},
                   [{jiffy,encode,2,
                        [{file,
                             "/build/ejabberd/src/ejabberd-24.07/deps/jiffy/src/jiffy.erl"},
                         {line,91}]},
                    {jose_json_jiffy,encode,1,
                        [{file,"src/json/jose_json_jiffy.erl"},{line,26}]},
                    {jose_jws,to_binary,1,
                        [{file,"src/jws/jose_jws.erl"},{line,134}]},
                    {jose_jws,sign,4,
                        [{file,"src/jws/jose_jws.erl"},{line,307}]},
                    {p1_acme,jose_json,3,
                        [{file,
                             "/build/ejabberd/src/ejabberd-24.07/deps/p1_acme/src/p1_acme.erl"},
                         {line,923}]},
                    {p1_acme,'-request_new_account/1-fun-0-',1,
                        [{file,
                             "/build/ejabberd/src/ejabberd-24.07/deps/p1_acme/src/p1_acme.erl"},
                         {line,286}]},
                    {p1_acme,http_request,3,
                        [{file,
                             "/build/ejabberd/src/ejabberd-24.07/deps/p1_acme/src/p1_acme.erl"},
                         {line,614}]},
                    {p1_acme,request_new_account,1,
                        [{file,
                             "/build/ejabberd/src/ejabberd-24.07/deps/p1_acme/src/p1_acme.erl"},
                         {line,290}]}]},
                  {gen_server,call,
                      [ejabberd_acme,
                       {request,
                           [<<"example.org">>,<<"proxy.xmpp.example.org">>,
                            <<"pubsub.xmpp.example.org">>,
                            <<"conference.example.org">>,
                            <<"upload.example.org">>]},
                       600000]}}
   in function  gen_server:call/3 (gen_server.erl, line 1126)
   in call from ejabberd_acme:request_certificate/1 (src/ejabberd_acme.erl, line 491)
   in call from ejabberd_ctl:call_command/4 (src/ejabberd_ctl.erl, line 328)
   in call from ejabberd_ctl:try_call_command/4 (src/ejabberd_ctl.erl, line 289)
   in call from ejabberd_ctl:process2/4 (src/ejabberd_ctl.erl, line 229)
   in call from ejabberd_ctl:process/2 (src/ejabberd_ctl.erl, line 207)
   in call from erpc:execute_call/4 (erpc.erl, line 1250)

@prefiks
Member

prefiks commented Aug 20, 2024

I added processone/p1_acme@cd292d0 in the p1_acme library that I think will help with that error.

@knoelli

knoelli commented Sep 19, 2024

I get the same error as svbergerem reported here. Tried to fix it by recompiling ejabberd with the commit cd292d0 (and ef06ff8) to p1_acme, however, the problem still persists.

Output of ejabberdctl request_certificate all:

Unhandled exception occurred executing the command:
** exception exit: {{{invalid_ejson,{<<"crv">>,<<"P-256">>}},
                   [{jiffy,encode,2,
                        [{file,
                             "/build/ejabberd/src/ejabberd-24.07/deps/jiffy/src/jiffy.erl"},
                         {line,91}]},
                    {jose_json_jiffy,encode,1,
                        [{file,"src/json/jose_json_jiffy.erl"},{line,26}]},
                    {jose_jws,to_binary,1,
                        [{file,"src/jws/jose_jws.erl"},{line,134}]},
                    {jose_jws,sign,4,
                        [{file,"src/jws/jose_jws.erl"},{line,307}]},
                    {p1_acme,jose_json,3,
                        [{file,
                             "/build/ejabberd/src/ejabberd-24.07/deps/p1_acme/src/p1_acme.erl"},
                         {line,923}]},
                    {p1_acme,'-request_new_account/1-fun-0-',1,
                        [{file,
                             "/build/ejabberd/src/ejabberd-24.07/deps/p1_acme/src/p1_acme.erl"},
                         {line,286}]},
                    {p1_acme,http_request,3,
                        [{file,
                             "/build/ejabberd/src/ejabberd-24.07/deps/p1_acme/src/p1_acme.erl"},
                         {line,614}]},
                    {p1_acme,request_new_account,1,
                        [{file,
                             "/build/ejabberd/src/ejabberd-24.07/deps/p1_acme/src/p1_acme.erl"},
                         {line,290}]}]},
                  {gen_server,call,
                      [ejabberd_acme,
                       {request,
                           [<<"conversations.p***.de">>,
                            <<"pubsub.conversations.p***.de">>,
                            <<"conference.conversations.p***.de">>,
                            <<"proxy.conversations.p***.de">>,
                            <<"upload.conversations.p***.de">>]},
                       600000]}}
   in function  gen_server:call/3 (gen_server.erl, line 1126)
   in call from ejabberd_acme:request_certificate/1 (src/ejabberd_acme.erl, line 491)
   in call from ejabberd_ctl:call_command/4 (src/ejabberd_ctl.erl, line 328)
   in call from ejabberd_ctl:try_call_command/4 (src/ejabberd_ctl.erl, line 289)
   in call from ejabberd_ctl:process2/4 (src/ejabberd_ctl.erl, line 229)
   in call from ejabberd_ctl:process/2 (src/ejabberd_ctl.erl, line 207)
   in call from erpc:execute_call/4 (erpc.erl, line 1250)

@badlop
Member

badlop commented Sep 20, 2024

You could apply this debugging patch. It allows you to check if ejabberd is really using the patched p1_acme binaries, and also prints the arguments that provoke the crash:

diff --git a/src/p1_acme.erl b/src/p1_acme.erl
index 8e22352..211d52f 100644
--- a/src/p1_acme.erl
+++ b/src/p1_acme.erl
@@ -910,6 +910,7 @@ jose_json(#state{account = {Key, AccURL}, nonce = Nonce} = State, Data, URL) ->
 	     end,
     JwsMap0 = #{<<"nonce">> => Nonce,
 		<<"url">> => iolist_to_binary(URL)},
+    ?INFO_MSG("JOSE privkey: ~p~npubkey: ~p", [PrivKey, PubKey]),
     JwsMap = case AccURL of
 		 undefined ->
 		     {_, BinaryPubKey} = jose_jwk:to_binary(PubKey),
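Review bot: The added `?INFO_MSG("JOSE privkey: ~p~npubkey: ~p", [PrivKey, PubKey])` line writes the ACME account private key into the log at info level, and that log output is the kind of thing that gets pasted into an issue like this one. Log only `PubKey` here, which is enough to confirm that the patched module is loaded and to see the key structure that fails to encode. If `PrivKey` has to be printed for a one-off local run, redact it before sharing the output and remove the line afterwards.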
@@ -919,7 +920,7 @@ jose_json(#state{account = {Key, AccURL}, nonce = Nonce} = State, Data, URL) ->
 		     JwsMap0#{<<"kid">> => iolist_to_binary(AccURL)}
 	     end,
     JwsObj = jose_jws:from(maps:merge(JwsMap, AlgMap)),
-    ?DEBUG("JOSE payload: ~s~nJOSE protected: ~p", [Data, JwsObj]),
+    ?INFO_MSG("JOSE payload: ~s~nJOSE protected: ~p", [Data, JwsObj]),
     {_, JoseJSON} = jose_jws:sign(PrivKey, Data, JwsObj),
     encode_json(JoseJSON).
 
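Review bot: Switching `?DEBUG` to `?INFO_MSG` on the "JOSE payload / JOSE protected" line makes every signed ACME request print its full payload, nonce and URL at the default log level. For a debugging aid this is acceptable, but it should not stay in a build that keeps running. Either revert to `?DEBUG` once the failing arguments are captured, or leave the macro unchanged and raise the log level temporarily. The placement before `jose_jws:sign(PrivKey, Data, JwsObj)` is right, since that is the call the stack trace points at.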

@knoelli

knoelli commented Sep 20, 2024

Thank you for your input. You are right with your assumption, my test ejabberd was indeed compiled with a p1_acme version tagged 1.0.23 instead of the latest head, although I placed the current version in the deps directory. My mistake. Now with commits cd292d0 and ef06ff8 correctly applied during compilation, certificate renewal works as expected.
