Unable to connect to a prosody based server. (#528)
Closed
Unknown opened 3 years ago

Describe the bug: When the user tries to connect to our server from Siskin they get an error saying "It was not possible to contact XMPP server and sign in.", while the user can connect to the server using the Monal app. The server is hosted at emblik.studio. Earlier they used to log in without any issue. There is no configuration change on the server side.

Expected behavior: The user should be able to log in like they used to before.

Screenshots: [screenshot: error]

Details (please complete the following information):

  • Siskin Version: latest
  • iOS version: 15.2
Unknown commented 3 years ago

This server reports an invalid SSL certificate (one of the certificates in the chain sent by the server is expired). If I'm correct, the expired certificate is Digital Signature Trust Co., CN = DST Root CA X3, which Let's Encrypt was using for cross-signing certificates, and it should be removed from the certificate chain sent by the server.

Solution: fix the SSL certificates on this server.

Unknown commented 3 years ago

Can I request to make the error report be more descriptive of the problem?

Unknown commented 3 years ago

The error is for the end user and not for debugging of the server issues. It needs to be simple and explain the situation. In this case it is not possible to establish a connection to the XMPP server, and this is what the error message states.

Unknown commented 3 years ago

@hantu85 But the chain also holds a valid intermediate like "ISRG"? If yes, then your SSL lib should use that instead, no matter if DST is expired.

This is a known issue around the ecosystem (better said for Let's Encrypt users), since Sep 30.

Unknown commented 3 years ago

@hantu85 Is there any comment from you on the observation of @licaon-kter? I renewed the certs and it has the ISRG intermediate. I see no problem in other clients; Gajim, Conversations and Monal all work.

Also, regarding the error message, it would help both users and the sysadmins if the error were a bit more descriptive. It need not be complex. Just adding two words like "bad certificates" can help. Oftentimes sysadmins and people rely on the error message passed on by users. A generic message saying "app can't sign in" is not helpful.

Unknown commented 3 years ago

@raghu-kamath Actually, in the end, after debugging the app against the XMPP server used by you, I've found the cause of the issue to be DNS misconfiguration. (SSL certificates had nothing to do with it).

This server's domain name has an SRV record for _xmpps-client._tcp.:

_xmpps-client._tcp.emblik.studio has SRV record 0 5 5223 emblik.studio.

but there is no server listening on port 5223.

In a typical use case, Siskin IM will fall back to using port 5222; however, during account adding or account registration we are not sure that the server actually is there, so it fails fast after the initial try, which in your case points to port 5223 (due to your DNS configuration), which is not accessible for Siskin IM.

The solution here is simple: fix your DNS entries.
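A reachability check for the SRV-versus-listener mismatch described in this comment, added here as an example (not code from the Siskin project or from this thread). It parses SRV answers in the form `dig +short SRV` prints them, as in the record quoted above, probes each advertised target port over plain TCP, and reports records that DNS advertises but nothing answers on; the `_xmpp-client._tcp` record in the sample is an assumption, the sample data is constructed, and the live mode assumes `dig` is installed.

```python
import socket, subprocess, sys
from dataclasses import dataclass

SERVICES = ("_xmpp-client._tcp", "_xmpps-client._tcp")  # what an XMPP client looks up

@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str  # "." means "service explicitly not offered" (RFC 2782)

def parse_srv(rdata: str) -> Srv:
    """Parse SRV RDATA as `dig +short SRV` prints it, e.g. '0 5 5223 emblik.studio.'."""
    prio, weight, port, target = rdata.split()
    if target != ".":
        target = target.rstrip(".")
    return Srv(int(prio), int(weight), int(port), target)

def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect probe; a refused or timed-out connect counts as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def find_dangling(records: dict, probe=port_open) -> list:
    """Return (service, Srv) pairs that DNS advertises but nothing listens on.
    `records` maps a service label to its SRV RDATA lines; `probe` is injectable
    so the logic can be exercised on constructed data without network access."""
    dangling = []
    for service, lines in records.items():
        for srv in sorted(map(parse_srv, lines), key=lambda s: (s.priority, -s.weight)):
            if srv.target == ".":
                continue  # explicit "not available": nothing to probe
            if not probe(srv.target, srv.port):
                dangling.append((service, srv))
    return dangling

# Constructed sample mirroring the thread: XMPPS advertised on 5223, STARTTLS on 5222.
SAMPLE_RECORDS = {"_xmpps-client._tcp": ["0 5 5223 emblik.studio."],
                  "_xmpp-client._tcp": ["0 5 5222 emblik.studio."]}

if __name__ == "__main__":  # live mode, assumes `dig` is installed: python srvcheck.py <domain>
    domain, live = sys.argv[1], {}
    for svc in SERVICES:
        out = subprocess.run(["dig", "+short", "SRV", f"{svc}.{domain}"], capture_output=True, text=True).stdout
        live[svc] = [l for l in out.splitlines() if l.strip()]
    for svc, srv in find_dangling(live):
        print(f"{svc}.{domain} advertises {srv.target}:{srv.port} but nothing answers there")
```

Records are probed in priority order, so the output names the first target a client would actually try, which is the one that matters for a client that fails fast instead of falling back.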

Unknown commented 3 years ago

There is a server listening on 5222, so shouldn't it fall back to it?

Unknown commented 3 years ago

It would but not when the account is added or registered.

Unknown commented 3 years ago

Account is already created, the user is just trying to login to existing account.

Unknown commented 3 years ago

So he is adding it, and in this case, Siskin will not fall back.

The root cause here is DNS misconfiguration.

Unknown commented 3 years ago

So should I remove the configuration? It doesn't have any issue with other clients.

Unknown commented 3 years ago

Advertisement of XMPPS for your server, which is not offering it, is incorrect. It should be removed!

Unknown commented 3 years ago

Removing it solved the issue.

But I think the error message should give more hints, since initially we thought this was a cert error. With a correct message it will help sysadmins know what is breaking.

Type: Bug
Reference: tigase/_clients/siskin-im#528