Matrix - synapse

I requested the letsencrypt cert on the LOCAL vm but it should work with reverse proxy and notls option too. I’m going to test and report.

Hi @mrmarkuz

I copied the TLS cert I requested in the name of LOCAL on my main server to the LOCAL server. I checked it and now it is the one offered by LOCAL.

When I tried to join a room of LOCAL Matrix-Synapse from https://riot.im/app, I still get:

Invalid signature for server matrix.org with key ed25519:a_RXGa: Unable to verify signature for matrix.org: <class 'nacl.exceptions.BadSignatureError'> Signature was forged or corrupt

Michel-André

Sorry, I can’t reproduce the error, it just works here, even with a reverse proxy providing the cert and forwarding to my local VM.
Is your matrix-synapse installation up to date? I use version 1.41.1.
See upgrade instructions and the install section in this howto.

It seems you are using well-known delegation, maybe there’s an issue? I’m going to test…

Hi @mrmarkuz,

Everything is up to date.

I will install a new NS on a new VM and start all over.

Thank you for your great support,

Michel-André

1 Like

Hi @mrmarkuz

It’s getting better.

But I can join #synapse:matrix.org.

From my site, if I invite @michelandre:matrix.org he receives the invitation.

When he clicks to respond:

If he clicks again:

In .well-known I tried 8448, 443 and nothing: same problem.

Michel-André

Hi @mrmarkuz,

I just received an answer from the GitHub matrix-org/synapse forum which is very interesting.

@micronator: If you’re the same person that asked this question in #synapse, then your logs showed that something upstream of your server (Apache, presumably, or possibly Cloudflare) was replacing %40 with @ in the request URI of incoming requests (and %3A with : ), hence invalidating the signature made by the sending server.

Because I even tried with both NoDecode and nocanon, now I suspect Cloudflare.

...
##### RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
RequestHeader set X-Forwarded-Proto "https"
AllowEncodedSlashes NoDecode
ProxyPreserveHost on
ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon
...

I have another domain name without Cloudflare, I will start all over again and see what will happen,

Michel-André

1 Like

Cool, try without Cloudflare, share what you find, then revert to Cloudflare on the same.

I took out the redirection of DNS to Cloudflare and now it is directly from ionos.fr.

I created a room #salon-mar:mozilla.org at https://chat.mozilla.org/.
https://riot.im/ sees it in the search and it can join it.
My chat site doesn’t see it in the search but it can join it.

In this room, I am able to send to https://riot.im/ and to https://chat.mozilla.org/ but I can not receive from them.

** Unable to decrypt: The sender's device has not sent us the keys for this message. **
Request encryption keys from your other sessions.?

I requested the keys but there is nothing happening.

I copied the fullchain key and private key in /opt/synapse and indicated their paths in homeserver.yaml, restarted httpd and matrix-synapse. Nothing changed.

In the homeserver.log, always same problem:

2021-09-06 13:42:24,462 - synapse.federation.transport.server._base - 267 - WARNING - GET-484 - authenticate_request failed: 401: Invalid signature for server matrix.org with key ed25519:a_RXGa: Unable to verify signature for matrix.org: <class 'nacl.exceptions.BadSignatureError'> Signature was forged or corrupt

This morning someone was writing about:

RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}

This doesn't work, it has to be:

RequestHeader set X-Forwarded-Proto "https"

I will take a pause for a while,

Michel-André

Maybe it just takes some time to get the keys?

From github:

The keys haven’t arrived yet. Patience you must have.

1 Like

If it is not encrypted, it took 3 minutes to receive the message from https://riot.im/ and https://chat.mozilla.org/

Michel-André

1 Like

In one case from https://chat.mozilla.org it took 8 minutes.

Also, when not encrypted, I see %3A (the character ":") in the log when receiving something from https://chat.mozilla.org.

So the nocanon is working if not encrypted.

Why is it not working when encrypted?

Michel-André

I enabled well-known delegation and closed port 8448 and now I get the same errors even if I open the port again…really weird.

1 Like

The default for well-known is 8448. The federation will use 8448 if you put no port.
What happens if you put in 443?

What kind of DNS record did you use for the main domain, A or CNAME?
I tried both and the federation test gives different results.

History of the development

My main domain is toto-dev.org. For Matrix Synapse I use chat.toto-dev.org and for mail, www, etc, I use mail.chat.micronator.dev.org, www.chat.toto-dev.org, etc.

I was wondering if it makes a difference as for my documentation of 2021-03 (which was working correctly) I was using chat.toto-dev.org, and no chat for mail.toto-dev.org, www.toto-dev.org, etc.

I am using the domain differently as now I want to use Mattermost, Discourse, Matrix Synapse and Jitsi Meet all running at the same time in VMs on the LOCAL network and all using a single suffix domain.

Mattermost uses mattermost.toto-dev.org, Discourse uses discourse.toto-dev.org and Jitsi Meet uses jitsi.toto-dev.org.

I can run Mattermost, Discourse, and Jitsi Meet at the same time. Both Mattermost and Discourse have a link to Jitsi Meet - all is working correctly.

To be able to include Matrix Synapse with this trio, I changed all the CNAMEs for Matrix Synapse to cname.matrix.toto-dev.org.

In 2021-03 I was using PostgreSQL-12 so I wouldn't have to update for a long time and all was working correctly. I was using Element and Riot.
I didn't use PostgreSQL-13 as at that time the libraries for it were not available.

This time, I use PostgreSQL-13 as the libraries are now available.

At first I had a problem because the recommended installation wants to use postgresql-devel as a prerequisite. The psql was from PostgreSQL-9 and came into conflict with psql-13.
I resolved the problem by creating an add-on file for the profile so as to include the folder of psql-13 in $PATH. All is working correctly.

Also, I wanted to use chat.toto-dev.org instead of toto-dev.org/element.
So I created a virtualhost for Element and another one for Riot.

I have LDAP, Captcha, Terms of use, new users with name or mail address, etc…
Even with a link to my Jitsi Meet, all is working correctly except for the Federation (the show stopper).

I have been working on all four applications since March.

So close to the goal, I absolutely want to solve this last problem of Federation.

Michel-André

3 Likes

OK, now sometimes it works, sometimes I get badsignature error and sometimes error when joining room, no matter what config. Maybe the config changes are problematic or it’s some browser cache issue. I’m going to test…

matrix.example.org. 10    IN      CNAME   example.org.
example.org.        10    IN      A       1.2.3.4
1 Like

Hi @mrmarkuz,

In 2021-03, I used the same DNS records as yours and it was working. For the new one, I tried both ways, with and without A.

For the caches, when I do a change of any parameter I always clear the Windows cache with ipconfig /flushdns and all the browser history and data caches then restart both httpd and matrix-synapse.

I had joining a room working only a very few times, then never after. In all cases the search always displayed that it didn't find the room, but after clicking the Join button, it joins the room. Same thing for an invitation of someone to join a discussion.

Last night, for a test, I put the below two lines directly in almost all of the files in /etc/httpd/conf.d. Then I saw a lot of %3A in the log file and almost no “:”. Also much less bad signing key.

RequestHeader set X-Forwarded-Proto "https"
AllowEncodedSlashes NoDecode

For what I want to achieve, the only difference I see with Mattermost is the Federation. But it's so flaky that I don't know if it's worth the effort.

Michel-André

OK, with open port 8448 and no delegation it seems working.
I had an issue because I use a reverse proxy from my Nethserver to the synapse VM and port forwarding 8448 from my firewall to the VM. I had a server alias on the Nethserver (that is my DNS server) for my matrix domain so internal DNS provided the wrong server (Nethserver instead of the synapse VM) for 8448, therefore the port forwarding failed for internal devices. In other words a split DNS issue.

Could this be an issue?
If you use a virtualhost for chat.toto-dev.org it may interfere with the synapse virtualhost.
Can you reach https://chat.toto-dev.org:8448 ?

1 Like

Hi @mrmarkuz,

Can you explain "no delegation", is it no .well-known/matrix/master?

Michel-André

Yes, with open port 8448 you don’t need a .well-known/matrix/master

1 Like

Do you have a SRV record ?

Michel-André

No. SRV or well-known is only needed for delegation AFAIK.
Delegation is needed if you can’t open port 8448 or if you like to have users like user@toto-dev.org while using chat.toto-dev.org as matrix domain.

1 Like
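The last few posts turn on how a remote homeserver decides where to connect: port 8448 by default, a .well-known file or SRV record only when delegating. The following added example (not from the thread or from Synapse) implements that server-name resolution order offline, following the Matrix server-server spec: IP literal or explicit port first, then .well-known delegation (m.server, itself allowing an explicit port or SRV), then SRV, then the hostname on 8448. The lookup tables are constructed stand-ins for HTTPS and DNS; the domain names reuse the thread's placeholders.

```python
import ipaddress
import json
from typing import Callable, Optional, Tuple

DEFAULT_PORT = 8448

# (host to connect to, port, value to send in the Host header)
Target = Tuple[str, int, str]

# Constructed stand-ins for a GET of https://<host>/.well-known/matrix/server and
# for an SRV lookup (_matrix-fed._tcp then _matrix._tcp). A real resolver would
# fetch and query these; here they are plain dicts so the example runs offline.
WELL_KNOWN = {
    "toto-dev.org": '{"m.server": "chat.toto-dev.org:443"}',   # delegated, explicit port
    "delegated-default.org": '{"m.server": "chat.delegated-default.org"}',  # no port -> 8448
    "broken.org": "<html>not json</html>",                      # invalid -> ignored
}
SRV = {
    "example.org": ("matrix.example.org", 8448),
}


def _split_host_port(name: str) -> Tuple[str, Optional[int]]:
    """Split 'host', 'host:port' or '[v6]:port'; port is None when absent."""
    if name.startswith("["):
        host, _, rest = name[1:].partition("]")
        return host, (int(rest[1:]) if rest.startswith(":") else None)
    host, sep, port = name.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return name, None


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _parse_well_known(body: Optional[str]) -> Optional[str]:
    """Return the m.server value, or None when the file is absent or malformed."""
    if body is None:
        return None
    try:
        value = json.loads(body).get("m.server")
    except (ValueError, AttributeError):
        return None
    return value if isinstance(value, str) and value else None


def resolve_server_name(server_name: str,
                        well_known: Callable[[str], Optional[str]] = WELL_KNOWN.get,
                        srv: Callable[[str], Optional[Tuple[str, int]]] = SRV.get) -> Target:
    host, port = _split_host_port(server_name)
    if _is_ip_literal(host):                     # 1. IP literal, port or 8448
        return host, port or DEFAULT_PORT, server_name
    if port is not None:                         # 2. explicit port, no delegation
        return host, port, server_name
    delegated = _parse_well_known(well_known(host))
    if delegated:                                # 3. .well-known delegation
        d_host, d_port = _split_host_port(delegated)
        if _is_ip_literal(d_host):
            return d_host, d_port or DEFAULT_PORT, delegated
        if d_port is not None:
            return d_host, d_port, delegated
        rec = srv(d_host)
        if rec:
            return rec[0], rec[1], d_host
        return d_host, DEFAULT_PORT, d_host      # no port given -> 8448
    rec = srv(host)                              # 4. SRV delegation
    if rec:
        return rec[0], rec[1], host
    return host, DEFAULT_PORT, host              # 5. plain hostname on 8448


if __name__ == "__main__":
    for name in ("chat.toto-dev.org", "toto-dev.org", "delegated-default.org",
                 "example.org", "broken.org", "1.2.3.4", "toto-dev.org:443"):
        print(f"{name:24} -> {resolve_server_name(name)}")
```

The `chat.toto-dev.org` case is the "open 8448, no delegation" setup mrmarkuz describes: no .well-known, no SRV, so peers simply connect to the host itself on 8448. The `toto-dev.org` cases show why putting a port in `m.server` matters: without one, the delegated host is still expected on 8448.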