By default, CrtFile and KeyFile properties have empty values. In this case, nethserver-base generates a self-signed certificate during nethserver-base-update event.
Default SELinux-aware certificate locations are:
/etc/pki/tls/private/NSRV.key : private key
/etc/pki/tls/certs/NSRV.crt : CA certificate
A daily cron job checks certificate validity. If expired, the self-signed certificate is re-generated and certificate-update event is signaled.
Default certificate duration is set to 365 days. To change it:
db configuration setprop pki CertificateDuration 3650
/etc/pki/tls/certs/NSRV.crt : CA certificate
QUESTION:
Does it imply that NethServer is considered as a Certificate Authority or that by default the installation would set this value and later, when requesting a Let’s Encrypt certificate, this value would be replaced by the installation of the new certificate?
For instance nethserver-httpd adds the following template configuration:
Does this setting denote a server private key used for server ↔ server communication, with /etc/pki/tls/certs/localhost.crt used as the public key?
What about /etc/pki/tls/private/NSRV.key and /etc/pki/tls/certs/NSRV.crt?
What is used for server ↔ server communication: localhost.crt / localhost.key or NSRV.crt / NSRV.key?
Is it possible that NSRV.crt / NSRV.key are used with the self-signed certificate and localhost.crt / localhost.key with a Let’s Encrypt certificate?
A daily cron job checks certificate validity. If expired, the self-signed certificate is re-generated and certificate-update event is signaled.
Default certificate duration is set to 365 days. To change it:
db configuration setprop pki CertificateDuration 3650
On a fresh NethServer installation:
NethServer default certificate
Validity
Not Before: Mar 1 00:10:38 2021 GMT
Not After : Feb 27 00:10:38 2031 GMT
QUESTION:
Would these numbers (365 / 3650) be reversed?
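To see how the 365 / 3650 question can be settled from the certificate itself, here is an added example (not NethServer code and not from the post) that parses the Validity block shown above, as printed by `openssl x509 -noout -text`, computes the lifetime in days, and classifies the certificate the way a daily expiry job would. The sample block and the 30-day warning threshold are constructed for the example.

```python
"""Parse an openssl 'Validity' block and check certificate expiry.

Added example: the sample text below is the Validity block quoted in the
post, reformatted with openssl's usual two-space padding of the day.
"""
import re
from datetime import datetime, timezone

# Constructed sample input (matches the dates shown in the post).
SAMPLE_VALIDITY = """\
Validity
    Not Before: Mar  1 00:10:38 2021 GMT
    Not After : Feb 27 00:10:38 2031 GMT
"""

# Matches both 'Not Before:' and 'Not After :' lines.
_DATE_RE = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_validity(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for which, raw in _DATE_RE.findall(text):
        raw = " ".join(raw.split())          # collapse openssl's padding
        if raw.endswith(" GMT"):
            raw = raw[:-4]
        dt = datetime.strptime(raw, "%b %d %H:%M:%S %Y")
        found[which] = dt.replace(tzinfo=timezone.utc)
    if "Before" not in found or "After" not in found:
        raise ValueError("Validity block is missing Not Before / Not After")
    return found["Before"], found["After"]


def duration_days(text):
    """Lifetime of the certificate in whole days (3650 for the sample)."""
    not_before, not_after = parse_validity(text)
    return (not_after - not_before).days


def check_expiry(text, now=None, warn_days=30):
    """Classify the certificate as a daily cron check would.

    Returns 'not_yet_valid', 'expired', 'expiring' (fewer than warn_days
    left) or 'ok'. `now` defaults to the current UTC time.
    """
    not_before, not_after = parse_validity(text)
    now = now or datetime.now(timezone.utc)
    if now < not_before:
        return "not_yet_valid"
    if now >= not_after:
        return "expired"
    if (not_after - now).days < warn_days:
        return "expiring"
    return "ok"


if __name__ == "__main__":
    print("lifetime in days:", duration_days(SAMPLE_VALIDITY))
    print("status today:", check_expiry(SAMPLE_VALIDITY))
```

Run against a live file with `openssl x509 -in /etc/pki/tls/certs/NSRV.crt -noout -text | python3 this_script.py` after replacing the sample with `sys.stdin.read()`; the sample above yields exactly 3650 days, which is the value `CertificateDuration 3650` would produce.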
AFAIK Matrix-Synapse / Federation must have a ‘real’ certificate. So you either use LetsEncrypt or another official certificate. You can not use a self signed certificate to make federation work.
Copy Let’s Encrypt LOCAL with acme.sh to main server and assign it to redirected domains
Request Let’s Encrypt for my Matrix domain + CNAMEs on main server and assign it to redirected domains on main server.
Copy Let’s Encrypt for my Matrix domain + CNAMEs on main server to LOCAL
On main server, I request Let’s Encrypt for main server including LOCAL domains and assign it to redirected domains
Copy Let’s Encrypt for main server including LOCAL domains to LOCAL
Send an invitation to join room on my Matrix-Synapse site to myself logged in at matrix.org:
I receive the invitation at matrix.org but when I tried to join, matrix.org said:
Invalid signature for server matrix.org with key ed25519:0: Unable to verify signature for matrix.org: <class 'nacl.exceptions.BadSignatureError'> Signature was forged or corrupt
Invalid signature for server mozilla.org with key ed25519:0: Unable to verify signature for mozilla.org: <class 'nacl.exceptions.BadSignatureError'> Signature was forged or corrupt
At matrix.org or at mozilla.org, if I search for @my-user-name:FQDN-my-matrix-site to join a room, matrix.org or mozilla.org finds me and displays my name.
When I click Invite:
Failed to make_join via any server
At matrix.org, if I invite myself with my mail address, I receive the email, respond, and I can join the Room.
I saw somewhere that Matrix doesn’t support SNI.
Maybe that is the reason and it is not possible to have a LOCAL redirected site??? But I don’t think so.
Because I have a few domains on my main server and I do not want to disturb it too much, in the request for Let’s Encrypt for main server including LOCAL domains, I kept FQDN of my main server as the first domain.
Maybe I should try to put my Matrix-Synapse domain FQDN as the first one???
Everything else with my Matrix-Synapse LOCAL site is working correctly with any of the above Let’s Encrypt certificates using either Firefox or TOR…
Again, thank you for your support.
Michel-André
EDIT:
I use https://192.168.1.75 when redirecting to LOCAL, should I use http instead of https?
Note, specifying a port is optional. If no port is specified, then it defaults to 8448.
With .well-known delegation, federating servers will check for a valid TLS certificate for the delegated hostname (in our example: synapse.example.com).
In /var/www/html/.well-known/matrix/server I had:
{ "m.server": "matrix.micronator-dev.org:443" }
I changed to:
{ "m.server": "matrix.micronator-dev.org" }
As Matrix-Synapse is using port 8448 for server ↔ server communication, and as the note says "If no port is specified, then it defaults to 8448", then removing 443 resolved the problem.
Unbelievable, now everything works properly: LDAP, new users, Community, Room, Captcha, Terms & Conditions, invitations, mail, Federation, and all the bells and whistles.
Now it’s possible to have a fully functioning Matrix-Synapse running on a LOCAL NethServer.
Total victory, let us raise the banner of victory.
Thanks a lot for your support. It was your how-to and your last post that encouraged me not to give up and to continue my quest, even though I had been looking for the solution for several days (weeks).
For the Matrix-Synapse community, I do not know if that is THE solution, as even in their video: https://www.youtube.com/watch?v=dDddKmdLEdg at 12:05 they use :443 in the .well-known/matrix/server file. But since their site in the video is hosted at matrix.org, there’s no problem for them to invite & join etc… With my site I was also able to search Room, invite & join.
I will update my document: 701-01, start a new one for Rooms, and then the third one will be for Jitsi, which is the one that is the most interesting…
Once again, thank you and @capote a thousand times for your support.
Michel-André
P.S. My site is down as I am adjusting my documentation. When it is finished I will send you a note.
EDIT:
I will enable the Captcha, the Terms & Conditions, etc… It will be a very good test if you are able to create a new account, receive the mail, etc…
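The fix above hinges on how a federating server reads the `m.server` value of /.well-known/matrix/server: `host[:port]`, with 8448 assumed when no port is given, and a TLS certificate valid for the delegated hostname expected on that port. The following is an added example, not Synapse code and not from the thread, that parses both versions of the file quoted above and reports the host, port and certificate name a federating peer would end up using. It applies only the rule stated in the Synapse note quoted above; the SRV record lookup that the full Matrix resolution algorithm also performs when no port is given is intentionally left out, and the two JSON documents are taken from the post as samples.

```python
"""Resolve a /.well-known/matrix/server document to a federation target.

Added example following the note quoted above: the optional port in
m.server defaults to 8448, and the TLS certificate presented on that port
must be valid for the delegated hostname. SRV lookup is not modelled.
"""
import json

DEFAULT_FEDERATION_PORT = 8448

# Samples taken from the post: the file before and after the fix.
WELL_KNOWN_BEFORE = '{ "m.server": "matrix.micronator-dev.org:443" }'
WELL_KNOWN_AFTER = '{ "m.server": "matrix.micronator-dev.org" }'


def parse_m_server(value):
    """Split 'host[:port]' into (host, port, port_was_explicit).

    Handles bracketed IPv6 literals such as '[2001:db8::1]:8448' so that
    the colons inside the address are not mistaken for the port separator.
    """
    value = value.strip()
    if not value:
        raise ValueError("m.server is empty")
    if value.startswith("["):                      # IPv6 literal
        end = value.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal in m.server")
        host, rest = value[: end + 1], value[end + 1:]
    else:
        host, sep, port_text = value.partition(":")
        rest = sep + port_text
    if not host:
        raise ValueError("m.server has no hostname")
    if not rest:
        return host, DEFAULT_FEDERATION_PORT, False
    if not rest.startswith(":") or not rest[1:].isdigit():
        raise ValueError("malformed port in m.server: %r" % rest)
    port = int(rest[1:])
    if not 1 <= port <= 65535:
        raise ValueError("port out of range in m.server: %d" % port)
    return host, port, True


def federation_target(well_known_text):
    """Parse the document and describe where a peer will connect.

    'tls_name' is the name the presented certificate must cover: the
    delegated hostname, not the domain that served the .well-known file.
    """
    try:
        doc = json.loads(well_known_text)
    except ValueError as exc:
        raise ValueError("well-known document is not valid JSON: %s" % exc)
    server = doc.get("m.server") if isinstance(doc, dict) else None
    if not isinstance(server, str):
        raise ValueError("well-known document has no string 'm.server' key")
    host, port, explicit = parse_m_server(server)
    return {"host": host, "port": port, "explicit_port": explicit,
            "tls_name": host.strip("[]")}


if __name__ == "__main__":
    for label, text in (("before", WELL_KNOWN_BEFORE), ("after", WELL_KNOWN_AFTER)):
        t = federation_target(text)
        print("%s: connect to %s:%d (port %s), certificate must cover %s"
              % (label, t["host"], t["port"],
                 "explicit" if t["explicit_port"] else "default 8448",
                 t["tls_name"]))
```

With the "before" document a peer connects to port 443, where the reverse-proxied web site answers rather than the federation listener; with the "after" document it connects to 8448, matching the port Synapse actually federates on, which is why removing `:443` made the signature errors disappear.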