element-hq / synapse

Synapse: Matrix homeserver written in Python/Twisted.
https://element-hq.github.io/synapse
GNU Affero General Public License v3.0

Synapse Homeserver Installation fails the Matrix Federation Test #17364

Open mherfurt opened 5 months ago

mherfurt commented 5 months ago

Description

I am trying to run a Synapse server on my Kubernetes cluster. Therefore, I am using the currently latest official container (version 1.109.0) from Docker Hub in combination with an official PostgreSQL container. The server is reverse-proxied by HAProxy (with SSL offloading) using a Let's Encrypt certificate.

After being able to register a user on this server using the flatpak version of the Element client on Linux, I tried logging in with the Android Element app from the Google Play store. On Android, the Element client rejects the server name claiming that the entered server name "is not a valid matrix server address".

From what I found out, the Android version of the Element app relies on the Federation API, which brought me to the Matrix Federation Tester website, where my server fails the test. In the JSON report of the test, it is stated that the server, which seems to be addressed by its IP address, does not respond with HTTP response code 200, which might have to do with the fact that Let's Encrypt does not issue SSL certificates for IP addresses, and therefore a connection to the server via its IP address fails due to certificate validation.

The next thing I tried was to switch from serving well-known info to having an SRV record for the server... same negative result.

Is it even possible to host a federated Synapse homeserver with Let's Encrypt certificates?

Please find a slightly obfuscated JSON report from the tester below:

{
  "WellKnownResult": {
    "m.server": "mydomain.com:443",
    "CacheExpiresAt": 0
  },
  "DNSResult": {
    "SRVSkipped": true,
    "SRVCName": "",
    "SRVRecords": null,
    "SRVError": null,
    "Hosts": {
      "hxz.one": {
        "CName": "mydomain.com.",
        "Addrs": [
          "1.2.3.4"
        ],
        "Error": null
      }
    },
    "Addrs": [
      "1.2.3.4:443"
    ]
  },
  "ConnectionReports": {},
  "ConnectionErrors": {
    "1.2.3.4:443": {
      "Message": "Non-200 response 404 from remote server"
    }
  },
  "Version": {
    "name": "Synapse",
    "version": "1.109.0"
  },
  "FederationOK": false
}

Steps to reproduce

Homeserver

another homeserver

Synapse Version

1.109.0

Installation Method

Docker (matrixdotorg/synapse)

Database

I am using a single PostgreSQL server

Workers

Single process

Platform

The deployment is done on a microk8s cluster running Ubuntu Server 24.04 LTS

Configuration

No response

Relevant log output

2024-06-26 16:26:56,750 - synapse.access.http.8008 - 473 - INFO - GET-28 - 94.237.61.73 - 8008 - {None} Processed request: 0.000sec/-0.000sec (0.000sec, 0.000sec) (0.000sec/0.000sec/0) 26B 200 "GET /.well-known/matrix/server HTTP/1.1" "Go-http-client/2.0" [0 dbevts]
2024-06-26 16:26:56,924 - synapse.access.http.8008 - 473 - INFO - GET-29 - 94.237.61.73 - 8008 - {None} Processed request: 0.000sec/0.001sec (0.001sec, 0.000sec) (0.000sec/0.000sec/0) 49B 200 "GET /_matrix/federation/v1/version HTTP/1.1" "Go-http-client/2.0" [0 dbevts]

Anything else that would be useful to know?

The firewall log shows a third connection from 94.237.61.73 that is not passed to the HAProxy backend due to the issues described above.
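Added example (not code from the issue or from Synapse): a small Python model of the Matrix server discovery steps for the cases that come up in this thread. With a well-known entry of "mydomain.com:443", as in the report above, the connection is opened to whatever that hostname resolves to (here 1.2.3.4), but the Host header and the TLS certificate check use the delegated hostname, not the IP address; the server names and well-known bodies below are constructed, and DNS/SRV lookups are left to the caller.

```python
import ipaddress
import json
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class FederationTarget:
    connect_host: str   # hostname (or IP literal) to resolve and connect to
    connect_port: int
    host_header: str    # value of the HTTP Host header
    tls_name: str       # name the presented certificate must be valid for
    needs_srv: bool     # True if an SRV lookup of connect_host is still required

def _split_host_port(name: str) -> Tuple[str, Optional[int]]:
    # Bracketed IPv6 literal, e.g. "[::1]:8448"
    if name.startswith("["):
        host, _, rest = name[1:].partition("]")
        return host, (int(rest[1:]) if rest.startswith(":") else None)
    host, sep, port = name.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return name, None

def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def resolve(server_name: str, well_known_body: Optional[str]) -> FederationTarget:
    """Model of the Matrix server-name resolution: IP literal / explicit port,
    then .well-known delegation, then SRV fallback (port 8448)."""
    host, port = _split_host_port(server_name)
    # IP literal or explicit port: connect directly; Host is the full server name,
    # the certificate must match the host part (an IP literal only in that case).
    if _is_ip(host) or port is not None:
        return FederationTarget(host, port or 8448, server_name, host, False)
    # Well-known delegation: m.server decides where to connect and which name to verify.
    if well_known_body is not None:
        try:
            delegated = json.loads(well_known_body)["m.server"]
        except (ValueError, KeyError, TypeError):
            delegated = None
        if isinstance(delegated, str) and delegated:
            dhost, dport = _split_host_port(delegated)
            if _is_ip(dhost) or dport is not None:
                return FederationTarget(dhost, dport or 8448, delegated, dhost, False)
            return FederationTarget(dhost, 8448, dhost, dhost, True)  # SRV on delegated name
    # No usable well-known: SRV lookup of the server name itself, then port 8448.
    return FederationTarget(host, 8448, host, host, True)
```

A "Non-200 response 404" in the tester output therefore means the TLS handshake against the delegated name succeeded and the HTTP request itself was answered with 404, which is a routing or configuration problem rather than a certificate one.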

stephanedupont commented 2 months ago

Hi @mherfurt, I'm in the same situation, did you manage to solve this?

mherfurt commented 2 months ago

Nope... did give up, eventually.

stephanedupont commented 2 months ago

I fixed it by adding the following line to homeserver.yaml:

public_baseurl: https://matrix.mydomain.com/

Without it, the well-known returned a "404".

mherfurt commented 2 months ago

Unfortunately, this didn't fix the issue I am having.