Closed ponfertato closed 1 day ago
synapse=# \d e2e_room_keys
Table "public.e2e_room_keys"
Column | Type | Collation | Nullable | Default
---------------------+---------+-----------+----------+---------
user_id | text | | not null |
room_id | text | | not null |
session_id | text | | not null |
version | bigint | | not null |
first_message_index | integer | | |
forwarded_count | integer | | |
is_verified | boolean | | |
session_data | text | | not null |
Indexes:
"e2e_room_keys_room_id" btree (room_id)
"e2e_room_keys_with_version_idx" UNIQUE, btree (user_id, version, room_id, session_id)
synapse=# \d e2e_room_keys_versions
Table "public.e2e_room_keys_versions"
Column | Type | Collation | Nullable | Default
-----------+----------+-----------+----------+---------
user_id | text | | not null |
version | bigint | | not null |
algorithm | text | | not null |
auth_data | text | | not null |
deleted | smallint | | not null | 0
etag | bigint | | |
Indexes:
"e2e_room_keys_versions_idx" UNIQUE, btree (user_id, version)
ERROR: relation "room_keys" does not exist at character 15
STATEMENT: select * from room_keys;
ERROR: relation "key_backups" does not exist at character 15
STATEMENT: select * from key_backups;
synapse=# select * from e2e_room_keys_versions;
user_id | version | algorithm | auth_data | deleted | etag
--------------------------------+---------+----------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+------
@<USER_ONE>:potatoenergy.ru | 2 | m.megolm_backup.v1.curve25519-aes-sha2 | {"public_key":"<EDIT>","signatures":{"@<USER_ONE>:potatoenergy.ru":{"ed25519:KDETVOBTKA":"<EDIT>","ed25519:FDUCWWGAKB":"<EDIT>","ed25519:VcScmR5edfhYW8bgVK6RNoBVsmWkeyVRaN87O0fmhxI":"<EDIT>","ed25519:MRASKJNEOU":"<EDIT>"}}} | 0 | 59
@ponfertato:potatoenergy.ru | 1 | m.megolm_backup.v1.curve25519-aes-sha2 | {"public_key":"<EDIT>","signatures":{"@ponfertato:potatoenergy.ru":{"ed25519:KWMORYTWEU":"<EDIT>"}}} | 1 | 6
@<USER_TWO>:potatoenergy.ru | 1 | m.megolm_backup.v1.curve25519-aes-sha2 | {"public_key":"<EDIT>","signatures":{"@<USER_TWO>:potatoenergy.ru":{"ed25519:JGJLOTMEKY":"<EDIT>","ed25519:Yz8bti9B/unDrHbjUbwn31NIHyUhJGO/qPziWRqhMlw":"<EDIT>"}}} | 0 | 3
@<USER_ONE>:potatoenergy.ru | 1 | m.megolm_backup.v1.curve25519-aes-sha2 | {"public_key":"<EDIT>","signatures":{"@<USER_ONE>:potatoenergy.ru":{"ed25519:KDETVOBTKA":"<EDIT>"}}} | 1 | 6
(4 rows)
2024-11-13 09:26:43,595 - synapse.http.server - 130 - INFO - GET-213 - <XForwardedForRequest at 0xffff913f7050 method='GET' uri='/_matrix/client/v3/room_keys/version' clientproto='HTTP/1.1' site='8008'> SynapseError: 404 - No backup found
2024-11-13 09:26:43,599 - synapse.access.http.8008 - 473 - INFO - GET-213 - <EDIT> - 8008 - {@ponfertato:potatoenergy.ru} Processed request: 0.013sec/0.002sec (0.001sec, 0.002sec) (0.001sec/0.004sec/1) 67B 404 "GET /_matrix/client/v3/room_keys/version HTTP/1.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0" [0 dbevts]
2024-11-13 09:26:43,764 - synapse.storage.SQL - 468 - DEBUG - GET-214 - [SQL] {get_e2e_room_keys_version_info-2b5} SELECT MAX(version) FROM e2e_room_keys_versions WHERE user_id=? AND deleted=0
2024-11-13 09:26:43,769 - synapse.storage.SQL - 468 - DEBUG - prune_old_user_ips-68 - [SQL] {_prune_old_user_ips-2b6} DELETE FROM user_ips WHERE last_seen IN ( SELECT last_seen FROM user_ips WHERE last_seen <= ? ORDER BY last_seen ASC LIMIT 5000 )
2024-11-13 09:26:43,775 - synapse.storage.SQL - 473 - DEBUG - GET-214 - [SQL values] {get_e2e_room_keys_version_info-2b5} ('@ponfertato:potatoenergy.ru',)
2024-11-13 09:26:43,776 - synapse.storage.SQL - 473 - DEBUG - prune_old_user_ips-68 - [SQL values] {_prune_old_user_ips-2b6} (1729070803759,)
2024-11-13 09:26:43,787 - synapse.storage.SQL - 494 - DEBUG - prune_old_user_ips-68 - [SQL time] {_prune_old_user_ips-2b6} 0.007188 sec
2024-11-13 09:26:43,799 - synapse.storage.SQL - 494 - DEBUG - GET-214 - [SQL time] {get_e2e_room_keys_version_info-2b5} 0.022402 sec
After looking at the tables, I did not find that it writes new users there. At one point (apparently while adjusting the configuration on a live server) I broke something, which is why indexing stopped working.
It seems like what I changed (a test to disable the built-in login system, all sorts of encryption settings in the rooms, and a test to connect workers to split up tasks) should not have affected this in any way; however, I'm not sure what can be done about it except to recreate the database. But I would not like to lose the rooms that have already been created.
In the end I resorted to desperate measures and decided to clear these tables with the following commands:
TRUNCATE TABLE e2e_room_keys_versions;
TRUNCATE TABLE e2e_room_keys;
Then on startup Synapse asked me to correct some stream_positions; I cleaned them up with the following commands:
DELETE FROM stream_positions WHERE stream_name = 'receipts';
DELETE FROM stream_positions WHERE stream_name = 'events';
DELETE FROM stream_positions WHERE stream_name = 'to_device';
DELETE FROM stream_positions WHERE stream_name = 'account_data';
DELETE FROM stream_positions WHERE stream_name = 'presence_stream';
After that the server started up and... as soon as I added the resource again:
...
listeners:
  - bind_addresses: ['0.0.0.0'] # I've changed the configuration a little bit here
    port: 8008
    resources: # and here
      - compress: false
        names: [openid, keys]
      - compress: true
        names: [client, federation]
    tls: false
    type: http
    x_forwarded: true
...
Deleting accounts via OIDC finally worked (using a token, but only from the web version for some reason), but the keys are still not written (I logged out of all my sessions, logged in again from Element Desktop, but when I tried to reset the keys, the situation repeated itself). I'm not sure what else the problem could be related to.
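As an added illustration (not code from the issue or from Synapse), the following Python model reproduces the lookup behind the "404 - No backup found" in the log above. The logged query SELECT MAX(version) FROM e2e_room_keys_versions WHERE user_id=? AND deleted=0 finds no live row for a user whose only backup version carries deleted=1, so GET /_matrix/client/v3/room_keys/version answers M_NOT_FOUND and a client has to POST a new version. The row contents and user ids are constructed placeholders shaped like the table dump, and the rule that a new version is numbered one above the highest existing version (deleted rows included) is an assumption of this example, consistent with one user above holding a deleted v1 next to a live v2.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

ALGORITHM = "m.megolm_backup.v1.curve25519-aes-sha2"


@dataclass
class VersionRow:
    """One row of e2e_room_keys_versions (columns as in the psql output)."""
    user_id: str
    version: int
    algorithm: str
    auth_data: dict
    deleted: int = 0   # smallint in the table: 1 marks a soft-deleted backup
    etag: int = 0


# Constructed rows (placeholders, not the issue's data): the reporter's only
# backup version is soft-deleted; user_one has a deleted v1 and a live v2.
ROWS = [
    VersionRow("@user_one:example.org", 2, ALGORITHM, {"public_key": "<placeholder>"}, deleted=0, etag=59),
    VersionRow("@reporter:example.org", 1, ALGORITHM, {"public_key": "<placeholder>"}, deleted=1, etag=6),
    VersionRow("@user_one:example.org", 1, ALGORITHM, {"public_key": "<placeholder>"}, deleted=1, etag=6),
]


def current_backup_version(rows, user_id: str) -> Optional[int]:
    """Mirror of the logged query:
    SELECT MAX(version) FROM e2e_room_keys_versions WHERE user_id=? AND deleted=0
    None means the user has no live backup, which Synapse reports as 404."""
    live = [r.version for r in rows if r.user_id == user_id and r.deleted == 0]
    return max(live) if live else None


def get_version(rows, user_id: str) -> Tuple[int, dict]:
    """Server side of GET /_matrix/client/v3/room_keys/version (simplified)."""
    v = current_backup_version(rows, user_id)
    if v is None:
        return 404, {"errcode": "M_NOT_FOUND", "error": "No backup found"}
    row = next(r for r in rows if r.user_id == user_id and r.version == v)
    return 200, {"version": str(v), "algorithm": row.algorithm,
                 "auth_data": row.auth_data, "etag": str(row.etag)}


def create_version(rows, user_id: str, algorithm: str, auth_data: dict) -> Tuple[int, dict]:
    """Server side of POST /_matrix/client/v3/room_keys/version (simplified).
    Assumption: the new number is one above the highest version the user ever
    had, deleted rows included, so old backups are never reused."""
    existing = [r.version for r in rows if r.user_id == user_id]
    new_version = (max(existing) if existing else 0) + 1
    rows.append(VersionRow(user_id, new_version, algorithm, auth_data))
    return 200, {"version": str(new_version)}


def ensure_backup(rows, user_id: str, auth_data: dict) -> Tuple[str, str]:
    """Client side: on M_NOT_FOUND a well-behaved client creates a new backup
    instead of giving up; returns ("existing"|"created", version)."""
    status, body = get_version(rows, user_id)
    if status == 200:
        return "existing", body["version"]
    if status == 404 and body.get("errcode") == "M_NOT_FOUND":
        status, body = create_version(rows, user_id, ALGORITHM, auth_data)
        return "created", body["version"]
    raise RuntimeError(f"unexpected response {status}: {body}")


if __name__ == "__main__":
    rows = list(ROWS)
    print(get_version(rows, "@reporter:example.org"))      # 404, No backup found
    print(ensure_backup(rows, "@reporter:example.org", {"public_key": "<new-placeholder>"}))
    print(get_version(rows, "@reporter:example.org"))      # 200, version "2"
    print(ensure_backup(rows, "@user_one:example.org", {"public_key": "<placeholder>"}))
```

The point of the model is that a deleted=1 row is invisible to the version lookup but still occupies its version number, so a 404 on GET after a reset or TRUNCATE is the expected state, not the fault: the server is waiting for the client's POST.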
Hmm, I'd expect that GET /room_keys/version will return 404 once you've deleted the tables. Clients should then try and create a new backup via POST /room_keys/version, so I'd be interested to know if you see any such requests?
What does your element web say about the status of key backups (in the security + privacy section of settings)?
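One way to answer the question above from the access log, as an added example that is not part of the thread: a parser for lines in the synapse.access.http format shown in the first comment, which extracts the user, method, path and status, lists every request to the key-backup API, and reports whether any POST to /room_keys/version was seen for a given user. The log lines embedded in the block are constructed to match that format; user ids and addresses are placeholders.

```python
import re
from collections import Counter
from typing import Optional

# Matches "synapse.access.http.*" lines of the shape in the first comment:
# ... - {<user>} Processed request: ... <bytes>B <status> "<METHOD> <path> HTTP/x.y" ...
ACCESS_RE = re.compile(
    r'^(?P<ts>\S+ \S+) - synapse\.access\.http\.\S+ - \d+ - \w+ - (?P<req>[A-Z]+-\d+) - '
    r'(?P<ip>\S+) - \S+ - \{(?P<user>[^}]*)\} Processed request: .*? '
    r'(?P<bytes>\d+)B (?P<status>\d{3}) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"'
)

# Constructed sample lines (not from the issue): the 404 on GET, followed by the
# POST a well-behaved client should issue to create a fresh backup, a key upload,
# and an unrelated /sync request. The first line is a non-access line to skip.
SAMPLE_LINES = [
    '2024-11-13 09:26:43,595 - synapse.http.server - 130 - INFO - GET-213 - <XForwardedForRequest ...> SynapseError: 404 - No backup found',
    '2024-11-13 09:26:43,599 - synapse.access.http.8008 - 473 - INFO - GET-213 - 203.0.113.5 - 8008 - {@alice:example.org} Processed request: 0.013sec/0.002sec (0.001sec, 0.002sec) (0.001sec/0.004sec/1) 67B 404 "GET /_matrix/client/v3/room_keys/version HTTP/1.1" "Mozilla/5.0" [0 dbevts]',
    '2024-11-13 09:26:44,102 - synapse.access.http.8008 - 473 - INFO - POST-214 - 203.0.113.5 - 8008 - {@alice:example.org} Processed request: 0.031sec/0.004sec (0.002sec, 0.002sec) (0.003sec/0.010sec/3) 15B 200 "POST /_matrix/client/v3/room_keys/version HTTP/1.1" "Mozilla/5.0" [0 dbevts]',
    '2024-11-13 09:26:44,350 - synapse.access.http.8008 - 473 - INFO - PUT-215 - 203.0.113.5 - 8008 - {@alice:example.org} Processed request: 0.040sec/0.005sec (0.002sec, 0.003sec) (0.004sec/0.012sec/4) 30B 200 "PUT /_matrix/client/v3/room_keys/keys?version=2 HTTP/1.1" "Mozilla/5.0" [0 dbevts]',
    '2024-11-13 09:26:45,001 - synapse.access.http.8008 - 473 - INFO - GET-216 - 203.0.113.5 - 8008 - {@alice:example.org} Processed request: 0.120sec/0.010sec (0.005sec, 0.005sec) (0.010sec/0.050sec/8) 4096B 200 "GET /_matrix/client/v3/sync?timeout=30000 HTTP/1.1" "Mozilla/5.0" [2 dbevts]',
]


def parse_access_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one access-log line, or None for other lines."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["route"] = rec["path"].split("?", 1)[0]   # path without the query string
    return rec


def room_keys_requests(lines) -> list:
    """Every parsed request that touches the key-backup API (/room_keys/...)."""
    out = []
    for line in lines:
        rec = parse_access_line(line)
        if rec and "/room_keys/" in rec["route"]:
            out.append(rec)
    return out


def backup_creation_attempted(lines, user_id: str) -> bool:
    """Did this user POST /room_keys/version, i.e. try to create a new backup?"""
    return any(
        r["method"] == "POST" and r["route"].endswith("/room_keys/version") and r["user"] == user_id
        for r in room_keys_requests(lines)
    )


def summarize(lines) -> Counter:
    """Count (method, route, status) triples for the key-backup endpoints."""
    return Counter((r["method"], r["route"], r["status"]) for r in room_keys_requests(lines))


if __name__ == "__main__":
    for (method, route, status), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{n:3d}  {method:5s} {route} -> {status}")
    print("backup creation attempted:", backup_creation_attempted(SAMPLE_LINES, "@alice:example.org"))
```

Run it against the real homeserver log by feeding the file's lines to summarize() and backup_creation_attempted(): a log that shows only the GET with 404 and never a POST points at the client side, while a POST that fails points at the server.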
> Hmm, I'd expect that GET /room_keys/version will return 404 once you've deleted the tables. Clients should then try and create a new backup via POST /room_keys/version, so I'd be interested to know if you see any such requests?
I reinstalled my Synapse instance again and faced the same problem; even after slightly changing the configuration (I switched to MAS + Authelia) the problem persists - the backup keys are not saved on the server side (at the same time, after a reset, even cross-signing should not be initialized, since the server keys cannot be obtained).
---
admin_contact: mailto:mail@potatoenergy.ru
admin_users:
  - '@ponfertato:potatoenergy.ru'
  - '@ponfertato:matrix.org'
alias_creation_rules:
  - action: allow
allow_device_name_lookup_over_federation: false
allow_profile_lookup_over_federation: false
allow_public_rooms_over_federation: true
allow_public_rooms_without_auth: true
allowed_avatar_mimetypes: ["image/png", "image/jpeg", "image/gif"]
auto_join_rooms:
  - '#channel:potatoenergy.ru'
  - '#general:potatoenergy.ru'
  - '#local:potatoenergy.ru'
  - '#potatoenergy:matrix.org'
  - '#room:potatoenergy.ru'
auto_join_rooms_for_guests: false
autocreate_auto_join_rooms: true
autocreate_auto_join_rooms_federated: false
background_updates:
  sleep_enabled: false
caches:
  cache_autotuning:
    max_cache_memory_usage: 1024M
    min_cache_ttl: 5m
    target_cache_memory_usage: 758M
  global_factor: 0.5
  per_cache_factors:
    get_users_who_share_room_with_user: 2
  sync_response_cache_duration: 5m
database:
  args:
    cp_max: 20
    cp_min: 10
    database: synapse
    host: postgres
    password: <EDIT>
    user: matrix
  name: psycopg2
  txn_limit: 20000
dynamic_thumbnails: true
email:
  app_name: Matrix
  client_base_url: https://chat.potatoenergy.ru/
  enable_notifs: true
  enable_tls: false
  invite_client_location: https://chat.potatoenergy.ru/
  notif_for_new_users: false
  notif_from: Your %(app)s homeserver <noreply@potatoenergy.ru>
  smtp_host: mailhog
  smtp_port: 1025
  subjects:
    email_validation: '[%(server_name)s] Validate your email'
    invite_from_person: '[%(app)s] %(person)s has invited you to chat on %(app)s...'
    invite_from_person_to_room: '[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s...'
    message_from_person: '[%(app)s] You have a message on %(app)s from %(person)s...'
    message_from_person_in_room: '[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room...'
    messages_from_person: '[%(app)s] You have messages on %(app)s from %(person)s...'
    messages_from_person_and_others: '[%(app)s] You have messages on %(app)s from %(person)s and others...'
    messages_in_room: '[%(app)s] You have messages on %(app)s in the %(room)s room...'
    messages_in_room_and_others: '[%(app)s] You have messages on %(app)s in the %(room)s room and others...'
    password_reset: '[%(server_name)s] Password reset'
  validation_token_lifetime: 15m
enable_authenticated_media: true
enable_media_repo: true
enable_metrics: true
enable_registration: false
enable_registration_without_verification: false
enable_set_avatar_url: true
enable_set_displayname: true
encryption_enabled_by_default_for_room_type: invite
event_cache_size: 10K
experimental_features:
  msc3266_enabled: true
  msc3861:
    account_management_url: http://mas:8080/account
    admin_token: <EDIT>
    client_auth_method: client_secret_basic
    client_id: 0000000000000000000SYNAPSE
    client_secret: <EDIT>
    enabled: true
    issuer: http://mas:8080/
  msc4108_enabled: true
federation:
  client_timeout: 180s
  destination_max_retry_interval: 12h
  destination_min_retry_interval: 1m
  destination_retry_multiplier: 5
  max_long_retries: 20
  max_long_retry_delay: 100s
  max_short_retries: 5
  max_short_retry_delay: 7s
federation_client_minimum_tls_version: '1.2'
federation_sender_instances:
  - synapse-federation
forget_rooms_on_leave: true
forgotten_room_retention_period: 1d
form_secret: <EDIT>
gc_thresholds: [700, 10, 10]
inhibit_user_in_use_error: false
instance_map:
  main:
    host: synapse
    port: 9093
ip_range_blacklist:
  - 127.0.0.0/8
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
  - 100.64.0.0/10
  - 192.0.0.0/24
  - 169.254.0.0/16
  - 192.88.99.0/24
  - 198.18.0.0/15
  - 192.0.2.0/24
  - 198.51.100.0/24
  - 203.0.113.0/24
  - 224.0.0.0/4
  - '::1/128'
  - fe80::/10
  - fc00::/7
  - 2001:db8::/32
  - ff00::/8
  - fec0::/10
limit_remote_rooms:
  admins_can_join: true
  complexity: 0.5
  enabled: true
listeners:
  - port: 8008
    resources:
      - compress: true
        names: [client, federation]
    tls: false
    type: http
    x_forwarded: true
  - port: 9000
    type: metrics
  - port: 9093
    resources:
      - names: [replication]
    tls: false
    type: http
log_config: /data/log.config
login_via_existing_session:
  enabled: false
macaroon_secret_key: <EDIT>
max_event_delay_duration: 24h
max_image_pixels: 35M
max_upload_size: 100M
media_retention:
  local_media_lifetime: 30d
  remote_media_lifetime: 7d
media_store_path: /data/media
metrics_flags:
  known_servers: true
password_config:
  enabled: false
pid_file: /data/homeserver.pid
presence:
  enabled: true
  include_offline_users_on_sync: false
public_baseurl: https://matrix.potatoenergy.ru/
push:
  enabled: true
  include_content: false
  jitter_delay: 10s
rc_message:
  burst_count: 30
  per_second: 0.5
redis:
  enabled: true
  host: redis
  password: <EDIT>
registration_shared_secret: <EDIT>
remote_media_download_burst_count: 200M
remote_media_download_per_second: 40K
report_stats: false
retention:
  allowed_lifetime_max: 1y
  allowed_lifetime_min: 1d
  default_policy:
    max_lifetime: 1y
    min_lifetime: 1d
  enabled: true
  purge_jobs:
    - interval: 12h
      longest_max_lifetime: 3d
    - interval: 1d
      shortest_max_lifetime: 3d
room_list_publication_rules:
  - action: allow
room_prejoin_state:
  additional_event_types:
    - m.room.name
    - m.room.avatar
  disable_default_event_types: false
send_federation: false
serve_server_wellknown: true
server_name: potatoenergy.ru
signing_key_path: /data/signing.key
suppress_key_server_warning: true
thumbnail_sizes:
  - height: 32
    method: crop
    width: 32
  - height: 96
    method: crop
    width: 96
  - height: 240
    method: scale
    width: 320
trusted_key_servers:
  - server_name: potatoenergy.ru
  - server_name: matrix.org
  - server_name: vector.im
turn_allow_guests: false
turn_password: <EDIT>
turn_uris:
  - stun:stun.cloudflare.com:3478
  - turn:turn.cloudflare.com:3478?transport=udp
  - turn:turn.cloudflare.com:3478?transport=tcp
  - turns:turn.cloudflare.com:5349?transport=tcp
turn_user_lifetime: 1h
turn_username: <EDIT>
ui_auth:
  session_timeout: 5m
url_preview_accept_language:
  - ru-RU,ru;q=0.8
  - en-US;q=0.5
  - en;q=0.3
url_preview_enabled: true
url_preview_ip_range_blacklist:
  - 127.0.0.0/8
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
  - 100.64.0.0/10
  - 192.0.0.0/24
  - 169.254.0.0/16
  - 192.88.99.0/24
  - 198.18.0.0/15
  - 192.0.2.0/24
  - 198.51.100.0/24
  - 203.0.113.0/24
  - 224.0.0.0/4
  - '::1/128'
  - fe80::/10
  - fc00::/7
  - 2001:db8::/32
  - ff00::/8
  - fec0::/10
url_preview_url_blacklist:
  - scheme: http
  - netloc: ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
user_directory:
  enabled: true
  prefer_local_users: true
  search_all_users: false
  show_locked_users: false
web_client_location: https://chat.potatoenergy.ru/
worker_replication_secret: <EDIT>
#synapse-federation
---
worker_app: synapse.app.federation_sender
worker_log_config: /data/log.config
worker_name: synapse-federation
#synapse-worker
---
worker_app: synapse.app.generic_worker
worker_listeners:
  - port: 8081
    resources:
      - compress: true
        names: [client, federation]
    tls: false
    type: http
    x_forwarded: true
worker_log_config: /data/log.config
worker_name: synapse-worker
---
account:
  password_registration_enabled: false
branding:
  imprint: null
  logo_uri: null
  policy_uri: null
  service_name: null
  tos_uri: null
clients:
  - client_auth_method: client_secret_basic
    client_id: 0000000000000000000SYNAPSE
    client_secret: <EDIT>
database:
  connect_timeout: 30
  database: mas
  host: postgres
  idle_timeout: 600
  max_connections: 10
  max_lifetime: 1800
  min_connections: 0
  password: <EDIT>
  username: matrix
email:
  from: '"Matrix Authentication Service" <support@potatoenergy.ru>'
  hostname: mailhog
  mode: plain
  port: 1025
  reply_to: '"Matrix Authentication Service" <support@potatoenergy.ru>'
  transport: smtp
experimental:
  access_token_ttl: 86400
  compat_token_ttl: 86400
http:
  issuer: https://potatoenergy.ru/
  listeners:
    - binds:
        - address: '[::]:8080'
      name: web
      proxy_protocol: false
      resources:
        - name: discovery
        - name: human
        - name: oauth
        - name: compat
        - name: graphql
        - name: assets
    - binds:
        - host: localhost
          port: 8081
      name: internal
      proxy_protocol: false
      resources:
        - name: health
  public_base: https://mas.potatoenergy.ru/
  trusted_proxies:
    - 192.168.0.0/16
    - 172.16.0.0/12
    - 10.0.0.0/10
    - 127.0.0.1/8
    - fd00::/8
    - '::1/128'
matrix:
  endpoint: http://synapse:8008
  homeserver: potatoenergy.ru
  secret: <EDIT>
passwords:
  enabled: false
policy:
  authorization_grant_entrypoint: authorization_grant/violation
  client_registration_entrypoint: client_registration/violation
  data:
    admin_users:
      - <EDIT>
    client_registration:
      allow_insecure_uris: true
      allow_missing_contacts: true
  email_entrypoint: email/violation
  password_entrypoint: password/violation
  register_entrypoint: register/violation
  wasm_module: /usr/local/share/mas-cli/policy.wasm
templates:
  assets_manifest: /usr/local/share/mas-cli/manifest.json
  path: /usr/local/share/mas-cli/templates/
  translations_path: /usr/local/share/mas-cli/translations/
upstream_oauth2:
  providers:
    - claims_imports:
        displayname:
          action: suggest
          template: "{{ user.name }}"
        email:
          action: suggest
          set_email_verification: always
          template: "{{ user.email }}"
        localpart:
          action: require
          template: "{{ user.preferred_username }}"
      client_id: matrix
      client_secret: <EDIT>
      discovery_mode: insecure
      human_name: Authelia
      id: 000000000000000000AVTHE11A
      issuer: https://auth.potatoenergy.ru
      scope: "openid profile email"
      token_endpoint_auth_method: client_secret_basic
secrets:
  encryption: <EDIT>
  keys: <EDIT>
---
http:
  routers:
    ...
    mas:
      entryPoints:
        - websecure
      middlewares:
        - corsHeaders
        - error-pages
        - securityHeaders
      rule: Host(`mas.potatoenergy.ru`) || Host(`potatoenergy.ru`) && PathPrefix(`/.well-known/openid-configuration`)
      tls:
        certResolver: letsencrypt
        options: default
    synapse:
      entryPoints:
        - websecure
      middlewares:
        - corsHeaders
        - error-pages
        - securityHeaders
      rule: Host(`matrix.potatoenergy.ru`) || Host(`potatoenergy.ru`) && (PathPrefix(`/_matrix/`) || PathPrefix(`/_synapse/`) || PathPrefix(`/.well-known/matrix/`))
      service: synapse
      tls:
        certResolver: letsencrypt
        options: default
    ...
---
tls:
  options:
    ...
    default:
      cipherSuites:
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      curvePreferences:
        - X25519
        - CurveP256
        - CurveP384
        - CurveP521
      minVersion: VersionTLS12
      sniStrict: true
    ...
---
http:
  middlewares:
    ...
    securityHeaders:
      headers:
        browserXssFilter: true
        customResponseHeaders:
          Referrer-Policy: same-origin
          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
          X-Content-Type-Options: nosniff
          X-Frame-Options: SAMEORIGIN
          X-XSS-Protection: 1; mode=block
        contentTypeNosniff: true
        forceSTSHeader: true
        frameDeny: true
        hostsProxyHeaders:
          - Host
          - X-Real-IP
          - X-Forwarded-Host
          - X-Forwarded-For
          - X-Forwarded-Proto
        sslProxyHeaders:
          X-Forwarded-Proto: https
        sslRedirect: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 63072000
    corsHeaders:
      headers:
        accessControlAllowCredentials: true
        accessControlAllowOriginList:
          - "*"
        # accessControlAllowOriginListRegex:
        #   - ^(.*\.)?potatoenergy\.ru$
        accessControlAllowHeaders:
          - Accept
          - Authorization
          - Client-Security-Token
          - Content-Type
          - Origin
          - X-Requested-With
        accessControlAllowMethods:
          - DELETE
          - GET
          - OPTIONS
          - POST
          - PUT
        accessControlMaxAge: 100
        addVaryHeader: true
    ...
...
> What does your element web say about the status of key backups (in the security + privacy section of settings)?
I apologize for the delayed response; above is a screenshot of the requests, as you can see:
Accordingly, no encryption settings are saved (for some reason, because they are sent to the server...)
Description
Good afternoon. I encountered a problem where it is impossible to back up keys between client and server: the ability to create a backup copy of encryption keys does not work, but exporting and transferring them between devices works. Probably something is broken in my configuration, but I can't figure out what it is. Having tried different third-party clients (SchildiChat, Cinny, Element Web Dev), the error is the same, but nothing abnormal is found in the logs (p.s. the address /_matrix/client/v3/room_keys/version itself works, but, for some reason, accessing it gives error 404). Probably the problem with the OIDC authorization system is also because of this, because after the problem with keys it stopped allowing me to manually reset sessions. I have attached the Synapse server log; no anomalies were encountered in the database logs.
It also constantly complains about the GET method /_matrix/client/unstable/org.matrix.msc2965/auth_issuer, but these problems are probably somehow interrelated...
Steps to reproduce
Homeserver
https://potatoenergy.ru
Synapse Version
{"server_version":"1.118.0"}
Installation Method
Other (Docker Compose)
Database
PostgreSQL (single, not ported, not restored)
Workers
Single process
Platform
distro: Armbian Bookworm (aarch64)
hardware: Rockchip RK3566 OPi 3B (ARM Cortex-A55)
container (docker): ghcr.io/element-hq/synapse:latest (sha256:713a1525d4d35892a9ebd82f0ffdbf9c82bfcd01add13b4cdc3d2fcac474d564)
Configuration
Synapse Config:
Self-hosted Element Web Config:
Traefik Config:
Relevant log output
Anything else that would be useful to know?
Screenshots