kamax-matrix / mxisd

Federated Matrix Identity Server
GNU Affero General Public License v3.0

SSL Error | Third party certificate could not be checked #111

Closed (palmtown closed this issue 5 years ago)

palmtown commented 5 years ago

Hello,

I am getting an SSL error from mxisd stating that "third party certificate could not be checked"; however, the certificate on the Matrix Synapse server is installed correctly, and I can verify the certificate chain via the browser just fine. Also, Riot is connecting to the Synapse server fine as well.

Here's the error log:

Jan  7 05:52:22 identity mxisd[20416]: .617  INFO [       Thread-7]  i.k.m.invitation.InvitationManager : Posting onBind event to https://syn.domain.com:443/_matrix/federation/v1/3pid/onbind
Jan  7 05:52:22 identity mxisd[20416]: .663  INFO [       Thread-7]  i.k.m.invitation.InvitationManager : Answer code: 502
Jan  7 05:52:22 identity mxisd[20416]: .663  WARN [       Thread-7]  i.k.m.invitation.InvitationManager : Answer body: {"errcode":"M_UNKNOWN","error":"Third party certificate could not be checked"}

maxidorius commented 5 years ago

I'm seeing several issues here, possibly related.

First, the certificate issue is not actually from mxisd but from your homeserver, as seen from the answer after calling the onBind endpoint. This means your homeserver is having an issue with the certificate of something, mxisd most likely. You need to check your homeserver (synapse?) logs to see what domain is being called.

Your homeserver serves the federation endpoint over the regular HTTPS port normally used for clients. If you are using synapse, this can lead to various issues. See https://github.com/matrix-org/synapse/issues/2438 for the recommended setup.

maxidorius commented 5 years ago

@palmtown Did you manage to resolve the issue in the end?

palmtown commented 5 years ago

Hello maxidor,

Yes, I was able to resolve the issue. While I am not 100% sure what caused it, as I was setting things up and doing a lot of testing and changes, my best technical guess is that it appeared to disappear when I matched the signing key in /var/lib/mxisd/signing.key with the signing key on the synapse server, homeserver.signing.key.

maxidorius commented 5 years ago

> I matched the signing key in /var/lib/mxisd/signing.key with the signing key on the synapse server, homeserver.signing.key.

For the record, I want to make it clear that this is not supported and must never be done. We make it clear in the sample configuration as well.

Synapse and mxisd must use different signing keys, and the file format is even different. We plan to add more checks for the v1.3.0 release, which will break your setup, for example.

palmtown commented 5 years ago

Ok, thanks for the update. I changed it on the mxisd server, and it seems to still be working. I just changed the characters in the .key file; is that sufficient? Or is there a key generator I should be using?

maxidorius commented 5 years ago

The key is auto-generated if the file does not exist.

palmtown commented 5 years ago

Hey Maxidor,

Thanks again, I just switched it back to the original key it automatically generated. It seems to still be working. I'm currently still testing and getting things set up and will let you know if I run into any issues.

maxidorius commented 5 years ago

Glad it's all fine, thank you for the feedback now and any in the future!