matrix-org / dendrite

Dendrite is a second-generation Matrix homeserver written in Go!
https://matrix-org.github.io/dendrite/
Apache License 2.0
5.75k stars, 676 forks

Unable to connect to dendrite HTTPS port locally #1562

Closed Coteh closed 3 years ago

Coteh commented 4 years ago

Background information

Description

I am extremely new to dendrite and Matrix in general, and I'm just trying out a local setup of dendrite to learn how it works. I am able to create a new account and login to my dendrite server using Element desktop client. However, when I try to access my local server from the HTTPS endpoint, I get these errors:

monolith_1  | 2020/10/23 18:29:33 http: TLS handshake error from 172.19.0.1:59292: remote error: tls: unknown certificate
monolith_1  | 2020/10/23 18:29:33 http: TLS handshake error from 172.19.0.1:59296: remote error: tls: unknown certificate
monolith_1  | 2020/10/23 18:29:33 http: TLS handshake error from 172.19.0.1:59300: remote error: tls: unknown certificate
monolith_1  | 2020/10/23 18:29:33 http: TLS handshake error from 172.19.0.1:59304: remote error: tls: unknown certificate
monolith_1  | 2020/10/23 18:29:33 http: TLS handshake error from 172.19.0.1:59308: remote error: tls: unknown certificate

Steps to reproduce

Follow the Configuration and Starting Dendrite as a monolith deployment sections in the build/docker section of this repo.

Also set disable_tls_validation to true in build/docker/config/dendrite.yaml. (after copying or renaming it from dendrite-config.yaml)

Additionally, in docker-compose.monolith.yml, add the following under the monolith service (to expose the HTTP and HTTPS ports respectively):

ports:
  - "8008:8008"
  - "8448:8448"

Expectation

I am expecting to be able to connect and log in in the same way as I was able to with the HTTP endpoint, as I generated the self-signed keys using the generate-keys program as outlined in the steps. My understanding is that the key files generated by generate-keys will allow me to do local development without the overhead of getting properly signed certificates.

Other Notes

I also did some digging and found this post that mentions that getting a "remote error" may indicate that the error is on the client itself rather than with the dendrite server itself. Perhaps I can switch clients and it would fix the issue? I've been unsuccessful connecting to the local server using Element Web and weechat-matrix as well. The following are the client errors I receive from each of these additional clients (with the corresponding server error underneath):


Let me know if there's anything else you need from me to better understand the issue I'm having, and if there's anything I'm missing please let me know. Additionally, if it turns out I actually do need a signed certificate in order to be able to do local development let me know.

Pestdoktor commented 4 years ago

Did you import the certificate to the system store?

I think that's the only way to tell element-desktop to trust the cert. With element-web it should work if you navigate to your homeserver URL directly and tell your browser to trust the cert.

Otherwise you could try troubleshooting the TLS connection using e.g.

openssl s_client -connect localhost:8448 </dev/null | openssl x509 -text -noout

kegsay commented 3 years ago

You need to use a non-self-signed cert (e.g. Let's Encrypt) if you want clients to trust your certificate. Otherwise, do as @Pestdoktor says and make your system trust your self-signed certificate if you really want to use HTTPS locally.
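Both replies come down to the same point: whether a certificate is accepted is decided by the client's trust store, not by anything configured on the server, so the "remote error: tls: unknown certificate" lines in the Dendrite log are the alert the client sent after rejecting the certificate. The Go program below is an added example written for this thread; it is not Dendrite's code and not code posted by anyone above. It mints a self-signed certificate in memory (an assumption: it stands in for the generate-keys output, since only the self-signed property matters here), serves it on a loopback port, and performs the handshake twice: once with a client trust store that lacks the certificate, which reproduces a handshake error on the server side and an x509.UnknownAuthorityError on the client side, and once with the certificate added to the client's pool, which is the programmatic equivalent of importing it into the system store as suggested.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Result holds what each side saw: first with a trust store lacking the cert,
// then with the cert added to it.
type Result struct {
	UntrustedClientErr, UntrustedServerErr error
	TrustedClientErr, TrustedServerErr     error
}

// selfSignedCert mints a throwaway self-signed cert for 127.0.0.1, standing in
// for the generate-keys output (assumption: only self-signedness matters here).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// handshake serves cert for one connection on ln and dials it trusting only
// roots. A non-nil server error is what Dendrite logs as
// "http: TLS handshake error from <addr>: remote error: tls: ...".
func handshake(ln net.Listener, cert tls.Certificate, roots *x509.CertPool) (clientErr, serverErr error) {
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			conn := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{cert}})
			err = conn.Handshake()
			conn.Close()
		}
		done <- err
	}()
	// The client, not the server, decides whether the cert is acceptable, and
	// on rejection it sends the alert that shows up as the server's error.
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots})
	if err == nil {
		conn.Close()
	}
	return err, <-done
}

// Run serves the self-signed cert on a loopback port and connects twice.
func Run() (Result, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return Result{}, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return Result{}, err
	}
	defer ln.Close()
	var r Result
	// 1. Empty pool (instead of system roots, so the result is machine-independent).
	r.UntrustedClientErr, r.UntrustedServerErr = handshake(ln, cert, x509.NewCertPool())
	// 2. Cert in the pool: what importing it into the OS store does for Element.
	trusted := x509.NewCertPool()
	trusted.AddCert(cert.Leaf)
	r.TrustedClientErr, r.TrustedServerErr = handshake(ln, cert, trusted)
	return r, nil
}

// IsUnknownAuthority reports whether err is the client-side verification
// failure for a certificate that chains to no trusted root.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	r, err := Run()
	fmt.Printf("%+v (setup error: %v)\n", r, err)
}
```

Run it with `go run .`. The untrusted attempt uses an empty pool rather than the machine's system roots so the outcome is the same everywhere; against real system roots a self-signed certificate fails the same way, which is why no server-side setting such as disable_tls_validation can make Element accept it. Adding the certificate to the pool is exactly what importing it into the OS store does for a desktop client. Setting InsecureSkipVerify on the client would also make the handshake pass, but it removes the check entirely rather than establishing trust, so it is not the fix to reach for even in local development.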