matrix-org / dendrite

Dendrite is a second-generation Matrix homeserver written in Go!
https://matrix-org.github.io/dendrite/
Apache License 2.0

Can't generate self-signed certificates via go run #1759

Closed melroy89 closed 3 years ago

melroy89 commented 3 years ago

As stated in the Configuration section of the Docker setup.

Running:

go run github.com/matrix-org/dendrite/cmd/generate-keys \
    --private-key=matrix_key.pem \
    --tls-cert=server.crt \
    --tls-key=server.key

Should generate the self-signed certificates.

But instead the go package can't be found. Are you sure this is the right package name? Showing me:

package github.com/matrix-org/dendrite/cmd/generate-keys: cannot find package "github.com/matrix-org/dendrite/cmd/generate-keys" in any of:
    /usr/lib/go-1.13/src/github.com/matrix-org/dendrite/cmd/generate-keys (from $GOROOT)
    /home/melroy/go/src/github.com/matrix-org/dendrite/cmd/generate-keys (from $GOPATH)

Regards, Melroy

carroarmato0 commented 3 years ago

I'm getting something different.

I first installed all the dependencies running go mod verify in the dendrite folder, but then get:

# go run github.com/matrix-org/dendrite/cmd/generate-keys --private-key=matrix_key.pem
go: github.com/yggdrasil-network/yggdrasil-go@v0.3.15-0.20201006093556-760d9a7fd5ee requires
    golang.zx2c4.com/wireguard@v0.0.20200320: reading golang.zx2c4.com/wireguard/go.mod at revision v0.0.20200320: unknown revision v0.0.20200320
melroy89 commented 3 years ago

Uh... why would this package resolve to yggdrasil-network? Maybe you have configured this as a go proxy or something?

carroarmato0 commented 3 years ago

So just like you, I tried to execute go run github.com/matrix-org/dendrite/cmd/generate-keys, but it complained that there's a bunch of dependencies missing.

So, I thought I'd use go mod verify, which apparently starts pulling in all the dependencies, except for an issue with yggdrasil-go, which as far as I understand is some kind of crypto communication layer. But the real problem stems from its dependency on the Go implementation of WireGuard, which seems not to be found.

carroarmato0 commented 3 years ago

Interesting, I noticed that if I compile it on my laptop with go1.14.7, it works, but not on another computer with go1.15.5. I'm no go expert, but maybe the version of Go or some small detail we're missing makes it not compilable @danger89 ?

dendrite ±|master|→ go version
go version go1.14.7 linux/amd64
dendrite ±|master|→ go run cmd/generate-keys/main.go
go: downloading github.com/uber/jaeger-client-go v2.25.0+incompatible
go: downloading github.com/matrix-org/gomatrixserverlib v0.0.0-20210216163908-bab1f2be20d0
go: downloading github.com/sirupsen/logrus v1.7.0
go: downloading gopkg.in/yaml.v2 v2.3.0
go: downloading golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad
go: downloading github.com/uber/jaeger-lib v2.2.0+incompatible
go: downloading golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4
go: downloading github.com/tidwall/gjson v1.6.7
go: downloading github.com/matrix-org/gomatrix v0.0.0-20200827122206-7dd5e2a05bcd
go: downloading github.com/tidwall/sjson v1.1.4
go: downloading github.com/matrix-org/util v0.0.0-20200807132607-55161520e1d4
go: downloading github.com/opentracing/opentracing-go v1.2.0
go: downloading github.com/pkg/errors v0.9.1
go: downloading go.uber.org/atomic v1.6.0
go: downloading github.com/tidwall/match v1.0.3
go: downloading github.com/tidwall/pretty v1.0.2
Usage: /tmp/go-build443259007/b001/exe/main

Generate key files which are required by dendrite.

Arguments:

  -private-key string
        An Ed25519 private key to generate for use for object signing
  -tls-cert string
        An X509 certificate file to generate for use for TLS
  -tls-key string
        An RSA private key file to generate for use for TLS
carroarmato0 commented 3 years ago

Turns out that my problem was a way too old version of Git (1.8).

@danger89 could you retry building after pulling in the latest changes in the repo? The devs have made some new commits.

melroy89 commented 3 years ago

Sorry, but it's about the docker image. It's unclear from the docs that I need to clone this whole archive just for generating keys.

I expect the listed command to work out of the box.

carroarmato0 commented 3 years ago

Sorry, but it's about the docker image. It's unclear from the docs that I need to clone this whole archive just for generating keys.

I expect the listed command to work out of the box.

Ah yes, I thought so too initially, but the Docker image seems to be hardwired to start the server, and as far as I could tell, the generate-key command is not included (though I didn't look too thoroughly around).

melroy89 commented 3 years ago

Ideally generating the keys should indeed be done via docker.

Even then you can still submit the correct go package to a go proxy/package manager, allowing this go command to be run without docker and without git cloning the archive, as long as the user has go installed.

neilalexander commented 3 years ago

Ideally generating the keys should indeed be done via docker.

generate-keys is now included in the Docker image, which it wasn't originally, therefore something like this should work:

docker exec [containername] /usr/bin/generate-keys -private-key /etc/dendrite/matrix_key.pem

... but where this gets complicated is that you would need /etc/dendrite to be mapped to a persistent volume, which is the case in our sample Dockerfile, but might not be terribly apparent otherwise?

It's extremely bad news if you can accidentally lose your signing keys, hence why I haven't updated the documentation to do it that way yet.

melroy89 commented 3 years ago

@neilalexander Thanks! This is great news, that the binary is part of the docker container.

Maybe also add --rm, so the container gets removed again after executing in this case. You can pass mount volumes via the -v parameter.

benyanke commented 3 years ago

What about something like this?

docker run -it --rm --entrypoint="" \
  -v $(pwd):/mnt \
  matrixdotorg/dendrite-monolith:latest \
  /usr/bin/generate-keys \
  -private-key /mnt/matrix_key.pem \
  -tls-cert /mnt/server.crt \
  -tls-key /mnt/server.key

It's functionally the same as the go run command, but taking advantage of the docker container to do so.
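Building on the docker run command above, an added example that is not part of this thread or of the dendrite project: a small wrapper that refuses to overwrite an existing matrix_key.pem (the lost-signing-key concern raised earlier in the thread), bind-mounts an absolute host path so the keys land outside the container, and tightens permissions on the generated private keys. The KEYGEN_FN hook is an assumption added here so the generator can be swapped for a stub.

```shell
#!/bin/sh
# Added example (not the dendrite project's own tooling): generate dendrite
# keys with the docker image, but never clobber an existing signing key.
set -eu

# Default generator: the docker invocation from this thread, with the key
# directory bind-mounted at /mnt inside the container.
run_keygen() {
    docker run --rm --entrypoint="" \
        -v "$1:/mnt" \
        matrixdotorg/dendrite-monolith:latest \
        /usr/bin/generate-keys \
        -private-key /mnt/matrix_key.pem \
        -tls-cert /mnt/server.crt \
        -tls-key /mnt/server.key
}

# KEYGEN_FN is an assumed hook (not a dendrite setting): the name of the
# function that performs generation, so it can be swapped for a stub.
dendrite_gen_keys() {
    keydir="$1"
    mkdir -p "$keydir"
    keydir=$(cd "$keydir" && pwd)   # docker -v needs an absolute host path
    if [ -s "$keydir/matrix_key.pem" ]; then
        echo "refusing: $keydir/matrix_key.pem already exists; a lost signing key cannot be recovered" >&2
        return 2
    fi
    "${KEYGEN_FN:-run_keygen}" "$keydir"
    # Fail loudly if the generator exited 0 but left any file missing or empty.
    for f in matrix_key.pem server.crt server.key; do
        [ -s "$keydir/$f" ] || { echo "generator did not produce $f" >&2; return 1; }
    done
    # Private key material should not be readable by other users on the host.
    chmod 600 "$keydir/matrix_key.pem" "$keydir/server.key"
    echo "keys written to $keydir"
}

# Usage: ./gen-keys.sh /path/to/dendrite-config
if [ "$#" -gt 0 ]; then
    dendrite_gen_keys "$1"
fi
```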