Closed r3k2 closed 5 years ago
OK, your documentation has a typo: https://github.com/matrix-org/synapse/blob/master/docs/ACME.md
location /.well-known/acme-challenge {
    proxy_pass http://localhost:8009/;
}
Remove the / at the end of 8009, then it works!
As you can see, now I get 200s:
52.29.173.72 - - [23/Mar/2019:04:18:02 +0000] "GET /.well-known/acme-challenge/UML1HDjWS0qYNAaIhYV6qa_PiOWCF-1pKDY9FSaBU58 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
13.58.30.69 - - [23/Mar/2019:04:18:02 +0000] "GET /.well-known/acme-challenge/UML1HDjWS0qYNAaIhYV6qa_PiOWCF-1pKDY9FSaBU58 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.213.106.112 - - [23/Mar/2019:04:18:02 +0000] "GET /.well-known/acme-challenge/UML1HDjWS0qYNAaIhYV6qa_PiOWCF-1pKDY9FSaBU58 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [23/Mar/2019:04:18:05 +0000] "GET /.well-known/acme-challenge/UML1HDjWS0qYNAaIhYV6qa_PiOWCF-1pKDY9FSaBU58 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
Now I'm getting another, totally different error:
2019-03-23 04:24:03,458 - synapse.config.tls - 315 - INFO - - Loading TLS key from /etc/matrix-synapse/matrix.hispagatos.org.tls.key
2019-03-23 04:24:03,459 - synapse.config.tls - 292 - INFO - - Loading TLS certificate from /etc/matrix-synapse/matrix.hispagatos.org.tls.crt
2019-03-23 04:24:03,462 - twisted - 240 - ERROR - - Traceback (most recent call last):
2019-03-23 04:24:03,462 - twisted - 240 - ERROR - - File "/opt/venvs/matrix-synapse/lib/python3.6/site-packages/twisted/internet/defer.py", line 1418, in _inlineCallbacks
2019-03-23 04:24:03,463 - twisted - 240 - ERROR - - result = g.send(result)
2019-03-23 04:24:03,463 - twisted - 240 - ERROR - - StopIteration
2019-03-23 04:24:03,463 - twisted - 240 - ERROR - -
2019-03-23 04:24:03,463 - twisted - 240 - ERROR - - During handling of the above exception, another exception occurred:
2019-03-23 04:24:03,463 - twisted - 240 - ERROR - -
2019-03-23 04:24:03,464 - twisted - 240 - ERROR - - Traceback (most recent call last):
2019-03-23 04:24:03,464 - twisted - 240 - ERROR - - File "/opt/venvs/matrix-synapse/lib/python3.6/site-packages/synapse/app/_base.py", line 273, in start
2019-03-23 04:24:03,464 - twisted - 240 - ERROR - - hs.start_listening(listeners)
2019-03-23 04:24:03,464 - twisted - 240 - ERROR - - File "/opt/venvs/matrix-synapse/lib/python3.6/site-packages/synapse/app/homeserver.py", line 259, in start_listening
2019-03-23 04:24:03,465 - twisted - 240 - ERROR - - self._listener_http(config, listener)
2019-03-23 04:24:03,465 - twisted - 240 - ERROR - - File "/opt/venvs/matrix-synapse/lib/python3.6/site-packages/synapse/app/homeserver.py", line 97, in _listener_http
2019-03-23 04:24:03,465 - twisted - 240 - ERROR - - for res in listener_config["resources"]:
2019-03-23 04:24:03,465 - twisted - 240 - ERROR - - KeyError: 'resources'
2019-03-23 04:24:03,481 - twisted - 240 - INFO - - (TCP Port 8009 Closed)
OK, I was missing another piece because the howto I am following does not have it:
resources:
  - names: [client]
    compress: true
  - names: [federation]  # Federation APIs
    compress: false
This also needs to go into the port 8448 config:
  # will also need to give Synapse a TLS key and certificate: see the TLS section
  # below.)
  #
  - port: 8448
    type: http
    tls: true
    bind_addresses:
      - '0.0.0.0'
    x_forwarded: false
    resources:
      - names: [client]
        compress: true
      - names: [federation]  # Federation APIs
        compress: false
This documentation here does not show any of that: https://www.howtoforge.com/tutorial/how-to-install-matrix-synapse-on-ubuntu-1804/ In fact, the screenshot has almost nothing. It also uses 127.0.0.1 for the federation port 8448, when this other howto here clearly states:
Now check if the HTTP and HTTPS listener port '8008' and the federation port '8448' are bound to the IP address 0.0.0.0 (and not to 127.0.0.1)
https://www.natrius.eu/dokuwiki/doku.php?id=digital:server:matrixsynapse So what's going on? Who is right? I found 4 different documents with different information; this is a big mess.
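The trailing slash reported above is a general nginx rule, not a Synapse quirk: when proxy_pass carries a URI part (a bare trailing "/" counts), the portion of the request URI that matched the location prefix is replaced with that URI, so `/.well-known/acme-challenge/<token>` reaches the backend as `//<token>` and the HTTP-01 responder returns 404. The following script is an added illustration written for this page, not code from Synapse or nginx. It models that rule, drives the token from the access log above through both forms of proxy_pass, and checks the result against a toy stand-in for the port 8009 listener. The `Http01Responder` class and the key-authorization string are constructed for the example; the real listener is not shown.

```python
"""Model nginx's proxy_pass URI handling for the ACME HTTP-01 path.

Added example, not project code. Reproduces the documented nginx rule:
  - proxy_pass with no URI part  -> request URI is forwarded unchanged
  - proxy_pass with a URI part   -> the part of the request URI matching
                                    the location prefix is replaced by it
"""
from urllib.parse import urlsplit

# Constructed sample values; the token is the one visible in the access log.
TOKEN = "UML1HDjWS0qYNAaIhYV6qa_PiOWCF-1pKDY9FSaBU58"
CHALLENGE_PREFIX = "/.well-known/acme-challenge"


def proxied_uri(location, proxy_pass, request_uri):
    """Return the URI nginx sends upstream for a prefix `location` block."""
    if not request_uri.startswith(location):
        raise ValueError(f"{request_uri!r} does not match location {location!r}")
    upstream_path = urlsplit(proxy_pass).path
    if upstream_path == "":
        # e.g. proxy_pass http://localhost:8009;  -> URI passed through as-is
        return request_uri
    # e.g. proxy_pass http://localhost:8009/; -> matched prefix replaced by "/"
    return upstream_path + request_uri[len(location):]


class Http01Responder:
    """Toy stand-in (constructed for this example) for the ACME listener:
    answers 200 with the key authorization at the exact challenge path the
    CA will request, and 404 for anything else."""

    def __init__(self, token, key_authorization):
        self.routes = {f"{CHALLENGE_PREFIX}/{token}": key_authorization}

    def get(self, uri):
        body = self.routes.get(uri)
        return (200, body) if body is not None else (404, None)


def validate(proxy_pass, location=CHALLENGE_PREFIX, token=TOKEN):
    """Send the CA's challenge GET through the proxy rule; return what the
    backend actually saw and the status it would answer with."""
    # Key authorization format is token.<thumbprint>; thumbprint is made up here.
    backend = Http01Responder(token, f"{token}.<account-key-thumbprint>")
    request_uri = f"{CHALLENGE_PREFIX}/{token}"
    upstream_uri = proxied_uri(location, proxy_pass, request_uri)
    status, _ = backend.get(upstream_uri)
    return upstream_uri, status


if __name__ == "__main__":
    for pp in ("http://localhost:8009/", "http://localhost:8009"):
        uri, status = validate(pp)
        print(f"proxy_pass {pp:<24} backend sees {uri!r:<60} -> {status}")
```

Running it shows the documented form (`.../8009/`) delivering `//<token>` for a 404, and the corrected form (`.../8009`) delivering the full challenge path for a 200, which is exactly the change in the access log. The same function also shows that writing the location with a trailing slash does not rescue the slashed proxy_pass: the backend then sees `/<token>`, still missing the `.well-known` prefix.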
Thanks for the note about proxy_pass in ACME.md: fixed in #4923.
I'm afraid I don't understand what the problem was with your configuration, but please note that we cannot be responsible for random documentation you find on the Internet: please take up any issues with the relevant authors. If you need help setting up your server correctly, please seek support in #synapse:matrix.org.
Closing this as I believe all the relevant issues have been addressed.
By further testing my Synapse behind a reverse proxy I came to the following conclusions (devs, kindly correct me on any point):
@killua-eu thank you. I think the certs are working now, but I still have a question. From what I read in the documentation, if using e.g. example.com for server_name and having an SRV DNS record for example.com pointing to subdomain.example.com (this is the actual Synapse server), I do not need /.well-known/matrix, but what is not clear is what the certs should be. As of now I have subdomain.example.com on my certs because that's where Let's Encrypt needs to check. Is this correct?
@ReK2Fernandez, my setup has:
For these two domains an SSL cert is required. Riot needs it so that users don't send their login and password unencrypted to Riot. Synapse needs it for federation and to provide encrypted communication between Riot and Synapse.
Personally, on example.com, I just serve a website, but since I want it to have a valid cert too, I generate one for that domain as well. In other words: you need a valid certificate only where it's required. Let's Encrypt allows you to have one certificate valid for multiple domains (and subdomains), so it all boils down to your setup. You can also have, e.g., Synapse manage your certificate for subdomain.example.com and, e.g., the certbot client manage it for you on example.com.
I'm trying to configure the ACME feature but I keep getting
my nginx config:
It seems to be doing the proxy_pass OK, but when it gets to Synapse on port 8009 it can't find the random string made for the ACME request authorization. NOTE: the only reason I have two similar entries in nginx is because I saw some people say you need an ending /, so for testing I just added the two.