matrix-org / synapse

Synapse: Matrix homeserver written in Python/Twisted.
https://matrix-org.github.io/synapse
Apache License 2.0

ACME not working [resolved but major documentation issues between them] #4922

Closed r3k2 closed 5 years ago

r3k2 commented 5 years ago

I'm trying to configure the ACME feature but I keep getting

 txacme.client.AuthorizationFailed: AuthorizationFailed(<Status(invalid) Identifier(typ=IdentifierType(dns), value='matrix.hispagatos.org') [Error(typ='urn:acme:error:unauthorized', title=None, detail='Invalid response from http://matrix.hispagatos.org/.well-known/acme-challenge/QqoXra18rEeTNfmpqr9zEY5UrpIvHCQEIeasB-X7srg [157.230.109.18]: "\\n<html>\\n  <head><title>404 - No Such Resource</title></head>\\n  <body>\\n    <h1>No Such Resource</h1>\\n    <p>No such child resourc"')]>)
2019-03-23 03:37:46,073 - twisted - 240 - INFO - - (TCP Port 8009 Closed)

my nginx config:

server {
    listen 80;
    server_name matrix.hispagatos.org;

    location /.well-known/acme-challenge/ {
        default_type "text/plain";
        proxy_pass http://127.0.0.1:8009/;
        allow all;
    }

    location /.well-known/acme-challenge {
        default_type "text/plain";
        proxy_pass http://127.0.0.1:8009/;
        allow all;
    }

    location / {
        return 301 https://$server_name$request_uri;
    }

}

It seems to be doing the proxy_pass OK, but when it gets to synapse on port 8009 it can't find the random string made for the ACME request authorization.. NOTE: the only reason I have two similar entries in nginx is because I saw some people say you need a trailing /, so for testing I just added both.

r3k2 commented 5 years ago

OK, your documentation has a typo. https://github.com/matrix-org/synapse/blob/master/docs/ACME.md

location /.well-known/acme-challenge {
    proxy_pass http://localhost:8009/;
}

Remove the / at the end of 8009 and then it works!

As you can see, now I get 200s:

52.29.173.72 - - [23/Mar/2019:04:18:02 +0000] "GET /.well-known/acme-challenge/UML1HDjWS0qYNAaIhYV6qa_PiOWCF-1pKDY9FSaBU58 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
13.58.30.69 - - [23/Mar/2019:04:18:02 +0000] "GET /.well-known/acme-challenge/UML1HDjWS0qYNAaIhYV6qa_PiOWCF-1pKDY9FSaBU58 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.213.106.112 - - [23/Mar/2019:04:18:02 +0000] "GET /.well-known/acme-challenge/UML1HDjWS0qYNAaIhYV6qa_PiOWCF-1pKDY9FSaBU58 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [23/Mar/2019:04:18:05 +0000] "GET /.well-known/acme-challenge/UML1HDjWS0qYNAaIhYV6qa_PiOWCF-1pKDY9FSaBU58 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
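Why the trailing slash mattered, as an added example that is not from this thread or from the Synapse project: it models nginx's proxy_pass URI rewriting for the three variants seen above and scans constructed access-log lines (placeholder token and addresses) for the Let's Encrypt validator's fetches. It assumes Synapse's ACME listener on port 8009 only serves a token at the full /.well-known/acme-challenge/<token> path.

```python
# Added example (not Synapse project code): models nginx proxy_pass URI
# rewriting to show why the trailing slash in ACME.md broke the HTTP-01
# challenge, and checks constructed access-log lines for the validator's
# fetches. Assumption: Synapse's ACME listener on 8009 only serves a token
# at the full /.well-known/acme-challenge/<token> path.
import re
from urllib.parse import urlsplit

ACME_PREFIX = "/.well-known/acme-challenge/"

def proxied_uri(location: str, proxy_pass: str, request_uri: str) -> str:
    """URI nginx sends upstream for a prefix `location`.

    nginx rule: when proxy_pass carries a URI part (anything after the
    host, a lone '/' included), the part of the request that matched
    `location` is replaced by it; with no URI part the request URI is
    forwarded unchanged.
    """
    if not request_uri.startswith(location):
        raise ValueError("request does not match location")
    upstream_path = urlsplit(proxy_pass).path
    if upstream_path == "":
        return request_uri
    return upstream_path + request_uri[len(location):]

def acme_listener_finds_token(upstream_uri: str) -> bool:
    """True when the rewritten URI still carries the challenge prefix."""
    return upstream_uri.startswith(ACME_PREFIX) and len(upstream_uri) > len(ACME_PREFIX)

# Combined-format access log, constructed for this example; token and
# addresses are placeholders, not real values.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Mar/2019:04:10:00 +0000] "GET /.well-known/acme-challenge/TOKEN-PLACEHOLDER HTTP/1.1" 404 42 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.10 - - [23/Mar/2019:04:18:02 +0000] "GET /.well-known/acme-challenge/TOKEN-PLACEHOLDER HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.7 - - [23/Mar/2019:04:18:05 +0000] "GET / HTTP/1.1" 301 0 "-" "curl/7.64.0"
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def challenge_results(log_lines):
    """(ip, status) for each Let's Encrypt validator fetch of a challenge token."""
    out = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["path"].startswith(ACME_PREFIX) and "Let's Encrypt validation" in m["ua"]:
            out.append((m["ip"], int(m["status"])))
    return out
```

With `proxy_pass http://localhost:8009/` the token request reaches Synapse as `//<token>` (or `/<token>` for the trailing-slash location), which is why the 8009 listener answered 404; without the slash the path is forwarded intact.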
r3k2 commented 5 years ago

Now I'm getting another, totally different error..

2019-03-23 04:24:03,458 - synapse.config.tls - 315 - INFO - - Loading TLS key from /etc/matrix-synapse/matrix.hispagatos.org.tls.key
2019-03-23 04:24:03,459 - synapse.config.tls - 292 - INFO - - Loading TLS certificate from /etc/matrix-synapse/matrix.hispagatos.org.tls.crt
2019-03-23 04:24:03,462 - twisted - 240 - ERROR - - Traceback (most recent call last):
2019-03-23 04:24:03,462 - twisted - 240 - ERROR - -   File "/opt/venvs/matrix-synapse/lib/python3.6/site-packages/twisted/internet/defer.py", line 1418, in _inlineCallbacks
2019-03-23 04:24:03,463 - twisted - 240 - ERROR - -     result = g.send(result)
2019-03-23 04:24:03,463 - twisted - 240 - ERROR - - StopIteration
2019-03-23 04:24:03,463 - twisted - 240 - ERROR - -
2019-03-23 04:24:03,463 - twisted - 240 - ERROR - - During handling of the above exception, another exception occurred:
2019-03-23 04:24:03,463 - twisted - 240 - ERROR - -
2019-03-23 04:24:03,464 - twisted - 240 - ERROR - - Traceback (most recent call last):
2019-03-23 04:24:03,464 - twisted - 240 - ERROR - -   File "/opt/venvs/matrix-synapse/lib/python3.6/site-packages/synapse/app/_base.py", line 273, in start
2019-03-23 04:24:03,464 - twisted - 240 - ERROR - -     hs.start_listening(listeners)
2019-03-23 04:24:03,464 - twisted - 240 - ERROR - -   File "/opt/venvs/matrix-synapse/lib/python3.6/site-packages/synapse/app/homeserver.py", line 259, in start_listening
2019-03-23 04:24:03,465 - twisted - 240 - ERROR - -     self._listener_http(config, listener)
2019-03-23 04:24:03,465 - twisted - 240 - ERROR - -   File "/opt/venvs/matrix-synapse/lib/python3.6/site-packages/synapse/app/homeserver.py", line 97, in _listener_http
2019-03-23 04:24:03,465 - twisted - 240 - ERROR - -     for res in listener_config["resources"]:
2019-03-23 04:24:03,465 - twisted - 240 - ERROR - - KeyError: 'resources'
2019-03-23 04:24:03,481 - twisted - 240 - INFO - - (TCP Port 8009 Closed)
r3k2 commented 5 years ago

OK, I was missing another piece because the howto I am following does not have it..

resources:
      - names: [client]
        compress: true
      - names: [federation] # Federation APIs
        compress: false

This also needs to go into the port 8448 config

# will also need to give Synapse a TLS key and certificate: see the TLS section
  # below.)
  #
  - port: 8448
    type: http
    tls: true
    bind_addresses:
      - '0.0.0.0'
    x_forwarded: false
    resources:
      - names: [client]
        compress: true
      - names: [federation] # Federation APIs
        compress: false

This documentation here does not show any of that... https://www.howtoforge.com/tutorial/how-to-install-matrix-synapse-on-ubuntu-1804/ In fact the screenshot has almost nothing.. It also uses 127.0.0.1 for federation port 8448, when this other howto here clearly states:

Now check if the HTTP and HTTPS listener port '8008' and the federation port '8448' are bound to the IP address 0.0.0.0 (and not to 127.0.0.1)

https://www.natrius.eu/dokuwiki/doku.php?id=digital:server:matrixsynapse So what's going on? Who is right? I found 4 different documents with different information; this is a big mess.

richvdh commented 5 years ago

Thanks for the note about proxy_pass in ACME.md: fixed in #4923.

I'm afraid I don't understand what the problem was with your configuration, but please note that we cannot be responsible for random documentation you find on the Internet: please take up any issues with the relevant authors. If you need help setting up your server correctly, please seek support in #synapse:matrix.org.

Closing this as I believe all the relevant issues have been addressed.

killua-eu commented 5 years ago

By further testing my synapse behind a reverse proxy, I came to the following conclusions (devs, kindly correct me on any point)

r3k2 commented 5 years ago

@killua-eu thank you. I think the certs are working now.. but I still have a question.. From what I read in the documentation, if using e.g. example.com for server_name and having an SRV DNS record for example.com pointing to subdomain.example.com (this is the actual synapse server), I do not need /.well-known/matrix, but what is not clear is what the certs should be? As of now I have subdomain.example.com on my certs because that's where letsencrypt needs to check... is this correct?

killua-eu commented 5 years ago

@ReK2Fernandez, my setup has:

For these two domains an SSL cert is required. Riot needs it so that users don't send their login and password unencrypted to Riot. Synapse needs it for federation and to provide encrypted communication between Riot and Synapse.

Personally, on example.com, I just serve a website, but since I want it to have a valid cert too, I generate one for that domain as well. In other words: you need a valid certificate only where it's required. Letsencrypt allows you to have one certificate valid for multiple domains (and subdomains), so it all boils down to your setup. You can also have, i.e., synapse manage your certificate for subdomain.example.com and, i.e., the certbot client manage it for you on example.com.
Personally, on example.com, i just serve a website, but since I want it to have a valid cert too, I generate one for that domain as well. In other words: you need a valid certificate only there, where its required. Letsencrypt allows you to have one certificate valid for multiple domains (and subdomains), so it all boils down to your setup. You can also have, i.e., synapse manage your certificate for subdomain.example.com and i.e. the certbot client to manage it for you on example.com.