progval / matrix2051

A Matrix gateway for IRC: connect to Matrix from your favorite IRC client.
GNU Affero General Public License v3.0

Matrix server with a local PKI #75

Open Astaoth opened 1 month ago

Astaoth commented 1 month ago

Hi!

I've attempted to connect my znc bouncer to my home matrix-synapse through M51. On my LAN, I've made a local PKI, with the CA imported on all my servers, and each service that requires TLS has a certificate issued from this PKI. From any server I can curl any local web UI and get no TLS issue (the certificates are valid, and the local CA is properly imported into the OS store). This is also the case for my synapse server, and I can curl the https://synapse.local/_matrix/static/ page with no issue.

When I launch my M51 service, I get these logs:

15:22:18.601 [info] Listening on port 2051
15:22:18.601 [info] Matrix2051 started.
15:22:45.978 [info] Incoming connection from ::ffff:127.0.0.1:45536
15:22:47.241 [notice] TLS :client: In state :wait_cert_cr at ssl_handshake.erl:2111 generated CLIENT ALERT: Fatal - Unknown CA
15:22:47.243 [error] GenServer {M51.Registry, {#PID<0.1073.0>, :matrix_client}} terminating

If I get it right, Elixir has its own CA store? How would I be able to use my local CA with M51?

progval commented 1 month ago

You may be able to load them by calling this function at the beginning of matrix2051.exs: https://www.erlang.org/docs/26/man/public_key#cacerts_load-0

Astaoth commented 1 month ago

Hi, I've made a few tests by adding `:public_key.cacerts_load()` and `:public_key.cacerts_load("/path/to/cert.pem")` to the matrix2051.exs file and tested with `mix run matrix2051.exs`, and I get the same error. Would you have another suggestion?

progval commented 1 month ago

Hmm... you could try this: https://hexdocs.pm/httpoison/readme.html#options

in the various functions in https://github.com/progval/matrix2051/blob/main/lib/matrix/raw_client.ex, add `[ssl: [cacerts: :public_key.cacerts_load("/path/to/cert.pem")]]` or something to the options passed to HTTPoison
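The suggestion above leaves two details open, so here is an added example (not matrix2051 code, not something from this thread) of how a private CA is normally handed to HTTPoison. Two points matter: `:public_key.cacerts_load/1` only returns `:ok` and stores the certificates in the `public_key` application's own cache, so its return value is not a usable `cacerts:` list; and HTTPoison's backend, hackney, verifies against the `certifi` bundle by default rather than the OS trust store, which is why importing the CA system-wide does not help. The example decodes the PEM bundle itself and passes the DER certificates explicitly. The CA path `/etc/ssl/local-ca.pem` and the host `synapse.local` are assumptions for illustration.

```elixir
# Added example, not part of matrix2051: trust a private CA in HTTPoison/hackney.
# Assumes the local PKI's CA bundle is at /etc/ssl/local-ca.pem (assumption) and
# that the Synapse homeserver answers at https://synapse.local (from the thread).
defmodule LocalCA do
  @ca_path "/etc/ssl/local-ca.pem"

  # Read the PEM bundle and keep only the certificate entries as DER binaries.
  # Other PEM blocks (keys, CRLs) are skipped rather than passed to TLS.
  def load_cacerts(path \\ @ca_path) do
    path
    |> File.read!()
    |> :public_key.pem_decode()
    |> Enum.flat_map(fn
      {:Certificate, der, :not_encrypted} -> [der]
      _other -> []
    end)
  end

  # TLS options that trust the local CA while still verifying the peer and
  # checking the hostname against the certificate. Leaving out `cacerts`
  # (or `cacertfile`) makes hackney fall back to the certifi bundle, which
  # does not contain a private CA, hence the "Unknown CA" alert in the logs.
  def ssl_options(path \\ @ca_path) do
    [
      verify: :verify_peer,
      cacerts: load_cacerts(path),
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]
  end

  # The same request the gateway makes, with the CA supplied explicitly.
  # Equivalent to `cacertfile: path` in place of `cacerts:`, if you prefer
  # to let OTP read the file itself.
  def get(url, path \\ @ca_path) do
    HTTPoison.get(url, [], ssl: ssl_options(path))
  end

  # Sanity check straight through :ssl, independent of HTTPoison, so a CA
  # problem can be told apart from an HTTP client problem.
  # Returns :ok when the handshake succeeds, {:error, reason} otherwise.
  def check(host, port \\ 443, path \\ @ca_path) do
    host_cl = String.to_charlist(host)
    opts = [server_name_indication: host_cl] ++ ssl_options(path)

    case :ssl.connect(host_cl, port, opts, 5_000) do
      {:ok, socket} ->
        :ssl.close(socket)
        :ok

      {:error, _reason} = err ->
        err
    end
  end
end

# Usage, from an iex session in the matrix2051 project:
#   LocalCA.check("synapse.local")
#   LocalCA.get("https://synapse.local/_matrix/static/")
```

If `LocalCA.check/1` already fails with `{:error, {:tls_alert, {:unknown_ca, _}}}`, the bundle does not contain the issuer of the server's certificate (or the chain served by Synapse is incomplete); if it succeeds but the gateway still fails, the options are not reaching hackney and the place to look is the HTTPoison call sites in `lib/matrix/raw_client.ex`.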

Astaoth commented 1 month ago

I've attempted the suggested changes by calling the function with and without specifying my custom CA, with and without the extra line in the matrix2051.exs file, and by launching M51 with `mix run matrix2051.exs`.

That changed nothing; I still get the same error from M51.

progval commented 1 month ago

Then sorry, I don't know

Astaoth commented 1 month ago

I guess I'll have to find an alternate way. In any case thank you for your help and your time :)