spantaleev / matrix-docker-ansible-deploy

🐳 Matrix (An open network for secure, decentralized communication) server setup using Ansible and Docker
GNU Affero General Public License v3.0

own webserver - certificate is valid for matrix.XXX, not XXX #1186

Closed JokerGermany closed 2 years ago

JokerGermany commented 3 years ago

Matrix server: Ubuntu Server 18.04
Ansible host: Ubuntu Mate 20.04
The server is behind a router (IPv4+IPv6).

Because I am using Nextcloud, I use a separate nginx server which includes the files from /matrix/nginx-proxy/conf.d/*.conf.

When I try to use federation with tchncs.de: when I invite a user from my server, the room is created with the title "Inviting j...@j...".

When I invite a user from tchncs.de:

The invited user don't exist or is invalid

Error from the federation tester:

There was an error looking up homeserver version information: Get "matrix://XXX.dynv6.net/_matrix/federation/v1/version": x509: certificate is valid for matrix.XXX.dynv6.net, not XXX.dynv6.net
WARN: Could not find a valid certificate for ipv4adress:8448. See this documentation for instructions on how to fix this.
ERROR: on IPv4adress:8448: x509: certificate is valid for matrix.XXX.dynv6.net, not XXX.dynv6.net

I don't understand why the tester expects XXX.dynv6.net for port 8448.

vars.yml:

# The bare domain name which represents your Matrix identity.
#   Matrix user ids for your server will be of the form (user:<matrix-domain>).
#
# Note: this playbook does not touch the server referenced here.
# Installation happens on another server ("matrix.<matrix-domain>").
#
# If you've deployed using the wrong domain, you'll have to run the Uninstalling step,
# because you can't change the Domain after deployment.
#
# Example value: example.com
matrix_domain: XXX.dynv6.net

# This is something which is provided to Let's Encrypt when retrieving SSL certificates for domains.
#
# In case SSL renewal fails at some point, you'll also get an email notification there.
#
# If you decide to use another method for managing SSL certificates (different than the default Let's Encrypt),
# you won't be required to define this variable (see `docs/configuring-playbook-ssl-certificates.md`).
#
# Example value: someone@example.com
#matrix_ssl_retrieval_method: manually-managed
matrix_ssl_lets_encrypt_support_email: 'XXX'

matrix_nginx_proxy_base_domain_serving_enabled: true
# A shared secret (between Coturn and Synapse) used for authentication.
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
matrix_coturn_turn_static_auth_secret: 'XXX'

# A secret used to protect access keys issued by the server.
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
matrix_synapse_macaroon_secret_key: 'XXX'

# A Postgres password to use for the superuser Postgres user (called `matrix` by default).
#
# The playbook creates additional Postgres users and databases (one for each enabled service)
# using this superuser account.
matrix_postgres_connection_password: 'XXX'

#matrix_mx_puppet_skype_enabled: true
#matrix_mautrix_telegram_enabled: true
#matrix_mautrix_whatsapp_enabled: true
#matrix_mautrix_facebook_enabled: true
#matrix_mx_puppet_instagram_enabled: true
#matrix_mautrix_signal_enabled: true
#matrix_mx_puppet_skype_enabled: true
#matrix_mx_puppet_instagram_enabled: true
#matrix_mx_puppet_discord_enabled: true
#matrix_mx_puppet_groupme_enabled: true
#matrix_mx_puppet_slack_enabled: true
#matrix_mx_puppet_twitter_enabled: true
#matrix_mx_puppet_discord_enabled: true
#matrix_mx_puppet_steam_enabled: true
#matrix_etherpad_enabled: true
#ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.matrix-reminder-bot password=XXX admin=no' --tags=register-user
#matrix_bot_matrix_reminder_bot_enabled: true

# Adjust this to whatever password you chose when registering the bot user
#matrix_bot_matrix_reminder_bot_matrix_user_password: XXX

# Adjust this to your timezone
#matrix_bot_matrix_reminder_bot_reminders_timezone: Europe/Germany
#matrix_synapse_admin_enabled: true

#configs
#matrix_dynamic_dns_enabled: true

matrix_prometheus_enabled: true

matrix_prometheus_node_exporter_enabled: true

matrix_grafana_enabled: true

matrix_grafana_anonymous_access: false

#matrix_synapse_federation_domain_whitelist:
#- tchncs.de

#sensitive data:
# This has no relation to your Matrix user id. It can be any username you'd like.
# Changing the username subsequently won't work.
matrix_grafana_default_admin_user: "jokergermany"

# Changing the password subsequently won't work.
matrix_grafana_default_admin_password: "XXX"

#disable the integrated nginx server
matrix_nginx_proxy_enabled: false

matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: XXX

#matrix_nginx_proxy_http_additional_server_configuration_blocks:
#  - |

#http {
#include /nextcloud/nginx-proxy/conf.d/*.conf;
#}
# - |
# These lines will be included in the nginx configuration.
# This is at the top level of the file, so you will need to define all of the `server { ... }` blocks.
# For advanced use, have a look at the template files in `roles/matrix-nginx-proxy/templates/nginx/conf.d`

/matrix/nginx-proxy/conf.d/matrix-base-domain.conf

server {
    listen 80;

    server_name XXX.dynv6.net;
    server_tokens off;

    location /.well-known/acme-challenge {
        proxy_pass http://127.0.0.1:2402;
    }

    location / {
        return 301 https://$http_host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name XXX.dynv6.net;
    server_tokens off;

    ssl_certificate /matrix/ssl/config/live/XXX.dynv6.net/fullchain.pem;
    ssl_certificate_key /matrix/ssl/config/live/XXX.dynv6.net/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /matrix/ssl/config/live/XXX.dynv6.net/chain.pem;

    ssl_session_tickets off;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_timeout 1d;

    root /nginx-data/matrix-domain;

    gzip on;
    gzip_types text/plain application/json;

    add_header Permissions-Policy interest-cohort=() always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-XSS-Protection "1; mode=block";

    location /.well-known/matrix {
        root /matrix/static-files;
        expires 4h;
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
    }
}

/matrix/nginx-proxy/conf.d/matrix-domain.conf

server {
    listen 80;
    server_name matrix.XXX.dynv6.net;

    server_tokens off;
    root /dev/null;

    location /.well-known/acme-challenge {
        proxy_pass http://127.0.0.1:2402;
    }

    location / {
        return 301 https://$http_host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name matrix.XXX.dynv6.net;

    server_tokens off;
    root /dev/null;

    ssl_certificate /matrix/ssl/config/live/matrix.XXX.dynv6.net/fullchain.pem;
    ssl_certificate_key /matrix/ssl/config/live/matrix.XXX.dynv6.net/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /matrix/ssl/config/live/matrix.XXX.dynv6.net/chain.pem;

    ssl_session_tickets off;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_timeout 1d;

    gzip on;
    gzip_types text/plain application/json;

    add_header Permissions-Policy interest-cohort=() always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-XSS-Protection "1; mode=block";

    location /.well-known/matrix {
        root /matrix/static-files;
        expires 4h;
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
    }

    location ^~ /_matrix/identity {
        proxy_pass http://127.0.0.1:8090;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location ^~ /_matrix/client/r0/user_directory/search {
        proxy_pass http://127.0.0.1:8090;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    location ~* ^(/_matrix|/_synapse/client) {
        proxy_pass http://127.0.0.1:12080;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;

        client_body_buffer_size 25M;
        client_max_body_size 50M;
        proxy_max_temp_file_size 0;
    }

    location ~* ^/$ {
        return 302 $scheme://element.XXX.dynv6.net$request_uri;
    }
}

server {
    listen 8448 ssl http2;
    listen [::]:8448 ssl http2;

    server_name matrix.XXX.dynv6.net;
    server_tokens off;

    root /dev/null;

    gzip on;
    gzip_types text/plain application/json;

    ssl_certificate /matrix/ssl/config/live/matrix.XXX.dynv6.net/fullchain.pem;
    ssl_certificate_key /matrix/ssl/config/live/matrix.XXX.dynv6.net/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /matrix/ssl/config/live/matrix.XXX.dynv6.net/chain.pem;

    ssl_session_tickets off;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_timeout 1d;

    location / {
        proxy_pass http://127.0.0.1:12088;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;

        client_body_buffer_size 25M;
        client_max_body_size 150M;
        proxy_max_temp_file_size 0;
    }
}

If you need more information, let me know.
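The tester's fallback to the bare domain on port 8448 is what happens when https://XXX.dynv6.net/.well-known/matrix/server does not deliver a usable delegation document. The following script is an added example (not code from the playbook or from this issue) that reproduces that lookup offline: it parses a .well-known body, derives the host and port a federation client would connect to, and matches the certificate's SAN names the way a TLS client does, producing the same "valid for A, not B" verdict quoted above. The domain example.dynv6.net, the .well-known body and the SAN lists are constructed placeholders; the two fetch helpers are an assumed way to gather real inputs on a live run and are not exercised by the offline demo. SRV record lookup is deliberately left out.

```python
"""Matrix federation delegation check (added example; simplified spec lookup).

Order: explicit port in the server name wins; else .well-known "m.server"
may delegate; else fall back to <server_name>:8448 and require a
certificate for the bare domain. SRV records are omitted here.
"""
from __future__ import annotations

import json
import socket
import ssl
import urllib.request
from typing import List, NamedTuple, Optional, Tuple

DEFAULT_FEDERATION_PORT = 8448


class FederationTarget(NamedTuple):
    host: str        # host the federation request goes to (also the expected cert name)
    port: int
    delegated: bool  # True when .well-known supplied the target


def split_host_port(value: str) -> Tuple[str, Optional[int]]:
    """Split 'host[:port]'; IPv6 literals are written as [addr][:port]."""
    if value.startswith("["):
        host, _, rest = value.partition("]")
        return host + "]", (int(rest[1:]) if rest.startswith(":") else None)
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, None


def parse_well_known(body: Optional[str]) -> Optional[str]:
    """Return m.server, or None if the document is absent or malformed
    (an HTML 403/404 page from the webserver lands here)."""
    if body is None:
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    value = doc.get("m.server") if isinstance(doc, dict) else None
    return value if isinstance(value, str) and value else None


def resolve_target(server_name: str, well_known_body: Optional[str]) -> FederationTarget:
    host, port = split_host_port(server_name)
    if port is not None:                       # explicit port: no delegation lookup
        return FederationTarget(host, port, False)
    delegated = parse_well_known(well_known_body)
    if delegated is not None:
        d_host, d_port = split_host_port(delegated)
        return FederationTarget(d_host, d_port or DEFAULT_FEDERATION_PORT, True)
    return FederationTarget(host, DEFAULT_FEDERATION_PORT, False)


def cert_covers(san_names: List[str], hostname: str) -> bool:
    """Exact match or one leading wildcard label (*.a.b matches x.a.b only)."""
    hostname = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == hostname:
            return True
        if name.startswith("*.") and hostname.count(".") == name.count("."):
            if hostname.split(".", 1)[1] == name[2:]:
                return True
    return False


def diagnose(server_name: str, well_known_body: Optional[str], san_names: List[str]) -> Tuple[bool, str]:
    """Reproduce the tester's verdict for the given inputs."""
    t = resolve_target(server_name, well_known_body)
    if cert_covers(san_names, t.host):
        return True, f"ok: {t.host}:{t.port} presents a certificate for {t.host}"
    why = "" if t.delegated else " (no .well-known delegation, fell back to port 8448)"
    return False, f"certificate is valid for {', '.join(san_names)}, not {t.host}{why}"


def fetch_well_known(server_name: str, timeout: float = 5.0) -> Optional[str]:
    """Live lookup of the delegation document (assumed helper for real runs)."""
    try:
        with urllib.request.urlopen(f"https://{server_name}/.well-known/matrix/server", timeout=timeout) as r:
            return r.read().decode("utf-8", "replace")
    except (OSError, ValueError):
        return None


def fetch_san_names(host: str, port: int, timeout: float = 5.0) -> List[str]:
    """Verify the chain but not the hostname, so the SAN list is returned
    even when the name is wrong, which is exactly the tester's situation."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    bare = host.strip("[]")
    with socket.create_connection((bare, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=bare) as tls:
            cert = tls.getpeercert()
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Constructed sample: the cert only names the matrix.* host, and the
    # .well-known document is missing (None), as when nginx cannot read it.
    SAN = ["matrix.example.dynv6.net"]
    print(diagnose("example.dynv6.net", None, SAN)[1])
    print(diagnose("example.dynv6.net", '{"m.server": "matrix.example.dynv6.net:8448"}', SAN)[1])
```

Running the module prints the failing verdict first and the passing one second; the only difference between the two calls is whether the delegation document is served, which is the point the tester's message hides.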

JokerGermany commented 2 years ago

The problem occurs when you use your own webserver. Look up which user your webserver uses. For nginx, e.g., it's in nginx.conf: user www-data;

Then add this user to the matrix group: usermod -a -G matrix www-data
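To verify that fix rather than guess at it, here is an added example (not code from the playbook or from this issue) that checks whether an account such as www-data can actually read a given file, e.g. /matrix/static-files/.well-known/matrix/server, by reproducing the owner/group/other permission check and walking every directory on the path, since each ancestor also needs the search bit. The group name matrix and the paths are taken from this issue; the temporary directory used by the self-contained demo and the uid 65534 standing in for an unrelated account are constructed for the example.

```python
"""Can a given user read a file? (added example, not from the playbook)

A webserver worker that is not in the file's group gets no read access,
nginx answers 403 for /.well-known/matrix/server, and the federation
delegation silently fails. This reproduces the kernel's permission test.
"""
import grp
import os
import pwd
import stat
import sys
import tempfile
from typing import Iterable, List, Set, Tuple


def can_access(mode: int, file_uid: int, file_gid: int, uid: int, gids: Iterable[int], want: str) -> bool:
    """Classic Unix check; want is 'r' (read) or 'x' (directory search).
    uid 0 passes both, as the kernel allows root to read and traverse anything."""
    if uid == 0:
        return True
    bit = {"r": 4, "x": 1}[want]
    if uid == file_uid:
        cls = mode >> 6          # owner bits
    elif file_gid in set(gids):
        cls = mode >> 3          # group bits (this is what usermod -a -G unlocks)
    else:
        cls = mode               # other bits
    return bool(cls & bit)


def user_ids(username: str) -> Tuple[int, Set[int]]:
    """uid plus primary and supplementary gids, as 'id <user>' would report."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, gids


def path_problems(path: str, uid: int, gids: Iterable[int]) -> List[str]:
    """Return every permission problem between / and the file (empty = readable)."""
    path = os.path.abspath(path)
    gids = set(gids)
    ancestors, cur = [], os.path.dirname(path)
    while True:                                  # collect /, /matrix, /matrix/static-files, ...
        ancestors.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    problems = []
    for d in reversed(ancestors):
        st = os.stat(d)
        if not can_access(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids, "x"):
            problems.append(f"{d}: no search (x) permission for uid {uid}")
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if not can_access(mode, st.st_uid, st.st_gid, uid, gids, "r"):
        problems.append(f"{path}: not readable (mode {oct(mode)}, owner uid {st.st_uid}, gid {st.st_gid})")
    return problems


def check_user(username: str, path: str) -> List[str]:
    """Resolve the account by name, then run the path check for it."""
    uid, gids = user_ids(username)
    return path_problems(path, uid, gids)


def demo() -> Tuple[List[str], List[str]]:
    """Self-contained run on a constructed temp dir (0700) with a 0640 file:
    the creating user can read it, an unrelated uid cannot even traverse."""
    d = tempfile.mkdtemp()
    f = os.path.join(d, "server")
    with open(f, "w") as fh:
        fh.write('{"m.server": "matrix.example.dynv6.net:8448"}\n')
    os.chmod(d, 0o700)
    os.chmod(f, 0o640)
    own = path_problems(f, os.getuid(), os.getgroups())
    other_uid = 65534 if os.getuid() != 65534 else 65533
    other = path_problems(f, other_uid, {other_uid})
    return own, other


if __name__ == "__main__":
    # usage: python3 check_read.py www-data /matrix/static-files/.well-known/matrix/server
    if len(sys.argv) == 3:
        found = check_user(sys.argv[1], sys.argv[2])
        print("\n".join(found) if found else f"{sys.argv[1]} can read {sys.argv[2]}")
    else:
        own, other = demo()
        print("own user:", own or "readable")
        print("unrelated uid:", other)
```

Run it on the real host with the webserver's account and the well-known file before and after the usermod; the group line in the report is the one that changes once www-data is a member of matrix (a running nginx only picks the new membership up after a restart, since supplementary groups are assigned at process start).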