spantaleev / matrix-docker-ansible-deploy

🐳 Matrix (An open network for secure, decentralized communication) server setup using Ansible and Docker
GNU Affero General Public License v3.0

Can't get Matrix back on working :-( #2568

Closed M3m0r3X closed 1 year ago

M3m0r3X commented 1 year ago

Hi all,

First of all, thank you so much for this great project. I had my Matrix instance running for a while, including federation, fronted by Traefik. Unfortunately, since the playbook change I can't get it working again. Since I have different containers running on my server (mailcow, grafana), I am not able to change to the traefik-managed playbook. So I tried to get it working with my current traefik instance. Since I tried different configurations over the last weekend, I am reaching out to you guys to have a look at my vars; maybe I just overlooked some stupid things. My DNS configuration is the same as in the docs + some configs for mailcow (it also worked before the change).

The main problem on my side is that just install-all runs fine without any error, but no (sub)domain is reachable and I get back an ERR_SSL_UNRECOGNIZED_NAME_ALERT or DNS-PROBE_POSSIBLE (depending on the web browser).

Regarding traefik: I made the necessary entrypoint configurations, and as you can see in my vars I tried it with the old label configs (under "Traefik 2.0 Fronting") and I tried it without... (Do I still need the labels?)

I am really despairing and would be thankful to everybody who helps me get a bit further with my installation.

Playbook Configuration:

My vars.yml file looks like this:

---
### Base Configurations
matrix_domain: "ctf-0x72e.com"
matrix_homeserver_implementation: synapse
matrix_homeserver_generic_secret_key: '***hidden***'

matrix_playbook_reverse_proxy_type: other-traefik-container
matrix_playbook_reverse_proxyable_services_additional_network: traefik
devture_traefik_certs_dumper_ssl_dir_path: "/opt/docker/traefik/data/"
devture_traefik_config_certificatesResolvers_acme_email: 'm3m0r3x@ctf-0x72e.com'

devture_postgres_connection_password: '***hidden***'

### Dimension
matrix_dimension_admins:
  - "@user1:matrix.ctf-0x72e.com"
  - "@user2:matrix.ctf-0x72e.com"

matrix_dimension_access_token: "***hidden***"

### Jitsi
matrix_jitsi_enabled: true

matrix_jitsi_jicofo_auth_password: "***hidden***"
matrix_jitsi_jvb_auth_password: "***hidden***"
matrix_jitsi_jibri_recorder_password: "***hidden***"
matrix_jitsi_jibri_xmpp_password: "***hidden***"

# If you get an error like this: "Error: Account creation/modification not supported.", it's likely that you had
# previously installed Jitsi without auth/guest support. In such a case, you should look into Rebuilding your Jitsi
# installation.
#matrix_jitsi_enable_auth: true
#matrix_jitsi_enable_guests: true
#matrix_jitsi_prosody_auth_internal_accounts:
#  - username: "user1"
#    password: "***hidden***"
#  - username: "user2"
#    password: "***hidden***"

# You may want to limit the number of video feeds forwarded to each client, to save up resources on both server 
# and clients. As clients’ bandwidth and CPU may not bear the load, use this setting to avoid lag and crashes. 
# This feature is found by default in other webconference applications such as Office 365 Teams 
# (limit is set to 4). Read how it works here and performance evaluation on this study.
#matrix_jitsi_web_custom_config_extension: |
#  config.enableLayerSuspension = true;
#
#  config.disableAudioLevels = true;
#
#  // Limit the number of video feeds forwarded to each client
#  config.channelLastN = 4;
#
#matrix_jitsi_web_config_resolution_width_ideal_and_max: 480
#matrix_jitsi_web_config_resolution_height_ideal_and_max: 240

### Etherpad
etherpad_enabled: true

etherpad_admin_username: User
etherpad_admin_password: ***hidden***

### Traefik 2.0 Fronting
# No matter which external webserver you decide to go with, you'll need to:

#    1. Make sure your web server user (something like http, apache, www-data, nginx) is part of the matrix group.
#       You should run something like this: usermod -a -G matrix nginx. This allows your webserver user to access
#       files owned by the matrix group. When using an external nginx webserver, this allows it to read configuration
#       files from /matrix/nginx-proxy/conf.d. When using another server, it would make other files, such as
#       /matrix/static-files/.well-known, accessible to it.

#    2. Edit your configuration file (inventory/host_vars/matrix.<your-domain>/vars.yml) to disable the integrated nginx server:
#matrix_nginx_proxy_enabled: false

#    3. If you'll manage SSL certificates by yourself, edit your configuration file to disable SSL certificate retrieval:
matrix_ssl_retrieval_method: none

# This method uses labels attached to the Nginx and Synapse containers to provide the Traefik Docker provider with
# the information it needs to proxy matrix.DOMAIN, element.DOMAIN, dimension.DOMAIN and jitsi.DOMAIN. Some static
# configuration is required in Traefik; namely, having endpoints on ports 443 and 8448 and having a certificate resolver.

# Note that this configuration on its own does not redirect traffic on port 80 (plain HTTP) to port 443 for HTTPS, which
# may cause some issues, since the built-in Nginx proxy usually does this. If you are not already doing this in Traefik,
# it can be added to Traefik in a file provider.

# Don't bind any HTTP or federation port to the host
# (Traefik will proxy directly into the containers)
matrix_nginx_proxy_container_http_host_bind_port: ''
matrix_nginx_proxy_container_federation_host_bind_port: ''

# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection.
matrix_nginx_proxy_trust_forwarded_proto: true

# Trust and use the other reverse proxy's `X-Forwarded-For` header.
matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for'

# Disable Coturn because it needs SSL certs
# (Clients can, though exposing IP address, use Matrix.org TURN)
matrix_coturn_enabled: false

# All containers need to be on the same Docker network as Traefik
# (This network should already exist and Traefik should be using this network)
matrix_docker_network: 'traefik'

matrix_nginx_proxy_container_extra_arguments:
  # May be unnecessary depending on Traefik config, but can't hurt
  - '--label "traefik.enable=true"'

  # The Nginx proxy container will receive traffic from these subdomains
  - '--label "traefik.http.routers.matrix-nginx-proxy.rule=Host(`ctf-0x72e.com`,`matrix.ctf-0x72e.com`,`element.ctf-0x72e.com`,`dimension.ctf-0x72e.com`,`jitsi.ctf-0x72e.com`)"'

  # (The 'web-secure' entrypoint must bind to port 443 in Traefik config)
  - '--label "traefik.http.routers.matrix-nginx-proxy.entrypoints=websecure"'

  # (The 'default' certificate resolver must be defined in Traefik config)
  - '--label "traefik.http.routers.matrix-nginx-proxy.tls.certResolver=lets-encr"'

  # The Nginx proxy container uses port 8080 internally
  - '--label "traefik.http.services.matrix-nginx-proxy.loadbalancer.server.port=8080"'

matrix_synapse_container_extra_arguments:
  # May be unnecessary depending on Traefik config, but can't hurt
  - '--label "traefik.enable=true"'

  # The Synapse container will receive traffic from this subdomain
  - '--label "traefik.http.routers.matrix-synapse.rule=Host(`matrix.ctf-0x72e.com`) || (Host(`ctf-0x72.com`) && PathPrefix(`/_matrix/`))"'

  # (The 'synapse' entrypoint must bind to port 8448 in Traefik config)
  - '--label "traefik.http.routers.matrix-synapse.entrypoints=synapse"'

  # (The 'default' certificate resolver must be defined in Traefik config)
  - '--label "traefik.http.routers.matrix-synapse.tls.certResolver=lets-encr"'

  # The Synapse container uses port 8048 internally
  - '--label "traefik.http.services.matrix-synapse.loadbalancer.server.port=8048"'

# This stops the federation port on the Synapse side (normally `matrix-synapse:8048` on the container network).
#matrix_synapse_federation_port_enabled: false

# This removes the `8448` virtual host from the matrix-nginx-proxy reverse-proxy server.
#matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false

Matrix_well_known_matrix_server_enabled: false
matrix_nginx_proxy_base_domain_serving_enabled: true
matrix_nginx_proxy_https_enabled: false
#matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: /matrix/ssl/config/live/ctf-0x72e/fullchain.pem
#matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: /matrix/ssl/config/live/ctf-0x72e.com/privkey.pem

### Stats
matrix_prometheus_enabled: true

# You can remove this, if unnecessary.
prometheus_node_exporter_enabled: true

# You can remove this, if unnecessary.
prometheus_postgres_exporter_enabled: true

# You can remove this, if unnecessary.
matrix_prometheus_nginxlog_exporter_enabled: true
grafana_enabled: true
grafana_anonymous_access: false

grafana_default_admin_user: "user"

# Changing the password subsequently won't work.
grafana_default_admin_password: "***hidden***"

### Synapse
matrix_synapse_workers_enabled: true
matrix_synapse_workers_preset: one-of-each
devture_postgres_process_extra_arguments: [
  "-c 'max_connections=200'"
]

### Element
matrix_client_element_themes_enaled: true

### Federation
### Base Domain
###############
matrix_nginx_proxy_base_domain_serving_enabled: true

matrix_well_known_matrix_support_enabled: true

# Homeserver admin contacts as per MSC 1929 https://github.com/matrix-org/matrix-spec-proposals/pull/1929
matrix_homeserver_admin_contacts:
  - matrix_id: "@admin1:{{ matrix_domain }}"
    email_address: ***hidden***
    role: admin

matrix_homeserver_support_url: "https://matrix.ctf-0x72e.com/support"

### SMTP Settings

matrix_mailer_sender_address: "***hidden***"
matrix_mailer_relay_use: true
matrix_mailer_relay_host_name: "mail.ctf-072e.com"
matrix_mailer_relay_host_port: 587 #If doesn't work, maybe change to 587
matrix_mailer_relay_auth: true
matrix_mailer_relay_auth_username: "***hidden***"
matrix_mailer_relay_auth_password: "***hidden***"

### ma1sd
matrix_ma1sd_enabled: true
matrix_ma1sd_matrixorg_forwarding_enabled: true

### Synapse Admin
matrix_synapse_admin_enabled: true

### Shared Secret Auth

matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: ***hidden***

### Bridging Networks

### Mautrix Discord
###################

matrix_mautrix_discord_enabled: true

### Mautrix Slack
#################

matrix_mautrix_slack_enabled: true

### Mautrix WhatsApp
####################

matrix_mautrix_whatsapp_enabled: true
matrix_mautrix_whatsapp_bridge_relay_enabled: true

### Mautrix Twitter
###################

matrix_mautrix_twitter_enabled: true

### Mautrix Signal
##################

matrix_mautrix_signal_enabled: true
matrix_mautrix_signal_relaybot_enabled: true

### Postmoogle
##############
# Interferes with mailcow as it uses port 578/TCP, so it can't be used.
matrix_bot_postmoogle_enabled: false

### Heisenbridge (IRC)
######################

matrix_heisenbridge_enabled: true
# to enable identd on host port 113/TCP (optional)
#matrix_heisenbridge_identd_enabled: true

### Bots
### ChatGPT
###########

matrix_bot_chatgpt_enabled: true
matrix_bot_chatgpt_openai_api_key: '***hidden***'

# This is the default username
#matrix_bot_chatgpt_matrix_bot_username_localpart: 'bot.chatgpt'

matrix_bot_chatgpt_matrix_access_token: '***hidden***'

### Matrix Reminder Bot
#######################

matrix_bot_matrix_reminder_bot_enabled: true

# Uncomment and adjust this part if you'd like to use a username different than the default
# matrix_bot_matrix_reminder_bot_matrix_user_id_localpart: bot.matrix-reminder-bot

matrix_bot_matrix_reminder_bot_matrix_user_password: ***hidden***
matrix_bot_matrix_reminder_bot_reminders_timezone: Europe/London

### Matrix Registration Bot
###########################

#matrix_bot_matrix_registration_bot_enabled: true

# Token obtained via logging into the bot account (see above)
#matrix_bot_matrix_registration_bot_bot_access_token: "***hidden***"

# Enables registration
#matrix_synapse_enable_registration: true

### MauBot
##########

matrix_bot_maubot_enabled: true
#matrix_bot_maubot_admins:
#  - user: ***hidden***

### Notification Service
### NTFY

ntfy_enabled: true

# This is the default hostname.
# Uncomment the line below and change it, if you'd like.
# matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}"

### Backup
##############################
# To do:                     #
#   * Setting up borg backup #
##############################

##########   #########   #########
###EOF####   ###EOF###   ###EOF###
##########   #########   #########
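A small lint for the kind of configuration slips that this thread turns on: a `matrix_nginx_proxy_enabled: false` line that is only commented out, a Traefik `Host()` rule naming a domain that is not the configured `matrix_domain` (or a subdomain of it), and a variable name with wrong case or a typo, which Ansible silently treats as a different, unused variable. This is an added example, not tooling from the playbook; the sample vars text and the list of known variable names are constructed for the demo.

```python
import difflib
import re

# Constructed sample reproducing the patterns of the vars.yml in the issue (not the poster's
# file verbatim): a commented-out nginx switch, a capitalised key, a misspelt key, a host typo.
SAMPLE_VARS = """\
matrix_domain: "ctf-0x72e.com"
matrix_playbook_reverse_proxy_type: other-traefik-container
#matrix_nginx_proxy_enabled: false
Matrix_well_known_matrix_server_enabled: false
matrix_client_element_themes_enaled: true
matrix_synapse_container_extra_arguments:
  - '--label "traefik.http.routers.matrix-synapse.rule=Host(`matrix.ctf-0x72e.com`) || (Host(`ctf-0x72.com`) && PathPrefix(`/_matrix/`))"'
"""
# Playbook variable names the misspelling check compares against (a constructed subset).
KNOWN_KEYS = {"matrix_nginx_proxy_enabled", "matrix_well_known_matrix_server_enabled",
              "matrix_client_element_themes_enabled", "matrix_playbook_reverse_proxy_type"}
KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$")
HOST_RE = re.compile(r"Host\(([^)]*)\)")

def lint_vars(text):
    """Return a list of findings for a vars.yml text; an empty list means clean."""
    active, commented, hosts = {}, set(), []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):                 # remember keys that are only commented out
            m = KEY_RE.match(stripped.lstrip("#").strip())
            if m:
                commented.add(m.group(1))
            continue
        m = KEY_RE.match(stripped)
        if m and not line[:1].isspace():             # top-level key: value
            active[m.group(1)] = m.group(2).strip().strip("\"'")
        for hm in HOST_RE.finditer(line):            # hostnames inside Traefik Host(...) rules
            hosts.extend(h.strip(" `") for h in hm.group(1).split(","))
    findings, domain = [], active.get("matrix_domain", "")
    for h in hosts:                                  # 1. Host() must be the base domain or a subdomain
        if h != domain and not h.endswith("." + domain):
            findings.append(f"host {h!r} in a Traefik rule does not match matrix_domain {domain!r}")
    if (active.get("matrix_playbook_reverse_proxy_type") == "other-traefik-container"
            and active.get("matrix_nginx_proxy_enabled") != "false"):   # 2. external proxy => no nginx
        note = " (present but commented out)" if "matrix_nginx_proxy_enabled" in commented else ""
        findings.append("matrix_nginx_proxy_enabled: false is not set" + note)
    for k in active:                                 # 3. names are case-sensitive and must be exact
        if k != k.lower():
            findings.append(f"key {k!r} is not lowercase; the playbook will not see it")
        elif k not in KNOWN_KEYS and difflib.get_close_matches(k, KNOWN_KEYS, 1, 0.9):
            findings.append(f"key {k!r} looks like a misspelling of a known variable")
    return findings
```

Run `lint_vars(open("vars.yml").read())` against a real file; each finding names the offending value so it can be fixed before the next install-all.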
michDeca commented 1 year ago

Do you have a message or something, what's going wrong?

M3m0r3X commented 1 year ago

When I do the just install-all, the ansible script ends without any error. Also the services seem to start correctly according to the ansible output. What I have not checked yet is whether the services are running correctly (systemctl status *.matrix I guess). I will check this after work.

But to be honest, I am thinking something with traefik, or more precisely with let's encrypt, is not working well, because I don't get a working service on my corresponding subdomains, nor do I get a 404 or any other error from the containers. I just get browser messages:

But I don't understand why. devture_traefik_certs_dumper_ssl_dir_path: "/opt/docker/traefik/data/" is the correct path to my acme.json, which is working fine on my own traefik instance....

I guess that I overlooked something really stupidly simple....

michDeca commented 1 year ago

I'm not sure if I get your goal right: everything is done by traefik, no nginx should be involved, right?

(It's hard to say; however, what I see:) There is an nginx server responding. The line #matrix_nginx_proxy_enabled: false is not active. For me, this is a problem.

rltas commented 1 year ago

Your config looks outdated to me; from what I see it still assumes that services like Element are handled by nginx-proxy, for example. Did you read https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-own-webserver.md ?

M3m0r3X commented 1 year ago

Thank you sooo much @rltas and @michDeca. This pointed me in the right direction. It is not working fine yet, but it is some steps forward. I hope I can figure out the rest by myself. Again, many thanks to you guys.