
Matrix server with a local PKI

Open Astaoth opened this issue 1 year ago • 6 comments

Hi!

I've attempted to connect my znc bouncer to my home matrix-synapse through M51. On my LAN, I've made a local PKI, with the CA imported to all my servers, and each service that requires TLS has a certificate made from this PKI. From any server I can curl any local webUI and get no TLS issue (they are valid, the local CA is properly imported in the OS store). This is also the case for my synapse server, and I can curl the https://synapse.local/_matrix/static/ page with no issue.

When I launch my M51 service, I get these logs:

15:22:18.601 [info] Listening on port 2051
15:22:18.601 [info] Matrix2051 started.
15:22:45.978 [info] Incoming connection from ::ffff:127.0.0.1:45536
15:22:47.241 [notice] TLS :client: In state :wait_cert_cr at ssl_handshake.erl:2111 generated CLIENT ALERT: Fatal - Unknown CA
15:22:47.243 [error] GenServer {M51.Registry, {#PID<0.1073.0>, :matrix_client}} terminating

If I get it right, Elixir has its own CA store? How would I be able to use my local CA with M51?

Astaoth avatar Oct 14 '24 22:10 Astaoth

You may be able to load them by calling this function at the beginning of matrix2051.exs: https://www.erlang.org/docs/26/man/public_key#cacerts_load-0

progval avatar Oct 15 '24 05:10 progval

Hi, I've made a few tests by adding :public_key.cacerts_load() and :public_key.cacerts_load("/path/to/cert.pem") in the matrix2051.exs file and made a test with mix run matrix2051.exs, and I have the same error. Would you have another suggestion?

Astaoth avatar Oct 15 '24 18:10 Astaoth

Hmm... you could try this: https://hexdocs.pm/httpoison/readme.html#options

In the various functions in https://github.com/progval/matrix2051/blob/main/lib/matrix/raw_client.ex, add [ssl: [cacerts: :public_key.cacerts_load("/path/to/cert.pem")]] or something to the options passed to HTTPoison.

progval avatar Oct 15 '24 18:10 progval

I've attempted the suggested changes, by calling the function with and without specifying my custom CA, with and without the extra line in the matrix2051.exs file, and by launching M51 with mix run matrix2051.exs.

That changed nothing; I still have the same error sent by M51.

Astaoth avatar Oct 16 '24 13:10 Astaoth

Then sorry, I don't know.

progval avatar Oct 16 '24 13:10 progval

I guess I'll have to find an alternate way. In any case thank you for your help and your time :)

Astaoth avatar Oct 16 '24 13:10 Astaoth
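The suggestion above passes `:ssl` options to HTTPoison; as an added illustration (not matrix2051 code and not from this thread), here is what a private-CA configuration for the Erlang `:ssl` application looks like, with the insecure shortcut next to the verifying form. The CA path `/etc/ssl/local-ca.pem`, the module name `LocalCA` and the `fetch/1` wrapper are assumptions for the example.

```elixir
# Added example, not part of matrix2051. Builds HTTPoison (hackney) ssl options
# that trust a private CA explicitly instead of relying on the OS store.
# The CA bundle path is a placeholder; point it at your own CA file.
defmodule LocalCA do
  @ca_file "/etc/ssl/local-ca.pem"

  # Insecure shortcut: makes the "Unknown CA" alert disappear by disabling
  # chain validation, so the client then accepts any certificate at all.
  def insecure_ssl_opts, do: [verify: :verify_none]

  # Verifying form: keep chain and hostname checks on and tell :ssl which CA
  # to trust. :cacertfile is read by :ssl itself, so it works whether or not
  # :public_key.cacerts_load/1 was called earlier.
  def ssl_opts do
    [
      verify: :verify_peer,
      cacertfile: @ca_file,
      depth: 3,
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]
  end

  # Alternative using the public_key CA cache: cacerts_load/1 only loads the
  # file and returns :ok; the certificate list itself comes from cacerts_get/0.
  def ssl_opts_from_cache do
    :ok = :public_key.cacerts_load(@ca_file)
    [verify: :verify_peer, cacerts: :public_key.cacerts_get()]
  end

  # Example request against a server whose certificate chains to the local CA.
  def fetch(url), do: HTTPoison.get(url, [], ssl: ssl_opts())
end
```

A quick way to check the options outside the bouncer is `LocalCA.fetch("https://synapse.local/_matrix/static/")` in `iex -S mix`: an `{:ok, %HTTPoison.Response{}}` means the chain validated against the CA file, while `{:error, %HTTPoison.Error{}}` with an `unknown_ca` reason means the file does not contain the issuing CA.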