element-ios
Stuck on "syncing" after closing and reopening
Steps to reproduce
- Log in to a private server with a private CA
- Send some messages
- Close app
- Open app
- Stuck on syncing... I can't send or receive messages or calls
Rebooting the phone does not solve the problem. I have to log out and log in again.
Outcome
What did you expect?
I'm expecting the app to work after closing and reopening
What happened instead?
The app is not working
Your phone model
iPhone 13
Operating system version
iOS 16
Application version
1.9.7
Homeserver
Private
Will you send logs?
No
I also tried on an iPhone 14 with 1.9.8, same issue. On an iPhone 7, however, it is working.
Any update? Thx
Is this issue still visible?
Yes
I think the issue is related to iOS 16, because it was working on a non-updated iPhone. After the system upgrade to 16.x... same issue.
Any update?
Any news? The issue is very annoying for private servers
Looks like https://github.com/vector-im/element-ios/issues/6315 issue.
@iz4tow @ksofix @aeroxs17 Could you confirm, do you all have the Refresh Tokens feature enabled on your homeservers?
How can I check? Thanks
@pixlwave I have the Refresh Tokens feature disabled on my homeserver. All configuration options related to Refresh Tokens are commented out. But I have enabled message retention policies and some rooms are completely empty.
Here is my homeserver yaml config file:
```yaml
modules: []
server_name: "*"
pid_file: /home/user/synapse/homeserver.pid
public_baseurl: https://*/
presence:
  enabled: false
require_auth_for_profile_requests: true
limit_profile_requests_to_users_who_share_rooms: false
include_profile_data_on_invite: true
allow_public_rooms_without_auth: false
allow_public_rooms_over_federation: false
filter_timeline_limit: 5000
enable_search: false
listeners:
  - port: 8008
    tls: false
    type: http
    x_forwarded: true
    bind_addresses: ['127.0.0.1']
    resources:
      - names: [client]
        compress: false
require_membership_for_aliases: true
allow_per_room_profiles: false
redaction_retention_period: 1m
user_ips_max_age: 4m
request_token_inhibit_3pid_errors: true
next_link_domain_whitelist: []
retention:
  enabled: true
  default_policy:
    min_lifetime: 1d
    max_lifetime: 4w
  purge_jobs:
    - longest_max_lifetime: 3d
      interval: 12h
    - shortest_max_lifetime: 3d
      interval: 1d
federation_domain_whitelist: []
federation_metrics_domains: []
allow_profile_lookup_over_federation: false
allow_device_name_lookup_over_federation: false
database:
  name: psycopg2
  args:
    user: "*"
    password: "*"
    database: "*"
    host: 127.0.0.1
    port: 5432
    cp_min: 5
    cp_max: 10
log_config: "/home/user/synapse/*.log.config"
media_store_path: "/home/user/synapse/media_store"
max_upload_size: 100M
max_image_pixels: 32M
dynamic_thumbnails: false
url_preview_enabled: false
url_preview_accept_language: []
turn_uris: ["turn:*", "turn:*?transport=udp"]
turn_shared_secret: "*"
turn_user_lifetime: 1h
turn_allow_guests: false
enable_registration: false
disable_msisdn_registration: true
enable_3pid_lookup: false
allow_guest_access: false
account_threepid_delegates: {}
report_stats: false
form_secret: "*"
signing_key_path: "/home/user/synapse/*.signing.key"
trusted_key_servers: []
push:
  include_content: false
user_directory:
  enabled: false
enable_room_list_search: false
redis:
  enabled: false
```
@pixlwave
It was unchanged from default state - referenced options were commented out
Changing
session_lifetime; refreshable_access_token_lifetime; nonrefreshable_access_token_lifetime; refresh_token_lifetime
to 30 years and then re-authenticating in the app doesn't fix the problem.
But it looks like the root of the problem is indeed linked to access tokens - users who haven't re-authenticated since ~October don't have this issue, and have been working fine for about 3 years now. Any fresh login from now on causes this bug to happen.
Here is my config file:
```yaml
pid_file: "/var/run/matrix-synapse.pid"
require_auth_for_profile_requests: true
limit_profile_requests_to_users_who_share_rooms: true
include_profile_data_on_invite: false
default_room_version: "6"
listeners:
  - port: 8008
    tls: false
    type: http
    x_forwarded: true
    bind_addresses: ['127.0.0.1']
    resources:
      - names: [client]
        compress: false
redaction_retention_period: null
retention:
  enabled: true
  default_policy:
    min_lifetime: 1h
    max_lifetime: 1d
  allowed_lifetime_min: 1h
  allowed_lifetime_max: 12h
  purge_jobs:
    - longest_max_lifetime: 12h
      interval: 30m
    - shortest_max_lifetime: 13h
      interval: 30m
event_cache_size: 1024K
database:
  name: psycopg2
  args:
    user: "*"
    password: "*"
    database: "*"
    host: 127.0.0.1
    cp_min: 5
    cp_max: 10
log_config: "/etc/matrix-synapse/log.yaml"
media_store_path: "/var/lib/matrix-synapse/media"
max_upload_size: 2048M
url_preview_enabled: false
turn_uris: ["turn:*:5349?transport=udp"]
turn_shared_secret: "*"
turn_user_lifetime: 1h
turn_allow_guests: true
enable_registration: false
registration_requires_token: true
registration_shared_secret: "*"
signing_key_path: "/etc/matrix-synapse/homeserver.signing.key"
trusted_key_servers:
  - server_name: "*"
push:
  include_content: false
encryption_enabled_by_default_for_room_type: all
```
Yes, I confirm. Users who did not log in again after the second half of September still work. I have no refresh token configuration in homeserver.yaml.
Here is my homeserver.yaml:
```yaml
server_name: chat.server.local
pid_file: "/var/run/matrix-synapse.pid"
allow_public_rooms_without_auth: false
allow_public_rooms_over_federation: false
federation_ip_range_blacklist:
  - '172.16.0.0/12'
  - '192.168.0.0/16'
  - '100.64.0.0/10'
  - '169.254.0.0/16'
  - '::1/128'
  - 'fe80::/64'
  - 'fc00::/7'
listeners:
  - port: 8448
    type: http
    tls: true
    x_forwarded: false
    bind_addresses:
      - '192.168.0.11'
    resources:
      - names: [federation]
      # The next two lines are kept as posted; the entry they belong to is not in the post.
      - '192.168.0.11'
    resources:
  - port: 8009
    tls: false
    type: http
    x_forwarded: true
    bind_addresses: ['127.0.0.1']
    resources:
      - names: [client]
        compress: false
retention:
  enabled: true
  default_policy:
    min_lifetime: 5d
    max_lifetime: 60d
  allowed_lifetime_min: 5d
  allowed_lifetime_max: 60d
  purge_jobs:
    - shortest_max_lifetime: 1d
      longest_max_lifetime: 10d
      interval: 1h
tls_certificate_path: "/etc/matrix-synapse/certs/chat.server.local.crt"
tls_private_key_path: "/etc/matrix-synapse/certs/chat.server.local.key"
federation_custom_ca_list:
  - '/etc/matrix-synapse/certs/CA.pem'
acme:
  enabled: false
  port: 80
  bind_addresses: ['::', '0.0.0.0']
  reprovision_threshold: 30
  domain: server.example.com
  account_key_file: /var/lib/matrix-synapse/acme_account.key
database:
  name: "psycopg2"
  args:
    user: db
    password: PWD
    database: chatdb
    host: 192.168.0.20
    cp_min: 5
    cp_max: 10
log_config: "/etc/matrix-synapse/log.yaml"
media_store_path: "/var/lib/matrix-synapse/media"
max_upload_size: 100M
enable_registration_captcha: true
turn_uris: [ "turn:chat.server.local:3478?transport=udp" ]
turn_shared_secret: PWD
turn_user_lifetime: 1h
turn_allow_guests: true
enable_registration: true
account_validity:
registration_shared_secret: PWD
account_threepid_delegates:
metrics_flags:
signing_key_path: "/etc/matrix-synapse/homeserver.signing.key"
old_signing_keys:
  "ed25519:a_Ocab": { key: PWD, expired_ts: 1587558035604 }
trusted_key_servers:
  - server_name: "chat.server.local"
saml2_config:
  user_mapping_provider:
    config:
sso:
password_config:
email:
push:
  include_content: false
server_notices:
  system_mxid_localpart: notices
  system_mxid_display_name: "Server Notices"
  room_name: "Server Notices"
enable_room_list_search: false
opentracing:
```
But I think maybe .well-known is the problem... Here is the well-known/client:
{ "im.vector.riot.jitsi": { "preferredDomain": "vtc.server.local" } }
How can I correct it?
Thx
Thanks for the info. I asked because in the logs from @aeroxs17 I see issues saying that the token has an expiry date in the past and wondered if that was a common problem. I have tested running Element iOS against synapse using the demo script that spins up a self-signed instance. I saw the issue once (a syncing banner at the top with an activity indicator), but when I went to debug it I couldn't reproduce it after that.
We're going to need reliable steps to reproduce the issue to be able to look into it properly.
I've tagged the issue as uncommon, as this isn't a regular setup for using Synapse in production.
@pixlwave In my case it is enough to force close the app (as described in this article https://support.apple.com/en-us/HT201330) at any point. More rarely this issue can occur after not using the app for quite a while (12 hours - a day).
I sent another log file with link of this issue in description. Is there any way to view those logs locally / by myself?
Experimenting with refresh_tokens and manually setting them to None in registration.py (disabling them, if I understood correctly) doesn't affect this issue.
I've set synapse to run on debug level logging. I can see in firewall logs that my device is sending requests to the synapse server, but synapse logs don't show any entries at all. Nginx debug logs show that my device closes the connection while SSL handshaking - the recent iOS version of Element either forgets exceptions made for self-signed certificate or treats them as another certificate. That certificate is issued for 10 years.

Any update on this? Is this issue indeed linked to self-signed certificate or is it not related?
I checked my app running against the mentioned demo with a self-signed certificate and it still happily connects 24 hours later.
> forgets exceptions made for self-signed certificate
This definitely appears to be the case - I was wondering if it was the refresh of a token that caused it to happen, but without a way to reproduce this issue on our side it is hard to understand what is causing it.
The only other notable difference is that my certificate was issued for 10 years (2020.11.9-2030.11.7). Maybe this triggers a security violation?
Same situation. Certificate for 10 years
I have the same situation. My certificate starts in 2022 and expires in 2032. Are we affected by these changes: Apple to Enforce 1-Year Limit on SSL/TLS Certificate Lifetimes?
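The validity-period question raised above can be checked against Apple's published requirements for TLS server certificates on iOS 13 and later: 825 days or fewer for certificates issued after July 1, 2019, the host name in subjectAltName, and a serverAuth extended key usage. This is an added example, not part of the thread or of Element's code; it parses the text printed by `openssl x509 -noout -dates -ext subjectAltName,extendedKeyUsage`, and the function name, host name and sample inputs are assumptions constructed here.

```python
import re
from datetime import datetime

MAX_DAYS = 825                 # Apple's limit for TLS server certificates
CUTOFF = datetime(2019, 7, 1)  # the limit applies to certificates issued after this date

def _parse(value):
    # openssl prints dates as e.g. "Nov  9 00:00:00 2020 GMT"
    return datetime.strptime(value.replace("GMT", "").strip(), "%b %d %H:%M:%S %Y")

def ios_tls_problems(text):
    """Return the requirements that the openssl text output fails to meet."""
    dates = dict(re.findall(r"^(notBefore|notAfter)=(.+)$", text, re.M))
    if set(dates) != {"notBefore", "notAfter"}:
        return ["validity dates not found in input"]
    start, end = _parse(dates["notBefore"]), _parse(dates["notAfter"])
    days = (end - start).days
    problems = []
    if start > CUTOFF and days > MAX_DAYS:
        problems.append(f"validity is {days} days, limit is {MAX_DAYS}")
    # The host name must appear in the SAN extension; the CommonName is not used.
    if not re.search(r"Subject Alternative Name:[^\n]*\n[^\n]*(DNS|IP Address):", text):
        problems.append("no DNS or IP entry in subjectAltName")
    if "TLS Web Server Authentication" not in text:
        problems.append("extendedKeyUsage lacks serverAuth")
    return problems

# Constructed sample: the validity dates quoted in the thread, other fields invented.
TEN_YEAR = """notBefore=Nov  9 00:00:00 2020 GMT
notAfter=Nov  7 00:00:00 2030 GMT
X509v3 Subject Alternative Name:
    DNS:matrix.example.internal
"""

# Constructed sample: a one-year certificate with SAN and serverAuth EKU.
ONE_YEAR = """notBefore=Jan 10 00:00:00 2023 GMT
notAfter=Jan 10 00:00:00 2024 GMT
X509v3 Subject Alternative Name:
    DNS:matrix.example.internal
X509v3 Extended Key Usage:
    TLS Web Server Authentication
"""

if __name__ == "__main__":
    for name, sample in (("ten-year", TEN_YEAR), ("one-year", ONE_YEAR)):
        print(name, ios_tls_problems(sample) or "meets the checked requirements")
```

The separate 398-day limit in the linked announcement applies to certificates that chain to root CAs preinstalled by Apple, not to user-added or administrator-added roots.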
Any updates on this issue? Are such certs not supported anymore?
Honestly I think it's an element-ios bug, because it works for some time then it stops.
I tried to use another server with NGINX as a proxy with a self-signed cert valid for 365 days. But SAME ISSUE... it works at first, then after some hours or after closing and reopening, Element on iOS is stuck on syncing. On Android and PC it works fine.
@pixlwave Hi there. If this issue can't be fixed could you please mark it as such? We'll just install a valid wildcard certificate on our homeserver if fixing this problem in the app will take considerable time.
Maybe you can try to reproduce the issue using matrix behind a VPN server. Maybe it is the VPN on iOS that is the issue. You may try with Wireguard and OpenVPN.
@iz4tow have you somehow managed to fix it? I seem to encounter the same issue, and I am really going crazy.
No. I tried everything. I'm still waiting for a solution from developers
I’ve managed to solve it by buying a domain and using Let's Encrypt to issue valid certs via Cloudflare DNS verification. It now costs me around 100 dollars a year but at least it works.
Seems like the „uncommon“ tag means that devs won’t do anything about it.