
Synapse Homeserver Installation fails the Matrix Federation Test

Open mherfurt opened this issue 1 year ago • 4 comments

Description

I am trying to run a Synapse server on my Kubernetes cluster. Therefore, I am using the latest official container (version 1.109.0) from Docker Hub in combination with an official PostgreSQL container. The server is reverse-proxied by HAProxy (with SSL offloading) using a Let's Encrypt certificate.

After being able to register a user on this server using the Flatpak version of the Element client on Linux, I tried logging in with the Android Element app from the Google Play Store. On Android, the Element client rejects the server name, claiming that the entered server name "is not a valid matrix server address".

From what I found out, the Android version of the Element app relies on the Federation API, which brought me to the Matrix Federation Tester website, where my server fails the test. In the JSON report of the test, it is stated that the server, which seems to be addressed by its IP address, does not respond with HTTP response code 200. This might have to do with the fact that Let's Encrypt does not issue SSL certificates for IP addresses, and therefore a connection to the server via its IP address fails due to certificate validation.

The next thing I tried was to switch from serving the well-known info to having an SRV record for the server... same negative result.

Is it even possible to host a federated Synapse homeserver with Let's Encrypt certificates?

Please find a slightly obfuscated JSON report from the tester below:

    {
      "WellKnownResult": {
        "m.server": "mydomain.com:443",
        "CacheExpiresAt": 0
      },
      "DNSResult": {
        "SRVSkipped": true,
        "SRVCName": "",
        "SRVRecords": null,
        "SRVError": null,
        "Hosts": {
          "hxz.one": {
            "CName": "mydomain.com.",
            "Addrs": [ "1.2.3.4" ],
            "Error": null
          }
        },
        "Addrs": [ "1.2.3.4:443" ]
      },
      "ConnectionReports": {},
      "ConnectionErrors": {
        "1.2.3.4:443": {
          "Message": "Non-200 response 404 from remote server"
        }
      },
      "Version": {
        "name": "Synapse",
        "version": "1.109.0"
      },
      "FederationOK": false
    }

Steps to reproduce

  • deploy the latest Synapse container behind HAProxy with SSL offloading, using Let's Encrypt certificates
  • try to register/log in with the Element client on Android
  • run the Matrix Federation Tester

Homeserver

another homeserver

Synapse Version

1.109.0

Installation Method

Docker (matrixdotorg/synapse)

Database

I am using a single PostgreSQL server

Workers

Single process

Platform

The deployment is done on a microk8s cluster running Ubuntu Server 24.04 LTS

Configuration

No response

Relevant log output

2024-06-26 16:26:56,750 - synapse.access.http.8008 - 473 - INFO - GET-28 - 94.237.61.73 - 8008 - {None} Processed request: 0.000sec/-0.000sec (0.000sec, 0.000sec) (0.000sec/0.000sec/0) 26B 200 "GET /.well-known/matrix/server HTTP/1.1" "Go-http-client/2.0" [0 dbevts]
2024-06-26 16:26:56,924 - synapse.access.http.8008 - 473 - INFO - GET-29 - 94.237.61.73 - 8008 - {None} Processed request: 0.000sec/0.001sec (0.001sec, 0.000sec) (0.000sec/0.000sec/0) 49B 200 "GET /_matrix/federation/v1/version HTTP/1.1" "Go-http-client/2.0" [0 dbevts]

Anything else that would be useful to know?

The firewall log shows a third connection from 94.237.61.73 that is not passed to the HAProxy backend due to the issues described above.

mherfurt avatar Jun 26 '24 16:06 mherfurt
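The resolution steps behind the report above, as an added example that is not part of the issue, of Synapse, or of the federation tester's code. It replays the Matrix server-name resolution algorithm from the specification (IP literal, explicit port, .well-known delegation, SRV lookup, then port 8448) against constructed lookup tables instead of live DNS and HTTPS, so it runs offline; mydomain.com, 1.2.3.4 and the other names and addresses are assumptions modelled on the obfuscated report. The point it demonstrates for the question in the post: with a .well-known m.server of mydomain.com:443, a peer connects to the resolved IP on port 443 but expects a certificate valid for the hostname mydomain.com (that is what it validates against and sends as SNI), so a Let's Encrypt certificate for that hostname is exactly what federation requires and no certificate for the IP address is ever needed.

```python
"""Matrix server-name resolution, replayed offline (added example, not Synapse code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-ins for the network lookups; assumed data, not real records.
WELL_KNOWN = {"mydomain.com": "mydomain.com:443"}          # https://<name>/.well-known/matrix/server -> m.server
SRV_RECORDS = {"_matrix-fed._tcp.srvonly.example": ("matrix.srvonly.example", 8448)}
A_RECORDS = {"mydomain.com": "1.2.3.4", "matrix.srvonly.example": "5.6.7.8", "bare.example": "9.9.9.9"}


@dataclass(frozen=True)
class Target:
    connect_host: str   # IP the TCP connection goes to
    connect_port: int
    tls_name: str       # name the certificate must be valid for (also sent as SNI)
    host_header: str    # value of the HTTP Host header the remote (and any proxy) sees
    via: str            # which step of the algorithm produced this target


_NAME_RE = re.compile(r"^(\[[^\]]+\]|[^:\[\]]+)(?::(\d{1,5}))?$")


def split_server_name(name: str) -> Tuple[str, Optional[int]]:
    """Split 'host', 'host:port', '1.2.3.4', '1.2.3.4:port' or '[v6]:port' into (host, port)."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"malformed server name: {name!r}")
    return m.group(1).strip("[]"), (int(m.group(2)) if m.group(2) else None)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _authority(host: str, port: Optional[int]) -> str:
    """Host header value: IPv6 literals are bracketed, the port is kept only if given."""
    h = f"[{host}]" if ":" in host else host
    return h if port is None else f"{h}:{port}"


def resolve_a(host: str) -> str:
    if host not in A_RECORDS:
        raise LookupError(f"no A/AAAA record for {host}")
    return A_RECORDS[host]


def lookup_srv(host: str) -> Optional[Tuple[str, int]]:
    # Spec order: _matrix-fed._tcp first, then the legacy _matrix._tcp name.
    for prefix in ("_matrix-fed._tcp.", "_matrix._tcp."):
        if prefix + host in SRV_RECORDS:
            return SRV_RECORDS[prefix + host]
    return None


def resolve_server_name(server_name: str) -> Target:
    host, port = split_server_name(server_name)
    # 1. IP literal: connect directly; the certificate must then be valid for the IP itself.
    if is_ip_literal(host):
        return Target(host, port or 8448, host, _authority(host, port), "ip-literal")
    # 2. Explicit port: no delegation, connect to hostname:port.
    if port is not None:
        return Target(resolve_a(host), port, host, _authority(host, port), "explicit-port")
    # 3. .well-known delegation.
    delegated = WELL_KNOWN.get(host)
    if delegated:
        d_host, d_port = split_server_name(delegated)
        if is_ip_literal(d_host):
            return Target(d_host, d_port or 8448, d_host, _authority(d_host, d_port), "well-known/ip")
        if d_port is not None:
            # The thread's case: TCP to the resolved IP, but the cert is checked for mydomain.com.
            return Target(resolve_a(d_host), d_port, d_host, _authority(d_host, d_port), "well-known/port")
        srv = lookup_srv(d_host)
        if srv:
            return Target(resolve_a(srv[0]), srv[1], d_host, d_host, "well-known/srv")
        return Target(resolve_a(d_host), 8448, d_host, d_host, "well-known/8448")
    # 4. SRV on the original hostname (used when the well-known lookup fails).
    srv = lookup_srv(host)
    if srv:
        return Target(resolve_a(srv[0]), srv[1], host, host, "srv")
    # 5. Fallback: hostname on port 8448.
    return Target(resolve_a(host), 8448, host, host, "fallback-8448")


def first_federation_request(server_name: str) -> str:
    """The request a peer sends once connected: the server-key fetch, with the Host header above."""
    t = resolve_server_name(server_name)
    return f"GET /_matrix/key/v2/server HTTP/1.1\r\nHost: {t.host_header}\r\n\r\n"


if __name__ == "__main__":
    for name in ("mydomain.com", "srvonly.example", "bare.example", "[2001:db8::1]:8448"):
        print(name, "->", resolve_server_name(name))
```

The via field tells you which step the tester is exercising, and the request line shows what your reverse proxy actually sees for the delegated case: a Host header of mydomain.com:443, port included. Routing rules that compare the Host header for an exact match against the bare hostname will not match that value, which is worth checking whenever the well-known and version endpoints answer but the key fetch on the same address does not.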

Hi @mherfurt, I'm in the same situation; did you manage to solve this?

stephanedupont avatar Sep 23 '24 08:09 stephanedupont

Nope... did give up, eventually.

mherfurt avatar Sep 24 '24 17:09 mherfurt

I fixed it by adding the following line to homeserver.yaml:

public_baseurl: https://matrix.mydomain.com/

Without it, the well-known returned a "404".

stephanedupont avatar Sep 24 '24 18:09 stephanedupont

Unfortunately, this didn't fix the issue I am having.

mherfurt avatar Sep 25 '24 08:09 mherfurt

Since you haven't given us your configured server name in the issue template, I can't really tell, but am I right in saying it sounds like you are using an IP address as your server name, whilst not configuring a valid TLS cert for that address? In that case, that's kinda working as intended — federation needs a valid TLS certificate.

That said, clients don't need federation. You can configure .well-known/matrix/client and that should suffice for them.

Anyway, since this is most likely a configuration problem, please see the message about support not being offered on the issue tracker; either see the Synapse Admins room or open an issue with enough information to reproduce.

reivilibre avatar Jun 06 '25 15:06 reivilibre