
mod_matrix_gw_s2s: Failed authentication request on a non-first vhost

Open catap opened this issue 1 year ago • 1 comments

Environment

  • ejabberd version: 24.10
  • Erlang version: Erlang (SMP,ASYNC_THREADS) (BEAM) emulator version 14.2.5.3
  • OS: OpenBSD 7.6
  • Installed from: source

Configuration (only if needed): grep -Ev '^$|^\s*#' ejabberd.yml

hosts:
  - kcry.pt
  - korins.ky
...
listen:
...
  -
    port: 8448
    ip: "0.0.0.0"
    module: ejabberd_http
    tls: true
    request_handlers:
      "/_matrix": mod_matrix_gw
  -
    port: 8448
    ip: "::"
    module: ejabberd_http
    tls: true
    request_handlers:
      "/_matrix": mod_matrix_gw
s2s_use_starttls: optional
s2s_access: s2s # to allow Matrix federation
...
access_rules:
  local:
    allow: local
  c2s:
    deny: blocked
    allow: all
  s2s:
    - allow # to allow Matrix federation
...
modules:
...
  mod_matrix_gw:
    key_name: "REDACTED"
    key: "REDACTED"
...

Errors from error.log/crash.log

2024-11-16 18:25:30.169607+01:00 [warning] <0.1051.0>@mod_matrix_gw_s2s:check_auth/5:162 Failed authentication: #{<<"destination">> => <<"kcry.pt">>,
                         <<"method">> => <<"GET">>,
                         <<"origin">> => <<"matrix.org">>,
                         <<"signatures">> =>
                             #{<<"matrix.org">> =>
                                   #{<<"ed25519:a_RXGa">> =>
                                         <<"7oCcYGQHfeMv9mr9MmyCyVUnkozbUGbwrs/zPVsoqWA2ZadlLzQ4It5ZCBYQ/b1LdCHBcXLsGZRNKGYlbEosDQ">>}},
                         <<"uri">> =>
                             <<"/_matrix/federation/v1/query/profile?user_id=%40test%3Akorins.ky&field=displayname">>}

Bug description

When I try to start a new conversation with some user on my server via https://app.cinny.in/ it says that such a user doesn't exist and the logs contain "failed authentication". It always passes for the first virtual host, but always fails on the last.

So, as soon as I reordered the host list, I was able to discover an account via cinny.

catap, Nov 16 '24 17:11

So, as soon as I reordered the host list, I was able to discover an account via cinny.

Thank you so extremely much for this! Literally found this after ten hours of debugging.

I first added a virtual host when trying out ejabberd, decided I liked it and then migrated from Prosody. Suddenly the Matrix support would no longer work and it seemed to make no sense as everything else was the same, I just added another domain.

Thank you for mentioning that!

erebion, May 18 '25 22:05