Traefik Managed by You: Wildcard certs causing Traefik certs dumper to stall, instead of finishing installation.
Describe the bug
After doing a basic setup where the only deviation is "Using your own webserver"/using a Traefik instance I manage, it seems that the cert dumper does not recognize the wildcard cert (*.mydomain.tld) that is provided in acme.json. I do not make individual certs for every subdomain I manage because it would drive me insane. I'm not sure if this cert dumper was made specifically for this project, or if it's from another upstream project. Here is the error log from Ansible:
failed: [matrix.mydomain.tld] (item={'name': 'matrix-coturn.service', 'priority': 4000, 'groups': ['matrix', 'coturn']}) => changed=false
  ansible_loop_var: item
  item:
    groups:
    - matrix
    - coturn
    name: matrix-coturn.service
    priority: 4000
  msg: |-
    Unable to start service matrix-coturn.service: A dependency job for matrix-coturn.service failed. See 'journalctl -xe' for details.
Upon checking, I noticed there was a stopped service called matrix-traefik-certs-dumper-wait-for-domain with the error "Failed to start matrix-traefik-certs-dumper-wait-for-domain@matrix.mydomain.tld.service - Traefik certs dumper waiter (matrix-traefik-certs-dumper-wait-for-domain) for matrix.mydomain.tld", which is why I'm assuming that the cert dumper is the issue.
To Reproduce
My vars.yml file looks like this:
# The bare domain name which represents your Matrix identity.
# Matrix user ids for your server will be of the form (`@user:<matrix-domain>`).
#
# Note: this playbook does not touch the server referenced here.
# Installation happens on another server ("matrix.<matrix-domain>").
#
# If you've deployed using the wrong domain, you'll have to run the Uninstalling step,
# because you can't change the Domain after deployment.
#
# Example value: example.com
matrix_domain: mydomain.tld
# The Matrix homeserver software to install.
# See:
# - `roles/custom/matrix-base/defaults/main.yml` for valid options
# - the `docs/configuring-playbook-IMPLEMENTATION_NAME.md` documentation page, if one is available for your implementation choice
matrix_homeserver_implementation: synapse
# A secret used as a base, for generating various other secrets.
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
matrix_homeserver_generic_secret_key: 'Removed'
# By default, the playbook manages its own Traefik (https://doc.traefik.io/traefik/) reverse-proxy server.
# It will retrieve SSL certificates for you on-demand and forward requests to all other components.
# For alternatives, see `docs/configuring-playbook-own-webserver.md`.
matrix_playbook_reverse_proxy_type: other-traefik-container
matrix_playbook_reverse_proxyable_services_additional_network: traefik
devture_traefik_certs_dumper_ssl_dir_path: "/traefik/certs/acme.json"
# This is something which is provided to Let's Encrypt when retrieving SSL certificates for domains.
#
# In case SSL renewal fails at some point, you'll also get an email notification there.
#
# If you decide to use another method for managing SSL certificates (different than the default Let's Encrypt),
# you won't be required to define this variable (see `docs/configuring-playbook-ssl-certificates.md`).
#
# Example value: [email protected]
devture_traefik_config_certificatesResolvers_acme_email: ''
# A Postgres password to use for the superuser Postgres user (called `matrix` by default).
#
# The playbook creates additional Postgres users and databases (one for each enabled service)
# using this superuser account.
devture_postgres_connection_password: Removed
# By default, we configure Coturn's external IP address using the value specified for `ansible_host` in your `inventory/hosts` file.
# If this value is an external IP address, you can skip this section.
#
# If `ansible_host` is not the server's external IP address, you have 2 choices:
# 1. Uncomment the line below, to allow IP address auto-detection to happen (more on this below)
# 2. Uncomment and adjust the line below to specify an IP address manually
#
# By default, auto-detection will be attempted using the `https://ifconfig.co/json` API.
# Default values for this are specified in `matrix_coturn_turn_external_ip_address_auto_detection_*` variables in the Coturn role
# (see `roles/custom/matrix-coturn/defaults/main.yml`).
#
# If your server has multiple IP addresses, you may define them in another variable which allows a list of addresses.
# Example: `matrix_coturn_turn_external_ip_addresses: ['1.2.3.4', '4.5.6.7']`
#
# matrix_coturn_turn_external_ip_address: ''
Using a premade wildcard cert from my Traefik container.
Expected behavior
It uses the wildcard cert.
Matrix Server:
- OS: Fedora 39
- Architecture: x86-64
Ansible:
- where you run Ansible: Fedora 39 baremetal laptop that connects to a Fedora 39 baremetal server on the same network
- Ansible version (ansible --version): ansible [core 2.14.11]
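The waiter in the report is keyed on the literal hostname (matrix.mydomain.tld), while the store only holds a certificate whose main name is *.mydomain.tld. The following script, added here as a diagnostic example and not part of the playbook or of traefik-certs-dumper, reads a Traefik v2 acme.json (resolver -> "Certificates" -> {"domain": {"main", "sans"}, "certificate", "key"}, with the PEM fields base64-encoded), applies single-label wildcard matching, and reports which entry covers a hostname and under what main name, which is the name a per-hostname waiter or dumped directory will not find. The embedded store is constructed for the example; `dump_pem` decodes the PEM so the pair can be placed wherever a consumer such as coturn expects it.

```python
"""Check which certificate in a Traefik v2 acme.json covers a hostname.

Added diagnostic example for this issue; not code from the playbook or
from traefik-certs-dumper. The acme.json layout is Traefik v2's ACME store;
the sample store below is constructed for the example.
"""
import base64
import json
import sys

# Constructed sample: one resolver holding a single wildcard certificate.
# Real stores carry base64-encoded PEM in "certificate"/"key"; the bytes
# here are placeholders, since the coverage check only needs "domain".
SAMPLE_ACME_JSON = json.dumps({
    "default": {
        "Account": {"Email": "admin@mydomain.tld"},
        "Certificates": [
            {
                "domain": {"main": "*.mydomain.tld", "sans": ["mydomain.tld"]},
                "certificate": base64.b64encode(
                    b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n").decode(),
                "key": base64.b64encode(
                    b"-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n").decode(),
                "Store": "default",
            }
        ],
    }
})


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: a leading '*.' covers exactly one DNS label.

    '*.mydomain.tld' matches 'matrix.mydomain.tld' but neither
    'mydomain.tld' nor 'a.b.mydomain.tld'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".mydomain.tld"
        if not hostname.endswith(suffix) or len(hostname) <= len(suffix):
            return False
        return "." not in hostname[: -len(suffix)]
    return False


def certificates_in(acme_json_text: str):
    """Yield (resolver, main, sans, entry) for every certificate in the store."""
    store = json.loads(acme_json_text)
    for resolver, data in store.items():
        for entry in data.get("Certificates") or []:
            domain = entry.get("domain", {})
            yield resolver, domain.get("main", ""), list(domain.get("sans") or []), entry


def find_covering_certificate(acme_json_text: str, hostname: str):
    """Return (resolver, main_name, matched_name) for the first entry covering
    hostname, or None when nothing in the store does."""
    for resolver, main, sans, _entry in certificates_in(acme_json_text):
        for name in [main, *sans]:
            if name_matches(name, hostname):
                return resolver, main, name
    return None


def diagnose(acme_json_text: str, hostname: str) -> str:
    """One-line explanation of why a per-hostname waiter may stall."""
    hit = find_covering_certificate(acme_json_text, hostname)
    if hit is None:
        return f"no certificate in acme.json covers {hostname}"
    resolver, main, matched = hit
    if main == hostname:
        return f"{hostname} has its own certificate (resolver {resolver})"
    return (f"{hostname} is covered by the certificate whose main name is {main} "
            f"(matched via {matched}, resolver {resolver}); anything that waits for "
            f"a file or directory named exactly '{hostname}' will not find it")


def dump_pem(acme_json_text: str, main_name: str):
    """Return (certificate_pem, key_pem) of the entry with the given main name."""
    for _resolver, main, _sans, entry in certificates_in(acme_json_text):
        if main == main_name:
            return (base64.b64decode(entry["certificate"]).decode(),
                    base64.b64decode(entry["key"]).decode())
    raise KeyError(main_name)


if __name__ == "__main__":
    # Usage: python check_acme.py [path/to/acme.json] hostname
    text = open(sys.argv[1]).read() if len(sys.argv) > 2 else SAMPLE_ACME_JSON
    host = sys.argv[-1] if len(sys.argv) > 1 else "matrix.mydomain.tld"
    print(diagnose(text, host))
```

Run against the real store (`python check_acme.py /traefik/certs/acme.json matrix.mydomain.tld`) to see whether the hostname is covered at all and, if so, under which main name the certificate was issued; that main name, not the requested hostname, is what the dumped output will be labelled with.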
I have the same error. I think we have to be patient.
failed: [matrix.mydomain.tld] (item={'name': 'matrix-coturn.service', 'priority': 4000, 'groups': ['matrix', 'coturn']}) => changed=false
  ansible_loop_var: item
  item:
    groups:
    - matrix
    - coturn
    name: matrix-coturn.service
    priority: 4000
  msg: |-
    Unable to start service matrix-coturn.service: A dependency job for matrix-coturn.service failed. See 'journalctl -xe' for details.
Ran into the same issue, followed this and coturn can start normally: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/howto-srv-server-delegation.md#adjust-coturns-configuration
What specifically did you change? I ask because those instructions specifically say they are outdated. Was it only the "matrix_coturn_container_additional_volumes" in matrix-coturn/defaults/main.yml?
For others facing this problem #3085 appears to be the same.
For me, I added the following to my vars.yml:
matrix_coturn_systemd_required_services_list: ['docker.service']
matrix_coturn_container_additional_volumes: |
  {{
    (
      [
        {
          'src': (matrix_ssl_config_dir_path + '/live/' + matrix_domain + '/fullchain.pem'),
          'dst': '/fullchain.pem',
          'options': 'ro',
        },
        {
          'src': (matrix_ssl_config_dir_path + '/live/' + matrix_domain + '/privkey.pem'),
          'dst': '/privkey.pem',
          'options': 'ro',
        },
      ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] and matrix_coturn_tls_enabled else []
    )
    +
    (
      [
        {
          'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/' + matrix_domain + '/certificate.crt'),
          'dst': '/certificate.crt',
          'options': 'ro',
        },
        {
          'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/' + matrix_domain + '/privatekey.key'),
          'dst': '/privatekey.key',
          'options': 'ro',
        },
      ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
    )
  }}