
Hookshot configuration widget fails with odd error

Open aine-etke opened this issue 1 year ago • 4 comments

Describe the bug

Hookshot configuration widget fails with the following error in UI:

[screenshot: the error as shown in the widget UI]

And the following errors in logs (DOMAIN is matrix server's base domain):

WARN 12:01:44:809 [ProvisioningApi] Failed to fetch the server URL for DOMAIN ApiError: API error M_AS_BAD_OPENID: Server is disallowed
    at BridgeWidgetApi.checkIpBlacklist (/usr/bin/matrix-hookshot/node_modules/matrix-appservice-bridge/lib/provisioning/api.js:255:19)
    at async BridgeWidgetApi.postExchangeOpenId (/usr/bin/matrix-hookshot/node_modules/matrix-appservice-bridge/lib/provisioning/api.js:279:17) {
  error: 'Server is disallowed',
  errcode: 'M_AS_BAD_OPENID',
  statusCode: 500,
  additionalContent: {}
}
ERROR 12:01:44:809 [ProvisioningApi] ApiError: API error M_AS_BAD_OPENID: Could not identify server url
    at BridgeWidgetApi.postExchangeOpenId (/usr/bin/matrix-hookshot/node_modules/matrix-appservice-bridge/lib/provisioning/api.js:284:19) {
  error: 'Could not identify server url',
  errcode: 'M_AS_BAD_OPENID',
  statusCode: 500,
  additionalContent: {}
}

To Reproduce

My vars.yml file looks like this:

devture_postgres_connection_password: REDACTED
matrix_domain: DOMAIN
matrix_admin: REDACTED
devture_traefik_config_certificatesResolvers_acme_email: REDACTED
matrix_static_files_file_matrix_support_enabled: yes
matrix_static_files_file_matrix_support_property_m_contacts:
  - matrix_id: REDACTED
    email_address: REDACTED
    role: m.role.admin
matrix_user_creator_users_additional:
 - username: REDACTED
   initial_password: REDACTED
   initial_type: admin
matrix_synapse_ext_password_provider_shared_secret_auth_enabled: yes
matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: REDACTED
matrix_synapse_macaroon_secret_key: REDACTED
matrix_synapse_password_config_pepper: REDACTED
matrix_coturn_turn_static_auth_secret: REDACTED
matrix_homeserver_generic_secret_key: "{{ matrix_synapse_macaroon_secret_key }}"
matrix_static_files_container_labels_base_domain_enabled: yes
exim_relay_dkim_privkey_contents: REDACTED
matrix_client_element_enabled: yes
matrix_synapse_admin_enabled: yes
matrix_bot_postmoogle_enabled: yes
matrix_bot_postmoogle_password: REDACTED
matrix_bot_postmoogle_data_secret: REDACTED
matrix_mautrix_meta_messenger_enabled: yes
matrix_mautrix_gmessages_enabled: yes
matrix_mautrix_googlechat_enabled: yes
matrix_mautrix_meta_instagram_enabled: yes
matrix_beeper_linkedin_enabled: yes
matrix_mautrix_slack_enabled: yes
matrix_hookshot_enabled: yes

  1. !hookshot setup-widget
  2. Try to open the new widget

Expected behavior

Widget is shown

Matrix Server:

  • OS: Ubuntu 22.04.5 LTS
  • Architecture: amd64

Additional Context

Freshly installed server, hookshot v5.4.1

aine-etke avatar Sep 26 '24 09:09 aine-etke

Seems like the error is raised by matrix-appservice-bridge here: https://github.com/matrix-org/matrix-appservice-bridge/blob/09980903eb24993211771acf24a7d75d194b5144/src/provisioning/api.ts#L356-L382

It seems like the logic ultimately intends to call the /_matrix/federation/v1/openid/userinfo endpoint, which is a federation endpoint.

I'm not sure what the resolving logic (this.wellknown.resolveMatrixServer(server)) does, but.. given that this.checkIpBlacklist(url) fails with "Server is disallowed" makes me think that:

  • either the resolving logic resulted in a local IP address which is not whitelisted in DefaultDisallowedIpRanges here. This may be because a lookup for matrix.DOMAIN for the given host resulted in a local IP address (possibly a container IP address) due to some DNS resolution problem or "feature" that makes matrix.DOMAIN resolve locally
  • or no such DNS lookup is done and Hookshot passes the bridge.url configuration value (coming from matrix_hookshot_homeserver_address). In most configurations, this goes to http://matrix-traefik:8008 (the Matrix internal Client-Server API). Yes, this is an internal/local IP address.. Even if it's whitelisted, it won't be of much use, because it only serves the Client-Server API there, not federation APIs.

Checking this.wellknown.resolveMatrixServer(server), it seems to be MatrixHostResolver::resolveMatrixServer. Looking at this class, it does seem like it's only doing well-known lookups and DNS resolution, not looking at configuration (like bridge.url which is potentially pointed to an in-container address).

So.. it seems like the well-known lookup and DNS resolution indeed resulted in a local (possibly container) IP.

Debugging can continue with figuring out why nslookup matrix.example.com in the Hookshot container resulted in a local IP address.

One possibility may be that /etc/resolv.conf on the host defines a matrix.example.com entry and points it to 127.0.0.1 or something, and then.. Docker containers (which go through Docker's internal DNS server) provide this result as-is.

spantaleev avatar Nov 21 '24 13:11 spantaleev

@aine-etke Did you manage to solve the issue? I have exactly the same problem with my instance.

AngeloFrangione avatar Jul 03 '25 12:07 AngeloFrangione

No, Hookshot was replaced on that instance because it lacked some other features.

But take a look at Slavi's suggestion: /etc/hosts and /etc/resolv.conf definitely could be the culprit (confirmed for other components and use-cases).

aine-etke avatar Jul 04 '25 11:07 aine-etke

I managed to fix it by adding the disallowedIpRange configuration and removing the IP range of my Synapse server (in my case 10.0.0.0/8).

AngeloFrangione avatar Jul 04 '25 12:07 AngeloFrangione
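As an added illustration (not matrix-hookshot's or matrix-appservice-bridge's own code) of the resolve-then-blacklist flow spantaleev describes above and of the range-trimming fix in the last comment, the JavaScript below resolves a server name through constructed well-known and DNS tables and then rejects any address that falls inside a disallowed CIDR list. The range list, the lookup tables and all function names are assumptions made for this example.

```javascript
// Illustrative model of the check described in this thread; not code from
// matrix-hookshot or matrix-appservice-bridge.

// Assumed IPv4 subset of the default disallowed ranges (IPv6 omitted here).
const DEFAULT_DISALLOWED_RANGES = [
  "127.0.0.0/8",    // loopback
  "10.0.0.0/8",     // RFC 1918
  "172.16.0.0/12",  // RFC 1918; Docker's default bridge networks live here
  "192.168.0.0/16", // RFC 1918
  "169.254.0.0/16", // link-local
];

function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const mask = Number(bits) === 0 ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function isDisallowed(ip, ranges = DEFAULT_DISALLOWED_RANGES) {
  return ranges.some((range) => inCidr(ip, range));
}

// Constructed stand-ins for the .well-known delegation and DNS answers.
const WELL_KNOWN = { "example.com": "matrix.example.com:8448" };
const DNS = { "matrix.example.com": "203.0.113.10" }; // public TEST-NET-3 address

function resolveMatrixServer(serverName, wellKnown = WELL_KNOWN, dns = DNS) {
  const host = (wellKnown[serverName] || serverName).split(":")[0];
  if (!dns[host]) throw new Error(`no DNS answer for ${host}`);
  return dns[host];
}

// Returns the shape of the API error seen in the logs when the resolved
// address lands in a disallowed range, otherwise the address that would be used.
function checkServer(serverName, opts = {}) {
  const ip = resolveMatrixServer(serverName, opts.wellKnown, opts.dns);
  if (isDisallowed(ip, opts.ranges)) {
    return { ok: false, ip, errcode: "M_AS_BAD_OPENID", error: "Server is disallowed" };
  }
  return { ok: true, ip };
}
```

Dropping 10.0.0.0/8 from the list, as the last comment did, makes the check pass but also lets the widget's OpenID exchange reach any host in that range. Listing only the specific subnet the homeserver is actually reachable on keeps the rest of the internal-address protection intact.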