
TASK [matrix-mxisd : Check mxisd Identity Service] fails. Reverse Proxy or SSL issue? #93

Closed
vilyaua opened this issue Feb 7, 2019 · 10 comments
Labels
question This issue is a question related to installation

Comments

@vilyaua

vilyaua commented Feb 7, 2019

Hello!

First of all, I'd like to thank you for your work!

Would you please help me find out where things go wrong?

The first task I'd like to solve is to make a Matrix-Keycloak connection. I suppose there is a module mxisd that could help me with that.

Got synapse installed. Can successfully connect via Riot mobile client and via web-based client as well:
https://matrix.perfsys.io
https://riot.perfsys.io

So I assume that Server Delegation via a DNS SRV record (https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/howto-server-delegation.md) was made in the right way.
But I can't get the JSON file, neither by visiting https://perfsys.io/.well-known/matrix/server nor https://perfsys.io/.well-known/matrix/client; I get "Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP" instead.

Got mxisd enabled. But self-check (ansible-playbook -i inventory/hosts setup.yml --tags=self-check) returns:

TASK [matrix-mxisd : Check mxisd Identity Service]
```text
TASK [matrix-mxisd : Check mxisd Identity Service]
fatal: [matrix.perfsys.io -> 127.0.0.1]: FAILED! => {"changed": false, "connection": "close", "content": "\n\n <title>404 - No Such Resource</title>\n \n No Such Resource \n Sorry. No luck finding that resource. \n \n\n", "content_length": "167", "content_type": "text/html; charset=utf-8", "date": "Thu, 07 Feb 2019 15:22:37 GMT", "msg": "Status code was 404 and not [200]: HTTP Error 404: Not Found", "redirected": false, "server": "nginx", "status": 404, "url": "https://matrix.perfsys.io/_matrix/identity/api/v1"}
```

So is it Reverse Proxying or incompatible SSL issue?
Thanks in advance for your help

@spantaleev
Owner

Hi!

Congrats on successfully setting up your Matrix server!

It seems like it's configured correctly and should work, besides the fact that Federation with other servers may be having problems, because https://perfsys.io/.well-known/matrix/server does not serve a file.


It appears that your SSL certificates on perfsys.io are not configured correctly.

Judging by http://perfsys.io/ (note the HTTP protocol), it seems like the main perfsys.io domain leads to CloudFlare. I guess you have configured Amazon CloudFlare for your domain and that HTTPS doesn't work?

You will need working HTTPS for the base domain (perfsys.io) to be able to serve the well-known files from there (using one of the 2 methods described here)


If you cannot arrange to have HTTPS for the base domain (perfsys.io), you can switch to the other method for Server Delegation: Server Delegation via a DNS SRV record (advanced).

Doing that, you won't be required to set up a /.well-known/matrix/server on the base domain. Running a self-check would still report a failure because /.well-known/matrix/client is not configured, but that's not very important. It's an optional thing that can be skipped.

@vilyaua
Author

vilyaua commented Feb 7, 2019

perfsys.io is located at AWS

> Judging by http://perfsys.io/ (note the HTTP protocol), it seems like the main perfsys.io domain leads to CloudFlare. I guess you have configured Amazon CloudFlare for your domain and that HTTPS doesn't work?

There's an alias that I can change

I'll try to make a copy of /.well-known/matrix/server and /.well-known/matrix/client to S3 bucket and point perfsys.io on it

Where do I get these files?

@spantaleev
Owner

You can find these files at these URLs:

They are also in the /matrix/static-files/.well-known/matrix directory on the server.

Looks like the server file is missing for you now, which means you've either not used an up-to-date playbook (us generating the server file is a fairly new thing) or you've intentionally disabled the generation of the server file by using matrix_well_known_matrix_server_enabled: false.

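The two replies above describe how a federating server finds the homeserver behind perfsys.io (the /.well-known/matrix/server file, or an SRV record, or the bare server name on port 8448) and which two files the playbook generates under /matrix/static-files/.well-known/matrix. The following is an added worked example, my own code rather than anything from the playbook or from mxisd, that models that resolution order offline so the failure modes in this thread (a 404 or a TLS handshake failure on the base domain) can be walked through without touching the network. The sample JSON bodies and the SRV tuple are constructed to match the thread's hostnames; the resolver helper names are mine.

```python
"""Offline model of Matrix server delegation (Synapse v0.99+ era).

Resolution order for a server_name such as perfsys.io:
  1. https://<server_name>/.well-known/matrix/server  -> {"m.server": "host[:port]"}
  2. SRV record _matrix._tcp.<server_name>
  3. <server_name>:8448
A fetch failure on step 1 (404, TLS error such as SSL_ERROR_NO_CYPHER_OVERLAP,
unparseable body) is treated exactly like "no well-known file".
All inputs below are constructed; nothing here performs DNS or HTTP.
"""
import json
import re

DEFAULT_FEDERATION_PORT = 8448

# Bare hostname (RFC 1123 labels) with an optional :port. Deliberately rejects
# anything with a scheme or a path, which is a common mistake in m.server.
_HOST_PORT_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*)"
    r"(?::(?P<port>\d{1,5}))?$"
)


def parse_host_port(value, default_port):
    """Split 'host' or 'host:port' into (host, port); raise on anything else."""
    m = _HOST_PORT_RE.match(value)
    if not m:
        raise ValueError("not a bare host[:port]: %r" % (value,))
    port = int(m.group("port")) if m.group("port") else default_port
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return m.group("host").lower(), port


def parse_well_known_server(body):
    """Parse the body of /.well-known/matrix/server.

    Returns (host, port) or None when the body is unusable. An HTML 404 page,
    as in the self-check output above, lands in the None branch.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict) or not isinstance(doc.get("m.server"), str):
        return None
    try:
        return parse_host_port(doc["m.server"], DEFAULT_FEDERATION_PORT)
    except ValueError:
        return None


def parse_well_known_client(body):
    """Parse /.well-known/matrix/client; return the homeserver base_url or None.

    Clients only accept an https:// base_url, so a plain-HTTP base domain is
    not enough to make this file useful.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    hs = doc.get("m.homeserver") if isinstance(doc, dict) else None
    url = hs.get("base_url") if isinstance(hs, dict) else None
    if not isinstance(url, str) or not url.startswith("https://"):
        return None
    return url.rstrip("/")


def resolve_delegation(server_name, well_known_body=None, srv_records=()):
    """Return (host, port, method) for server_name.

    well_known_body: body served at https://<server_name>/.well-known/matrix/server,
                     or None when the fetch failed for any reason.
    srv_records:     (priority, weight, port, target) tuples for
                     _matrix._tcp.<server_name>, already resolved by the caller.
    Simplification (assumption of this example): when m.server names a host
    without a port, the real resolver also consults an SRV record for that
    delegated host before defaulting to 8448; that extra lookup is skipped here.
    """
    wk = parse_well_known_server(well_known_body) if well_known_body else None
    if wk:
        return wk[0], wk[1], "well-known"
    if srv_records:
        # Lowest priority value wins; weight only orders equal priorities.
        _prio, _weight, port, target = sorted(srv_records)[0]
        return target.rstrip(".").lower(), int(port), "srv"
    return server_name.lower(), DEFAULT_FEDERATION_PORT, "default"


# Constructed sample inputs shaped like the files the playbook generates
# (not captured from the real perfsys.io servers).
SAMPLE_WELL_KNOWN_SERVER = '{"m.server": "matrix.perfsys.io:8448"}'
SAMPLE_WELL_KNOWN_CLIENT = '{"m.homeserver": {"base_url": "https://matrix.perfsys.io"}}'
SAMPLE_404_BODY = "<title>404 - No Such Resource</title>"
SAMPLE_SRV = [(10, 0, 8448, "matrix.perfsys.io.")]

if __name__ == "__main__":
    for body, srv in ((SAMPLE_WELL_KNOWN_SERVER, ()), (SAMPLE_404_BODY, SAMPLE_SRV), (None, ())):
        print(resolve_delegation("perfsys.io", body, srv))
    print(parse_well_known_client(SAMPLE_WELL_KNOWN_CLIENT))
```

If the files are served from somewhere other than the playbook's nginx (an S3 bucket, as proposed above), two things the parser above takes for granted still have to hold at the HTTP layer: the base domain must complete a TLS handshake with the fetching peer, and /.well-known/matrix/client must be fetchable cross-origin by the browser-based client, so it needs a permissive Access-Control-Allow-Origin header and a JSON content type.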
@vilyaua
Author

vilyaua commented Feb 7, 2019

Can't find the matrix_well_known_matrix_server_enabled variable in my inventory's vars.yml file. Looks like I miss something. Would you take a brief look at it, please:

```yaml
host_specific_matrix_ssl_lets_encrypt_support_email: vperminov@perfsys.net
host_specific_hostname_identity: perfsys.io

matrix_coturn_turn_static_auth_secret: "some_key"
matrix_synapse_macaroon_secret_key: "some_key"

#-------------------- nginx
matrix_nginx_proxy_docker_image: "nginx:1.15.8-alpine"
matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy"
matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d"
matrix_nginx_proxy_systemd_required_services_list: ['docker.service']
matrix_nginx_proxy_systemd_wanted_services_list: []
matrix_nginx_proxy_container_additional_volumes: []

matrix_nginx_proxy_proxy_riot_enabled: true
matrix_nginx_proxy_proxy_riot_hostname: "{{ hostname_riot }}"

matrix_nginx_proxy_proxy_matrix_enabled: true
matrix_nginx_proxy_proxy_matrix_hostname: "{{ hostname_matrix }}"

matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"

matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-mxisd:8090"
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:8090"

matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false
matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090"
matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090"

matrix_nginx_proxy_proxy_synapse_metrics: false
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: ""

matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-synapse:8008"
matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:8008"
matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 25

matrix_nginx_proxy_tmp_directory_size_mb: "{{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb * 50 }}"

matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []

matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"

matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"

matrix_ssl_retrieval_method: "lets-encrypt"

matrix_ssl_domains_to_obtain_certificates_for: []

matrix_ssl_lets_encrypt_staging: false
matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.30.0"
matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
matrix_ssl_lets_encrypt_support_email: "{{ host_specific_matrix_ssl_lets_encrypt_support_email }}"

matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"

#-------------------- mxisd
matrix_mxisd_enabled: true

matrix_mxisd_docker_image: "kamax/mxisd:1.2.2"
matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd"
matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config"
matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data"

matrix_mxisd_container_expose_port: false

matrix_mxisd_systemd_required_services_list: ['docker.service']

matrix_mxisd_systemd_wanted_services_list: []

matrix_mxisd_matrixorg_forwarding_enabled: false

matrix_mxisd_synapsesql_enabled: false
matrix_mxisd_synapsesql_type: ""
matrix_mxisd_synapsesql_connection: ""

matrix_mxisd_threepid_medium_email_identity_from: "matrix@{{ hostname_identity }}"
matrix_mxisd_threepid_medium_email_connectors_smtp_host: "smtp.gmail.com"
matrix_mxisd_threepid_medium_email_connectors_smtp_port: 587
matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 1
matrix_mxisd_threepid_medium_email_connectors_smtp_login: "vperminov@perfsys.net"
matrix_mxisd_threepid_medium_email_connectors_smtp_password: "some_passwd"

matrix_mxisd_dns_overwrite_enabled: false
matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ hostname_matrix }}"
matrix_mxisd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008"

matrix_mxisd_configuration_yaml: |
  matrix:
    domain: {{ hostname_identity }}

  server:
    name: {{ hostname_matrix }}

  key:
    path: /var/mxisd/sign.key

  storage:
    provider:
      sqlite:
        database: /var/mxisd/mxisd.db

  {% if matrix_mxisd_dns_overwrite_enabled %}
  dns:
    overwrite:
      homeserver:
        client:
          - name: {{ matrix_mxisd_dns_overwrite_homeserver_client_name }}
            value: {{ matrix_mxisd_dns_overwrite_homeserver_client_value }}
  {% endif %}

  {% if matrix_mxisd_matrixorg_forwarding_enabled %}
  forward:
    servers: ['matrix-org']
  {% endif %}

  threepid:
    medium:
      email:
        identity:
          from: {{ matrix_mxisd_threepid_medium_email_identity_from }}
        connectors:
          smtp:
            host: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_host }}
            port: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_port }}
            tls: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_tls }}
            login: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_login }}
            password: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_password }}

  synapseSql:
    enabled: {{ matrix_mxisd_synapsesql_enabled }}
    type: {{ matrix_mxisd_synapsesql_type }}
    connection: {{ matrix_mxisd_synapsesql_connection }}

matrix_mxisd_configuration_extension_yaml: |
matrix_mxisd_configuration: "{{ matrix_mxisd_configuration_yaml|from_yaml|combine(matrix_mxisd_configuration_extension, recursive=True) }}"
```

@spantaleev
Owner

You should be able to see matrix_well_known_matrix_server_enabled and its default value (true) in roles/matrix-base/defaults/main.yml.

If you don't see it in that file, it means you are running an old version of this playbook.

If so, you should update the playbook. Either git pull to update (if you got the source code using git), or download a new archive of the source code and bring your vars.yml and hosts files over.

@vilyaua
Author

vilyaua commented Feb 7, 2019

I've cloned the spantaleev/matrix-docker-ansible-deploy a few days ago, so it should be fresh enough )
And being shelled on the EC2 instance that hosts the synapse, I can't get into /matrix directory even through sudo

@vilyaua
Author

vilyaua commented Feb 7, 2019

Ok, I'll try to PULL tomorrow. Thanks for your time, Slavi

@spantaleev
Owner

If it's from a few days ago, it's not very fresh, because there was a big upgrade just yesterday.

See this changelog entry: Synapse v0.99 support and preparation for Synapse v1.0.

The /.well-known/matrix/server file is only available from that update, because it's a brand new thing.

That's why you don't have the file. On the other hand, you are reading the most recent docs online, which is confusing. Your setup (made by the old version of the playbook) is outdated compared to the docs.


The solution is to just update the playbook and re-run it.

You can then proceed to figure out how to set up HTTPS at your base domain, or go with an alternative method for Server Delegation: Server Delegation via a DNS SRV record (advanced).

@eorlovsky

@spantaleev What would you suggest as a final solution to use Keycloak/SSO together with Matrix?

We see several auth options on the link
https://github.com/spantaleev/matrix-docker-ansible-deploy

  • (optional, default) an mxisd Matrix Identity server
  • (optional, advanced) the matrix-synapse-rest-auth REST authentication password provider module

In other words, do we need to deploy mxisd, or do we need matrix-synapse-rest-auth?

@vilyaua
Author

vilyaua commented Feb 8, 2019

> You should be able to see matrix_well_known_matrix_server_enabled and its default value (true) in roles/matrix-base/defaults/main.yml.
>
> If you don't see it in that file, it means you are running an old version of this playbook.
>
> If so, you should update the playbook. Either git pull to update (if you got the source code using git), or download a new archive of the source code and bring your vars.yml and hosts files over.

Hello, Slavi!

Playbook is updated, now I'm working on Main Domain's SSL certificate
I think we can close this issue for now

Thanks again!

P.S.: I'm going to move the question about Matrix-Keycloak combination in another issue, if you don't mind
