Matrix server with a local PKI #75

Open
Astaoth opened this issue Oct 14, 2024 · 6 comments
Labels
help wanted Extra attention is needed

Comments

@Astaoth

Astaoth commented Oct 14, 2024

Hi !

I've attempted to connect my znc bouncer to my home matrix-synapse through M51. On my LAN, I've made a local PKI, with the CA imported to all my servers, and each service which requires TLS has a certificate made from this PKI. From any server I can curl any local webUI and get no TLS issue (they are valid, the local CA is properly imported into the OS store). This is also the case for my synapse server, and I can curl the https://synapse.local/_matrix/static/ page with no issue.

When I launch my M51 service, I get these logs:

15:22:18.601 [info] Listening on port 2051
15:22:18.601 [info] Matrix2051 started.
15:22:45.978 [info] Incoming connection from ::ffff:127.0.0.1:45536
15:22:47.241 [notice] TLS :client: In state :wait_cert_cr at ssl_handshake.erl:2111 generated CLIENT ALERT: Fatal - Unknown CA
15:22:47.243 [error] GenServer {M51.Registry, {#PID<0.1073.0>, :matrix_client}} terminating

If I get it right, Elixir has its own CA store? How would I be able to use my local CA with M51?

@progval
Owner

progval commented Oct 15, 2024

You may be able to load them by calling this function at the beginning of matrix2051.exs: https://www.erlang.org/docs/26/man/public_key#cacerts_load-0

@Astaoth
Author

Astaoth commented Oct 15, 2024

Hi,
I've made a few tests by adding :public_key.cacerts_load() and :public_key.cacerts_load("/path/to/cert.pem") in the matrix2051.exs file and made a test with mix run matrix2051.exs, and I have the same error. Would you have another suggestion?

@progval
Owner

progval commented Oct 15, 2024

Hmm... you could try this: https://hexdocs.pm/httpoison/readme.html#options

In the various functions in https://github.com/progval/matrix2051/blob/main/lib/matrix/raw_client.ex, add [ssl: [cacerts: :public_key.cacerts_load("/path/to/cert.pem")]] or something to the options passed to HTTPoison
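An added example (not matrix2051's code, and not what either participant posted) of the approach suggested above, written out so it can be dropped into a small Elixir module. Two details matter here and explain why loading the CA into the runtime alone has no visible effect: hackney, the HTTP backend behind HTTPoison, ships its own CA bundle (from the certifi package) and uses that by default instead of the OS or Erlang CA cache, and `:public_key.cacerts_load/1` returns `:ok`, not a certificate list, so it cannot be passed directly as the `cacerts:` value; the list comes from `:public_key.cacerts_get/0`. The CA file path, hostname and URL below are placeholders, and it assumes OTP 25 or newer (where `cacerts_load/1` and `cacerts_get/0` exist) and that HTTPoison forwards the `ssl:` keyword list to `:ssl.connect/3` as hackney does. Verification stays switched on: the fix for "Unknown CA" is trusting the right CA, not `verify: :verify_none`.

```elixir
defmodule LocalPki do
  @moduledoc """
  Make HTTPS requests through HTTPoison that trust a private (LAN) CA.
  Example code, not part of matrix2051. Paths and hosts are placeholders.
  """

  # Placeholder: PEM bundle containing the local CA certificate(s).
  @ca_file "/path/to/local-ca.pem"

  # Load the CA file into the Erlang runtime's certificate cache.
  # cacerts_load/1 returns :ok (or {:error, reason}); the certificates
  # themselves are fetched afterwards with cacerts_get/0. On OTP 25/26 this
  # replaces the cached list, it does not merge with the OS store, which is
  # fine on a LAN where every internal service chains to this one CA.
  def load_ca!(path \\ @ca_file) do
    :ok = :public_key.cacerts_load(path)
  end

  # ssl options handed to HTTPoison (and on to :ssl.connect/3 by hackney).
  # Certificate *and* hostname verification stay enabled; only the trust
  # anchors change, from certifi's public bundle to our private CA.
  def ssl_opts(hostname) when is_binary(hostname) do
    [
      verify: :verify_peer,
      cacerts: :public_key.cacerts_get(),
      server_name_indication: String.to_charlist(hostname),
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]
  end

  # Equivalent variant that skips the runtime cache and points :ssl at the
  # PEM file directly; useful if you prefer not to touch global state.
  def ssl_opts_from_file(hostname, path \\ @ca_file) do
    ssl_opts(hostname) |> Keyword.delete(:cacerts) |> Keyword.put(:cacertfile, path)
  end

  # GET a URL on an internal host whose certificate was issued by the local CA.
  def get(url) do
    %URI{host: host} = URI.parse(url)
    HTTPoison.get(url, [], ssl: ssl_opts(host))
  end
end

# Usage (placeholder hostname), e.g. at the top of matrix2051.exs:
#   LocalPki.load_ca!()
#   {:ok, %HTTPoison.Response{status_code: 200}} =
#     LocalPki.get("https://synapse.local/_matrix/static/")
```

Checking that the `ssl:` list actually reaches the request is worth doing once: a request to a host whose certificate is signed by a CA that is not in the file should still fail with an alert, while the LAN host should succeed. If both succeed, verification has been silently disabled somewhere in the option chain.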

@Astaoth
Author

Astaoth commented Oct 16, 2024

I've attempted the suggested changes, by calling the function with and without specifying my custom CA, with and without the extra line in the matrix2051.exs file, and by launching M51 with mix run matrix2051.exs.

That changed nothing; I still get the same error from M51.

@progval
Owner

progval commented Oct 16, 2024

Then sorry, I don't know

@progval progval added the help wanted Extra attention is needed label Oct 16, 2024
@Astaoth
Author

Astaoth commented Oct 16, 2024

I guess I'll have to find an alternate way. In any case thank you for your help and your time :)
