Accessing room or inviting user from other homeserver gives 401 Unauthorized [aka duckdns.org is broken] #5882
Comments
Federation between my server and martenbe.duckdns.org works (I was able to join a room on martenbe.duckdns.org and @MartenBE was able to join a room on my server) so it seems to be a matrix.org specific issue. |
matrix.org seems to be having trouble decoding the response from the DNS server for the SRV record:
which is because we get an error when looking up your SRV record:
(note SERVFAIL) which I think is because you have an A record where there should be a SRV record (or nothing):
|
I use duckdns.org, which allows for random subdomains. This is probably the cause then. As I cannot alter this, is there any workaround possible? |
The presence of the A record was indeed the problem. I went for a membership with dynu.com where I could use a ddns with wild cards and added an SRV record to prevent matrix from getting confused by the wildcard A record. Now everything works!
|
Glad you got it sorted. To reiterate, it's Google's public DNS servers (8.8.8.8) which were flagging the error here, rather than synapse itself. In theory we could make the matrix protocol treat a DNS error the same as the absence of a DNS record, but I'm not sure that's the right thing to do. |
That indeed doesn't seem to be the best solution. It would help enough if the matrix federation tester could detect this as an error. I have opened an issue at matrix-org/matrix-federation-tester#92. |
Hi, I have exactly the same issue. I have set up the federation, and https://federationtester.matrix.org/ says everything is fine, but I am not able to list the rooms on the matrix.org server, or invite someone from this server. I get an error, and on my server the logs indicate I have tried to set a SRV field
My apache configuration for this port is
Am I missing something obvious here ? Thanks a lot for the help ! |
Try setting _matrix._tcp.mydomain.com as an SRV field (notice the underscore in _matrix) |
Sorry, bad copy paste, my SRV field is indeed on _matrix._tcp |
Hi, I think it was an issue with DNS propagation, now it works! I can correctly federate with matrix.org :D |
I have a similar problem: I also get 401 Unauthorized when trying to enter a room on matrix.org; the federation tester says that everything is ok. I do not have an SRV record and cannot create one.
; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> @8.8.8.8 -t SRV _matrix._tcp.servername.internet-box.ch
;; OPT PSEUDOSECTION:
;; AUTHORITY SECTION:
;; Query time: 13 msec
The output of the normal dig, without the SRV option, is:
; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> @8.8.8.8 servername.internet-box.ch
;; OPT PSEUDOSECTION:
;; ANSWER SECTION:
;; Query time: 17 msec
Actually, according to the section "Resolving server names" in https://matrix.org/docs/spec/server_server/latest, it should work; it should fall back to 5., as the .well-known will not be found because I have a Nextcloud instance running on port 443. And as there is an A record for my address, 5. should work.
Either I have missed something or matrix.org is not following its own specifications. In case anyone with access to the matrix.org logs wants to take a look at it, please tell me how you would like me to send it to you (I don't want it to be on a webpage that everyone can see). |
@Faberix I suggest you file a separate issue if you're having a problem, but you should be able to check if federation is working using the federation tester (https://federationtester.matrix.org/), additionally it might help to ask in #synapse:matrix.org. |
It turned out that all DNS servers return NXDomain; there is at least one that returns a SERVFAIL, so it is probably exactly the same problem. See https://community.swisscom.ch/t5/HomepageTool-Hosting/SRV-Eintrag/m-p/613261?campID=NL_CMY_SUBSCNOT_CTA#M715 for more information (it is in German; if you don't understand it, use a translator). |
I have found a solution: Using /.well-known/server, it is possible to bypass the check for the SRV record, if you explicitly state the port number in the .well-known response (even if it is the default port). Now federation works. Just for completeness, this is the relevant part of the matrix specification:
|
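Added example (not part of the thread and not Synapse's code): a minimal Python model of the spec's "Resolving server names" steps, showing why an explicit port in the `.well-known` `m.server` value avoids the SRV query that was returning SERVFAIL. The `srv_lookup` interface, the `DNSFailure` class and the `hs.example.org` name used to exercise it are assumptions; treating SERVFAIL as a hard failure rather than as "no record" follows the behaviour described in the comments above.

```python
import ipaddress

DEFAULT_PORT = 8448

class DNSFailure(Exception):
    """The resolver returned an error such as SERVFAIL (not NXDOMAIN)."""

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def split_host_port(name):
    """Split 'host[:port]' or '[v6]:port' into (host, port or None)."""
    if name.startswith("["):                       # bracketed IPv6 literal
        host, _, rest = name[1:].partition("]")
        return host, int(rest[1:]) if rest[1:].isdigit() else None
    host, sep, port = name.rpartition(":")
    if sep and port.isdigit() and not is_ip(name):
        return host, int(port)
    return name, None

def resolve(server_name, well_known, srv_lookup):
    """Return (host, port, srv_name_queried_or_None) for a server name.

    well_known: parsed .well-known JSON, or None if the fetch failed.
    srv_lookup: callable returning [(target, port), ...], [] on NXDOMAIN,
                and raising DNSFailure on SERVFAIL (hypothetical interface).
    """
    host, port = split_host_port(server_name)
    if is_ip(host) or port is not None:            # steps 1-2: no lookups
        return host, port or DEFAULT_PORT, None
    if well_known and "m.server" in well_known:    # step 3: delegation
        host, port = split_host_port(well_known["m.server"])
        if is_ip(host) or port is not None:        # explicit port: skip SRV
            return host, port or DEFAULT_PORT, None
    qname = "_matrix._tcp." + host                 # steps 3.3 / 4
    records = srv_lookup(qname)                    # SERVFAIL propagates here
    if records:
        return records[0][0], records[0][1], qname # simplified: first record
    return host, DEFAULT_PORT, qname               # no SRV: hostname:8448

# Constructed resolvers standing in for the DNS answers seen in the thread.
def nxdomain(qname):
    return []

def servfail(qname):
    raise DNSFailure(qname)
```

Real SRV handling also orders records by priority and weight; the model takes the first record only.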
I have a very similar problem, with duckdns. I don't know which one of these fixes to try:
What should I do ? |
Description
I have put up a homeserver with port 8448. This port is forwarded through the NAT and allowed through the firewall. I can login, use and register users using the Riot Web App. However, when trying to access rooms or invite users from other homeservers, the server errors.
https://federationtester.matrix.org/ shows everything OK for the server.
Steps to reproduce
homeserver.log
Version information
If not matrix.org:
Version: 1.2.1
Install method: dnf install matrix-synapse
Platform: Fedora Server 30