Federation Not Working #3069

Closed
DeadSeeds opened this issue Dec 29, 2023 · 5 comments

DeadSeeds commented Dec 29, 2023

Playbook Configuration:

My vars.yml file looks like this:

Standard vars.yml with my server info

Matrix Server:

  • OS: Ubuntu 22.04
  • Architecture: AMD64

Problem description:

Federation isn't working, and I'm not sure why. When I run the setup.yml script, I get the following error:

fatal: [matrix.server]: FAILED! => changed=false 
  content: ''
  elapsed: 30
  msg: 'Status code was -1 and not [200]: Request failed: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1007)>'
  redirected: false
  status: -1
  url: https://[matrix.server]/.well-known/matrix/client
...ignoring

TASK [custom/matrix-nginx-proxy : Fail if .well-known not working on the identity hostname] ************************************************************************************************************************
fatal: [matrix.server]: FAILED! => changed=false 
  msg: 'Failed checking that the well-known file for Client Discovery is configured at `[matrix.server]` (checked endpoint: `https://[matrix.server]/.well-known/matrix/client`). Is port 443 open in your firewall? Full error: {''content'': '''', ''redirected'': False, ''url'': ''https://[matrix.server]/.well-known/matrix/client'', ''status'': -1, ''elapsed'': 30, ''changed'': False, ''failed'': True, ''msg'': ''Status code was -1 and not [200]: Request failed: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1007)>''}'

Obviously the error has something to do with port 443, but port 443 is open to both inbound and outbound TCP traffic in my firewall. Do I also need to open it to UDP traffic?

I've set everything up by following the installation instructions, and everything else seems to be working. The only non-standard thing I've added is the web GUI for admins. Any help would be appreciated! Thanks!

EDIT: Port 8448 is also open to inbound/outbound traffic per the installation guide.

@DeadSeeds
Author

I think I fixed the issue by adding matrix_nginx_proxy_base_domain_serving_enabled: true to the vars.yml file. I hadn't been serving the base domain, and therefore didn't have an SSL cert setup for it. This seems to have solved the issue.

More info here: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-base-domain-serving.md

@spantaleev
Owner

Port 80 is also required for obtaining SSL certificates from Let's Encrypt.

gitayam commented Dec 31, 2023

Also, you have https://[matrix.domain]/.well-known/matrix/client

Isn't the federation server https://[domain]/.well-known/matrix/client?

@DeadSeeds
Author

> Port 80 is also required for obtaining SSL certificates from Let's Encrypt

Port 80 is/was also open. I think the problem was that I wasn't serving the base domain, which I resolved by doing the above. The issue seems to be resolved; thank you for the reply!

@spantaleev
Owner

Good to hear it's solved now!

For completeness, I'll mention here that serving the base domain is only one of the ways to achieve server delegation. If you have an HTTPS-enabled server handling the base domain elsewhere already, you can continue handling it there and set up some well-known redirects on it.
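
As an added example (not part of the thread or of the playbook): a Python probe that fetches the same `/.well-known/matrix/client` URL with certificate verification left on and reports which layer failed, so a rejected certificate like the one in the error above is told apart from a closed port. The function names are hypothetical, and the HTTPS-only rule for `base_url` is this example's own assumption.

```python
import json, socket, ssl, sys
import urllib.error, urllib.request

def classify_failure(exc):
    """Return (layer, detail) for an exception raised while fetching a URL."""
    if isinstance(exc, urllib.error.HTTPError):
        return "http", f"status {exc.code}"
    # urllib wraps socket and TLS errors in URLError; unwrap the real cause.
    reason = getattr(exc, "reason", exc)
    if isinstance(reason, ssl.SSLCertVerificationError):
        # TCP connect and TLS hello succeeded, so the port is open;
        # the certificate presented for this hostname was rejected.
        return "tls-cert", getattr(reason, "verify_message", None) or str(reason)
    if isinstance(reason, (ConnectionRefusedError, TimeoutError,
                           socket.timeout, socket.gaierror)):
        return "network", str(reason)
    if isinstance(reason, ValueError):
        return "content", str(reason)
    return "unknown", str(reason)

def check_client_well_known(body):
    """Validate a /.well-known/matrix/client body and return the base_url."""
    doc = json.loads(body)
    hs = doc.get("m.homeserver") if isinstance(doc, dict) else None
    base_url = hs.get("base_url") if isinstance(hs, dict) else None
    # Assumption of this example: only an https:// base_url is accepted.
    if not isinstance(base_url, str) or not base_url.startswith("https://"):
        raise ValueError("m.homeserver.base_url missing or not https")
    return base_url.rstrip("/")

def probe(host, timeout=10):
    """Fetch the client well-known file from host with verification enabled."""
    url = f"https://{host}/.well-known/matrix/client"
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return "ok", check_client_well_known(resp.read())
    except (OSError, ValueError) as exc:  # URLError and SSLError are OSErrors
        return classify_failure(exc)

if __name__ == "__main__":
    # Usage: python probe.py <base-domain>
    print(probe(sys.argv[1]))
```

A `tls-cert` result for the base domain with an `ok` result for the `matrix.` hostname points at the base domain not being served with its own certificate, which is the situation described in this issue.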
