
I want to set up an instance of Synapse behind an nginx for reverse proxying. Since the nginx is set up with TLS for HTTPS, this somewhat outdated blogpost recommends setting up matrix-synapse with the TLS stuff already used in the nginx vhost, since this is the TLS stuff other servers will see when talking to my instance.

So far I have managed to set up the server so that it is running on its own, and users on this instance can talk to each other. The main problem is the server-to-server communication, or as the matrix guys call it, "federation".

This is my TLS setup in matrix-synapse:

    tls_certificate_path: "/var/lib/acme/live/matrix.simonszu.de/fullchain"

    # PEM encoded private key for TLS
    tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key"

    # PEM dh parameters for ephemeral keys
    tls_dh_params_path: "/etc/ssl/dhparams/matrix.simonszu.de_dhparams.pem"

    # Don't bind to the https port
    no_tls: True

The blogpost above states that you can completely comment out the tls_private_key_path, since you have set no_tls to True (since all the TLS stuff is managed by the nginx instance). I have noticed that this does not really work, because in this case matrix-synapse will search for a key file in obscure places. I cannot link the key file associated with the certificate, because key management is done by acmetool to obtain certificates from Let's Encrypt, and the automatic renewal process fails if any file permission other than 0600 is set on the key file. But since the TLS stuff is managed by nginx anyway, synapse only needs this certificate for the fingerprint presentation to other synapse instances, and effectively ignores the key path.

I have made sure that this synapse instance is reachable via browser, and that one can fetch the signatures manually. But unfortunately, the initial handshake when communicating with other instances fails.

I have access to another host with its own synapse instance (which is not behind a reverse proxy) and I am able to look at its log files during the handshake process. I get the following errors in its log file: SynapseError: 401: No key for matrix.simonszu.de with id ['ed25519:a_LiWb'].

Further googling led me to a tool called matrixtool, installable via cpan App::MatrixTool, so I could check federation communication via the command line. The result was also a hint that led me to the idea that there is still something wrong with my TLS setup:

    $ matrixtool server-key matrix.simonszu.de
    [INFO] Connected to 5.189.143.28:443
    [FAIL] TLS fingerprint does not match any listed
    [OK] Verified using origin=matrix.simonszu.de key_id=ed25519:a_LiWb
    v2 keys from matrix.simonszu.de:

    Key id ed25519:a_LiWb
      base64::VF2Cxq3wVEe8NIplwnHK+yKIhdBkgBmzqUfT1k0aMgg
    [INFO] Matches cached key

So, I am effectively running out of ideas. During all the research I realized that I was not the only one with this problem, but the main solution for other users was to give up and create a matrix-synapse installation without reverse proxying. So I went and wrote this question here, to make it clear once and for all: How do you properly set up matrix-synapse behind a TLS-enabled reverse proxy?

  • (Sorry, don't have a solution at the moment. Looking for the same, found your question. Will post here if I'll succeed.) Looks like Synapse team has an open issue for this: https://github.com/matrix-org/synapse/issues/1377 – drdaeman Nov 23 '16 at 20:47
  • Thanks, it's good to know that there are still more with this issue. I spent several days trying to fix it, so lots of frustration. Regarding the issue you posted, I lurked around in the #matrix:matrix.org channel these days, and someone said they were working on a more user-friendly website. Maybe it will contain documentation? – simonszu Nov 24 '16 at 13:33

1 Answer

Nginx reverse proxying synapse should look something like this:

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name matrix.example.com;

        location /_matrix {
            proxy_pass http://localhost:8008;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }

    server {
        listen 8448 ssl default_server;
        listen [::]:8448 ssl default_server;
        server_name example.com;

        location / {
            proxy_pass http://localhost:8008;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }

https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md

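The two failures seen in the question (the 401 "No key for ... with id" on the remote side and matrixtool's "TLS fingerprint does not match any listed") can both be checked from the outside against the homeserver's own key document. The script below is an added example, not code from the question, the answer or the Synapse project. It assumes the shape of the /_matrix/key/v2/server response served by Synapse of that era (a `verify_keys` map keyed by `ed25519:<id>` and a `tls_fingerprints` list of `{"sha256": "<unpadded base64>"}` entries); the host name and the byte strings used in the self-check are placeholders and constructed values.

```python
"""Verify that the certificate a homeserver presents on its federation port
matches the TLS fingerprints it advertises, and that a given key id is listed.

Added example; assumes the Synapse /_matrix/key/v2/server layout described
in the lead-in. HOST is a placeholder, not a real deployment.
"""
import base64
import hashlib
import json
import socket
import ssl
import urllib.request

HOST = "matrix.example.com"  # placeholder federation host
FEDERATION_PORT = 8448


def sha256_fingerprint_b64(cert_der: bytes) -> str:
    """Unpadded base64 of SHA-256 over the DER certificate.
    Assumption: this is the encoding used in Synapse's tls_fingerprints entries."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_matches(cert_der: bytes, key_doc: dict) -> bool:
    """True when the presented leaf certificate is among the advertised fingerprints.
    A mismatch here is what matrixtool reports as 'TLS fingerprint does not match'."""
    advertised = {
        entry.get("sha256", "").rstrip("=")
        for entry in key_doc.get("tls_fingerprints", [])
    }
    return sha256_fingerprint_b64(cert_der) in advertised


def has_verify_key(key_doc: dict, key_id: str) -> bool:
    """True when the key document lists the signing key id a peer asked for.
    If this is False, a remote Synapse logs '401: No key for <server> with id [...]'."""
    return key_id in key_doc.get("verify_keys", {})


def fetch_presented_cert(host: str, port: int = FEDERATION_PORT) -> bytes:
    """Open a TLS connection and return the leaf certificate in DER form.
    Verification is turned off only so the certificate can be read and fingerprinted;
    nothing is sent over the connection."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fetch_key_document(host: str, port: int = FEDERATION_PORT) -> dict:
    """Download the homeserver's own key document from the federation port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{host}:{port}/_matrix/key/v2/server"
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def check_federation(host: str, key_id: str) -> dict:
    """Run both checks against a live host and return the results as a dict."""
    cert = fetch_presented_cert(host)
    doc = fetch_key_document(host)
    return {
        "presented_fingerprint": sha256_fingerprint_b64(cert),
        "fingerprint_listed": fingerprint_matches(cert, doc),
        "key_id_listed": has_verify_key(doc, key_id),
    }


if __name__ == "__main__":
    # Example invocation; the key id is the one quoted in the question's logs.
    for name, value in check_federation(HOST, "ed25519:a_LiWb").items():
        print(f"{name}: {value}")
```

Both checks are pure functions over the fetched material, so the same logic can be run against a saved key document and a certificate exported from the proxy (for example the fullchain file the question points nginx at) without touching the network. If `fingerprint_listed` is False while nginx terminates TLS, the certificate Synapse reads from `tls_certificate_path` is not the one nginx is serving on 8448.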