So I am working on matrix.org synapse homeserver and trying to federate.

I got the certificate for my homeserver. It had 3 files inside it: chain.crt (binary), server.crt (non-binary) and server.key (non-binary).

server.crt had BEGIN CERTIFICATE and server.key has the private key. I am reverse proxying my homeserver with the Nginx webserver, and in the Nginx config I have pointed the SSL certificate to server.crt and the SSL key to server.key.

The problem I am getting in https://federationtester.matrix.org/ is that it shows "x509: certificate signed by unknown authority".

Do I need to include chain.crt (the binary file) somewhere as well?

curious_21

2 Answers

It is generally good practice to include intermediate certificates in your TLS configuration. But the certificate should normally validate correctly anyway, because clients normally also have various intermediate certificates in their store and can build the chain that way.

Is your certificate signed by a public CA? Synapse has required such a certificate for a couple of versions now. The default certificate is probably self-signed, unless you configured the built-in ACME client to retrieve one from Let's Encrypt.

One way to check is to open the federation URL in your browser and see whether it throws a validation error.

lub
  • The certificate is signed by the public CA Thawte. I am not using the built-in ACME client, as I have got the certificate from the CA. – curious_21 Nov 20 '19 at 16:57
  • Is chain.crt the intermediate certificate, and if it is, how do I include it in the nginx web server? – curious_21 Nov 20 '19 at 16:58
  • 1
    Only browsers have intermediate certs in their store. Pretty much everything else will require the proper chain cert to be set up. – Tulir Nov 20 '19 at 18:16
  • 1
    Its working now.I used whatsmychaincert.com site to get chain certificate and appended it.Thanks lub and Tulir – curious_21 Nov 20 '19 at 20:11
  • @ShreyasPandey Thanks for recommending that website! I was stuck setting up my Matrix server (Construct instead of Synapse) for days. – jobukkit Feb 05 '21 at 11:52
nginx wants the server (leaf) cert and the chain (intermediate) cert(s), both in PEM format (what you call non-binary), in the same file. But what you call binary is almost certainly what a lot of software calls DER (which is a specific binary encoding of ASN.1, which X.509 uses). If you have OpenSSL available (or get it), use

openssl x509 -in chain.binary -inform der -out chain.pem

then append chain.pem to the end of server.crt; or you can do this in one step by

openssl x509 -in chain.binary -inform der >>server.crt

If this doesn't work, it is possible your chain.crt is something odder, like a PKCS7/CMS in binary/DER. Post a hex dump, or make the exact file available somewhere like pastebin.

If you don't have/get OpenSSL, there are other tools that can be used depending on your environment. Specify your operating system(s) and any major tools that are present, like Java.

dave_thompson_085
  • Thanks for the help dave! So I used https://whatsmychaincert.com/ this site to get the chain certificate and then appended it at the end of server.crt and it worked. Just had a doubt: as far as I know Linux will read the server.crt file from bottom to top, so does that mean server.crt's previous content is the intermediate and the chain certificate that I got is the root certificate? If not, then which is root and which is intermediate or end certificate? – curious_21 Nov 20 '19 at 19:52
  • 'Linux' doesn't read cert files at all; some programs on Linux and on other systems, like nginx, do, but I don't know _any_ (anywhere) that reads 'bottom to top' -- where did you get that? I'd have to look if nginx does any preprocessing before giving it to OpenSSL, but it's safest if you have server=leaf=End-Entity first and chain=intermediate second; you don't need root at all. (SSL/TLS server never needs to send root because client always must have it already, although some do send it unnecessarily because it's convenient and allowed.) – dave_thompson_085 Nov 22 '19 at 10:55
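The procedure dave_thompson_085 describes, as an added example that is not code from the thread: convert a DER (or DER PKCS7) chain.crt to PEM, write the leaf first and the intermediate after it, and check that each certificate in the result is issued by the one that follows it. It assumes the openssl CLI is installed; the file names, the throwaway test PKI and the matrix.example name are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the thread): assemble the file nginx's
# ssl_certificate needs (leaf first, intermediates after) from a PEM
# server.crt plus a chain.crt that may be PEM, DER, or a DER PKCS7 bundle,
# then check the order. Needs the openssl CLI; file names are assumptions.
set -eu

# Print any certificate container as PEM, keeping only CERTIFICATE blocks
# (openssl pkcs7 -print_certs also emits subject=/issuer= text lines).
to_pem() {
  { if head -c 10 "$1" | grep -q -- '-----BEGIN'; then cat "$1"
    else openssl x509 -in "$1" -inform der 2>/dev/null ||
         openssl pkcs7 -in "$1" -inform der -print_certs; fi
  } | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p'
}

# build_fullchain server.crt chain.crt fullchain.pem: leaf first, chain after.
build_fullchain() { { to_pem "$1"; to_pem "$2"; } > "$3"; }

# Fail unless each certificate in FILE is issued by the one that follows it,
# the order OpenSSL (and therefore nginx) expects. The root is not needed.
check_order() {
  d=$(mktemp -d)
  awk -v d="$d" '/-----BEGIN CERT/{n++} n{print > (d "/" n ".pem")}' "$1"
  n=$(ls "$d" | wc -l | tr -d ' '); i=1; rc=0
  while [ "$i" -lt "$n" ]; do
    iss=$(openssl x509 -in "$d/$i.pem" -noout -issuer | sed 's/^issuer=//')
    sub=$(openssl x509 -in "$d/$((i+1)).pem" -noout -subject | sed 's/^subject=//')
    if [ "$iss" != "$sub" ]; then
      echo "certificate $i is not issued by certificate $((i+1))" >&2; rc=1; break
    fi
    i=$((i+1))
  done
  rm -rf "$d"; return "$rc"
}

# Constructed test PKI (root -> intermediate -> leaf) so this runs offline;
# the intermediate is written as DER to mimic a "binary" chain.crt.
make_test_pki() (
  cd "$1"; printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext; q=/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj /CN=TestRoot 2>$q
  openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.pem 2>$q
  openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj /CN=TestIntermediate 2>$q
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -set_serial 2 -days 1 -extfile ca.ext -out int.pem 2>$q
  openssl x509 -in int.pem -outform der -out chain.crt
  openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj /CN=matrix.example 2>$q
  openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -set_serial 3 -days 1 -out server.crt 2>$q
)
```

After `build_fullchain server.crt chain.crt fullchain.pem`, `check_order fullchain.pem` confirms the leaf comes first, and `openssl verify -CAfile <root> -untrusted fullchain.pem server.crt` confirms the chain actually validates against the root you expect.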