Failed to fetch signing keys - No federation possible #736

Open
opened 2025-04-08 12:25:59 +00:00 by Vibeshibe · 3 comments
Vibeshibe commented 2025-04-08 12:25:59 +00:00 (Migrated from github.com)

Fresh install, according to documentation. .well-known JSON hosted on main website shibabox.eu with redirect to conduwuit instance at chat.shibabox.eu. Using Traefik as a reverse proxy.

Error:

```text
WARN conduwuit_api::router::auth: Failed to fetch signing keys: Failed to fetch federation signing-key key_id="key here" origin="federation instance here"
```

My docker-compose.yml:

```yaml
services:
  homeserver:
    ### If you already built the conduwuit image with 'docker build' or want to use the Docker Hub image,
    ### then you are ready to go.
    image: girlbossceo/conduwuit:latest
    restart: unless-stopped
    volumes:
      #- ./data/var/lib/conduwuit:/var/lib/conduwuit
      #- ./data/etc:/etc
      - db:/var/lib/conduwuit
    networks:
      - proxy
    environment:
      CONDUWUIT_SERVER_NAME: 'shibabox.eu'
      CONDUWUIT_DATABASE_PATH: /var/lib/conduwuit
      CONDUWUIT_PORT: 6167
      CONDUWUIT_MAX_REQUEST_SIZE: 60000000
      CONDUWUIT_ALLOW_REGISTRATION: 'true'
      CONDUWUIT_REGISTRATION_TOKEN: '[EXPUNGED]'
      #CONDUWUIT_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
      CONDUWUIT_ALLOW_FEDERATION: 'true'
      CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
      CONDUWUIT_TRUSTED_SERVERS: '["matrix.org", "phenjara.de", "puppygock.gay"]'
      #CONDUWUIT_LOG: warn,state_res=warn
      CONDUWUIT_ADDRESS: 0.0.0.0
      #CONDUWUIT_CONFIG: '/etc/conduwuit.toml'

      # We need some way to serve the client and server .well-known json. The simplest way is via the CONDUWUIT_WELL_KNOWN
      # variable / config option, there are multiple ways to do this, e.g. in the conduwuit.toml file, and in a separate
      # see the override file for more information about delegation
      CONDUWUIT_WELL_KNOWN: |
        {
         client=https://chat.shibabox.eu,
         server=chat.shibabox.eu:443
        }
    #cpuset: "0-4" # Uncomment to limit to specific CPU cores
    ulimits: # conduwuit uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
      nofile:
        soft: 1048567
        hard: 1048567

    ### Uncomment if you want to use your own Element-Web App.
    ### Note: You need to provide a config.json for Element and you also need a second
    ###       Domain or Subdomain for the communication between Element and conduwuit
    ### Config-Docs: https://github.com/vector-im/element-web/blob/develop/docs/config.md
    # element-web:
    #     image: vectorim/element-web:latest
    #     restart: unless-stopped
    #     volumes:
    #         - ./element_config.json:/app/config.json
    #     networks:
    #         - proxy
    #     depends_on:
    #         - homeserver

volumes:
  db:

networks:
  # This is the network Traefik listens to, if your network has a different
  # name, don't forget to change it here and in the docker-compose.override.yml
  proxy:
    external: true
```

My docker-compose-override.yml:

```yaml
services:
  homeserver:
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"  # Change this to the name of your Traefik docker proxy network

      - "traefik.http.routers.to-conduwuit.rule=Host(`chat.shibabox.eu`)"  # Change to the address on which conduwuit is hosted
      - "traefik.http.routers.to-conduwuit.tls=true"
      - "traefik.http.routers.to-conduwuit.tls.certresolver=letsencrypt"
      - "traefik.http.routers.to-conduwuit.middlewares=cors-headers@docker"
      - "traefik.http.services.to_conduwuit.loadbalancer.server.port=6167"

      - "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*"
      - "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization"
      - "traefik.http.middlewares.cors-headers.headers.accessControlAllowMethods=GET, POST, PUT, DELETE, OPTIONS"
```
idanoo commented 2025-04-11 03:01:14 +00:00 (Migrated from github.com)

The only difference I can see compared to my instance is that the content-type response headers (on the shibabox.eu main website) aren't set to `application/json`, which could be breaking it.

```console
➜  ~ curl  https://shibabox.eu/.well-known/matrix/server
{"m.server":"chat.shibabox.eu:443"}%
➜  ~ curl https://deadnet.nz/.well-known/matrix/server
{"m.server":"chat.deadnet.nz:443"}%

➜  ~ curl -I https://shibabox.eu/.well-known/matrix/server
content-type: application/octet-stream
➜  ~ curl -I https://deadnet.nz/.well-known/matrix/server
content-type: application/json
```
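A way to automate the comparison idanoo ran by hand, as an added example (not code from this issue, from conduwuit or from Traefik): it takes a captured `/.well-known/matrix/server` response and checks the things a federating peer depends on when resolving a server name: an HTTP 200, a JSON media type, and a JSON body whose `m.server` value is `host[:port]`. The sample responses are constructed to mirror the curl output quoted above, not captured from the live hosts; the `fetch_well_known` helper is the same check run over the network and is an addition of this example.

```python
"""Offline checks for Matrix server-name delegation via /.well-known/matrix/server.

Added example for this thread; not code from the issue, conduwuit or Traefik.
It validates what a federating homeserver relies on when it resolves a server
name: HTTP 200, a JSON content type, and a JSON body whose "m.server" value is
host[:port]. The sample responses below are constructed to mirror the curl
output quoted in the thread, not captured from the live hosts.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# host[:port]; the host may be a DNS name or a bracketed IPv6 literal.
HOSTPORT_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9.\-]+|\[[0-9A-Fa-f:.]+\])(?::(?P<port>\d{1,5}))?$"
)


@dataclass
class WellKnownResult:
    ok: bool
    delegated_host: Optional[str] = None
    delegated_port: Optional[int] = None
    problems: list = field(default_factory=list)


def check_well_known(status: int, headers: dict, body: bytes) -> WellKnownResult:
    """Validate one captured response; never raises on malformed input."""
    result = WellKnownResult(ok=False)
    if status != 200:
        result.problems.append(f"unexpected HTTP status {status}")
    lower = {k.lower(): v for k, v in headers.items()}
    ctype = lower.get("content-type", "")
    media_type = ctype.split(";")[0].strip().lower()
    if media_type != "application/json":
        # The difference spotted in the thread: a JSON body served with the
        # wrong media type. A peer that checks the header will refuse it.
        result.problems.append(
            f"content-type is {ctype or '<missing>'!r}, expected application/json"
        )
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        result.problems.append(f"body is not valid JSON: {exc}")
        return result
    server = doc.get("m.server") if isinstance(doc, dict) else None
    if not isinstance(server, str):
        result.problems.append('"m.server" is missing or not a string')
        return result
    match = HOSTPORT_RE.match(server)
    if match is None:
        result.problems.append(f'"m.server" value {server!r} is not host[:port]')
        return result
    port = int(match.group("port")) if match.group("port") else None
    if port is not None and not 1 <= port <= 65535:
        result.problems.append(f"port {port} out of range")
        return result
    result.delegated_host = match.group("host")
    result.delegated_port = port
    result.ok = not result.problems
    return result


def fetch_well_known(server_name: str, timeout: float = 10.0) -> WellKnownResult:
    """Live variant (hypothetical helper): fetch over HTTPS and run the same checks."""
    req = Request(f"https://{server_name}/.well-known/matrix/server",
                  headers={"Accept": "application/json"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return check_well_known(resp.status, dict(resp.headers), resp.read())
    except HTTPError as err:  # 4xx/5xx responses still carry headers and a body
        return check_well_known(err.code, dict(err.headers), err.read())


# Constructed samples modelled on the curl output in the thread.
SAMPLES = {
    "octet-stream": (200, {"Content-Type": "application/octet-stream"},
                     b'{"m.server":"chat.shibabox.eu:443"}'),
    "json": (200, {"Content-Type": "application/json"},
             b'{"m.server":"chat.deadnet.nz:443"}'),
    "html-error-page": (200, {"Content-Type": "text/html; charset=utf-8"},
                        b"<html><body>Not found</body></html>"),
}

if __name__ == "__main__":
    for name, (status, headers, body) in SAMPLES.items():
        r = check_well_known(status, headers, body)
        print(f"{name}: {'OK' if r.ok else 'FAIL'} "
              f"delegated={r.delegated_host}:{r.delegated_port}")
        for p in r.problems:
            print(f"  - {p}")
```

The validator deliberately keeps going after a content-type mismatch so that the report still shows which host the document delegates to; the run in this thread would therefore show the correct `chat.shibabox.eu:443` delegation alongside the `application/octet-stream` complaint, which is exactly the situation where the file looks right in a browser but a peer can still reject it.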
Jade added the Matrix/Federation label 2025-04-14 21:01:24 +00:00
nex added the Inherited label 2025-04-14 23:37:06 +00:00
Owner

From what I remember, the application/octet-stream is an issue with Cloudflare, which the mentioned domain is under, but not the other ones they tested.

Owner

There's no need for the `cors-headers` middleware AFAICT unless perhaps the .well-known files don't set it?
Otherwise that traefik config looks perfectly OK to me.

Reference: continuwuation/continuwuity#736