Vish/homelab-optimized
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
75d4f4e02b3ec115e8ca98ccd0baf1b052b2cb28
homelab-optimized/docs/troubleshooting/matrix-ssl-authentik-incident-2026-03-19.md
Gitea Mirror Bot 75d4f4e02b
Some checks failed
Documentation / Build Docusaurus (push) Failing after 5m0s
Details
Documentation / Deploy to GitHub Pages (push) Has been skipped
Details
Sanitized mirror from private repository - 2026-03-29 13:33:25 UTC
2026-03-29 13:33:25 +00:00

207 lines
9.0 KiB
Markdown
Raw Blame History

# Matrix SSL + Authentik + Portainer OAuth Incidents — 2026-03-19/21
---
## Issues Addressed
### 1. mx.vish.gg "Not Secure" Warning
**Symptom:** Browser showed "Not Secure" on `https://mx.vish.gg`.
**Root cause:** NPM was serving the **Cloudflare Origin Certificate** (cert ID 1, `*.vish.gg`) for `mx.vish.gg`. Cloudflare Origin certs are only trusted by Cloudflare's edge — since `mx.vish.gg` is **unproxied** (required for Matrix federation), browsers hit the origin directly and don't trust the cert.
**Fix:**
1. Got a proper Let's Encrypt cert for `mx.vish.gg` via Cloudflare DNS challenge on matrix-ubuntu:
```bash
sudo certbot certonly --dns-cloudflare \
--dns-cloudflare-credentials /etc/cloudflare.ini \
-d mx.vish.gg --email your-email@example.com --agree-tos
```
2. Copied cert to NPM as `npm-6`:
```
/volume1/docker/nginx-proxy-manager/data/custom_ssl/npm-6/fullchain.pem
/volume1/docker/nginx-proxy-manager/data/custom_ssl/npm-6/privkey.pem
```
3. Updated NPM proxy host 10 (`mx.vish.gg`) to use cert ID 6
4. Set up renewal hook: `/etc/letsencrypt/renewal-hooks/deploy/copy-to-npm.sh`
**Same fix applied for:** `livekit.mx.vish.gg` (cert `npm-7`, proxy host 47)
---
### 2. kuma.vish.gg Redirect Loop (`ERR_TOO_MANY_REDIRECTS`)
**Symptom:** `kuma.vish.gg` (Uptime Kuma) caused infinite redirect loop via Authentik Forward Auth.
**Root cause (two issues):**
**Issue A — Missing `X-Original-URL` header:**
The Authentik outpost returned `500` for Forward Auth requests because NPM wasn't passing the `X-Original-URL` header. The outpost log showed:
```
failed to detect a forward URL from nginx
```
**Fix:** Added to NPM advanced config for `kuma.vish.gg` (proxy host 41):
```nginx
auth_request /outpost.goauthentik.io/auth/nginx;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
```
**Issue B — Empty `cookie_domain` on all Forward Auth providers:**
After login, Authentik couldn't set the session cookie correctly because `cookie_domain` was empty on all proxy providers. This caused the auth loop to continue even after successful authentication.
**Fix:** Set `cookie_domain: vish.gg` on all proxy providers via Authentik API:
| PK | Provider | Was | Now |
|----|----------|-----|-----|
| 4 | Paperless Forward Auth | `''` | `vish.gg` |
| 5 | vish.gg Domain Forward Auth | `vish.gg` | ✅ already set |
| 8 | Scrutiny Forward Auth | `''` | `vish.gg` |
| 12 | Uptime Kuma Forward Auth | `''` | `vish.gg` |
| 13 | Ollama Forward Auth | `''` | `vish.gg` |
| 14 | Wizarr Forward Auth | `''` | `vish.gg` |
```bash
AK_TOKEN="..."
for pk in 4 8 12 13 14; do
PROVIDER=$(curl -s "https://sso.vish.gg/api/v3/providers/proxy/$pk/" -H "Authorization: Bearer $AK_TOKEN")
UPDATED=$(echo "$PROVIDER" | python3 -c "import sys,json; d=json.load(sys.stdin); d['cookie_domain']='vish.gg'; print(json.dumps(d))")
curl -s -X PUT "https://sso.vish.gg/api/v3/providers/proxy/$pk/" \
-H "Authorization: Bearer $AK_TOKEN" -H "Content-Type: application/json" -d "$UPDATED"
done
```
---
### 3. TURN Server External Verification
**coturn** was verified working externally from Seattle VPS (different network):
| Test | Result |
|------|--------|
| UDP port 3479 reachable | ✅ |
| STUN Binding request | ✅ `0x0101` success, returns `184.23.52.14:3479` |
| TURN Allocate (auth required) | ✅ `0x0113` (401) — server responds, relay functional |
Config: `/etc/turnserver.conf` on matrix-ubuntu
- `listening-port=3479`
- `use-auth-secret`
- `static-auth-secret` = same as `turn_shared_secret` in Synapse homeserver.yaml
- `realm=matrix.thevish.io`
---
## NPM Certificate Reference
| Cert ID | Nice Name | Domain | Type | Expires | Notes |
|---------|-----------|--------|------|---------|-------|
| 1 | Cloudflare Origin - vish.gg | `*.vish.gg`, `vish.gg` | Cloudflare Origin | 2041 | Only trusted by CF edge — don't use for unproxied |
| 2 | Cloudflare Origin - thevish.io | `*.thevish.io` | Cloudflare Origin | 2026 | Same caveat |
| 3 | Cloudflare Origin - crista.love | `*.crista.love` | Cloudflare Origin | 2026 | Same caveat |
| 4 | git.vish.gg (LE) | `git.vish.gg` | Let's Encrypt | 2026-05 | |
| 5 | headscale.vish.gg (LE) | `headscale.vish.gg` | Let's Encrypt | 2026-06 | |
| 6 | mx.vish.gg (LE) | `mx.vish.gg` | Let's Encrypt | 2026-06 | Added 2026-03-19 |
| 7 | livekit.mx.vish.gg (LE) | `livekit.mx.vish.gg` | Let's Encrypt | 2026-06 | Added 2026-03-19 |
> **Rule:** Any domain that is **unproxied** in Cloudflare (DNS-only, orange cloud off) must use a real Let's Encrypt cert, not the Cloudflare Origin cert.
---
## Renewal Automation
Certs 6 and 7 are issued by certbot on `matrix-ubuntu` and auto-renewed via systemd timer. Deploy hooks copy renewed certs to NPM on Calypso:
```
/etc/letsencrypt/renewal-hooks/deploy/copy-to-npm.sh
```
To manually renew and deploy:
```bash
ssh matrix-ubuntu
sudo certbot renew --force-renewal -d mx.vish.gg
# hook runs automatically and copies to NPM
```
---
## Issue 4 — Portainer OAuth Hanging (2026-03-21)
**Symptom:** Clicking "Sign in with SSO" on `https://pt.vish.gg` would redirect to Authentik, authenticate successfully, but then hang on `https://pt.vish.gg/?code=...&state=...#!/auth`.
**Root causes (three layered issues):**
### A — NPM migrated to matrix-ubuntu (missed in session context)
NPM was migrated from Calypso to matrix-ubuntu (`192.168.0.154`) on 2026-03-20. All cert and proxy operations needed to target the new NPM instance.
### B — AdGuard wildcard DNS `*.vish.gg → 100.85.21.51` (matrix-ubuntu Tailscale IP)
The Calypso AdGuard had a wildcard rewrite `*.vish.gg → 100.85.21.51` (matrix-ubuntu's Tailscale IP) intended for LAN clients. This caused:
- `pt.vish.gg` → `100.85.21.51` — Portainer OAuth redirect went to matrix-ubuntu instead of Atlantis
- `sso.vish.gg` → `100.85.21.51` — Portainer's token exchange request to Authentik timed out
- `git.vish.gg` → `100.85.21.51` — Portainer GitOps stack polling timed out
**Fix:** Added specific overrides before the wildcard in AdGuard (`/opt/adguardhome/conf/AdGuardHome.yaml`):
```yaml
- domain: pt.vish.gg
answer: 192.168.0.154 # NPM on matrix-ubuntu (proxies to Atlantis:10000)
enabled: true
- domain: sso.vish.gg
answer: 192.168.0.154 # NPM on matrix-ubuntu (proxies to Authentik)
enabled: true
- domain: git.vish.gg
answer: 192.168.0.154 # NPM on matrix-ubuntu (proxies to Gitea)
enabled: true
- domain: '*.vish.gg'
answer: 100.85.21.51 # wildcard — matrix-ubuntu for everything else
```
### C — Cloudflare Origin certs not trusted by Synology/Atlantis
Even with correct DNS, Atlantis couldn't verify the Cloudflare Origin cert on `sso.vish.gg` and `pt.vish.gg` since they're unproxied (DNS-only in Cloudflare).
**Fix:** Issued Let's Encrypt certs for each domain via Cloudflare DNS challenge on matrix-ubuntu:
| Domain | NPM cert ID | Expires |
|--------|------------|---------|
| `sso.vish.gg` | `npm-12` | 2026-06 |
| `pt.vish.gg` | `npm-11` | 2026-06 |
All certs auto-renew via certbot on matrix-ubuntu with deploy hook at:
`/etc/letsencrypt/renewal-hooks/deploy/copy-to-npm.sh`
The hook copies renewed certs to `/opt/npm/data/custom_ssl/npm-N/` and reloads nginx.
---
## Issue 5 — npm-8 cert overwrite caused mass cert mismatch (2026-03-21)
**Symptom:** All `*.vish.gg` services showing `Hostname/IP does not match certificate's altnames: DNS:sso.vish.gg` — Kuma, Homarr, NTFY, Mastodon, NPM, Ollama all down.
**Root cause:** When issuing the LE cert for `sso.vish.gg`, it was copied into `npm-8` which was the Cloudflare Origin wildcard cert `*.vish.gg` that ALL other `*.vish.gg` services relied on.
**Fix:**
1. Created `npm-12` for `sso.vish.gg` LE cert
2. Restored `npm-8` from `/opt/npm/data/custom_ssl/x-vish-gg/` (the CF Origin wildcard backup)
3. Updated `sso.vish.gg` proxy host to use `npm-12`
4. Updated certbot renewal hook to use `npm-12` for `sso.vish.gg`
**Prevention:** When adding a new LE cert, always use the **next available npm-N ID**, never reuse an existing one.
---
### Current NPM cert reference (matrix-ubuntu) — FINAL
| Cert ID | Domain | Type | Used by |
|---------|--------|------|---------|
| npm-1 | `*.vish.gg` + `vish.gg` (CF Origin) | Cloudflare Origin | Legacy — don't use for unproxied |
| npm-2 | `*.thevish.io` (CF Origin) | Cloudflare Origin | Legacy |
| npm-3 | `*.crista.love` (CF Origin) | Cloudflare Origin | Legacy |
| npm-6 | `mx.vish.gg` | Let's Encrypt | `mx.vish.gg` (Matrix) |
| npm-7 | `livekit.mx.vish.gg` | Let's Encrypt | `livekit.mx.vish.gg` |
| npm-8 | `*.vish.gg` (CF Origin) | Cloudflare Origin | All `*.vish.gg` Cloudflare-proxied services |
| npm-9 | `*.thevish.io` | Let's Encrypt | All `*.thevish.io` services |
| npm-10 | `*.crista.love` | Let's Encrypt | All `*.crista.love` services |
| npm-11 | `pt.vish.gg` | Let's Encrypt | `pt.vish.gg` (Portainer) |
| npm-12 | `sso.vish.gg` | Let's Encrypt | `sso.vish.gg` (Authentik) |
> **Rule:** Any unproxied domain accessed by internal services (Portainer, Synology, Kuma) needs a real LE cert (npm-6+). Never overwrite an existing npm-N — always use the next available number.
**Last updated:** 2026-03-21
Reference in New Issue View Git Blame Copy Permalink