RC Federation - Problems with Self Signed Certificates?

Description

Hello Guys,
i am trying to set up RC Federation Mode in my Home Lab for University project for several day.
I am using two Ubuntu 20.04 Server virtuell machines for that.
VM1: 192.168.0.233
VM2: 192.168.0.244

I set up RC on both Client with Docker containers.
I configured a DNS server on VM1 with Bind9.

When i click “Test” in the Federation Tab, it tells me it should work on both servers.
But when i am searching for the user in another server i get following message:

I am using self created certificates created like it is mentioned here:
https://docs.rocket.chat/installation/docker-containers

VM1: rc1.test.home
VM2: rc2.test.home

Server Setup Information

  • Version of Rocket.Chat Server: 3.5.0
  • Operating System: Ubuntu 20.04 Server
  • Deployment Method: Docker
  • Number of Running Instances: 1 on each VM
  • DB Replicaset Oplog: Enabled
  • NodeJS Version: 12.16.1 x64
  • MongoDB Version: 4.0.19
  • Proxy: Nginx
  • Firewalls involved: No firewall is used

Any additional Information

So these are the error logs i get:

I20200730-10:29:31.893(0) server.js:204 Federation ➔ dns.error Error: failed [404] Not Found at Object.exports.makeErrorByStatus (packages/http.js:177:10) at Request._callback (packages/http.js:141:24) at Request.self.callback (/app/bundle/programs/server/npm/node_modules/meteor/http/node_modules/request/request.js:185:22) at Request.emit (events.js:311:20) at Request.EventEmitter.emit (domain.js:482:12) at Request. (/app/bundle/programs/server/npm/node_modules/meteor/http/node_modules/request/request.js:1161:10) at Request.emit (events.js:311:20) at Request.EventEmitter.emit (domain.js:482:12) at IncomingMessage. (/app/bundle/programs/server/npm/node_modules/meteor/http/node_modules/request/request.js:1083:12) at Object.onceWrapper (events.js:417:28) at IncomingMessage.emit (events.js:323:22) at IncomingMessage.EventEmitter.emit (domain.js:482:12) at endReadableNT (_stream_readable.js:1204:12) at processTicksAndRejections (internal/process/task_queues.js:84:21) { response: { statusCode: 404, content: ‘Not Found’, headers: { ‘content-length’: ‘9’, ‘content-type’: ‘text/plain; charset=utf-8’, date: ‘Thu, 30 Jul 2020 10:29:31 GMT’, etag: ‘W/“9-0gXL1ngzMqISxa6S1zx3F4wtLyg”’, ‘x-powered-by’: ‘Express’, connection: ‘close’ }, data: null } }
I20200730-10:29:33.484(0) server.js:204 Federation ➔ http.error Error Error: self signed certificate I20200730-10:29:51.798(0) server.js:204 Federation ➔ http.error Error Error: self signed certificate

The first error i got while typing the address.
The self singed certificate error appears, when im done typing.

Do you know if Federation mode is possible with a self singed certificate?
Has anyone here been able to do this?

Or could the error be in my configuration? (DNS config or something like that)

I am grateful for any kind of help.

-Sven

This is my Bind9 config:

This is the output of using “dig” comment:
dig

And this is how the Federation Config looks like:

Just a few things jump out at me…
in my bind9 config I have a protocol entry:

rocketchat-protocol.mydomain.com. IN TXT “https”

The only other thing… Is it because you are using the same domain for both servers? Federation is tied very much to the domain and I wonder if each box things it has sole ownership of the domain hence does not look to federation?

Hello, thank you for your answer.

as far as i unterstood, that protocol entry is only for legacy support.

" Legacy Support: If your DNS provider does not support SRV records with _http or _https" (from here: https://docs.rocket.chat/guides/administrator-guides/federation)

i just tested it by using the legacy syntax . Unfortunately it still doenst work.

Well yes, im using two subdomains for the servers:
rc1.test.home --> 192.168.0.233
rc2.test.home --> 192.168.0.244
So you think i should try it with complete differnent domains?

Did you manage to get federation working on your system?

BTW: when im using HTTP, i can see the user of the other server, but i am getting an error when im trying to chat with that user

Im pretty sure it’s a certificate problem.

The detailed logs show, that the DNS process is successful:

@SvenE I had a similar problem with RC from docker and federation as we use our own CA for certificates.

For me the workaroud was to add NODE_TLS_REJECT_UNAUTHORIZED=0 to the environment variables in the docker-compose.yml.

I’m still looking for another solution besides building the docker image myself and adding the CA certs there und running update-ca-certificates. But maybe there is no way “out-of-the-box”.

@alan.sikora so this is still the status of this! :sleepy:

No I didn’t actually get it working either.
You seem to have got further than me. I have two identical servers on different domains.
One passes the DNS test and the other doesn’t! Both behind the same reverse proxy.
Given up on that now!!

Thank you for your reply.

i will definitely try this in the next days.

Thank you, this actually worked. I can find the user now. There is no more certificate error.

But when im trying to message the user, im getting the next error.

@klepptor Did you have that problem, too?

Frankly, I don’t know. :wink:

I got federation “working”, but it was very, very unreliable. Sometimes messaging a user from another server worked, sometime not, even in my test setup and only a few local users. So for the moment I gave up getting further into it and setting it up on my production instances with some hundret LDAP users.

Maybe I will give it another chance when the is, someday, officially stable.

Okay :pensive:
But Thank you anyway.

So I found my error:
The problem was in the Federation Tab.
In the field “Domain” I actually wrote down my Counterpart
(for example: In RC-Server “rc1.test.home” i wrote down “rc2.test.home”)

You actually have to specify the server on which you are.
(for example: in RC-Server “rc1.test.home” --> In Domain you have to specify “rc1.test.home” too)

Well, but now i have the same problem as mentioned in this topic :expressionless::

In any Active Directory Federation Services (AD FS) design, various certificates must be used to secure communication and facilitate user authentications between Internet clients and federation servers.