Dendrite Server TLS Certificate Renewal Issue #122
I've identified an issue with Dendrite server during Let's Encrypt certificate renewal. The logs show a local error: `tls: bad record MAC` error, indicating a failure to read the updated certificates properly. Upon investigation, it seems the problem lies in the use of `--tls-cert`/`--tls-key` parameters in the startup command. These parameters are utilized by the Golang http library's `ListenAndServeTLS` function (which won't update cert/key), which seems to be designed more for self-signed certificate testing rather than production use, preventing Dendrite from properly picking up renewed certificates.

A potential solution is to reverse proxy the server-side port through Nginx, letting Nginx manage SSL certificates instead of relying on local HTTPS options. This should facilitate a smoother certificate renewal process and resolve TLS errors after Let's Encrypt certificate expiration.

Let me know if you need more details or if there's a preferred approach to address this issue.

Comments

Thank you for your investigation. Please share the full log leading up to the error you quoted. Whose log is it, by the way? I see no reason for Let's Encrypt certificate renewal to complain about Dendrite. For Dendrite to complain about certificates, well, I do realize one might need a service restart to reload the certificates. (Which is not coded.) Using a reverse proxy is indeed the way to go. I have a vague remembrance that Dendrite was failing during initial packaging if it was not directly fed a certificate and key. Hopefully this has changed since then.

Here's the log exported by using Can confirm that these errors are generated by Golang's http lib, since I didn't find these errors in Dendrite's log files.

It happened again.

Is this the reason the dendrite app is marked as broken?