We should give a better error message when a join-over-federation request is rejected by the remote server

[benparsons]

Description

When trying to join #junta:junta.pl from matrix.org I get the following error:

Invalid signature for server matrix.org with key ed25519:auto: Unable to verify signature for matrix.org 

Steps to reproduce

• peek at #junta:junta.pl in Riot
• click to Join
• get error above
• complain to @erikjohnston

Possible dup of : #3387 #3294

[richvdh]

Yup it's likely that junta.pl has an incorrectly-configured reverse proxy, making this a dup of #3387 and #3294. https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.rst should explain the right thing to do.

[richvdh]

Logs from the matrix.org side:

2019-03-14 11:51:11,673 - synapse.http.matrixfederationclient - 304 - INFO - POST-23265939 - {GET-O-400942} [junta.pl] Sending request: GET matrix://junta.pl/_matrix/federation/v1/make_join/%21scluwrvYffWOgbHBNp%3Ajunta.pl/%40benpa%3Amatrix.org?ver=1&ver=3&ver=2&ver=state-v2-test; timeout 20.000000s
2019-03-14 11:51:11,742 - synapse.http.matrixfederationclient - 336 - INFO - POST-23265939 - {GET-O-400942} [junta.pl] Got response headers: 401 Unauthorized

I don't think this is a synapse bug per se, so I'm going to close this. Feel free to reopen if you think differently

[turt2live]

Reopening because claiming the server has a signature error with itself when the remote end is misconfigured is scary.

[richvdh]

What if instead of just forwarding the message, we instead said something like "<server> rejected our request: <msg>"

So in this case:

junta.pl rejected our request: Invalid signature for server matrix.org with key ed25519:auto: Unable to verify signature for matrix.org.

Or should we instead look for specifically this error and say something different?

[turt2live]

Prefixing it is probably all that's needed. I have Opinions on clients relying on the messages as is, and would probably advocate that at least Riot display something more user friendly.

[haslersn]

I also ran into this issue. My homeserver is behind nginx with (among others) the following config:

location /_matrix {
    proxy_pass http://localhost:8008/_matrix;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
}

Using the following instead solved my problem:

location /_matrix {
    proxy_pass http://localhost:8008;
    proxy_set_header X-Forwarded-For $remote_addr;
}

[richvdh]

removed reports from unrelated problems. If you need support please take it to #synapse:matrix.org rather than posting on issues which appear superficially related.