
CAS not working after migration to ynh 12 #497

Open
Thatoo opened this issue Nov 13, 2024 · 29 comments

Comments


Thatoo commented Nov 13, 2024

Describe the bug

After migrating to ynh 12, I can't connect to my Matrix account. When I click on "Continue with CAS", it only goes to the ynh user app list.

Context

  • Hardware: Old laptop or computer
  • YunoHost version: 12.0.7
  • I have access to my server: Through SSH | through the webadmin | direct access via keyboard / screen
  • Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: no

Steps to reproduce

Connect to ynh SSO.
Go to app.element.io
Choose synapse server address
Click on "Continue with CAS"
Land on the ynh user app list screen

Also, if I go on https://domain.tld/_matrix/cas_server.php, then I get a "Bad URL" page.

Expected behavior

Be able to click on continue/accept and be connected to matrix account within Element.

Logs


Thatoo commented Nov 13, 2024

Well, I discovered that if I'm not already logged in when I click on "Continue with CAS" but log in afterwards, then it works.


Josue-T commented Nov 20, 2024

Hello,

Can you try from testing to see if it solves the issue?

@Josue-T Josue-T added the bug label Nov 20, 2024

Thatoo commented Nov 21, 2024

Still the same.
If I'm not logged in (private browser window), CAS is working and I can connect, but if I'm already logged in as a user to the ynh portal then CAS isn't working: I land on the ynh user app list and I can't connect to Matrix in the Element web app.


Josue-T commented Nov 21, 2024

So if I understand correctly, the issue is with the session on which you are already logged in. If that's the case, can you try to log out, then log in and try again? I would like to be sure that you have the correct cookie when you send the request.


Thatoo commented Nov 21, 2024

No, it's the same. If I'm logged in (even if I first log out and then log in again) when I click on the button "Continue with CAS", then it goes to the ynh user app list instead of asking me to "accept".
If I'm logged out when I click on the button "Continue with CAS", then I reach the ynh login screen and, after login, I get the page to "accept" and then it works.

I tried app.element.io on both Firefox private page and Firefox dev (not private, without any addons).


Josue-T commented Nov 21, 2024

Ok, maybe it could be a crash of the PHP part. Can you share the content of your PHP and nginx logs?


Thatoo commented Nov 23, 2024

I could not find anything relevant in /var/log/php8.3-fpm.log nor in /var/log/nginx/:

  • error.log
  • ssowat.log
  • matrix.domain.tld-error.log

The only error I could find in logs when I repeat the action was in /var/log/domain.tld-error.log :

2024/11/23 20:02:25 [error] 264350#264350: *292189 open() "/usr/share/yunohost/portal/customassets/domain.tld.custom.css" failed (2: No such file or directory), client: 89.234.177.94, server: domain.tld, request: "GET /yunohost/sso/customassets/custom.css HTTP/2.0", host: "hamdel.in", referrer: "https://domain.tld/yunohost/sso/?r=aHR0cHM6Ly9tYXRyaXguaGFtZGVsLmluL19tYXRyaXgvY2FzX3NlcnZlci5waHAvbG9naW4/c2VydmljZT1odHRwczovL21hdHJpeC5oYW1kZWwuaW4vX21hdHJpeC9jbGllbnQvcjAvbG9naW4vY2FzL3RpY2tldD9yZWRpcmVjdFVybD1odHRwcyUzQSUyRiUyRmFwcC5lbGVtZW50LmlvJTJG"


Josue-T commented Nov 25, 2024

Can you share the log lines you get while trying a login, from /var/log/nginx/<synapse domain>-access.log?


Thatoo commented Nov 25, 2024

xxx.xxx.xxx.xxx - - [25/Nov/2024:11:36:32 +0100] "GET /.well-known/matrix/client HTTP/2.0" 302 138 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0"
xxx.xxx.xxx.xxx - - [25/Nov/2024:11:36:32 +0100] "GET /_matrix/client/versions HTTP/2.0" 200 1063 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0"
xxx.xxx.xxx.xxx - - [25/Nov/2024:11:36:32 +0100] "GET /_matrix/client/unstable/org.matrix.msc2965/auth_issuer HTTP/2.0" 404 59 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0"
::1 - - [25/Nov/2024:11:36:32 +0100] "GET /_matrix/client/v3/sync?timeout=30000&since=s51095_3444130_247_54547_10614_34_5635_29148_0_7&filter=0&set_presence=online HTTP/1.1" 200 225 "-" "mautrix-telegram/0.15.1+dev.unknown mautrix-python/0.20.6 aiohttp/3.11.0 Python/3.11.2"
yyy.yyy.yyy.yyy - - [25/Nov/2024:11:36:46 +0100] "GET /_matrix/client/v3/sync?filter=2&timeout=30000&set_presence=unavailable&since=s51095_3444134_247_54547_10614_34_5635_29148_0_7 HTTP/2.0" 200 252 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Element/1.11.86 Chrome/130.0.6723.59 Electron/33.0.2 Safari/537.36"
yyy.yyy.yyy.yyy - - [25/Nov/2024:11:36:46 +0100] "OPTIONS /_matrix/client/v3/sync?filter=2&timeout=30000&set_presence=unavailable&since=s51095_3444134_247_54547_10614_34_5635_29148_0_7 HTTP/2.0" 204 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Element/1.11.86 Chrome/130.0.6723.59 Electron/33.0.2 Safari/537.36"
yyy.yyy.yyy.yyy - - [25/Nov/2024:11:36:46 +0100] "GET /_matrix/client/v3/sync?filter=2&timeout=30000&set_presence=unavailable&since=s51095_3444134_247_54547_10614_34_5635_29148_0_7 HTTP/2.0" 200 402 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Element/1.11.86 Chrome/130.0.6723.59 Electron/33.0.2 Safari/537.36"
yyy.yyy.yyy.yyy - - [25/Nov/2024:11:36:47 +0100] "OPTIONS /_matrix/client/v3/sync?filter=2&timeout=30000&set_presence=unavailable&since=s51095_3444138_247_54547_10614_34_5635_29148_0_7 HTTP/2.0" 204 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Element/1.11.86 Chrome/130.0.6723.59 Electron/33.0.2 Safari/537.36"
xxx.xxx.xxx.xxx - - [25/Nov/2024:11:36:50 +0100] "GET /.well-known/matrix/client HTTP/2.0" 302 138 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0"
xxx.xxx.xxx.xxx - - [25/Nov/2024:11:36:50 +0100] "GET /_matrix/client/versions HTTP/2.0" 200 1063 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0"
xxx.xxx.xxx.xxx - - [25/Nov/2024:11:36:50 +0100] "GET /_matrix/client/unstable/org.matrix.msc2965/auth_issuer HTTP/2.0" 404 59 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0"
xxx.xxx.xxx.xxx - - [25/Nov/2024:11:36:50 +0100] "GET /.well-known/matrix/client HTTP/2.0" 302 138 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0"
xxx.xxx.xxx.xxx - - [25/Nov/2024:11:36:50 +0100] "GET /_matrix/client/versions HTTP/2.0" 200 1063 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0"
xxx.xxx.xxx.xxx - - [25/Nov/2024:11:36:50 +0100] "GET /_matrix/client/unstable/org.matrix.msc2965/auth_issuer HTTP/2.0" 404 59 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0"
xxx.xxx.xxx.xxx - - [25/Nov/2024:11:36:50 +0100] "GET /_matrix/client/versions HTTP/2.0" 200 1063 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0"
xxx.xxx.xxx.xxx - - [25/Nov/2024:11:36:50 +0100] "GET /_matrix/client/unstable/org.matrix.msc2965/auth_issuer HTTP/2.0" 404 59 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0"
xxx.xxx.xxx.xxx - - [25/Nov/2024:11:36:50 +0100] "GET /_matrix/client/v3/login HTTP/2.0" 200 170 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0"
xxx.xxx.xxx.xxx - - [25/Nov/2024:11:36:52 +0100] "GET /_matrix/client/v3/login/sso/redirect/cas?redirectUrl=https%3A%2F%2Fapp.element.io%2F&org.matrix.msc3824.action=login HTTP/2.0" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0"
xxx.xxx.xxx.xxx - - [25/Nov/2024:11:36:52 +0100] "GET /_matrix/cas_server.php/login?service=https%3A%2F%2Fmatrix.domain.tld%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Fapp.element.io%252F HTTP/2.0" 302 138 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0"
^C
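The access log above shows the three hops of the CAS login (Synapse `/login`, the `/login/sso/redirect/cas` 302, then `/_matrix/cas_server.php/login` with a `service` URL that nests the client's `redirectUrl`), and what is missing: the `/_matrix/client/r0/login/cas/ticket` callback that would appear once the portal handed the user back. The following triage helper, added here as an example and not code from the thread or from the YunoHost projects, parses lines in that format, decodes where each hop intends to send the user, reports how far the login got, and decodes the base64 `r=` parameter the portal carries in its URL (seen in the referrer of the error.log line quoted earlier). The sample log lines and the `domain.tld` / `203.0.113.5` values are constructed placeholders; the `same_site` check is a last-two-labels approximation of a registrable domain.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the shape of the nginx access log quoted in the thread;
# the client IP and Synapse host are placeholders, not the reporter's values.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Nov/2024:11:36:50 +0100] "GET /_matrix/client/v3/login HTTP/2.0" 200 170 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Nov/2024:11:36:52 +0100] "GET /_matrix/client/v3/login/sso/redirect/cas?redirectUrl=https%3A%2F%2Fapp.element.io%2F&org.matrix.msc3824.action=login HTTP/2.0" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Nov/2024:11:36:52 +0100] "GET /_matrix/cas_server.php/login?service=https%3A%2F%2Fmatrix.domain.tld%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Fapp.element.io%252F HTTP/2.0" 302 138 "-" "Mozilla/5.0"
"""

# Combined log format prefix: client, ident, user, [timestamp], "METHOD target proto", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Hops of the CAS login as they appear in the thread's log. The last one is the
# callback Synapse expects after the portal hands the user back; it is absent
# from the reporter's capture.
CAS_TICKET_CALLBACK = "/_matrix/client/r0/login/cas/ticket"
CAS_STEPS = (
    "/_matrix/client/v3/login",
    "/_matrix/client/v3/login/sso/redirect/cas",
    "/_matrix/cas_server.php/login",
    CAS_TICKET_CALLBACK,
)

# Constructed portal URL: the portal's ?r= carries the base64 of the URL to return to.
CAS_LOGIN_URL = ("https://matrix.domain.tld/_matrix/cas_server.php/login"
                 "?service=https://matrix.domain.tld" + CAS_TICKET_CALLBACK)
SAMPLE_PORTAL_URL = ("https://domain.tld/yunohost/sso/?r="
                     + base64.urlsafe_b64encode(CAS_LOGIN_URL.encode()).decode())


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return {"ip": m["ip"], "method": m["method"], "path": url.path,
            "query": parse_qs(url.query), "status": int(m["status"])}


def cas_chain(log_text):
    """Return the CAS-related requests in log order, decoding where each hop
    intends to send the user next (the `service` URL and the client origin)."""
    chain = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["path"] not in CAS_STEPS:
            continue
        step = {"path": rec["path"], "status": rec["status"]}
        if "service" in rec["query"]:
            # cas_server.php/login?service=<Synapse callback>?redirectUrl=<client>
            service = urlsplit(rec["query"]["service"][0])
            step["service_host"] = service.hostname
            step["service_path"] = service.path
            inner = parse_qs(service.query).get("redirectUrl")
            if inner:
                step["client_origin"] = urlsplit(inner[0]).hostname
        elif "redirectUrl" in rec["query"]:
            step["client_origin"] = urlsplit(rec["query"]["redirectUrl"][0]).hostname
        chain.append(step)
    return chain


def same_site(host_a, host_b):
    """Rough registrable-domain comparison (last two labels); fine for domain.tld
    style names, not for public suffixes such as co.uk."""
    return host_a.split(".")[-2:] == host_b.split(".")[-2:]


def diagnose(chain, portal_host):
    """How far the login got: 'ok' once the ticket callback arrived, otherwise where
    the chain stopped and whether the client sits on a different site than the portal."""
    paths = [s["path"] for s in chain]
    if CAS_TICKET_CALLBACK in paths:
        return "ok"
    if "/_matrix/cas_server.php/login" not in paths:
        return "no-cas-redirect"
    origins = {s["client_origin"] for s in chain if "client_origin" in s}
    if any(not same_site(o, portal_host) for o in origins):
        return "stuck-at-portal-cross-site"
    return "stuck-at-portal-same-site"


def decode_portal_return(portal_url):
    """Decode the portal's base64 ?r= parameter (the post-login return URL), tolerating
    stripped padding; None when the URL carries no r= parameter."""
    m = re.search(r"[?&]r=([^&#]+)", portal_url)
    if not m:
        return None
    raw = m.group(1)
    raw += "=" * (-len(raw) % 4)
    return base64.urlsafe_b64decode(raw).decode()


if __name__ == "__main__":
    steps = cas_chain(SAMPLE_LOG)
    for s in steps:
        print(s)
    print(diagnose(steps, "domain.tld"))
    print(decode_portal_return(SAMPLE_PORTAL_URL))
```

Run against the reporter's capture, `diagnose` returns `stuck-at-portal-cross-site` because the client origin decoded from the `service` parameter is `app.element.io` while the portal lives on the homeserver's site, which is the configuration Josue-T later identifies as the trigger; a run from a client on a subdomain of the portal's own domain would report the same-site variant instead, so the classification only says where the flow stopped, not why.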


Josue-T commented Dec 17, 2024

So after some (long) investigation I confirm that it's a regression and an upstream issue, cf. YunoHost/yunohost#2018

One important clarification on how to reproduce this issue: it happens when the YunoHost portal domain is completely different from the Element app domain. So, for example, we can easily reproduce the issue if we use Element from https://app.element.io

So the current known workaround is to install the Element app on the YunoHost instance and log in to Matrix from that app.

@stepcellwolf

I'm having the same issue after upgrading to YunoHost 12. Additionally, I'm also getting the following error:

Can't connect to homeserver - please check your connectivity, ensure your homeserver's SSL certificate is trusted, and that a browser extension is not blocking requests.
Cannot reach homeserver
Ensure you have a stable internet connection, or get in touch with the server admin

In Safari I was able to log in to Element with username and password, but with the Element app I'm not.
Did anyone manage to solve the issue?


croulibri commented Jan 13, 2025

Hello,

Server on small computer at home.

YunoHost 12.0.10
Synapse 1.121.1~ynh1
Element 1.11.89~ynh1

On my side, Synapse and Element are on the same server.
I have Synapse installed on zzzz.mydomain.com
and Element installed on yyyy.mydomain.com/element

When I want to log in, Element asks me to "Continue with CAS".
Clicking on it leads me to the YunoHost SSO connection page. I enter login and password. Then nothing happens.

I face the same situation with the Element or SchildiChat application.
And also with the Cinny app installed on yyyy.mydomain.com/cinny (see YunoHost-Apps/cinny_ynh#78)

This is a serious issue for my users as they can't log in with a new device or a new application.
Have you identified a workaround to allow login with a new application?


Josue-T commented Jan 13, 2025

Well, the known solution could also be to apply the related patch from YunoHost/yunohost#2018 manually.

and also ask for a merge as quickly as possible because it impacts a lot of users 😉

@croulibri

Thanks @Josue-T for your always quick and sharp answers!
How can we gently ask for a merge? Should we make a comment on the pull request you mentioned?
I am always afraid the request can hurt people already doing their best to improve our great YunoHost 😉


Josue-T commented Jan 13, 2025

Well, yes, it's a bit complicated for the merge because, as you said, doing a review and merging take time and we need somebody who takes time for this in their free time. From my point of view the reason why this is not already merged is probably because we make things less secure with this PR. Maybe @alexAubin knows more about why this was not merged for now.

So what could help:

  • doing a review: it's a one-line fix, so the review question is more for a cookie expert who can say what the impact of this change is in terms of security, and whether there is an alternative solution which is more secure.
  • Having an estimate of how many users are impacted by this issue and so need the fix could also help to take a decision. Note that I suppose some other apps may have the same issue.


Thatoo commented Jan 14, 2025

Could it be the same issue as in searx (YunoHost-Apps/searxng_ynh#363)?

@croulibri

@Josue-T , I think this issue affects all people using Synapse. Of course, "old" Synapse users may not have noticed this bug yet, as previously connected devices remain connected. But all Synapse users may be affected sooner or later.
I guess this makes quite a lot of people.

@alexAubin , is this information enough for you to mobilize the YunoHost devs to consider this merge an important question? Do you need additional information?

All the best to both of you 🤗

@croulibri

Hello @Josue-T 👋
I have the impression Alex is not available these days as I don't see any GitHub activity.
Would you mind telling me how to apply this patch manually to my current YunoHost install? Can I just modify a file, even if the change is not permanent? Or should I do something else?

Once I have applied and tested the change, I could make a review here and on your merge request to confirm its potential to solve this specific issue and indeed a problem affecting potentially a large number of YunoHost users.


Josue-T commented Jan 17, 2025

Would you mind telling me how to apply this patch manually to my current YunoHost install? Can I just modify a file, even if the change is not permanent? Or should I do something else?

Yes, I put the process here: YunoHost/yunohost#2018 (comment)


croulibri commented Jan 21, 2025

Hello,
I have applied the patch following your instructions.
But I still can't connect either to Element or to Cinny, both installed on the same server but on different subdomains from Synapse.

Currently, when on Element or Cinny, I click on "connect through SSO" and I am redirected to the YunoHost portal on the Synapse subdomain. I enter my ID and password but nothing happens and I am still on the connection page of the YunoHost portal on the Synapse subdomain (slight change of the connection page). Before moving to YunoHost 12, I was then redirected to the Element or Cinny web app, but now nothing happens. 🙁

FYI, I am still connected with the Element web app to my Synapse account, but on a browser connected 2 months ago (without clearing the cache). Similarly, new connections from the SchildiChat or Element desktop apps don't work. But desktop apps already connected continue to work very well. So Synapse and Element work well 🙂


Josue-T commented Jan 21, 2025

Hello, I have applied the patch following your instructions. But I still can't connect either to Element or to Cinny, both installed on the same server but on different subdomains from Synapse.

Currently, when on Element or Cinny, I click on "connect through SSO" and I am redirected to the YunoHost portal on the Synapse subdomain. I enter my ID and password but nothing happens and I am still on the connection page of the YunoHost portal on the Synapse subdomain (slight change of the connection page). Before moving to YunoHost 12, I was then redirected to the Element or Cinny web app, but now nothing happens. 🙁

FYI, I am still connected with the Element web app to my Synapse account, but on a browser connected 2 months ago (without clearing the cache). Similarly, new connections from the SchildiChat or Element desktop apps don't work. But desktop apps already connected continue to work very well. So Synapse and Element work well 🙂

Did you apply the upstream patch manually?


croulibri commented Jan 21, 2025

Yes, I applied the patch manually.

I edited /usr/lib/python3/dist-packages/yunohost/authenticators/ldap_ynhuser.py with nano, changing strict to lax in the 2 locations you mentioned.
Saved the changes and closed the editor.
Ran this command: systemctl restart yunohost-portal-api.service

But I have not seen any change. I will check again tonight whether the change is still in the file, but it was.

Should I have done other modifications?

Edit: I checked, the modification is present in the ldap_ynhuser.py file (on lines 273 and 326) but the connection doesn't work 🙁
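The strict/lax values edited above are the two settings a browser understands for a cookie's SameSite attribute, and that attribute decides whether the portal's existing session cookie travels with the top-level navigation that a client on another site (app.element.io in the reporter's case) triggers toward the portal via Synapse's CAS redirect. The following model, added here as an illustration and not code from the thread, from YunoHost or from any browser, encodes the SameSite rules and evaluates them for that hop and for the requests a reviewer would weigh against it. It assumes the patched attribute is SameSite (the values named in the thread are SameSite values); the `Hop` type, the site names and the scenario table are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class SameSite(Enum):
    STRICT = "Strict"
    LAX = "Lax"
    NONE = "None"


@dataclass(frozen=True)
class Hop:
    """One browser request: the site it starts from and the site it targets.
    Sites are registrable domains, so subdomains of one domain count as same-site."""
    initiator_site: str
    target_site: str
    method: str = "GET"
    top_level: bool = True   # False for fetch/XHR, images, iframes


def cookie_is_sent(policy, hop, secure=True):
    """Whether a cookie carrying `policy` accompanies `hop`, per the SameSite rules:
    same-site requests always carry it; Strict never crosses sites; Lax crosses only
    on top-level GET/HEAD navigations; None crosses everywhere, but current browsers
    only accept SameSite=None on Secure cookies, so an insecure one is never sent."""
    if hop.initiator_site == hop.target_site:
        return True
    if policy is SameSite.STRICT:
        return False
    if policy is SameSite.LAX:
        return hop.top_level and hop.method in ("GET", "HEAD")
    return secure


def cas_hop_outcome(policy, client_site, portal_site):
    """The hop that matters in this thread: the client sends the browser through
    /login/sso/redirect/cas and cas_server.php to the portal as a top-level GET.
    Reports whether an existing portal session cookie arrives with it."""
    hop = Hop(client_site, portal_site)   # GET, top-level navigation
    return "session-cookie-sent" if cookie_is_sent(policy, hop) else "session-cookie-withheld"


# Constructed scenarios: the CAS hop plus the request kinds SameSite exists to guard.
SCENARIOS = {
    "same-site navigation":       Hop("domain.tld", "domain.tld"),
    "cross-site top-level GET":   Hop("element.io", "domain.tld"),
    "cross-site form POST":       Hop("other.example", "domain.tld", method="POST"),
    "cross-site subresource/XHR": Hop("other.example", "domain.tld", top_level=False),
}


def policy_matrix():
    """Cookie-sent table per scenario and policy, to see exactly what Strict -> Lax gives up."""
    return {name: {p.value: cookie_is_sent(p, hop) for p in SameSite}
            for name, hop in SCENARIOS.items()}


def strict_lax_differences():
    """Scenarios where Strict and Lax disagree; everything else is unchanged by the patch."""
    return [name for name, row in policy_matrix().items() if row["Strict"] != row["Lax"]]


if __name__ == "__main__":
    for name, row in policy_matrix().items():
        print(f"{name:28s} {row}")
    print("Strict vs Lax differ only on:", strict_lax_differences())
    print("CAS hop from app.element.io, Strict:", cas_hop_outcome(SameSite.STRICT, "element.io", "domain.tld"))
    print("CAS hop from app.element.io, Lax:   ", cas_hop_outcome(SameSite.LAX, "element.io", "domain.tld"))
```

The table has exactly one row where the two values disagree, the cross-site top-level GET that the CAS redirect performs; cross-site form POSTs and subresource requests keep the cookie withheld under Lax, which is the cross-site request forgery property the review question in this thread is about. The model also shows that a client on a subdomain of the portal's own domain is same-site under either value, so for that layout the attribute alone does not explain a stuck login.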


Josue-T commented Jan 21, 2025

Maybe you need to try with a clean browser session, or clear your cookies for your domain, because if the previous cookie with the strict rule is still stored in your browser it might be the reason for the issue.


croulibri commented Jan 21, 2025

Cookies are cleared when I close Firefox. So it should be fine.
Even with another browser (that I never use for this purpose) it doesn't work.

I get stuck on the SSO login page, at my Synapse subdomain address (synapse.mydomain.com/yunohost/sso/login?r=aHR0cHM6Ly9kZXMu5dW5vaG9zdC8=), not my Element subdomain address (yuno.mydomain.com/element).
It is strange because after the first try, when I go back to my main YunoHost domain address (yuno.mydomain.com), it doesn't ask for the password again as I already entered it. But it has no effect when I go to the Synapse subdomain SSO page (synapse.mydomain.com/yunohost); it always asks me for credentials. Why does one address recognize my credentials, and not the other?
Once again, I am connected to this Synapse account through a web app and a desktop application connected before the transition to YunoHost 12; this account has an account on Synapse and the permission.

EDIT :
(1) Additional information. In terms of permissions, I have for anonymous visitors:

  • Synapse (Server access for client apps.)
  • Synapse (Server info for clients. (well-known))
  • Element
  • Element (bundles)

And for the users having a Matrix account:

  • Synapse

Is this correct?

(2) I don't see any suspicious log. Only coturn is regularly down, but I don't think this is related, and a restart always works. The error log says:

 turnserver[1251]: 0: : DTLS cipher suite: DEFAULT
 turnserver[1251]: 0: : NO EXPLICIT LISTENER ADDRESS(ES) ARE CONFIGURED
 turnserver[1251]: 0: : ===========Discovering listener addresses: =========
 turnserver[1251]: 0: : Listener address to use: 127.0.0.1
 turnserver[1251]: 0: : Listener address to use: ::1
 turnserver[1251]: 0: : ERROR: main: Cannot configure any meaningful IP listener address
 systemd[1]: synapse-coturn.service: Main process exited, code=exited, status=255/EXCEPTION
 systemd[1]: synapse-coturn.service: Failed with result 'exit-code'.
 systemd[1]: Failed to start synapse-coturn.service - Coturn.
 systemd[1]: synapse-coturn.service: Scheduled restart job, restart counter is at 5.
 systemd[1]: Stopped synapse-coturn.service - Coturn.
 systemd[1]: synapse-coturn.service: Start request repeated too quickly.
 systemd[1]: synapse-coturn.service: Failed with result 'exit-code'.
 systemd[1]: Failed to start synapse-coturn.service - Coturn.

@croulibri

@Thatoo and @stepcellwolf, have you found a solution for this critical issue?
I have to say I am quite bothered by this issue. My Matrix server is almost unusable 😟 as the users of my server need to be very careful not to disconnect from any client. And this isn't always possible.

@stepcellwolf

@croulibri I actually did find a solution. Together with the YunoHost community via IRC chat support, we fixed the issue. I had an issue with renewing the SSL certificate, and then after I renewed and forced it I restarted nginx, and I was not able to boot YunoHost any more as I had some json structure. Let me try to find the steps I did. Will add them here in this thread.

@croulibri

Thank you @stepcellwolf
I have been in direct contact with Josue, who helped me narrow down the root cause of the problem. We are investigating...

@croulibri

Dear @Josue-T ,
My problem is solved following, I think, these two steps:

(1) I applied the patch you advised at #497 (comment)
(2) then I moved the main domain to the YunoHost server, so not only the subdomains are managed by the YunoHost server, but also the main domain (only A records)

This was enough to be able to connect again to my Matrix account 🎉
Not sure I fully understand the core problem and the key solution, but it's working.
Please do not hesitate to tell me if I need to do additional steps to secure this change.

... and a huge thanks again for your support this time 🤗


autra commented Feb 11, 2025

FWIW, I have the same bug with the android app.

5 participants