From 45bb55c6de8b50fdd00893a6ef86623d2f34b864 Mon Sep 17 00:00:00 2001 From: Brendan Abolivier Date: Mon, 18 Feb 2019 15:46:23 +0000 Subject: [PATCH] Use a configuration parameter to give the domain to generate a certificate for --- synapse/config/tls.py | 7 +++++++ synapse/handlers/acme.py | 29 ++++------------------------- 2 files changed, 11 insertions(+), 25 deletions(-) diff --git a/synapse/config/tls.py b/synapse/config/tls.py index 5fb3486db..a3a5ece68 100644 --- a/synapse/config/tls.py +++ b/synapse/config/tls.py @@ -42,6 +42,7 @@ class TlsConfig(Config): self.acme_port = acme_config.get("port", 80) self.acme_bind_addresses = acme_config.get("bind_addresses", ['::', '0.0.0.0']) self.acme_reprovision_threshold = acme_config.get("reprovision_threshold", 30) + self.acme_domain = acme_config.get("domain", config.get("server_name")) self.tls_certificate_file = self.abspath(config.get("tls_certificate_path")) self.tls_private_key_file = self.abspath(config.get("tls_private_key_path")) @@ -229,6 +230,12 @@ class TlsConfig(Config): # # reprovision_threshold: 30 + # What domain the certificate should be for. Only useful if + # delegation via a /.well-known/matrix/server file is being used. + # Defaults to the server_name configuration parameter. + # + # domain: matrix.example.com + # List of allowed TLS fingerprints for this server to publish along # with the signing keys for this server. Other matrix servers that # make HTTPS requests to this server will check that the TLS diff --git a/synapse/handlers/acme.py b/synapse/handlers/acme.py index ca5b7257d..f8a786a4d 100644 --- a/synapse/handlers/acme.py +++ b/synapse/handlers/acme.py @@ -27,8 +27,6 @@ from twisted.web import server, static from twisted.web.resource import Resource from synapse.app import check_bind_error -from synapse.crypto.context_factory import ClientTLSOptionsFactory -from synapse.http.federation.matrix_federation_agent import MatrixFederationAgent logger = logging.getLogger(__name__) @@ -125,34 +123,15 @@ class AcmeHandler(object): @defer.inlineCallbacks def provision_certificate(self): - # Retrieve .well-known if it's in use. We do so through the federation - # agent, because that's where the .well-known logic lives. - agent = MatrixFederationAgent( - tls_client_options_factory=ClientTLSOptionsFactory(None), - reactor=self.reactor, - ) - delegated = yield agent._get_well_known(bytes(self.hs.hostname, "ascii")) - - # If .well-known is in use, use the delegated hostname instead of the - # homeserver's server_name. - if delegated: - cert_name = delegated.decode("ascii") - logger.info( - ".well-known is in use, provisioning %s instead of %s", - cert_name, self.hs.hostname, - ) - else: - cert_name = self.hs.hostname - - logger.warning("Reprovisioning %s", cert_name) + logger.warning("Reprovisioning %s", self.hs.config.acme_domain) try: - yield self._issuer.issue_cert(cert_name) + yield self._issuer.issue_cert(self.hs.config.acme_domain) except Exception: logger.exception("Fail!") raise - logger.warning("Reprovisioned %s, saving.", cert_name) - cert_chain = self._store.certs[cert_name] + logger.warning("Reprovisioned %s, saving.", self.hs.config.acme_domain) + cert_chain = self._store.certs[self.hs.config.acme_domain] try: with open(self.hs.config.tls_private_key_file, "wb") as private_key_file: