authorBrendan Abolivier <contact@brendanabolivier.com>2019-02-19 11:15:38 +0000
committerGitHub <noreply@github.com>2019-02-19 11:15:38 +0000
commita288bdf0b139dd2adbcf2145bf98a11d448ea96c (patch)
tree3d2356836c3a1f04f0e556f55886404ab5d5c7d2
parentMerge pull request #4670 from matrix-org/erikj/register_login_split (diff)
parentImprove config documentation (diff)
Merge pull request #4652 from matrix-org/babolivier/acme-delegated
Support .well-known delegation when issuing certificates through ACME
-rw-r--r--changelog.d/4652.feature1
-rw-r--r--synapse/config/tls.py15
-rw-r--r--synapse/handlers/acme.py9
3 files changed, 21 insertions, 4 deletions
diff --git a/changelog.d/4652.feature b/changelog.d/4652.feature
new file mode 100644
index 0000000000..ebe6880b21
--- /dev/null
+++ b/changelog.d/4652.feature
@@ -0,0 +1 @@
+Support .well-known delegation when issuing certificates through ACME.
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index 5fb3486db1..38425bb056 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -42,6 +42,7 @@ class TlsConfig(Config):
         self.acme_port = acme_config.get("port", 80)
         self.acme_bind_addresses = acme_config.get("bind_addresses", ['::', '0.0.0.0'])
         self.acme_reprovision_threshold = acme_config.get("reprovision_threshold", 30)
+        self.acme_domain = acme_config.get("domain", config.get("server_name"))
 
         self.tls_certificate_file = self.abspath(config.get("tls_certificate_path"))
         self.tls_private_key_file = self.abspath(config.get("tls_private_key_path"))
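Review bot: The new `self.acme_domain = acme_config.get("domain", config.get("server_name"))` line accepts the value without any validation, so an explicit `domain: null` (which `.get` does not fall back from), an empty string, or a value carrying a scheme, path or port only surfaces later as an opaque failure inside `issue_cert`. Because this is the name the server will request a publicly trusted certificate for, I would fail fast at config load, e.g. `if not self.acme_domain: raise ConfigError("acme.domain (or server_name) must be set")`, using whichever config error type this module already raises. Note also that the default is now `config.get("server_name")` rather than the `hs.hostname` the handler used before; if those can differ (for instance a server_name that includes a port), the default would be one the CA rejects — worth confirming. The enclosing `read_config` continues outside the hunk.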
@@ -229,6 +230,20 @@ class TlsConfig(Config):
             #
             # reprovision_threshold: 30
 
+            # The domain that the certificate should be for. Normally this
+            # should be the same as your Matrix domain (i.e., 'server_name'), but,
+            # by putting a file at 'https://<server_name>/.well-known/matrix/server',
+            # you can delegate incoming traffic to another server. If you do that,
+            # you should give the target of the delegation here.
+            #
+            # For example: if your 'server_name' is 'example.com', but
+            # 'https://example.com/.well-known/matrix/server' delegates to
+            # 'matrix.example.com', you should put 'matrix.example.com' here.
+            #
+            # If not set, defaults to your 'server_name'.
+            #
+            # domain: matrix.example.com
+
         # List of allowed TLS fingerprints for this server to publish along
         # with the signing keys for this server. Other matrix servers that
         # make HTTPS requests to this server will check that the TLS
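Review bot: The new `domain:` commentary says what to put here but not the operational precondition an operator needs: the ACME listener configured by `port`/`bind_addresses` above must be reachable at that name for the CA to validate it, and a `domain` that differs from `server_name` only yields a usable federation certificate if the `.well-known` delegation is actually published, which nothing in this change verifies. I would add, after the "If not set" sentence, the comment `# The domain must point at this host so the CA can validate it through the ACME listener configured above; Synapse does not check that the .well-known delegation is in place.`, wrapped to match the template width. The exact validation method is not visible in this hunk, so phrase it in terms of the listener rather than a specific challenge type.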
diff --git a/synapse/handlers/acme.py b/synapse/handlers/acme.py
index dd0b217965..813777bf18 100644
--- a/synapse/handlers/acme.py
+++ b/synapse/handlers/acme.py
@@ -56,6 +56,7 @@ class AcmeHandler(object):
     def __init__(self, hs):
         self.hs = hs
         self.reactor = hs.get_reactor()
+        self._acme_domain = hs.config.acme_domain
 
     @defer.inlineCallbacks
     def start_listening(self):
@@ -123,15 +124,15 @@ class AcmeHandler(object):
     @defer.inlineCallbacks
     def provision_certificate(self):
 
-        logger.warning("Reprovisioning %s", self.hs.hostname)
+        logger.warning("Reprovisioning %s", self._acme_domain)
 
         try:
-            yield self._issuer.issue_cert(self.hs.hostname)
+            yield self._issuer.issue_cert(self._acme_domain)
         except Exception:
             logger.exception("Fail!")
             raise
-        logger.warning("Reprovisioned %s, saving.", self.hs.hostname)
-        cert_chain = self._store.certs[self.hs.hostname]
+        logger.warning("Reprovisioned %s, saving.", self._acme_domain)
+        cert_chain = self._store.certs[self._acme_domain]
 
         try:
             with open(self.hs.config.tls_private_key_file, "wb") as private_key_file:
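Review bot: `provision_certificate` now issues and saves a certificate for `self._acme_domain` but never records when that name differs from `self.hs.hostname`, so an operator who set `acme.domain` without publishing the `.well-known` delegation ends up with a certificate that peers contacting `server_name` will reject, with only a `Reprovisioning matrix.example.com` line in the log. I would make the mismatch explicit before `issue_cert`: `if self._acme_domain != self.hs.hostname: logger.warning("ACME domain %s differs from server_name %s; assuming .well-known delegation is published", self._acme_domain, self.hs.hostname)`. With two names now in play the `logger.exception("Fail!")` in the except branch is too terse to diagnose a CA rejection; `logger.exception("Failed to provision certificate for %s", self._acme_domain)` would name the domain. The method body continues past the hunk; its last line writes the private key with a plain `open(..., "wb")`, so the file mode comes from the process umask — pre-existing, but `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` is the safer form for key material.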