diff options
-rw-r--r-- | changelog.d/4652.feature | 1 | ||||
-rw-r--r-- | synapse/handlers/acme.py | 29 |
2 files changed, 26 insertions, 4 deletions
diff --git a/changelog.d/4652.feature b/changelog.d/4652.feature new file mode 100644 index 0000000000..ebe6880b21 --- /dev/null +++ b/changelog.d/4652.feature @@ -0,0 +1 @@ +Support .well-known delegation when issuing certificates through ACME. diff --git a/synapse/handlers/acme.py b/synapse/handlers/acme.py index dd0b217965..ca5b7257d3 100644 --- a/synapse/handlers/acme.py +++ b/synapse/handlers/acme.py @@ -27,6 +27,8 @@ from twisted.web import server, static from twisted.web.resource import Resource from synapse.app import check_bind_error +from synapse.crypto.context_factory import ClientTLSOptionsFactory +from synapse.http.federation.matrix_federation_agent import MatrixFederationAgent logger = logging.getLogger(__name__) @@ -123,15 +125,34 @@ class AcmeHandler(object): @defer.inlineCallbacks def provision_certificate(self): - logger.warning("Reprovisioning %s", self.hs.hostname) + # Retrieve .well-known if it's in use. We do so through the federation + # agent, because that's where the .well-known logic lives. + agent = MatrixFederationAgent( + tls_client_options_factory=ClientTLSOptionsFactory(None), + reactor=self.reactor, + ) + delegated = yield agent._get_well_known(bytes(self.hs.hostname, "ascii")) + + # If .well-known is in use, use the delegated hostname instead of the + # homeserver's server_name. + if delegated: + cert_name = delegated.decode("ascii") + logger.info( + ".well-known is in use, provisioning %s instead of %s", + cert_name, self.hs.hostname, + ) + else: + cert_name = self.hs.hostname + + logger.warning("Reprovisioning %s", cert_name) try: - yield self._issuer.issue_cert(self.hs.hostname) + yield self._issuer.issue_cert(cert_name) except Exception: logger.exception("Fail!") raise - logger.warning("Reprovisioned %s, saving.", self.hs.hostname) - cert_chain = self._store.certs[self.hs.hostname] + logger.warning("Reprovisioned %s, saving.", cert_name) + cert_chain = self._store.certs[cert_name] try: with open(self.hs.config.tls_private_key_file, "wb") as private_key_file: |