2019-01-23 01:39:06 -07:00
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
# Copyright 2019 New Vector Ltd
|
|
|
|
#
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
# you may not use this file except in compliance with the License.
|
|
|
|
# You may obtain a copy of the License at
|
|
|
|
#
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
#
|
|
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
# See the License for the specific language governing permissions and
|
|
|
|
# limitations under the License.
|
|
|
|
|
|
|
|
import logging
|
|
|
|
|
2019-01-30 07:17:55 -07:00
|
|
|
import twisted
|
|
|
|
import twisted.internet.error
|
2019-01-23 01:39:06 -07:00
|
|
|
from twisted.web import server, static
|
|
|
|
from twisted.web.resource import Resource
|
|
|
|
|
2019-01-30 07:17:55 -07:00
|
|
|
from synapse.app import check_bind_error
|
|
|
|
|
2019-01-23 01:39:06 -07:00
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
2020-02-18 08:10:41 -07:00
|
|
|
ACME_REGISTER_FAIL_ERROR = """
|
2020-02-18 08:15:43 -07:00
|
|
|
--------------------------------------------------------------------------------
|
2020-02-21 01:53:01 -07:00
|
|
|
Failed to register with the ACME provider. This is likely happening because the installation
|
|
|
|
is new, and ACME v1 has been deprecated by Let's Encrypt and disabled for
|
|
|
|
new installations since November 2019.
|
|
|
|
At the moment, Synapse doesn't support ACME v2. For more information and alternative
|
|
|
|
solutions, please read https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1
|
2020-02-18 08:15:43 -07:00
|
|
|
--------------------------------------------------------------------------------"""
|
2020-02-18 08:10:41 -07:00
|
|
|
|
2019-01-23 01:39:06 -07:00
|
|
|
|
|
|
|
class AcmeHandler(object):
|
|
|
|
def __init__(self, hs):
|
|
|
|
self.hs = hs
|
|
|
|
self.reactor = hs.get_reactor()
|
2019-02-19 03:54:33 -07:00
|
|
|
self._acme_domain = hs.config.acme_domain
|
2019-01-23 01:39:06 -07:00
|
|
|
|
2020-08-03 05:09:33 -06:00
|
|
|
async def start_listening(self):
|
2019-06-24 04:33:56 -06:00
|
|
|
from synapse.handlers import acme_issuing_service
|
2019-01-23 01:39:06 -07:00
|
|
|
|
|
|
|
# Configure logging for txacme, if you need to debug
|
|
|
|
# from eliot import add_destinations
|
|
|
|
# from eliot.twisted import TwistedDestination
|
|
|
|
#
|
|
|
|
# add_destinations(TwistedDestination())
|
|
|
|
|
2019-06-24 04:33:56 -06:00
|
|
|
well_known = Resource()
|
|
|
|
|
|
|
|
self._issuer = acme_issuing_service.create_issuing_service(
|
|
|
|
self.reactor,
|
|
|
|
acme_url=self.hs.config.acme_url,
|
2019-06-21 08:27:41 -06:00
|
|
|
account_key_file=self.hs.config.acme_account_key_file,
|
2019-06-24 04:33:56 -06:00
|
|
|
well_known_resource=well_known,
|
2019-01-23 01:39:06 -07:00
|
|
|
)
|
|
|
|
|
|
|
|
responder_resource = Resource()
|
2019-06-20 03:32:02 -06:00
|
|
|
responder_resource.putChild(b".well-known", well_known)
|
|
|
|
responder_resource.putChild(b"check", static.Data(b"OK", b"text/plain"))
|
2019-01-23 01:39:06 -07:00
|
|
|
srv = server.Site(responder_resource)
|
|
|
|
|
2019-01-30 07:17:55 -07:00
|
|
|
bind_addresses = self.hs.config.acme_bind_addresses
|
|
|
|
for host in bind_addresses:
|
2019-01-23 01:39:06 -07:00
|
|
|
logger.info(
|
2019-06-20 03:32:02 -06:00
|
|
|
"Listening for ACME requests on %s:%i", host, self.hs.config.acme_port
|
2019-01-23 01:39:06 -07:00
|
|
|
)
|
2019-01-30 07:17:55 -07:00
|
|
|
try:
|
2019-06-20 03:32:02 -06:00
|
|
|
self.reactor.listenTCP(self.hs.config.acme_port, srv, interface=host)
|
2019-01-30 07:17:55 -07:00
|
|
|
except twisted.internet.error.CannotListenError as e:
|
|
|
|
check_bind_error(e, host, bind_addresses)
|
2019-01-23 01:39:06 -07:00
|
|
|
|
|
|
|
# Make sure we are registered to the ACME server. There's no public API
|
|
|
|
# for this, it is usually triggered by startService, but since we don't
|
|
|
|
# want it to control where we save the certificates, we have to reach in
|
|
|
|
# and trigger the registration machinery ourselves.
|
|
|
|
self._issuer._registered = False
|
2020-02-13 07:58:34 -07:00
|
|
|
|
|
|
|
try:
|
2020-08-03 05:09:33 -06:00
|
|
|
await self._issuer._ensure_registered()
|
2020-02-13 07:58:34 -07:00
|
|
|
except Exception:
|
2020-02-18 08:10:41 -07:00
|
|
|
logger.error(ACME_REGISTER_FAIL_ERROR)
|
|
|
|
raise
|
2019-01-23 01:39:06 -07:00
|
|
|
|
2020-08-03 05:09:33 -06:00
|
|
|
async def provision_certificate(self):
|
2019-01-23 01:39:06 -07:00
|
|
|
|
2019-02-19 03:54:33 -07:00
|
|
|
logger.warning("Reprovisioning %s", self._acme_domain)
|
2019-01-23 01:39:06 -07:00
|
|
|
|
|
|
|
try:
|
2020-08-03 05:09:33 -06:00
|
|
|
await self._issuer.issue_cert(self._acme_domain)
|
2019-01-23 01:39:06 -07:00
|
|
|
except Exception:
|
|
|
|
logger.exception("Fail!")
|
|
|
|
raise
|
2019-02-19 03:54:33 -07:00
|
|
|
logger.warning("Reprovisioned %s, saving.", self._acme_domain)
|
2019-06-24 04:33:56 -06:00
|
|
|
cert_chain = self._issuer.cert_store.certs[self._acme_domain]
|
2019-01-23 01:39:06 -07:00
|
|
|
|
|
|
|
try:
|
|
|
|
with open(self.hs.config.tls_private_key_file, "wb") as private_key_file:
|
|
|
|
for x in cert_chain:
|
|
|
|
if x.startswith(b"-----BEGIN RSA PRIVATE KEY-----"):
|
|
|
|
private_key_file.write(x)
|
|
|
|
|
|
|
|
with open(self.hs.config.tls_certificate_file, "wb") as certificate_file:
|
|
|
|
for x in cert_chain:
|
|
|
|
if x.startswith(b"-----BEGIN CERTIFICATE-----"):
|
|
|
|
certificate_file.write(x)
|
|
|
|
except Exception:
|
|
|
|
logger.exception("Failed saving!")
|
|
|
|
raise
|
|
|
|
|
2019-07-23 07:00:55 -06:00
|
|
|
return True
|