Use a configuration parameter to give the domain to generate a certificate for
parent
68a53f825f
commit
45bb55c6de
|
@ -42,6 +42,7 @@ class TlsConfig(Config):
|
||||||
self.acme_port = acme_config.get("port", 80)
|
self.acme_port = acme_config.get("port", 80)
|
||||||
self.acme_bind_addresses = acme_config.get("bind_addresses", ['::', '0.0.0.0'])
|
self.acme_bind_addresses = acme_config.get("bind_addresses", ['::', '0.0.0.0'])
|
||||||
self.acme_reprovision_threshold = acme_config.get("reprovision_threshold", 30)
|
self.acme_reprovision_threshold = acme_config.get("reprovision_threshold", 30)
|
||||||
|
self.acme_domain = acme_config.get("domain", config.get("server_name"))
|
||||||
|
|
||||||
self.tls_certificate_file = self.abspath(config.get("tls_certificate_path"))
|
self.tls_certificate_file = self.abspath(config.get("tls_certificate_path"))
|
||||||
self.tls_private_key_file = self.abspath(config.get("tls_private_key_path"))
|
self.tls_private_key_file = self.abspath(config.get("tls_private_key_path"))
|
||||||
|
@ -229,6 +230,12 @@ class TlsConfig(Config):
|
||||||
#
|
#
|
||||||
# reprovision_threshold: 30
|
# reprovision_threshold: 30
|
||||||
|
|
||||||
|
# What domain the certificate should be for. Only useful if
|
||||||
|
# delegation via a /.well-known/matrix/server file is being used.
|
||||||
|
# Defaults to the server_name configuration parameter.
|
||||||
|
#
|
||||||
|
# domain: matrix.example.com
|
||||||
|
|
||||||
# List of allowed TLS fingerprints for this server to publish along
|
# List of allowed TLS fingerprints for this server to publish along
|
||||||
# with the signing keys for this server. Other matrix servers that
|
# with the signing keys for this server. Other matrix servers that
|
||||||
# make HTTPS requests to this server will check that the TLS
|
# make HTTPS requests to this server will check that the TLS
|
||||||
|
|
|
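Review bot: The new `self.acme_domain` assignment in the first hunk is accepted without validation, so an explicit `domain:` entry that is null or an empty string propagates unchanged to the ACME issuer and only fails later, far from the configuration that caused it; `config.get("server_name")` can likewise yield None here if that key is absent. A guard right after the assignment would surface the mistake at startup, `if not self.acme_domain: raise ConfigError("acme.domain must be a non-empty hostname")` (ConfigError from synapse.config._base, if this file does not already import it). The sample-config comment added in the second hunk could also state that the value must be the host name federation peers actually connect to, i.e. the .well-known delegated host when delegation is in use, since the surrounding text notes that peers verify this server's TLS and a certificate for any other name would presumably fail that check, e.g. `# Must be the host name peers connect to (the .well-known target, if delegated).`. The `__init__` body containing the first hunk starts and ends outside the hunk.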
@ -27,8 +27,6 @@ from twisted.web import server, static
|
||||||
from twisted.web.resource import Resource
|
from twisted.web.resource import Resource
|
||||||
|
|
||||||
from synapse.app import check_bind_error
|
from synapse.app import check_bind_error
|
||||||
from synapse.crypto.context_factory import ClientTLSOptionsFactory
|
|
||||||
from synapse.http.federation.matrix_federation_agent import MatrixFederationAgent
|
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
@ -125,34 +123,15 @@ class AcmeHandler(object):
|
||||||
@defer.inlineCallbacks
|
@defer.inlineCallbacks
|
||||||
def provision_certificate(self):
|
def provision_certificate(self):
|
||||||
|
|
||||||
# Retrieve .well-known if it's in use. We do so through the federation
|
logger.warning("Reprovisioning %s", self.hs.config.acme_domain)
|
||||||
# agent, because that's where the .well-known logic lives.
|
|
||||||
agent = MatrixFederationAgent(
|
|
||||||
tls_client_options_factory=ClientTLSOptionsFactory(None),
|
|
||||||
reactor=self.reactor,
|
|
||||||
)
|
|
||||||
delegated = yield agent._get_well_known(bytes(self.hs.hostname, "ascii"))
|
|
||||||
|
|
||||||
# If .well-known is in use, use the delegated hostname instead of the
|
|
||||||
# homeserver's server_name.
|
|
||||||
if delegated:
|
|
||||||
cert_name = delegated.decode("ascii")
|
|
||||||
logger.info(
|
|
||||||
".well-known is in use, provisioning %s instead of %s",
|
|
||||||
cert_name, self.hs.hostname,
|
|
||||||
)
|
|
||||||
else:
|
|
||||||
cert_name = self.hs.hostname
|
|
||||||
|
|
||||||
logger.warning("Reprovisioning %s", cert_name)
|
|
||||||
|
|
||||||
try:
|
try:
|
||||||
yield self._issuer.issue_cert(cert_name)
|
yield self._issuer.issue_cert(self.hs.config.acme_domain)
|
||||||
except Exception:
|
except Exception:
|
||||||
logger.exception("Fail!")
|
logger.exception("Fail!")
|
||||||
raise
|
raise
|
||||||
logger.warning("Reprovisioned %s, saving.", cert_name)
|
logger.warning("Reprovisioned %s, saving.", self.hs.config.acme_domain)
|
||||||
cert_chain = self._store.certs[cert_name]
|
cert_chain = self._store.certs[self.hs.config.acme_domain]
|
||||||
|
|
||||||
try:
|
try:
|
||||||
with open(self.hs.config.tls_private_key_file, "wb") as private_key_file:
|
with open(self.hs.config.tls_private_key_file, "wb") as private_key_file:
|
||||||
|
|