
Support .well-known delegation when issuing certificates through ACME #4652

Merged
merged 9 commits into from
Feb 19, 2019
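--- a/changelog.d/4652.feature
+++ b/changelog.d/4652.feature
@@ -0,0 +1 @@
+Support .well-known delegation when issuing certificates through ACME.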
15 changes: 15 additions & 0 deletions synapse/config/tls.py
Expand Up @@ -42,6 +42,7 @@ def read_config(self, config):
self.acme_port = acme_config.get("port", 80)
self.acme_bind_addresses = acme_config.get("bind_addresses", ['::', '0.0.0.0'])
self.acme_reprovision_threshold = acme_config.get("reprovision_threshold", 30)
self.acme_domain = acme_config.get("domain", config.get("server_name"))

self.tls_certificate_file = self.abspath(config.get("tls_certificate_path"))
self.tls_private_key_file = self.abspath(config.get("tls_private_key_path"))
Expand Down Expand Up @@ -229,6 +230,20 @@ def default_config(self, config_dir_path, server_name, **kwargs):
#
# reprovision_threshold: 30

# The domain that the certificate should be for. Normally this
# should be the same as your Matrix domain (i.e., 'server_name'), but,
# by putting a file at 'https://<server_name>/.well-known/matrix/server',
# you can delegate incoming traffic to another server. If you do that,
# you should give the target of the delegation here.
#
# For example: if your 'server_name' is 'example.com', but
# 'https://example.com/.well-known/matrix/server' delegates to
# 'matrix.example.com', you should put 'matrix.example.com' here.
#
# If not set, defaults to your 'server_name'.
#
# domain: matrix.example.com

# List of allowed TLS fingerprints for this server to publish along
# with the signing keys for this server. Other matrix servers that
# make HTTPS requests to this server will check that the TLS
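Review bot: The `domain` value read on the `self.acme_domain = acme_config.get("domain", ...)` line is handed through unvalidated, yet the commented example `# domain: matrix.example.com` invites copying the `.well-known` `m.server` target, which can carry a `:port` suffix that is not a valid certificate name and will only fail later inside the ACME issuer. Consider rejecting it at config time, e.g. `if ":" in self.acme_domain: raise ConfigError("acme.domain must be a bare hostname without a port")`, using whatever config error type this module already raises. The default-config comment should also spell out the constraint the `port`/`bind_addresses` settings above imply: `# The ACME challenge is answered on the 'port' listener above, so 'domain' must resolve to a host where that listener is reachable.` Both `read_config` and `default_config` continue outside the hunks shown.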
9 changes: 5 additions & 4 deletions synapse/handlers/acme.py
Expand Up @@ -56,6 +56,7 @@ class AcmeHandler(object):
def __init__(self, hs):
self.hs = hs
self.reactor = hs.get_reactor()
self._acme_domain = hs.config.acme_domain

@defer.inlineCallbacks
def start_listening(self):
Expand Down Expand Up @@ -123,15 +124,15 @@ def start_listening(self):
@defer.inlineCallbacks
def provision_certificate(self):

logger.warning("Reprovisioning %s", self.hs.hostname)
logger.warning("Reprovisioning %s", self._acme_domain)

try:
yield self._issuer.issue_cert(self.hs.hostname)
yield self._issuer.issue_cert(self._acme_domain)
except Exception:
logger.exception("Fail!")
raise
logger.warning("Reprovisioned %s, saving.", self.hs.hostname)
cert_chain = self._store.certs[self.hs.hostname]
logger.warning("Reprovisioned %s, saving.", self._acme_domain)
cert_chain = self._store.certs[self._acme_domain]

try:
with open(self.hs.config.tls_private_key_file, "wb") as private_key_file:
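Review bot: When `_acme_domain` differs from `server_name`, the certificate written to `tls_certificate_file` after this hunk no longer names the server's own hostname, and nothing in `provision_certificate` checks or records that the operator is relying on `.well-known` delegation, so a missing or stale delegation file breaks federation with no hint in the logs. Before the `issue_cert` call add `if self._acme_domain != self.hs.hostname: logger.warning("ACME domain %s differs from server_name %s; federation relies on .well-known delegation", self._acme_domain, self.hs.hostname)`. Separately, `self._store.certs[self._acme_domain]` raises a bare `KeyError` if the issuer stores the chain under a key that does not match the configured string exactly (a case difference, for instance), so either normalise `domain` when it is read or wrap the lookup with a clear error message. `provision_certificate` continues past the end of the hunk.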