
Support .well-known delegation when issuing certificates through ACME #4652

Merged
merged 9 commits into from
Feb 19, 2019
1 change: 1 addition & 0 deletions changelog.d/4652.feature
@@ -0,0 +1 @@
Support .well-known delegation when issuing certificates through ACME
29 changes: 25 additions & 4 deletions synapse/handlers/acme.py
Expand Up @@ -27,6 +27,8 @@
from twisted.web.resource import Resource

from synapse.app import check_bind_error
from synapse.crypto.context_factory import ClientTLSOptionsFactory
from synapse.http.federation.matrix_federation_agent import MatrixFederationAgent

logger = logging.getLogger(__name__)

Expand Down Expand Up @@ -123,15 +125,34 @@ def start_listening(self):
@defer.inlineCallbacks
def provision_certificate(self):

logger.warning("Reprovisioning %s", self.hs.hostname)
# Retrieve .well-known if it's in use. We do so through the federation
# agent, because that's where the .well-known logic lives.
agent = MatrixFederationAgent(
tls_client_options_factory=ClientTLSOptionsFactory(None),
reactor=self.reactor,
)
delegated = yield agent._get_well_known(bytes(self.hs.hostname, "ascii"))

# If .well-known is in use, use the delegated hostname instead of the
# homeserver's server_name.
if delegated:
cert_name = delegated.decode("ascii")
logger.info(
".well-known is in use, provisionning %s instead of %s",
cert_name, self.hs.hostname,
)
else:
cert_name = self.hs.hostname

logger.warning("Reprovisioning %s", cert_name)

try:
yield self._issuer.issue_cert(self.hs.hostname)
yield self._issuer.issue_cert(cert_name)
except Exception:
logger.exception("Fail!")
raise
logger.warning("Reprovisioned %s, saving.", self.hs.hostname)
cert_chain = self._store.certs[self.hs.hostname]
logger.warning("Reprovisioned %s, saving.", cert_name)
cert_chain = self._store.certs[cert_name]

try:
with open(self.hs.config.tls_private_key_file, "wb") as private_key_file:
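Review bot: `cert_name` is taken verbatim from the `.well-known` result at `cert_name = delegated.decode("ascii")`, and an `m.server` value may carry a `:port` suffix, so unless `_get_well_known` already strips it the issuer can be asked for a name that is not a bare DNS hostname; I would reduce the delegated value to its host part (the same server-name parsing the federation agent applies) before passing it to `issue_cert`, and treat a decode failure on this network-supplied bytes value as "no delegation" rather than letting `UnicodeDecodeError` abort provisioning. The lookup also goes through the private `agent._get_well_known` on an agent built with `ClientTLSOptionsFactory(None)`; I cannot tell from this hunk which TLS verification policy a `None` config selects, so a comment such as `# NOTE: the .well-known fetch decides which name is provisioned; confirm this agent verifies the server certificate` would make the trust assumption explicit for the next reader. The log message on the `.well-known is in use` line has a typo, `provisionning` should read `provisioning`. `provision_certificate` continues past the end of the hunk.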