Support ACME for certificate provisioning #4384

Merged: 71 commits from hawkowl/acme-portable-certificates into develop, Jan 23, 2019

4 participants
@hawkowl (Contributor) commented Jan 14, 2019

No description provided.

hawkowl added some commits Jan 14, 2019

fix
fix
fix
fix
@codecov-io commented Jan 17, 2019

Codecov Report

Merging #4384 into develop will decrease coverage by 0.11%.
The diff coverage is 50%.

@@             Coverage Diff             @@
##           develop    #4384      +/-   ##
===========================================
- Coverage     73.7%   73.58%   -0.12%     
===========================================
  Files          300      301       +1     
  Lines        29705    29822     +117     
  Branches      4882     4894      +12     
===========================================
+ Hits         21895    21946      +51     
- Misses        6385     6446      +61     
- Partials      1425     1430       +5

hawkowl added some commits Jan 17, 2019

@hawkowl hawkowl requested a review from matrix-org/synapse-core Jan 21, 2019

@hawkowl (Contributor, Author) commented Jan 21, 2019

Note for reviewers (@richvdh , @erikjohnston ): this removes the dh_params functionality, and therefore the DHE (but not ECDHE) support. It is unlikely this was used in practice at all, as DHE has been outclassed by ECDHE and is only required for things like IE6. If it breaks anyone, they were using a scarily old and insecure TLS stack, and not one on a platform we support (nor should support).

I'm guessing I'll need to add another newsfile, or split that into a different PR.

More info about why plain DHE is bad: https://weakdh.org/sysadmin.html

@richvdh (Member) left a comment

This is looking nice now.

Something I don't quite understand here. I thought you needed an account key to get certs from LE, and that you were supposed to reuse the same account key for subsequent renewals. I'm not seeing anything about that here... what am I missing?

As for the dh_params thing... I would love it if it could be pulled out to a completely separate PR, but if that's a bit of a faff I won't argue.

CI is sad, at least partially about dh_params.

Update synapse/app/homeserver.py
Co-Authored-By: hawkowl <hawkowl@atleastfornow.net>
@hawkowl (Contributor, Author) commented Jan 22, 2019

Something I don't quite understand here. I thought you needed an account key to get certs from LE, and that you were supposed to reuse the same account key for subsequent renewals. I'm not seeing anything about that here... what am I missing?

@richvdh This is because it registers and uses a consistent client.key. See https://github.com/matrix-org/synapse/pull/4384/files#diff-149d848a6b79ba9483b2e5e40ee029feR82 -- txacme terms it as a client key, not an account key.

@hawkowl (Contributor, Author) commented Jan 22, 2019

@richvdh I'll pull the dh_params out, as it does need a bit of cleanup in other areas + documentation, and could really use its own newsfile. The changing of the cipher string shouldn't result in anything bad (as what's there should equate to what I've added) but will be more consistent across different versions of OpenSSL and is understandable without reading a man page (which I still had trouble deciphering), but is worth calling out anyway.

fix

@hawkowl hawkowl requested a review from matrix-org/synapse-core Jan 22, 2019

)
self.acme_port = acme_config.get("port", 8449)
self.acme_bind_addresses = acme_config.get("bind_addresses", ["127.0.0.1"])
self.acme_reprovision_threshold = acme_config.get("reprovision_threshold", 10)

@michaelkaye (Contributor) Jan 22, 2019

LetsEncrypt, as the main cert provider via ACME, suggests renewal after 60 days (at 30 days to go). They currently send emails to warn of un-renewed certs at 20 and 10 days, so this may want to be about 30 days as a default.

acme_config = config.get("acme", {})
self.acme_enabled = acme_config.get("enabled", False)
self.acme_url = acme_config.get(
"url", "https://acme-staging.api.letsencrypt.org/directory"

@michaelkaye (Contributor) Jan 22, 2019

Don't forget to set the default to be the live endpoint

@michaelkaye (Contributor) Jan 22, 2019

Also, do we want to consider using the v2 API now, if it's a simple change in our use of the library, to prevent us having to move to v2 when they decommission (timeline unspecified, so if it's a lot of work it is definitely worth punting down the road)?

@hawkowl (Author, Contributor) Jan 23, 2019

txacme does not yet support v2. We can probably put a little bit of work in to make it support it, later.

@hawkowl (Author, Contributor) Jan 23, 2019

WRT live endpoint -- I think it should be the staging one by default, since the real one has rate limits, and we don't want someone to get accidentally blacklisted while setting up their server, I think.

@richvdh (Member) Jan 23, 2019

That feels like a lower risk than them wondering why their cert doesn't work, tbh. The fact that the whole thing is disabled by default is enough of a safety net imho.

@hawkowl (Author, Contributor) Jan 23, 2019

hmm, okay
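As an added example (not Synapse or txacme code), the renewal arithmetic behind the threshold discussion above: the `acme` defaults from the reviewed snippet, a days-left check in the `notAfter` string format the stdlib `ssl` module returns, and which of Let's Encrypt's warning e-mails an operator would still receive for a given `reprovision_threshold`. The 90-day lifetime and the 20/10-day warning e-mails are taken from the comments above, not verified here; the sample dates are constructed.

```python
import ssl
import time

# Let's Encrypt behaviour as stated in the review thread (not verified here):
# 90-day certificates, renewal suggested with 30 days left, warning e-mails
# to the account contact at 20 and 10 days before expiry.
LE_CERT_LIFETIME_DAYS = 90
LE_WARNING_EMAIL_DAYS = (20, 10)
# Defaults copied from the tls.py snippet under review (staging URL, 10 days).
DEFAULT_ACME_URL = "https://acme-staging.api.letsencrypt.org/directory"


def load_acme_config(config):
    """Apply the ``acme`` block defaults the way the reviewed snippet does."""
    acme = config.get("acme", {})
    return {
        "enabled": acme.get("enabled", False),
        "url": acme.get("url", DEFAULT_ACME_URL),
        "port": acme.get("port", 8449),
        "bind_addresses": acme.get("bind_addresses", ["127.0.0.1"]),
        "reprovision_threshold": acme.get("reprovision_threshold", 10),
    }


def _to_seconds(t):
    """Accept a getpeercert()-style 'Apr 23 00:00:00 2019 GMT' string or epoch seconds."""
    return ssl.cert_time_to_seconds(t) if isinstance(t, str) else float(t)


def days_until_expiry(not_after, now=None):
    """Days left on a certificate; ``now`` defaults to the current time."""
    now = time.time() if now is None else _to_seconds(now)
    return (_to_seconds(not_after) - now) / 86400.0


def should_reprovision(not_after, threshold_days, now=None):
    """True once the cert is within the reprovision threshold."""
    if not 0 < threshold_days < LE_CERT_LIFETIME_DAYS:
        # A threshold at or above the lifetime would reprovision on every
        # check and run straight into the CA rate limits the thread mentions.
        raise ValueError("reprovision_threshold must be between 0 and 90 days")
    return days_until_expiry(not_after, now) <= threshold_days


def warning_emails_before_renewal(threshold_days):
    """Warning e-mails that still go out before automatic renewal fires:
    a 10-day threshold lets the 20-day mail out, a 30-day one suppresses both."""
    return [d for d in LE_WARNING_EMAIL_DAYS if d > threshold_days]
```

With a constructed cert valid from Jan 23 to Apr 23, 2019 checked on Apr 5, `should_reprovision` is False at the snippet's default of 10 days and True at michaelkaye's suggested 30, while `warning_emails_before_renewal(10)` shows the 20-day e-mail an operator would already have received.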

@richvdh (Member) left a comment

lgtm otherwise, modulo @michaelkaye's comments


richvdh and others added some commits Jan 23, 2019

Update synapse/app/homeserver.py
Co-Authored-By: hawkowl <hawkowl@atleastfornow.net>
Merge branch 'hawkowl/acme-portable-certificates' of ssh://github.com…
…/matrix-org/synapse into hawkowl/acme-portable-certificates

@hawkowl hawkowl merged commit 6129e52 into develop Jan 23, 2019

5 checks passed

ci/circleci: sytestpy2merged: Your tests passed on CircleCI!
ci/circleci: sytestpy2postgresmerged: Your tests passed on CircleCI!
ci/circleci: sytestpy3merged: Your tests passed on CircleCI!
ci/circleci: sytestpy3postgresmerged: Your tests passed on CircleCI!
continuous-integration/travis-ci/pr: The Travis CI build passed

@hawkowl hawkowl deleted the hawkowl/acme-portable-certificates branch Jan 23, 2019
