Support .well-known delegation when issuing certificates through ACME #4652

Merged
merged 9 commits into from Feb 19, 2019
@@ -0,0 +1 @@
Support .well-known delegation when issuing certificates through ACME.
@@ -42,6 +42,7 @@ def read_config(self, config):
self.acme_port = acme_config.get("port", 80)
self.acme_bind_addresses = acme_config.get("bind_addresses", ['::', '0.0.0.0'])
self.acme_reprovision_threshold = acme_config.get("reprovision_threshold", 30)
self.acme_domain = acme_config.get("domain", config.get("server_name"))

self.tls_certificate_file = self.abspath(config.get("tls_certificate_path"))
self.tls_private_key_file = self.abspath(config.get("tls_private_key_path"))
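Review bot: the new `acme_domain` value is stored as-is, so a mistyped or empty `domain` only surfaces later when issuance is attempted; `read_config` could reject a value that is not a non-empty hostname (the same place that already supplies defaults for `port` and `bind_addresses`). Worth spelling out somewhere that the ACME issuer has to answer the CA's validation request for exactly this name on `acme_port` (80 by default), so whatever is put in `domain` must point at the host running this listener and not merely at the name written in `.well-known`.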
@@ -229,6 +230,12 @@ def default_config(self, config_dir_path, server_name, **kwargs):
#
# reprovision_threshold: 30
# What domain the certificate should be for. Only useful if
This conversation was marked as resolved by babolivier

@richvdh (Member) commented on Feb 19, 2019:
I think we can be clearer here.

The domain that the certificate should be for. Normally this should be the same as your matrix domain (ie, 'server_name'), but, by putting a file at 'https://<server_name>/.well-known/matrix/server', you can delegate incoming traffic to another server. If you do that, you should give the target of the delegation here.

For example: if your 'server_name' is 'example.com', but 'https://example.com/.well-known/matrix/server' delegates to 'matrix.example.com', you should put 'matrix.example.com' here.
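As an added illustration (not code from this PR or from Synapse itself), the following Python script works out which value belongs in the new `domain:` setting from a `server_name` and the body of its `.well-known/matrix/server` document, following the rule in the comment above. The well-known bodies are constructed for the example; the `m.server` key and its `host[:port]` value are the Matrix server-discovery format; the YAML keys in the rendered snippet are the ones that appear in the diff. The function names `split_host_port`, `delegated_host`, `acme_domain`, `is_hostname` and `acme_config_snippet` are chosen here and are not Synapse's.

```python
import ipaddress
import json
import re

# Constructed sample .well-known/matrix/server bodies, keyed by server_name.
# None of these were fetched from a real server; the document shape follows
# the Matrix server-discovery format {"m.server": "<hostname>[:<port>]"}.
WELL_KNOWN_BODIES = {
    "example.com": '{"m.server": "matrix.example.com:443"}',   # delegated
    "example.org": '{"m.server": "example.org"}',              # points at itself
    "example.net": "<html><body>404 Not Found</body></html>",  # no delegation file
    "v6.example": '{"m.server": "[2001:db8::1]:8448"}',        # IP literal target
}

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(r"^(?:%s\.)*%s\.?$" % (_LABEL, _LABEL), re.IGNORECASE)


def split_host_port(m_server):
    """Split an m.server value into (host, port-or-None).

    IPv6 literals are bracketed, so the value cannot simply be split on ':'.
    Raises ValueError for anything that is not "<host>[:<port>]".
    """
    if m_server.startswith("["):
        end = m_server.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal: %r" % m_server)
        host, rest = m_server[1:end], m_server[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("junk after IPv6 literal: %r" % m_server)
    else:
        host, sep, rest = m_server.partition(":")
        rest = sep + rest
    if not host:
        raise ValueError("empty host in %r" % m_server)
    port = None
    if rest:
        if not rest[1:].isdigit():
            raise ValueError("non-numeric port in %r" % m_server)
        port = int(rest[1:])
        if not 0 < port < 65536:
            raise ValueError("port out of range in %r" % m_server)
    return host, port


def delegated_host(body):
    """Return the host named by a .well-known body, or None when the body is
    not a usable delegation document (bad JSON, missing key, bad host:port)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    target = doc.get("m.server") if isinstance(doc, dict) else None
    if not isinstance(target, str):
        return None
    try:
        host, _port = split_host_port(target)
    except ValueError:
        return None
    return host


def acme_domain(server_name, well_known_body):
    """The value for the `domain:` setting: the delegation target's hostname
    when .well-known points somewhere, otherwise server_name (the default)."""
    return delegated_host(well_known_body) or server_name


def is_hostname(value):
    """True for a DNS host name.  IP literals are rejected: an ACME order is
    placed for a 'dns' identifier, which names a host, not an address."""
    if len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return False
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(value))


def acme_config_snippet(server_name, well_known_body):
    """Render the `acme:` block (keys as in the diff) for the computed domain."""
    domain = acme_domain(server_name, well_known_body)
    if not is_hostname(domain):
        raise ValueError("cannot request an ACME certificate for %r" % domain)
    lines = ["server_name: %s" % server_name, "acme:", "    enabled: true", "    port: 80"]
    if domain != server_name:
        lines.append("    domain: %s" % domain)  # only needed when delegating
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, body in WELL_KNOWN_BODIES.items():
        try:
            print(acme_config_snippet(name, body))
        except ValueError as err:
            print("%s: %s" % (name, err))
```

The script also covers two cases the comment does not spell out: a delegation target written with a port, where only the hostname part goes into the setting, and a target that is an IP literal, for which no certificate can be ordered under that name, so it refuses rather than emitting a config that would only fail at reprovisioning time.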

@babolivier (Author, Member) commented on Feb 19, 2019:
Thanks. I wasn't happy about the documentation I had, but wasn't sure about how to improve it.

# delegation via a /.well-known/matrix/server file is being used.
# Defaults to the server_name configuration parameter.
#
# domain: matrix.example.com
# List of allowed TLS fingerprints for this server to publish along
# with the signing keys for this server. Other matrix servers that
# make HTTPS requests to this server will check that the TLS
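Review bot: the reworded comment says when `domain` is useful but not what form the value takes; since the certificate is ordered for exactly this name, the docs should say that only a hostname belongs here, with no port, even when the `.well-known` target is written with one, and that the `.well-known` file itself must keep pointing at this host for the name to be worth certifying. The `# domain: matrix.example.com` example could carry that note, and as rendered here it runs straight into the `# List of allowed TLS fingerprints` text without the blank `#` separator line the other options in this sample config get.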
@@ -123,15 +123,15 @@ def start_listening(self):
@defer.inlineCallbacks
def provision_certificate(self):

logger.warning("Reprovisioning %s", self.hs.hostname)
logger.warning("Reprovisioning %s", self.hs.config.acme_domain)
This conversation was marked as resolved by babolivier

@richvdh (Member) commented on Feb 19, 2019:
could you fetch self.hs.config.acme_domain into an instance member (self._acme_domain) in the constructor? That will mean (a) it'll be noticed sooner if there's a problem reading it; (b) it's more concise.


try:
yield self._issuer.issue_cert(self.hs.hostname)
yield self._issuer.issue_cert(self.hs.config.acme_domain)
except Exception:
logger.exception("Fail!")
raise
logger.warning("Reprovisioned %s, saving.", self.hs.hostname)
cert_chain = self._store.certs[self.hs.hostname]
logger.warning("Reprovisioned %s, saving.", self.hs.config.acme_domain)
cert_chain = self._store.certs[self.hs.config.acme_domain]

try:
with open(self.hs.config.tls_private_key_file, "wb") as private_key_file:
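Review bot: `logger.exception("Fail!")` in the except block leaves the operator with nothing to act on when the CA rejects the order, which becomes the likely failure once the certificate name can differ from `self.hs.hostname`; log the name being provisioned there too, e.g. `logger.exception("Failed to provision certificate for %s", self.hs.config.acme_domain)`. The remaining `self.hs.config.acme_domain` lookups in this function would also read better through the `self._acme_domain` member suggested above, so the "Reprovisioning", "Reprovisioned" and `self._store.certs[...]` lines all use one value.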