
Support .well-known delegation when issuing certificates through ACME #4652

Merged
merged 9 commits into from Feb 19, 2019
@@ -0,0 +1 @@
Support .well-known delegation when issuing certificates through ACME
This conversation was marked as resolved by babolivier

anoadragon453 (Member) commented on Feb 18, 2019:

Changelog entries should have punctuation :)

Suggested change
Support .well-known delegation when issuing certificates through ACME
Support .well-known delegation when issuing certificates through ACME.
@@ -27,6 +27,8 @@
from twisted.web.resource import Resource

from synapse.app import check_bind_error
from synapse.crypto.context_factory import ClientTLSOptionsFactory
from synapse.http.federation.matrix_federation_agent import MatrixFederationAgent

logger = logging.getLogger(__name__)

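Review bot: importing `MatrixFederationAgent` and `ClientTLSOptionsFactory` into this module ties ACME provisioning to the federation HTTP client solely to perform a .well-known lookup. Consider putting the lookup behind a small public helper (in `synapse.http.federation` or on the agent itself) so this module does not depend on how the agent is constructed or on its private methods.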
@@ -123,15 +125,34 @@ def start_listening(self):
@defer.inlineCallbacks
def provision_certificate(self):

logger.warning("Reprovisioning %s", self.hs.hostname)
# Retrieve .well-known if it's in use. We do so through the federation
# agent, because that's where the .well-known logic lives.
agent = MatrixFederationAgent(
tls_client_options_factory=ClientTLSOptionsFactory(None),
reactor=self.reactor,
)
delegated = yield agent._get_well_known(bytes(self.hs.hostname, "ascii"))

# If .well-known is in use, use the delegated hostname instead of the
# homeserver's server_name.
if delegated:
cert_name = delegated.decode("ascii")
logger.info(
".well-known is in use, provisionning %s instead of %s",
This conversation was marked as resolved by babolivier

anoadragon453 (Member) commented on Feb 18, 2019:

Suggested change
".well-known is in use, provisionning %s instead of %s",
".well-known is in use, provisioning %s instead of %s",
cert_name, self.hs.hostname,
)
else:
cert_name = self.hs.hostname

logger.warning("Reprovisioning %s", cert_name)

try:
yield self._issuer.issue_cert(self.hs.hostname)
yield self._issuer.issue_cert(cert_name)
except Exception:
logger.exception("Fail!")
raise
logger.warning("Reprovisioned %s, saving.", self.hs.hostname)
cert_chain = self._store.certs[self.hs.hostname]
logger.warning("Reprovisioned %s, saving.", cert_name)
cert_chain = self._store.certs[cert_name]

try:
with open(self.hs.config.tls_private_key_file, "wb") as private_key_file:
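Review bot: the value returned by `_get_well_known` is used as the certificate name without any validation: `cert_name = delegated.decode("ascii")` goes straight into `self._issuer.issue_cert(cert_name)`. Before issuing, check that `delegated` is a bare hostname this server can actually complete an ACME challenge for (reject an empty or non-hostname value, and decide explicitly what to do if the delegated value carries a `:port` suffix), and fall back to `self.hs.hostname` with a logged warning rather than requesting a certificate for whatever the .well-known document names, since a bad delegation otherwise burns ACME rate limits and aborts provisioning via the `except Exception: ... raise` path. Two smaller points in the same hunk: `agent._get_well_known(...)` reaches into a private method of `MatrixFederationAgent`, so a public lookup would be preferable; and it is worth confirming that the agent built with `ClientTLSOptionsFactory(None)` verifies the .well-known server's certificate, because whoever can alter that response controls which name gets provisioned.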