Support .well-known delegation when issuing certificates through ACME

Brendan Abolivier 2019-02-15 12:05:08 +00:00
parent bf4fd14806
commit 1895d14e12
GPG Key ID: 8EF1500759F70623
2 changed files with 24 additions and 4 deletions

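--- a/changelog.d/4652.feature
+++ b/changelog.d/4652.feature
@@ -0,0 +1 @@
+Support .well-known delegation when issuing certificates through ACME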


@ -25,8 +25,11 @@ from twisted.python.filepath import FilePath
from twisted.python.url import URL from twisted.python.url import URL
from twisted.web import server, static from twisted.web import server, static
from twisted.web.resource import Resource from twisted.web.resource import Resource
from twisted.web.client import URI
from synapse.app import check_bind_error from synapse.app import check_bind_error
from synapse.crypto.context_factory import ClientTLSOptionsFactory
from synapse.http.federation.matrix_federation_agent import MatrixFederationAgent
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@ -123,15 +126,31 @@ class AcmeHandler(object):
@defer.inlineCallbacks @defer.inlineCallbacks
def provision_certificate(self): def provision_certificate(self):
logger.warning("Reprovisioning %s", self.hs.hostname) # Retrieve .well-known if it's in use. We do so through the federation
# agent, because that's where the .well-known logic lives.
agent = MatrixFederationAgent(
tls_client_options_factory=ClientTLSOptionsFactory(None),
reactor=self.reactor,
)
delegated = yield agent._get_well_known(bytes(self.hs.hostname,"ascii"))
# If .well-known is in use, use the delegated hostname instead of the
# homeserver's server_name.
if delegated:
cert_name = delegated.decode("ascii")
logger.info(".well-known is in use, provisionning %s instead of %s", cert_name, self.hs.hostname)
else:
cert_name = self.hs.hostname
logger.warning("Reprovisioning %s", cert_name)
try: try:
yield self._issuer.issue_cert(self.hs.hostname) yield self._issuer.issue_cert(cert_name)
except Exception: except Exception:
logger.exception("Fail!") logger.exception("Fail!")
raise raise
logger.warning("Reprovisioned %s, saving.", self.hs.hostname) logger.warning("Reprovisioned %s, saving.", cert_name)
cert_chain = self._store.certs[self.hs.hostname] cert_chain = self._store.certs[cert_name]
try: try:
with open(self.hs.config.tls_private_key_file, "wb") as private_key_file: with open(self.hs.config.tls_private_key_file, "wb") as private_key_file: