Support .well-known delegation when issuing certificates through ACME

pull/4652/head
Brendan Abolivier 2019-02-15 12:05:08 +00:00
parent bf4fd14806
commit 1895d14e12
No known key found for this signature in database
GPG Key ID: 8EF1500759F70623
2 changed files with 24 additions and 4 deletions

1
changelog.d/4652.feature Normal file
View File

@ -0,0 +1 @@
Support .well-known delegation when issuing certificates through ACME

View File

@ -25,8 +25,11 @@ from twisted.python.filepath import FilePath
from twisted.python.url import URL
from twisted.web import server, static
from twisted.web.resource import Resource
from twisted.web.client import URI
from synapse.app import check_bind_error
from synapse.crypto.context_factory import ClientTLSOptionsFactory
from synapse.http.federation.matrix_federation_agent import MatrixFederationAgent
logger = logging.getLogger(__name__)
@ -123,15 +126,31 @@ class AcmeHandler(object):
@defer.inlineCallbacks
def provision_certificate(self):
logger.warning("Reprovisioning %s", self.hs.hostname)
# Retrieve .well-known if it's in use. We do so through the federation
# agent, because that's where the .well-known logic lives.
agent = MatrixFederationAgent(
tls_client_options_factory=ClientTLSOptionsFactory(None),
reactor=self.reactor,
)
delegated = yield agent._get_well_known(bytes(self.hs.hostname,"ascii"))
# If .well-known is in use, use the delegated hostname instead of the
# homeserver's server_name.
if delegated:
cert_name = delegated.decode("ascii")
logger.info(".well-known is in use, provisionning %s instead of %s", cert_name, self.hs.hostname)
else:
cert_name = self.hs.hostname
logger.warning("Reprovisioning %s", cert_name)
try:
yield self._issuer.issue_cert(self.hs.hostname)
yield self._issuer.issue_cert(cert_name)
except Exception:
logger.exception("Fail!")
raise
logger.warning("Reprovisioned %s, saving.", self.hs.hostname)
cert_chain = self._store.certs[self.hs.hostname]
logger.warning("Reprovisioned %s, saving.", cert_name)
cert_chain = self._store.certs[cert_name]
try:
with open(self.hs.config.tls_private_key_file, "wb") as private_key_file: