Merge pull request #4652 from matrix-org/babolivier/acme-delegated
Support .well-known delegation when issuing certificates through ACMEpull/4685/head
commit
a288bdf0b1
|
@ -0,0 +1 @@
|
||||||
|
Support .well-known delegation when issuing certificates through ACME.
|
|
@ -42,6 +42,7 @@ class TlsConfig(Config):
|
||||||
self.acme_port = acme_config.get("port", 80)
|
self.acme_port = acme_config.get("port", 80)
|
||||||
self.acme_bind_addresses = acme_config.get("bind_addresses", ['::', '0.0.0.0'])
|
self.acme_bind_addresses = acme_config.get("bind_addresses", ['::', '0.0.0.0'])
|
||||||
self.acme_reprovision_threshold = acme_config.get("reprovision_threshold", 30)
|
self.acme_reprovision_threshold = acme_config.get("reprovision_threshold", 30)
|
||||||
|
self.acme_domain = acme_config.get("domain", config.get("server_name"))
|
||||||
|
|
||||||
self.tls_certificate_file = self.abspath(config.get("tls_certificate_path"))
|
self.tls_certificate_file = self.abspath(config.get("tls_certificate_path"))
|
||||||
self.tls_private_key_file = self.abspath(config.get("tls_private_key_path"))
|
self.tls_private_key_file = self.abspath(config.get("tls_private_key_path"))
|
||||||
|
@ -229,6 +230,20 @@ class TlsConfig(Config):
|
||||||
#
|
#
|
||||||
# reprovision_threshold: 30
|
# reprovision_threshold: 30
|
||||||
|
|
||||||
|
# The domain that the certificate should be for. Normally this
|
||||||
|
# should be the same as your Matrix domain (i.e., 'server_name'), but,
|
||||||
|
# by putting a file at 'https://<server_name>/.well-known/matrix/server',
|
||||||
|
# you can delegate incoming traffic to another server. If you do that,
|
||||||
|
# you should give the target of the delegation here.
|
||||||
|
#
|
||||||
|
# For example: if your 'server_name' is 'example.com', but
|
||||||
|
# 'https://example.com/.well-known/matrix/server' delegates to
|
||||||
|
# 'matrix.example.com', you should put 'matrix.example.com' here.
|
||||||
|
#
|
||||||
|
# If not set, defaults to your 'server_name'.
|
||||||
|
#
|
||||||
|
# domain: matrix.example.com
|
||||||
|
|
||||||
# List of allowed TLS fingerprints for this server to publish along
|
# List of allowed TLS fingerprints for this server to publish along
|
||||||
# with the signing keys for this server. Other matrix servers that
|
# with the signing keys for this server. Other matrix servers that
|
||||||
# make HTTPS requests to this server will check that the TLS
|
# make HTTPS requests to this server will check that the TLS
|
||||||
|
|
|
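Review bot: The fallback on the `self.acme_domain = acme_config.get("domain", config.get("server_name"))` line in the first hunk only applies when the key is absent, so a `domain:` entry left empty or null in the YAML yields an empty value that is what `issue_cert` is later called with (third section), while the sample config in the second hunk promises "If not set, defaults to your 'server_name'". `self.acme_domain = acme_config.get("domain") or config.get("server_name")` makes the code agree with the documentation. A value that is present but not a hostname (wrong type, surrounding whitespace) still passes through untouched, and rejecting it at config-load time with the config package's usual error rather than at first issuance seems worth a check, though the rest of TlsConfig is outside these hunks. The enclosing method that holds these assignments starts outside the hunk.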
@ -56,6 +56,7 @@ class AcmeHandler(object):
|
||||||
def __init__(self, hs):
|
def __init__(self, hs):
|
||||||
self.hs = hs
|
self.hs = hs
|
||||||
self.reactor = hs.get_reactor()
|
self.reactor = hs.get_reactor()
|
||||||
|
self._acme_domain = hs.config.acme_domain
|
||||||
|
|
||||||
@defer.inlineCallbacks
|
@defer.inlineCallbacks
|
||||||
def start_listening(self):
|
def start_listening(self):
|
||||||
|
@ -123,15 +124,15 @@ class AcmeHandler(object):
|
||||||
@defer.inlineCallbacks
|
@defer.inlineCallbacks
|
||||||
def provision_certificate(self):
|
def provision_certificate(self):
|
||||||
|
|
||||||
logger.warning("Reprovisioning %s", self.hs.hostname)
|
logger.warning("Reprovisioning %s", self._acme_domain)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
yield self._issuer.issue_cert(self.hs.hostname)
|
yield self._issuer.issue_cert(self._acme_domain)
|
||||||
except Exception:
|
except Exception:
|
||||||
logger.exception("Fail!")
|
logger.exception("Fail!")
|
||||||
raise
|
raise
|
||||||
logger.warning("Reprovisioned %s, saving.", self.hs.hostname)
|
logger.warning("Reprovisioned %s, saving.", self._acme_domain)
|
||||||
cert_chain = self._store.certs[self.hs.hostname]
|
cert_chain = self._store.certs[self._acme_domain]
|
||||||
|
|
||||||
try:
|
try:
|
||||||
with open(self.hs.config.tls_private_key_file, "wb") as private_key_file:
|
with open(self.hs.config.tls_private_key_file, "wb") as private_key_file:
|
||||||
|
|
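Review bot: The new `logger.warning("Reprovisioning %s", self._acme_domain)` line in the provision_certificate hunk drops the only place the server's own name was logged, so when delegation is in use an operator looking at a failed order cannot tell from the log which server_name that domain was meant to stand in for. `logger.warning("Reprovisioning %s (server_name %s)", self._acme_domain, self.hs.hostname)` keeps both, and the matching "Reprovisioned" line could do the same. The `self._acme_domain = hs.config.acme_domain` assignment in the `__init__` hunk also deserves a comment such as `# Name the certificate is requested for; differs from server_name when .well-known delegation is in use`, since the rest of the method still reaches through `self.hs.config` for the key and certificate paths at call time. If any `self.hs.hostname` uses remain elsewhere in AcmeHandler outside these hunks, they presumably need the same switch. provision_certificate continues past the hunk.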