Merge pull request #4652 from matrix-org/babolivier/acme-delegated

Support .well-known delegation when issuing certificates through ACME
pull/4685/head
Brendan Abolivier 2019-02-19 11:15:38 +00:00 committed by GitHub
commit a288bdf0b1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 21 additions and 4 deletions

1
changelog.d/4652.feature Normal file
View File

@ -0,0 +1 @@
Support .well-known delegation when issuing certificates through ACME.

View File

@ -42,6 +42,7 @@ class TlsConfig(Config):
self.acme_port = acme_config.get("port", 80) self.acme_port = acme_config.get("port", 80)
self.acme_bind_addresses = acme_config.get("bind_addresses", ['::', '0.0.0.0']) self.acme_bind_addresses = acme_config.get("bind_addresses", ['::', '0.0.0.0'])
self.acme_reprovision_threshold = acme_config.get("reprovision_threshold", 30) self.acme_reprovision_threshold = acme_config.get("reprovision_threshold", 30)
self.acme_domain = acme_config.get("domain", config.get("server_name"))
self.tls_certificate_file = self.abspath(config.get("tls_certificate_path")) self.tls_certificate_file = self.abspath(config.get("tls_certificate_path"))
self.tls_private_key_file = self.abspath(config.get("tls_private_key_path")) self.tls_private_key_file = self.abspath(config.get("tls_private_key_path"))
@ -229,6 +230,20 @@ class TlsConfig(Config):
# #
# reprovision_threshold: 30 # reprovision_threshold: 30
# The domain that the certificate should be for. Normally this
# should be the same as your Matrix domain (i.e., 'server_name'), but,
# by putting a file at 'https://<server_name>/.well-known/matrix/server',
# you can delegate incoming traffic to another server. If you do that,
# you should give the target of the delegation here.
#
# For example: if your 'server_name' is 'example.com', but
# 'https://example.com/.well-known/matrix/server' delegates to
# 'matrix.example.com', you should put 'matrix.example.com' here.
#
# If not set, defaults to your 'server_name'.
#
# domain: matrix.example.com
# List of allowed TLS fingerprints for this server to publish along # List of allowed TLS fingerprints for this server to publish along
# with the signing keys for this server. Other matrix servers that # with the signing keys for this server. Other matrix servers that
# make HTTPS requests to this server will check that the TLS # make HTTPS requests to this server will check that the TLS

View File

@ -56,6 +56,7 @@ class AcmeHandler(object):
def __init__(self, hs): def __init__(self, hs):
self.hs = hs self.hs = hs
self.reactor = hs.get_reactor() self.reactor = hs.get_reactor()
self._acme_domain = hs.config.acme_domain
@defer.inlineCallbacks @defer.inlineCallbacks
def start_listening(self): def start_listening(self):
@ -123,15 +124,15 @@ class AcmeHandler(object):
@defer.inlineCallbacks @defer.inlineCallbacks
def provision_certificate(self): def provision_certificate(self):
logger.warning("Reprovisioning %s", self.hs.hostname) logger.warning("Reprovisioning %s", self._acme_domain)
try: try:
yield self._issuer.issue_cert(self.hs.hostname) yield self._issuer.issue_cert(self._acme_domain)
except Exception: except Exception:
logger.exception("Fail!") logger.exception("Fail!")
raise raise
logger.warning("Reprovisioned %s, saving.", self.hs.hostname) logger.warning("Reprovisioned %s, saving.", self._acme_domain)
cert_chain = self._store.certs[self.hs.hostname] cert_chain = self._store.certs[self._acme_domain]
try: try:
with open(self.hs.config.tls_private_key_file, "wb") as private_key_file: with open(self.hs.config.tls_private_key_file, "wb") as private_key_file: