Use a configuration parameter to give the domain to generate a certif…

…icate for
matrix-org · Feb 18, 2019 · 45bb55c · 45bb55c
1 parent 68a53f8
commit 45bb55c
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 25 deletions.
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
@@ -42,6 +42,7 @@ def read_config(self, config):
         self.acme_port = acme_config.get("port", 80)
         self.acme_bind_addresses = acme_config.get("bind_addresses", ['::', '0.0.0.0'])
         self.acme_reprovision_threshold = acme_config.get("reprovision_threshold", 30)
+        self.acme_domain = acme_config.get("domain", config.get("server_name"))
 
         self.tls_certificate_file = self.abspath(config.get("tls_certificate_path"))
         self.tls_private_key_file = self.abspath(config.get("tls_private_key_path"))
@@ -229,6 +230,12 @@ def default_config(self, config_dir_path, server_name, **kwargs):
             #
             # reprovision_threshold: 30
 
+            # What domain the certificate should be for. Only useful if
+            # delegation via a /.well-known/matrix/server file is being used.
+            # Defaults to the server_name configuration parameter.
+            #
+            # domain: matrix.example.com
+
         # List of allowed TLS fingerprints for this server to publish along
         # with the signing keys for this server. Other matrix servers that
         # make HTTPS requests to this server will check that the TLS

diff --git a/synapse/handlers/acme.py b/synapse/handlers/acme.py
@@ -27,8 +27,6 @@
 from twisted.web.resource import Resource
 
 from synapse.app import check_bind_error
-from synapse.crypto.context_factory import ClientTLSOptionsFactory
-from synapse.http.federation.matrix_federation_agent import MatrixFederationAgent
 
 logger = logging.getLogger(__name__)
 
@@ -125,34 +123,15 @@ def start_listening(self):
     @defer.inlineCallbacks
     def provision_certificate(self):
 
-        # Retrieve .well-known if it's in use. We do so through the federation
-        # agent, because that's where the .well-known logic lives.
-        agent = MatrixFederationAgent(
-            tls_client_options_factory=ClientTLSOptionsFactory(None),
-            reactor=self.reactor,
-        )
-        delegated = yield agent._get_well_known(bytes(self.hs.hostname, "ascii"))
-
-        # If .well-known is in use, use the delegated hostname instead of the
-        # homeserver's server_name.
-        if delegated:
-            cert_name = delegated.decode("ascii")
-            logger.info(
-                ".well-known is in use, provisioning %s instead of %s",
-                cert_name, self.hs.hostname,
-            )
-        else:
-            cert_name = self.hs.hostname
-
-        logger.warning("Reprovisioning %s", cert_name)
+        logger.warning("Reprovisioning %s", self.hs.config.acme_domain)
 
         try:
-            yield self._issuer.issue_cert(cert_name)
+            yield self._issuer.issue_cert(self.hs.config.acme_domain)
         except Exception:
             logger.exception("Fail!")
             raise
-        logger.warning("Reprovisioned %s, saving.", cert_name)
-        cert_chain = self._store.certs[cert_name]
+        logger.warning("Reprovisioned %s, saving.", self.hs.config.acme_domain)
+        cert_chain = self._store.certs[self.hs.config.acme_domain]
 
         try:
             with open(self.hs.config.tls_private_key_file, "wb") as private_key_file: