mirror of
https://git.anonymousland.org/anonymousland/synapse.git
synced 2024-12-26 23:49:23 -05:00
Merge pull request #6907 from matrix-org/babolivier/acme-config
Add mention and warning about ACME v1 deprecation to the TLS config
This commit is contained in:
commit
d484126bf7
1
changelog.d/6907.doc
Normal file
1
changelog.d/6907.doc
Normal file
@ -0,0 +1 @@
|
|||||||
|
Update Synapse's documentation to warn about the deprecation of ACME v1.
|
@ -476,6 +476,11 @@ retention:
|
|||||||
# ACME support: This will configure Synapse to request a valid TLS certificate
|
# ACME support: This will configure Synapse to request a valid TLS certificate
|
||||||
# for your configured `server_name` via Let's Encrypt.
|
# for your configured `server_name` via Let's Encrypt.
|
||||||
#
|
#
|
||||||
|
# Note that ACME v1 is now deprecated, and Synapse currently doesn't support
|
||||||
|
# ACME v2. This means that this feature currently won't work with installs set
|
||||||
|
# up after November 2019. For more info, and alternative solutions, see
|
||||||
|
# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1
|
||||||
|
#
|
||||||
# Note that provisioning a certificate in this way requires port 80 to be
|
# Note that provisioning a certificate in this way requires port 80 to be
|
||||||
# routed to Synapse so that it can complete the http-01 ACME challenge.
|
# routed to Synapse so that it can complete the http-01 ACME challenge.
|
||||||
# By default, if you enable ACME support, Synapse will attempt to listen on
|
# By default, if you enable ACME support, Synapse will attempt to listen on
|
||||||
|
@ -32,6 +32,17 @@ from synapse.util import glob_to_regex
|
|||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
ACME_SUPPORT_ENABLED_WARN = """\
|
||||||
|
This server uses Synapse's built-in ACME support. Note that ACME v1 has been
|
||||||
|
deprecated by Let's Encrypt, and that Synapse doesn't currently support ACME v2,
|
||||||
|
which means that this feature will not work with Synapse installs set up after
|
||||||
|
November 2019, and that it may stop working on June 2020 for installs set up
|
||||||
|
before that date.
|
||||||
|
|
||||||
|
For more info and alternative solutions, see
|
||||||
|
https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1
|
||||||
|
--------------------------------------------------------------------------------"""
|
||||||
|
|
||||||
|
|
||||||
class TlsConfig(Config):
|
class TlsConfig(Config):
|
||||||
section = "tls"
|
section = "tls"
|
||||||
@ -44,6 +55,9 @@ class TlsConfig(Config):
|
|||||||
|
|
||||||
self.acme_enabled = acme_config.get("enabled", False)
|
self.acme_enabled = acme_config.get("enabled", False)
|
||||||
|
|
||||||
|
if self.acme_enabled:
|
||||||
|
logger.warning(ACME_SUPPORT_ENABLED_WARN)
|
||||||
|
|
||||||
# hyperlink complains on py2 if this is not a Unicode
|
# hyperlink complains on py2 if this is not a Unicode
|
||||||
self.acme_url = six.text_type(
|
self.acme_url = six.text_type(
|
||||||
acme_config.get("url", "https://acme-v01.api.letsencrypt.org/directory")
|
acme_config.get("url", "https://acme-v01.api.letsencrypt.org/directory")
|
||||||
@ -362,6 +376,11 @@ class TlsConfig(Config):
|
|||||||
# ACME support: This will configure Synapse to request a valid TLS certificate
|
# ACME support: This will configure Synapse to request a valid TLS certificate
|
||||||
# for your configured `server_name` via Let's Encrypt.
|
# for your configured `server_name` via Let's Encrypt.
|
||||||
#
|
#
|
||||||
|
# Note that ACME v1 is now deprecated, and Synapse currently doesn't support
|
||||||
|
# ACME v2. This means that this feature currently won't work with installs set
|
||||||
|
# up after November 2019. For more info, and alternative solutions, see
|
||||||
|
# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1
|
||||||
|
#
|
||||||
# Note that provisioning a certificate in this way requires port 80 to be
|
# Note that provisioning a certificate in this way requires port 80 to be
|
||||||
# routed to Synapse so that it can complete the http-01 ACME challenge.
|
# routed to Synapse so that it can complete the http-01 ACME challenge.
|
||||||
# By default, if you enable ACME support, Synapse will attempt to listen on
|
# By default, if you enable ACME support, Synapse will attempt to listen on
|
||||||
|
@ -25,6 +25,15 @@ from synapse.app import check_bind_error
|
|||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
ACME_REGISTER_FAIL_ERROR = """
|
||||||
|
--------------------------------------------------------------------------------
|
||||||
|
Failed to register with the ACME provider. This is likely happening because the install
|
||||||
|
is new, and ACME v1 has been deprecated by Let's Encrypt and is disabled for installs set
|
||||||
|
up after November 2019.
|
||||||
|
At the moment, Synapse doesn't support ACME v2. For more info and alternative solution,
|
||||||
|
check out https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1
|
||||||
|
--------------------------------------------------------------------------------"""
|
||||||
|
|
||||||
|
|
||||||
class AcmeHandler(object):
|
class AcmeHandler(object):
|
||||||
def __init__(self, hs):
|
def __init__(self, hs):
|
||||||
@ -71,7 +80,12 @@ class AcmeHandler(object):
|
|||||||
# want it to control where we save the certificates, we have to reach in
|
# want it to control where we save the certificates, we have to reach in
|
||||||
# and trigger the registration machinery ourselves.
|
# and trigger the registration machinery ourselves.
|
||||||
self._issuer._registered = False
|
self._issuer._registered = False
|
||||||
yield self._issuer._ensure_registered()
|
|
||||||
|
try:
|
||||||
|
yield self._issuer._ensure_registered()
|
||||||
|
except Exception:
|
||||||
|
logger.error(ACME_REGISTER_FAIL_ERROR)
|
||||||
|
raise
|
||||||
|
|
||||||
@defer.inlineCallbacks
|
@defer.inlineCallbacks
|
||||||
def provision_certificate(self):
|
def provision_certificate(self):
|
||||||
|
Loading…
Reference in New Issue
Block a user