Allow configuration of the path used for ACME account keys.

Because sticking it in the same place as the config isn't necessarily the right thing to do.
2025-05-02 12:36:02 -04:00 · 2019-06-21 15:27:41 +01:00 · 2019-06-21 15:27:41 +01:00 · edea4bb5be
commit edea4bb5be
parent c3c6b00d95
4 changed files with 59 additions and 7 deletions
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@ -33,7 +33,7 @@ logger = logging.getLogger(__name__)


 class TlsConfig(Config):
-    def read_config(self, config, **kwargs):
+    def read_config(self, config, config_dir_path, **kwargs):

        acme_config = config.get("acme", None)
        if acme_config is None:
@ -50,6 +50,10 @@ class TlsConfig(Config):
        self.acme_reprovision_threshold = acme_config.get("reprovision_threshold", 30)
        self.acme_domain = acme_config.get("domain", config.get("server_name"))

+        self.acme_account_key_file = self.abspath(
+            acme_config.get("account_key_file", config_dir_path + "/client.key")
+        )
+
        self.tls_certificate_file = self.abspath(config.get("tls_certificate_path"))
        self.tls_private_key_file = self.abspath(config.get("tls_private_key_path"))

@ -213,11 +217,12 @@ class TlsConfig(Config):
            if sha256_fingerprint not in sha256_fingerprints:
                self.tls_fingerprints.append({"sha256": sha256_fingerprint})

-    def default_config(self, config_dir_path, server_name, **kwargs):
+    def default_config(self, config_dir_path, server_name, data_dir_path, **kwargs):
        base_key_name = os.path.join(config_dir_path, server_name)

        tls_certificate_path = base_key_name + ".tls.crt"
        tls_private_key_path = base_key_name + ".tls.key"
+        default_acme_account_file = os.path.join(data_dir_path, "acme_account.key")

        # this is to avoid the max line length. Sorrynotsorry
        proxypassline = (
@ -343,6 +348,13 @@ class TlsConfig(Config):
            #
            #domain: matrix.example.com

+            # file to use for the account key. This will be generated if it doesn't
+            # exist.
+            #
+            # If unspecified, we will use CONFDIR/client.key.
+            #
+            account_key_file: %(default_acme_account_file)s
+
        # List of allowed TLS fingerprints for this server to publish along
        # with the signing keys for this server. Other matrix servers that
        # make HTTPS requests to this server will check that the TLS