From 3a5f82267b18a36dfee213d42c76fd8197ead20f Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sat, 23 Sep 2017 15:08:54 +0300
Subject: [PATCH] Do not use Let's Encrypt certificate for Synapse's federation port

As described here ( https://github.com/matrix-org/synapse/issues/2438#issuecomment-327424711 ), using own SSL certificates for the federation port is more fragile, as renewing them could cause federation outages. The recommended setup is to use the self-signed certificates generated by Synapse. On the 443 port (matrix-nginx-proxy) side, we still use the Let's Encrypt certificates, which ensures API consumers work without having to trust "our own CA". Having done this, we also don't need to ever restart Synapse anymore, as no new SSL certificates need to be applied there. It's just matrix-nginx-proxy that needs to be restarted, and it doesn't even need a full restart as an "nginx reload" does the job of swithing to the new SSL certificates.
---
 roles/matrix-server/defaults/main.yml | 8 ++++----
 roles/matrix-server/tasks/setup_nginx_proxy.yml | 13 +++++++++++++
 roles/matrix-server/tasks/setup_synapse.yml | 16 ----------------
 .../matrix-nginx-proxy-periodic-restarter.j2 | 8 ++++++++
 .../cron.d/matrix-periodic-restarter.j2 | 11 -----------
 .../cron.d/matrix-ssl-certificate-renewal.j2 | 2 +-
 .../systemd/matrix-nginx-proxy.service.j2 | 1 +
 .../templates/systemd/matrix-synapse.service.j2 | 2 --
 8 files changed, 27 insertions(+), 34 deletions(-)
 create mode 100644 roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2
 delete mode 100644 roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2
diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml
index 9139b9130..30800a017 100644
--- a/roles/matrix-server/defaults/main.yml
+++ b/roles/matrix-server/defaults/main.yml
@@ -43,10 +43,6 @@ docker_nginx_image: "nginx:1.13.5-alpine"
 docker_riot_image: "silviof/matrix-riot-docker:latest"
 docker_s3fs_image: "xueshanf/s3fs:latest"
 
-# Specifies when to restart the Matrix services so that
-# a new SSL certificate could go into effect (UTC time).
-matrix_services_restart_cron_time_definition: "15 4 3 * *"
-
 # UDP port-range to use for TURN
 matrix_coturn_turn_udp_min_port: 49152
 matrix_coturn_turn_udp_max_port: 49172
@@ -72,3 +68,7 @@ matrix_riot_web_enabled: true
 # But in case that's not the case, you may wish to prevent that
 # and take care of proxying by yourself.
 matrix_nginx_proxy_enabled: true
+
+# Specifies when to reload the matrix-nginx-proxy service so that
+# a new SSL certificate could go into effect (UTC time).
+matrix_nginx_proxy_reload_cron_time_definition: "15 4 3 * *"
\ No newline at end of file
diff --git a/roles/matrix-server/tasks/setup_nginx_proxy.yml b/roles/matrix-server/tasks/setup_nginx_proxy.yml
index 0363d0621..571080640 100644
--- a/roles/matrix-server/tasks/setup_nginx_proxy.yml
+++ b/roles/matrix-server/tasks/setup_nginx_proxy.yml
@@ -56,6 +56,13 @@
     mode: 0644
   when: matrix_nginx_proxy_enabled
 
+- name: Ensure periodic restarting of matrix-nginx-proxy is configured (for SSL renewal)
+  template:
+    src: "{{ role_path }}/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2"
+    dest: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter"
+    mode: 0600
+  when: matrix_nginx_proxy_enabled
+
 #
 # Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled)
 #
@@ -74,3 +81,9 @@
     path: "/etc/systemd/system/matrix-nginx-proxy.service"
     state: absent
   when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists"
+
+- name: Ensure periodic restarting of matrix-nginx-proxy is removed
+  file:
+    path: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter"
+    state: absent
+  when: "not matrix_nginx_proxy_enabled"
\ No newline at end of file
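Review bot: `matrix_nginx_proxy_reload_cron_time_definition: "15 4 3 * *"` reloads the proxy only once a month, while the renewal cron visible in matrix-ssl-certificate-renewal.j2 runs `acmetool --batch reconcile` every five days, so a renewed certificate can sit unused for up to a month and the proxy keeps serving the old one until the next reload. Now that the reload is an in-place `nginx -s reload` rather than a service restart, the monthly cadence inherited from the old restart variable has no remaining justification; a daily schedule such as `"15 5 * * *"` (constructed example) bounds the window to a day. The comment above the variable could state the reasoning, e.g. `# Reloading is cheap (nginx -s reload), so this can safely run often.`. The new value is also the file's last line and is added without a trailing newline (`\ No newline at end of file`), whereas the old file ended with one.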
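Review bot: The new task is named `Ensure periodic restarting of matrix-nginx-proxy is configured (for SSL renewal)`, but the template it installs runs `systemctl reload`, so the name (and the `... is removed` task in the next hunk) should say reloading to match what the cron job does and what the variable `matrix_nginx_proxy_reload_cron_time_definition` is called. `mode: 0600` is an unquoted leading-zero number; YAML 1.1 parses it as the integer 384, which the module applies as 0600, but the quoted form `mode: "0600"` is the one that survives a YAML 1.2 parser and is what yamllint expects. Root-owned 0600 is an appropriate permission for a file under `/etc/cron.d`.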
diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml
index 7cb42728c..9c15d8c2b 100644
--- a/roles/matrix-server/tasks/setup_synapse.yml
+++ b/roles/matrix-server/tasks/setup_synapse.yml
@@ -53,14 +53,6 @@
     - "{{ matrix_synapse_config_dir_path }}:/data"
   when: "not matrix_synapse_config_stat.stat.exists"
 
-- name: Ensure self-signed certificates are removed
-  file:
-    path: "{{ item }}"
-    state: absent
-  with_items:
-    - "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.crt"
-    - "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.key"
-
 - name: Augment Matrix log config
   lineinfile: "dest={{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config"
   args:
@@ -78,8 +70,6 @@
     line: '{{ item.line }}'
   with_items:
     - {"regexp": "^log_file:", "line": 'log_file: "/matrix-run/homeserver.log"'}
-    - {"regexp": "^tls_certificate_path:", "line": 'tls_certificate_path: "/acmetool-certs/live/{{ hostname_matrix }}/fullchain"'}
-    - {"regexp": "^tls_private_key_path:", "line": 'tls_private_key_path: "/acmetool-certs/live/{{ hostname_matrix }}/privkey"'}
     - {"regexp": "^server_name:", "line": 'server_name: "{{ hostname_identity }}"'}
     - {"regexp": "^turn_allow_guests:", "line": 'turn_allow_guests: False'}
     - {"regexp": "^url_preview_enabled:", "line": 'url_preview_enabled: True'}
@@ -148,9 +138,3 @@
     src: "{{ role_path }}/templates/usr-local-bin/matrix-synapse-register-user.j2"
     dest: "/usr/local/bin/matrix-synapse-register-user"
     mode: 0750
-
-- name: Ensure periodic restarting of Matrix is configured (for SSL renewal)
-  template:
-    src: "{{ role_path }}/templates/cron.d/matrix-periodic-restarter.j2"
-    dest: "/etc/cron.d/matrix-periodic-restarter"
-    mode: 0600
diff --git a/roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2 b/roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2
new file mode 100644
index 000000000..e8dfb72b2
--- /dev/null
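Review bot: Removing the `Ensure self-signed certificates are removed` task here and the `tls_certificate_path`/`tls_private_key_path` lineinfile overrides in the next hunk leaves hosts deployed with the previous version of this role unable to start Synapse: their existing `homeserver.yaml` still points at `/acmetool-certs/live/...`, which the unit no longer mounts (the `-v {{ matrix_ssl_certs_path }}:/acmetool-certs` line is dropped in matrix-synapse.service.j2), and the Synapse-generated `{{ hostname_matrix }}.tls.crt`/`.tls.key` files were deleted on every earlier run by the task being removed. The config-generation task above runs only `when: "not matrix_synapse_config_stat.stat.exists"`, so nothing on an existing install rewrites the paths or recreates the files; unless the Docker image regenerates missing self-signed certificates at start (not visible here, please confirm), this is an upgrade-path regression. Keep the two lineinfile entries but point them back at the self-signed pair, e.g. `tls_certificate_path: "/data/{{ hostname_matrix }}.tls.crt"` and `tls_private_key_path: "/data/{{ hostname_matrix }}.tls.key"`, and add a step that regenerates that pair when it is absent from `{{ matrix_synapse_config_dir_path }}`. The enclosing task list begins before this hunk.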
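Review bot: The `Ensure periodic restarting of Matrix is configured (for SSL renewal)` task is removed in the last hunk and its template deleted, but nothing removes the already-installed `/etc/cron.d/matrix-periodic-restarter` from hosts provisioned earlier, so those hosts keep running `systemctl restart matrix-synapse.service` monthly — the federation outage this patch sets out to avoid. setup_nginx_proxy.yml gains a `state: absent` task for the new cron file; the same pattern is needed here, unconditionally, for the old one.

```yaml
# … unchanged: matrix-synapse-register-user template task …

- name: Ensure the old periodic Matrix restarter cron job is removed
  file:
    path: "/etc/cron.d/matrix-periodic-restarter"
    state: absent
```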
+++ b/roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2
@@ -0,0 +1,8 @@
+MAILTO="{{ matrix_ssl_support_email }}"
+
+# This periodically reloads the matrix-nginx-proxy service
+# to ensure it's using the latest SSL certificate
+# in case it got renewed by the `matrix-ssl-certificate-renewal` cronjob
+# (which happens once every ~2-3 months).
+
+{{ matrix_nginx_proxy_reload_cron_time_definition }} root /usr/bin/systemctl reload matrix-nginx-proxy.service
diff --git a/roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2 b/roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2
deleted file mode 100644
index 719ca2532..000000000
--- a/roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-MAILTO="{{ matrix_ssl_support_email }}"
-
-# This periodically restarts the Matrix services
-# to ensure they're using the latest SSL certificate
-# in case it got renewed by the `matrix-ssl-certificate-renewal` cronjob
-# (which happens once every ~2-3 months).
-#
-# Because `matrix-nginx-proxy.service` depends on `matrix-synapse.service`,
-# both would be restarted.
-
-{{ matrix_services_restart_cron_time_definition }} root /usr/bin/systemctl restart matrix-synapse.service
diff --git a/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2
index 47d2cbe97..fa0c98ad1 100644
--- a/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2
+++ b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2
@@ -19,6 +19,6 @@ MAILTO="{{ matrix_ssl_support_email }}"
 # because it aliases `/.well-known/acme-challenge` to that same directory.
 #
 # When a custom proxy server (not matrix-nginx-proxy provided by this playbook),
-# you'd need to make sure you alias these files corretly or SSL renewal would not work.
+# you'd need to make sure you alias these files correctly or SSL renewal would not work.
 
 15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ matrix_ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug
diff --git a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2
index c105c63bf..975b6edb5 100644
--- a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2
+++ b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2
@@ -21,6 +21,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \
     {{ docker_nginx_image }}
 ExecStop=-/usr/bin/docker kill matrix-nginx-proxy
 ExecStop=-/usr/bin/docker rm matrix-nginx-proxy
+ExecReload=/usr/bin/docker exec matrix-nginx-proxy /usr/sbin/nginx -s reload
 
 Restart=always
 RestartSec=30
diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2
index a647db03e..717bd3a8f 100644
--- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2
+++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2
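Review bot: `ExecReload=/usr/bin/docker exec matrix-nginx-proxy /usr/sbin/nginx -s reload` hard-codes the binary path inside the container; that is right for the `nginx:1.13.5-alpine` default, but if `docker_nginx_image` is overridden with an image that installs nginx elsewhere the reload fails and the only signal is the cron job's MAILTO mail, while the proxy silently keeps serving the old certificate. systemd's absolute-path requirement applies only to the first word (`/usr/bin/docker`), so `docker exec matrix-nginx-proxy nginx -s reload` can let the container's PATH resolve it. Note also that `nginx -s reload` only signals the master process and returns success; if the new certificate cannot be loaded nginx keeps the previous workers and reports the problem only in its own log, so a comment above the line would help an operator, e.g. `# Triggered by the matrix-nginx-proxy-periodic-restarter cron job; a failed reload is visible only in nginx's log and cron's MAILTO.`. The ExecStart command this hunk joins starts before the hunk.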
@@ -15,7 +15,6 @@ Requires=matrix-s3fs.service
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-synapse
 ExecStartPre=-/usr/bin/docker rm matrix-synapse
-ExecStartPre=-{{ '/usr/bin/chown' if ansible_os_family == 'RedHat' else '/bin/chown' }} {{ matrix_user_username }}:{{ matrix_user_username }} {{ matrix_ssl_certs_path }} -R
 ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 {% if not matrix_postgres_use_external %}
     --link matrix-postgres:{{ matrix_postgres_connection_hostname }} \
@@ -30,7 +29,6 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
     -v {{ matrix_synapse_config_dir_path }}:/data \
     -v {{ matrix_synapse_run_path }}:/matrix-run \
     -v {{ matrix_synapse_media_store_path }}:/matrix-media-store \
-    -v {{ matrix_ssl_certs_path }}:/acmetool-certs \
     {{ docker_matrix_image }}
 ExecStop=-/usr/bin/docker kill matrix-synapse
 ExecStop=-/usr/bin/docker rm matrix-synapse
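Review bot: Dropping the `ExecStartPre=... chown {{ matrix_user_username }}:{{ matrix_user_username }} {{ matrix_ssl_certs_path }} -R` line stops handing the Let's Encrypt private key to the Synapse user on fresh installs, which is the right least-privilege direction, but it does not undo the recursive chown every previous start already performed on existing hosts, so the key under `{{ matrix_ssl_certs_path }}` stays readable by a service that (after the second hunk removes the `/acmetool-certs` mount) no longer uses it. A one-off role task that resets ownership of that path — a `file` task with `recurse: true` and the owner the renewal container expects (presumably root; confirm against the acmetool container) — would close that leftover exposure. A comment in the unit noting that Synapse now serves its own self-signed certificate on the federation port and intentionally has no access to the proxy's certificates would also save the next reader from re-adding the mount. The ExecStart command continues past the end of the first hunk.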