Do not use Let's Encrypt certificate for Synapse's federation port

As described here (
https://github.com/matrix-org/synapse/issues/2438#issuecomment-327424711
), using own SSL certificates for the federation port is more fragile,
as renewing them could cause federation outages.

The recommended setup is to use the self-signed certificates generated
by Synapse.

On the 443 port (matrix-nginx-proxy) side, we still use the Let's Encrypt
certificates, which ensures API consumers work without having to trust
"our own CA".

Having done this, we also don't need to ever restart Synapse anymore,
as no new SSL certificates need to be applied there.

It's just matrix-nginx-proxy that needs to pick up the new certificates, and it
doesn't even need a full restart: an "nginx reload" does the job of switching
to the new SSL certificates.
This commit is contained in:
Slavi Pantaleev 2017-09-23 15:08:54 +03:00
parent 6962bfcc42
commit 3a5f82267b
8 changed files with 27 additions and 34 deletions


@ -43,10 +43,6 @@ docker_nginx_image: "nginx:1.13.5-alpine"
docker_riot_image: "silviof/matrix-riot-docker:latest" docker_riot_image: "silviof/matrix-riot-docker:latest"
docker_s3fs_image: "xueshanf/s3fs:latest" docker_s3fs_image: "xueshanf/s3fs:latest"
# Specifies when to restart the Matrix services so that
# a new SSL certificate could go into effect (UTC time).
matrix_services_restart_cron_time_definition: "15 4 3 * *"
# UDP port-range to use for TURN # UDP port-range to use for TURN
matrix_coturn_turn_udp_min_port: 49152 matrix_coturn_turn_udp_min_port: 49152
matrix_coturn_turn_udp_max_port: 49172 matrix_coturn_turn_udp_max_port: 49172
@ -72,3 +68,7 @@ matrix_riot_web_enabled: true
# But in case that's not the case, you may wish to prevent that # But in case that's not the case, you may wish to prevent that
# and take care of proxying by yourself. # and take care of proxying by yourself.
matrix_nginx_proxy_enabled: true matrix_nginx_proxy_enabled: true
# Specifies when to reload the matrix-nginx-proxy service so that
# a new SSL certificate could go into effect (UTC time).
matrix_nginx_proxy_reload_cron_time_definition: "15 4 3 * *"
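Review bot: The default `"15 4 3 * *"` reloads nginx once a month, while the renewal job in this same commit runs `15 4 */5 * *`, so a certificate renewed on, say, the 4th is not served until the 3rd of the following month, roughly 29 days later; if acmetool keeps its usual ~30-day renewal margin, that leaves almost no slack before the old certificate expires. Because `nginx -s reload` is graceful and cheap, a daily default such as `matrix_nginx_proxy_reload_cron_time_definition: "15 5 * * *"` (an hour after the renewal slot) would close the gap without any service restart. The comment's "(UTC time)" also only holds if the host's timezone is UTC, since cron.d entries run in local time, so it may be worth saying "host local time, UTC on the default images" or similar.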


@ -56,6 +56,13 @@
mode: 0644 mode: 0644
when: matrix_nginx_proxy_enabled when: matrix_nginx_proxy_enabled
- name: Ensure periodic restarting of matrix-nginx-proxy is configured (for SSL renewal)
template:
src: "{{ role_path }}/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2"
dest: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter"
mode: 0600
when: matrix_nginx_proxy_enabled
# #
# Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled) # Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled)
# #
@ -74,3 +81,9 @@
path: "/etc/systemd/system/matrix-nginx-proxy.service" path: "/etc/systemd/system/matrix-nginx-proxy.service"
state: absent state: absent
when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists" when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists"
- name: Ensure periodic restarting of matrix-nginx-proxy is removed
file:
path: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter"
state: absent
when: "not matrix_nginx_proxy_enabled"
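Review bot: Both new task names and the cron file name still say "restarting"/"periodic-restarter" although the job they install now runs `systemctl reload`, which will confuse the next reader and anyone grepping for the restart behaviour this commit removes. Suggest `- name: Ensure periodic reloading of matrix-nginx-proxy is configured (for SSL renewal)` and the matching `- name: Ensure periodic reloading of matrix-nginx-proxy is removed`; renaming the template/dest to `matrix-nginx-proxy-periodic-reloader` would then need a matching cleanup task for the old path on existing hosts. Separately, `mode: 0600` relies on the YAML 1.1 octal reading that Ansible special-cases; `mode: "0600"` is the form Ansible documents as unambiguous.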


@ -53,14 +53,6 @@
- "{{ matrix_synapse_config_dir_path }}:/data" - "{{ matrix_synapse_config_dir_path }}:/data"
when: "not matrix_synapse_config_stat.stat.exists" when: "not matrix_synapse_config_stat.stat.exists"
- name: Ensure self-signed certificates are removed
file:
path: "{{ item }}"
state: absent
with_items:
- "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.crt"
- "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.key"
- name: Augment Matrix log config - name: Augment Matrix log config
lineinfile: "dest={{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config" lineinfile: "dest={{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config"
args: args:
@ -78,8 +70,6 @@
line: '{{ item.line }}' line: '{{ item.line }}'
with_items: with_items:
- {"regexp": "^log_file:", "line": 'log_file: "/matrix-run/homeserver.log"'} - {"regexp": "^log_file:", "line": 'log_file: "/matrix-run/homeserver.log"'}
- {"regexp": "^tls_certificate_path:", "line": 'tls_certificate_path: "/acmetool-certs/live/{{ hostname_matrix }}/fullchain"'}
- {"regexp": "^tls_private_key_path:", "line": 'tls_private_key_path: "/acmetool-certs/live/{{ hostname_matrix }}/privkey"'}
- {"regexp": "^server_name:", "line": 'server_name: "{{ hostname_identity }}"'} - {"regexp": "^server_name:", "line": 'server_name: "{{ hostname_identity }}"'}
- {"regexp": "^turn_allow_guests:", "line": 'turn_allow_guests: False'} - {"regexp": "^turn_allow_guests:", "line": 'turn_allow_guests: False'}
- {"regexp": "^url_preview_enabled:", "line": 'url_preview_enabled: True'} - {"regexp": "^url_preview_enabled:", "line": 'url_preview_enabled: True'}
@ -148,9 +138,3 @@
src: "{{ role_path }}/templates/usr-local-bin/matrix-synapse-register-user.j2" src: "{{ role_path }}/templates/usr-local-bin/matrix-synapse-register-user.j2"
dest: "/usr/local/bin/matrix-synapse-register-user" dest: "/usr/local/bin/matrix-synapse-register-user"
mode: 0750 mode: 0750
- name: Ensure periodic restarting of Matrix is configured (for SSL renewal)
template:
src: "{{ role_path }}/templates/cron.d/matrix-periodic-restarter.j2"
dest: "/etc/cron.d/matrix-periodic-restarter"
mode: 0600
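Review bot: Dropping the two `tls_certificate_path`/`tls_private_key_path` lineinfile entries stops the playbook from rewriting those keys, but nothing puts the previous values back: on a host that was already deployed, homeserver.yaml still points at `/acmetool-certs/live/{{ hostname_matrix }}/...`, and the matrix-synapse unit in this commit no longer mounts that directory, so Synapse is likely to fail to open its certificate on its next restart. The same goes for the self-signed `.tls.crt`/`.tls.key` that the removed task used to delete — they only exist on fresh installs where Synapse's generator ran after this change. Either keep explicit entries pointing at the generated files, e.g. `- {"regexp": "^tls_certificate_path:", "line": 'tls_certificate_path: "/data/{{ hostname_matrix }}.tls.crt"'}` plus the matching `tls_private_key_path` line, or add a documented one-off migration (regenerate keys, reset the paths) for existing servers; the exact filenames should be checked against what the generator writes. The task these items belong to starts outside the hunk.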


@ -0,0 +1,8 @@
MAILTO="{{ matrix_ssl_support_email }}"
# This periodically reloads the matrix-nginx-proxy service
# to ensure it's using the latest SSL certificate
# in case it got renewed by the `matrix-ssl-certificate-renewal` cronjob
# (which happens once every ~2-3 months).
{{ matrix_nginx_proxy_reload_cron_time_definition }} root /usr/bin/systemctl reload matrix-nginx-proxy.service
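Review bot: `systemctl reload matrix-nginx-proxy.service` fails with "Unit ... is not active" whenever the proxy happens to be stopped or mid-restart at 04:15, which turns every such run into a cron error mail to `{{ matrix_ssl_support_email }}` even though there is nothing to reload. `systemctl try-reload-or-restart matrix-nginx-proxy.service` only acts on an active unit and is a no-op otherwise, so `{{ matrix_nginx_proxy_reload_cron_time_definition }} root /usr/bin/systemctl try-reload-or-restart matrix-nginx-proxy.service` gives the same result without the spurious failures. The comment could also state that a missed reload is only a delayed certificate switch, not a renewal failure, since the renewal itself lives in `matrix-ssl-certificate-renewal`.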


@ -1,11 +0,0 @@
MAILTO="{{ matrix_ssl_support_email }}"
# This periodically restarts the Matrix services
# to ensure they're using the latest SSL certificate
# in case it got renewed by the `matrix-ssl-certificate-renewal` cronjob
# (which happens once every ~2-3 months).
#
# Because `matrix-nginx-proxy.service` depends on `matrix-synapse.service`,
# both would be restarted.
{{ matrix_services_restart_cron_time_definition }} root /usr/bin/systemctl restart matrix-synapse.service


@ -19,6 +19,6 @@ MAILTO="{{ matrix_ssl_support_email }}"
# because it aliases `/.well-known/acme-challenge` to that same directory. # because it aliases `/.well-known/acme-challenge` to that same directory.
# #
# When a custom proxy server (not matrix-nginx-proxy provided by this playbook), # When a custom proxy server (not matrix-nginx-proxy provided by this playbook),
# you'd need to make sure you alias these files corretly or SSL renewal would not work. # you'd need to make sure you alias these files correctly or SSL renewal would not work.
15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ matrix_ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug 15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ matrix_ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug


@ -21,6 +21,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \
{{ docker_nginx_image }} {{ docker_nginx_image }}
ExecStop=-/usr/bin/docker kill matrix-nginx-proxy ExecStop=-/usr/bin/docker kill matrix-nginx-proxy
ExecStop=-/usr/bin/docker rm matrix-nginx-proxy ExecStop=-/usr/bin/docker rm matrix-nginx-proxy
ExecReload=/usr/bin/docker exec matrix-nginx-proxy /usr/sbin/nginx -s reload
Restart=always Restart=always
RestartSec=30 RestartSec=30
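Review bot: `nginx -s reload` exits 0 as soon as the signal is delivered; if the renewed certificate or key fails to load (mismatched pair, unreadable file), the nginx master logs the error, keeps the old workers and keeps serving the old certificate, and neither the unit nor the monthly cron job notices until that certificate expires. systemd runs several `ExecReload=` lines in order and stops at the first failure, so adding `ExecReload=/usr/bin/docker exec matrix-nginx-proxy /usr/sbin/nginx -t` before the existing `-s reload` line makes a broken renewal surface as a failed reload (and a cron mail) instead of a silent fallback. The unit file continues outside the hunk.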


@ -15,7 +15,6 @@ Requires=matrix-s3fs.service
Type=simple Type=simple
ExecStartPre=-/usr/bin/docker kill matrix-synapse ExecStartPre=-/usr/bin/docker kill matrix-synapse
ExecStartPre=-/usr/bin/docker rm matrix-synapse ExecStartPre=-/usr/bin/docker rm matrix-synapse
ExecStartPre=-{{ '/usr/bin/chown' if ansible_os_family == 'RedHat' else '/bin/chown' }} {{ matrix_user_username }}:{{ matrix_user_username }} {{ matrix_ssl_certs_path }} -R
ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
{% if not matrix_postgres_use_external %} {% if not matrix_postgres_use_external %}
--link matrix-postgres:{{ matrix_postgres_connection_hostname }} \ --link matrix-postgres:{{ matrix_postgres_connection_hostname }} \
@ -30,7 +29,6 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
-v {{ matrix_synapse_config_dir_path }}:/data \ -v {{ matrix_synapse_config_dir_path }}:/data \
-v {{ matrix_synapse_run_path }}:/matrix-run \ -v {{ matrix_synapse_run_path }}:/matrix-run \
-v {{ matrix_synapse_media_store_path }}:/matrix-media-store \ -v {{ matrix_synapse_media_store_path }}:/matrix-media-store \
-v {{ matrix_ssl_certs_path }}:/acmetool-certs \
{{ docker_matrix_image }} {{ docker_matrix_image }}
ExecStop=-/usr/bin/docker kill matrix-synapse ExecStop=-/usr/bin/docker kill matrix-synapse
ExecStop=-/usr/bin/docker rm matrix-synapse ExecStop=-/usr/bin/docker rm matrix-synapse
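Review bot: Removing the recursive `chown {{ matrix_user_username }}` of `{{ matrix_ssl_certs_path }}` is the right least-privilege move now that Synapse no longer mounts the certificates, but on hosts deployed with the previous unit that chown has already run, so the Let's Encrypt private key under `live/` stays owned by and readable to the matrix user and nothing in this commit restores root ownership. A one-off `file` task (owner/group root, `recurse: yes`) on that directory, or at least a note in the commit message telling operators to fix ownership, would close that exposure; whichever user the nginx container and the acmetool job run as must still be able to read the files, which I cannot confirm from this hunk. The unit file starts and ends outside the hunk.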