
ACME Reprovisioning #4522

Merged
merged 51 commits into from
Feb 11, 2019
Merged
Changes from 40 commits
51 commits
e3e159d
fix typo
hawkowl Jan 24, 2019
f6a7149
fix
hawkowl Jan 24, 2019
e148691
fix
hawkowl Jan 24, 2019
3ca24d5
fix
hawkowl Jan 24, 2019
8aa6d71
fix
hawkowl Jan 24, 2019
7ea34b0
fix
hawkowl Jan 24, 2019
70170e0
fix
hawkowl Jan 24, 2019
92e893e
fix
hawkowl Jan 24, 2019
f8c4258
fix
hawkowl Jan 24, 2019
9a66c51
fix
hawkowl Jan 24, 2019
7c99df8
fix
hawkowl Jan 24, 2019
0f0187e
fix
hawkowl Jan 24, 2019
4b9fd2b
fix
hawkowl Jan 24, 2019
e2615be
fix
hawkowl Jan 24, 2019
abc4e7d
fix
hawkowl Jan 24, 2019
666fc90
fix
hawkowl Jan 24, 2019
f6b58aa
fix
hawkowl Jan 24, 2019
26f4f5a
Merge remote-tracking branch 'origin/develop' into hawkowl/sighup-tls
hawkowl Jan 28, 2019
aaf9220
fix
hawkowl Jan 28, 2019
7df3114
changelog
hawkowl Jan 28, 2019
3fe07f7
fix
hawkowl Jan 29, 2019
2340ae5
fix
hawkowl Jan 29, 2019
08de6c9
fix
hawkowl Jan 29, 2019
cd78e7e
Merge remote-tracking branch 'origin/develop' into hawkowl/sighup-tls
hawkowl Jan 29, 2019
14e4c4f
fix
hawkowl Jan 29, 2019
d08ef7b
fix
hawkowl Jan 29, 2019
45f9d6c
reprovisioning code
hawkowl Jan 29, 2019
97eec0a
reprovisioning code
hawkowl Jan 30, 2019
edd51a1
Merge remote-tracking branch 'origin/develop' into hawkowl/acme-repro…
hawkowl Jan 30, 2019
62b4e01
pep8 fixes
hawkowl Jan 30, 2019
965921c
pep8 fixes
hawkowl Jan 30, 2019
d21f762
fixes
hawkowl Jan 30, 2019
67c30d3
Merge remote-tracking branch 'origin/develop' into hawkowl/acme-repro…
hawkowl Jan 30, 2019
14274eb
fixes
hawkowl Jan 30, 2019
12696ab
fixes
hawkowl Jan 30, 2019
fe36f24
fixes
hawkowl Jan 30, 2019
9c9d261
changelog
hawkowl Jan 30, 2019
e9e4c52
Merge remote-tracking branch 'origin/develop' into hawkowl/acme-repro…
hawkowl Jan 30, 2019
45810a4
Merge remote-tracking branch 'origin/develop' into hawkowl/acme-repro…
hawkowl Jan 30, 2019
512dfeb
fixes
hawkowl Jan 30, 2019
5fdaf5c
port over
hawkowl Feb 5, 2019
3fa83ab
changelog
hawkowl Feb 5, 2019
1779696
fix
hawkowl Feb 5, 2019
89fba92
some cleanup
hawkowl Feb 8, 2019
b232c17
some cleanup
hawkowl Feb 8, 2019
ffdac50
some cleanup
hawkowl Feb 8, 2019
54ea80c
Merge branch 'hawkowl/dedupe-start' into hawkowl/acme-reprovision
hawkowl Feb 8, 2019
759ceb8
Merge remote-tracking branch 'origin/develop' into hawkowl/acme-repro…
hawkowl Feb 8, 2019
fcb2fe1
Update _base.py
hawkowl Feb 8, 2019
565b3d2
some docs
hawkowl Feb 11, 2019
50046cc
fix changelog
richvdh Feb 11, 2019
1 change: 1 addition & 0 deletions changelog.d/4522.feature
@@ -0,0 +1 @@
Synapse can now automatically provision TLS certificates via ACME (the protocol used by CAs like Let's Encrypt).
61 changes: 61 additions & 0 deletions synapse/app/_base.py
Expand Up @@ -15,19 +15,26 @@

import gc
import logging
import signal
import sys
import traceback

import psutil
from daemonize import Daemonize

from twisted.internet import error, reactor
from twisted.protocols.tls import TLSMemoryBIOFactory

from synapse.app import check_bind_error
from synapse.crypto import context_factory
from synapse.util import PreserveLoggingContext
from synapse.util.rlimit import change_resource_limit

logger = logging.getLogger(__name__)

_sighup_callbacks = []
register_sighup = _sighup_callbacks.append


def start_worker_reactor(appname, config):
""" Run the reactor in the main process
Expand Down Expand Up @@ -189,3 +196,57 @@ def listen_ssl(

logger.info("Synapse now listening on port %d (TLS)", port)
return r


def refresh_certificate(hs):
"""
Refresh the TLS certificates that Synapse is using by re-reading them from
disk and updating the TLS context factories to use them.
"""
logging.info("Loading certificate from disk...")
hs.config.read_certificate_from_disk()
hs.tls_server_context_factory = context_factory.ServerContextFactory(hs.config)
hs.tls_client_options_factory = context_factory.ClientTLSOptionsFactory(
hs.config
)
logging.info("Certificate loaded.")

if hs._listening_services:
logging.info("Updating context factories...")
for i in hs._listening_services:
if isinstance(i.factory, TLSMemoryBIOFactory):
i.factory = TLSMemoryBIOFactory(
hs.tls_server_context_factory,
False,
i.factory.wrappedFactory
)
logging.info("Context factories updated.")


def start(hs, listeners=None):
"""
Start a Synapse server or worker.
"""
try:
# Set up the SIGHUP machinery.
if hasattr(signal, "SIGHUP"):
def handle_sighup(*args, **kwargs):
for i in _sighup_callbacks:
i(hs)

signal.signal(signal.SIGHUP, handle_sighup)

register_sighup(refresh_certificate)

# Load the certificate from disk.
refresh_certificate(hs)

# It is now safe to start your Synapse.
hs.start_listening(listeners)
hs.get_datastore().start_profiling()
except Exception:
traceback.print_exc(file=sys.stderr)
reactor = hs.get_reactor()
if reactor.running:
reactor.stop()
sys.exit(1)
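Review bot: `handle_sighup` (the nested function under `if hasattr(signal, "SIGHUP")` in `start`) invokes every registered callback directly from the signal handler, so an exception out of `refresh_certificate` — e.g. `read_certificate_from_disk()` rejecting a half-written or malformed file during a reload — unwinds into whatever reactor code the signal interrupted instead of being logged, and the loop over `hs._listening_services` in `refresh_certificate` can likewise run in the middle of unrelated main-thread work. Scheduling the callbacks onto the reactor loop and logging failures per callback keeps a bad reload from taking the process down; `hs.get_reactor()` is already used in the `except` branch, so I assume it is the right reactor handle here, but please confirm. Separately, `refresh_certificate` logs through the root logger (`logging.info(...)`) while the module defines `logger` a few lines above; `logger.info("Loading certificate from disk...")` and the other three calls would keep those messages under this module's logger.
```python
        if hasattr(signal, "SIGHUP"):
            def handle_sighup(*args, **kwargs):
                # Defer to the reactor loop: a signal handler runs at an
                # arbitrary bytecode boundary, and a failing reload must not
                # unwind into the code it interrupted.
                def _run_sighup_callbacks():
                    for i in _sighup_callbacks:
                        try:
                            i(hs)
                        except Exception:
                            logger.exception("Error in SIGHUP callback %r", i)

                hs.get_reactor().callFromThread(_run_sighup_callbacks)

            # … unchanged: signal.signal(signal.SIGHUP, handle_sighup) …
```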
7 changes: 1 addition & 6 deletions synapse/app/appservice.py
Expand Up @@ -168,12 +168,7 @@ def start(config_options):
)

ps.setup()
ps.start_listening(config.worker_listeners)

def start():
ps.get_datastore().start_profiling()

reactor.callWhenRunning(start)
reactor.callWhenRunning(_base.start, ps, config.worker_listeners)

_base.start_worker_reactor("synapse-appservice", config)

13 changes: 1 addition & 12 deletions synapse/app/client_reader.py
Expand Up @@ -25,7 +25,6 @@
from synapse.config._base import ConfigError
from synapse.config.homeserver import HomeServerConfig
from synapse.config.logger import setup_logging
from synapse.crypto import context_factory
from synapse.http.server import JsonResource
from synapse.http.site import SynapseSite
from synapse.metrics import RegistryProxy
Expand Down Expand Up @@ -173,17 +172,7 @@ def start(config_options):
)

ss.setup()

def start():
ss.config.read_certificate_from_disk()
ss.tls_server_context_factory = context_factory.ServerContextFactory(config)
ss.tls_client_options_factory = context_factory.ClientTLSOptionsFactory(
config
)
ss.start_listening(config.worker_listeners)
ss.get_datastore().start_profiling()

reactor.callWhenRunning(start)
reactor.callWhenRunning(_base.start, ss, config.worker_listeners)

_base.start_worker_reactor("synapse-client-reader", config)

13 changes: 1 addition & 12 deletions synapse/app/event_creator.py
Expand Up @@ -25,7 +25,6 @@
from synapse.config._base import ConfigError
from synapse.config.homeserver import HomeServerConfig
from synapse.config.logger import setup_logging
from synapse.crypto import context_factory
from synapse.http.server import JsonResource
from synapse.http.site import SynapseSite
from synapse.metrics import RegistryProxy
Expand Down Expand Up @@ -194,17 +193,7 @@ def start(config_options):
)

ss.setup()

def start():
ss.config.read_certificate_from_disk()
ss.tls_server_context_factory = context_factory.ServerContextFactory(config)
ss.tls_client_options_factory = context_factory.ClientTLSOptionsFactory(
config
)
ss.start_listening(config.worker_listeners)
ss.get_datastore().start_profiling()

reactor.callWhenRunning(start)
reactor.callWhenRunning(_base.start, ss, config.worker_listeners)

_base.start_worker_reactor("synapse-event-creator", config)

13 changes: 1 addition & 12 deletions synapse/app/federation_reader.py
Expand Up @@ -26,7 +26,6 @@
from synapse.config._base import ConfigError
from synapse.config.homeserver import HomeServerConfig
from synapse.config.logger import setup_logging
from synapse.crypto import context_factory
from synapse.federation.transport.server import TransportLayerServer
from synapse.http.site import SynapseSite
from synapse.metrics import RegistryProxy
Expand Down Expand Up @@ -160,17 +159,7 @@ def start(config_options):
)

ss.setup()

def start():
ss.config.read_certificate_from_disk()
ss.tls_server_context_factory = context_factory.ServerContextFactory(config)
ss.tls_client_options_factory = context_factory.ClientTLSOptionsFactory(
config
)
ss.start_listening(config.worker_listeners)
ss.get_datastore().start_profiling()

reactor.callWhenRunning(start)
reactor.callWhenRunning(_base.start, ss, config.worker_listeners)

_base.start_worker_reactor("synapse-federation-reader", config)

12 changes: 1 addition & 11 deletions synapse/app/federation_sender.py
Expand Up @@ -25,7 +25,6 @@
from synapse.config._base import ConfigError
from synapse.config.homeserver import HomeServerConfig
from synapse.config.logger import setup_logging
from synapse.crypto import context_factory
from synapse.federation import send_queue
from synapse.http.site import SynapseSite
from synapse.metrics import RegistryProxy
Expand Down Expand Up @@ -192,17 +191,8 @@ def start(config_options):
)

ss.setup()
reactor.callWhenRunning(_base.start, ss, config.worker_listeners)

def start():
ss.config.read_certificate_from_disk()
ss.tls_server_context_factory = context_factory.ServerContextFactory(config)
ss.tls_client_options_factory = context_factory.ClientTLSOptionsFactory(
config
)
ss.start_listening(config.worker_listeners)
ss.get_datastore().start_profiling()

reactor.callWhenRunning(start)
_base.start_worker_reactor("synapse-federation-sender", config)


13 changes: 1 addition & 12 deletions synapse/app/frontend_proxy.py
Expand Up @@ -26,7 +26,6 @@
from synapse.config._base import ConfigError
from synapse.config.homeserver import HomeServerConfig
from synapse.config.logger import setup_logging
from synapse.crypto import context_factory
from synapse.http.server import JsonResource
from synapse.http.servlet import RestServlet, parse_json_object_from_request
from synapse.http.site import SynapseSite
Expand Down Expand Up @@ -250,17 +249,7 @@ def start(config_options):
)

ss.setup()

def start():
ss.config.read_certificate_from_disk()
ss.tls_server_context_factory = context_factory.ServerContextFactory(config)
ss.tls_client_options_factory = context_factory.ClientTLSOptionsFactory(
config
)
ss.start_listening(config.worker_listeners)
ss.get_datastore().start_profiling()

reactor.callWhenRunning(start)
reactor.callWhenRunning(_base.start, ss, config.worker_listeners)

_base.start_worker_reactor("synapse-frontend-proxy", config)
