Do not use Let's Encrypt certificate for Synapse's federation port
As described here ( https://github.com/matrix-org/synapse/issues/2438#issuecomment-327424711 ), using own SSL certificates for the federation port is more fragile, as renewing them could cause federation outages. The recommended setup is to use the self-signed certificates generated by Synapse. On the 443 port (matrix-nginx-proxy) side, we still use the Let's Encrypt certificates, which ensures API consumers work without having to trust "our own CA". Having done this, we also don't need to ever restart Synapse anymore, as no new SSL certificates need to be applied there. It's just matrix-nginx-proxy that needs to be restarted, and it doesn't even need a full restart as an "nginx reload" does the job of swithing to the new SSL certificates.
This commit is contained in:
Slavi Pantaleev
@ -56,6 +56,13 @@
|
||||
mode: 0644
|
||||
when: matrix_nginx_proxy_enabled
|
||||
|
||||
- name: Ensure periodic restarting of matrix-nginx-proxy is configured (for SSL renewal)
|
||||
template:
|
||||
src: "{{ role_path }}/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2"
|
||||
dest: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter"
|
||||
mode: 0600
|
||||
when: matrix_nginx_proxy_enabled
|
||||
|
||||
#
|
||||
# Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled)
|
||||
#
|
||||
@ -74,3 +81,9 @@
|
||||
path: "/etc/systemd/system/matrix-nginx-proxy.service"
|
||||
state: absent
|
||||
when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure periodic restarting of matrix-nginx-proxy is removed
|
||||
file:
|
||||
path: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter"
|
||||
state: absent
|
||||
when: "not matrix_nginx_proxy_enabled"
|
||||
@ -53,14 +53,6 @@
|
||||
- "{{ matrix_synapse_config_dir_path }}:/data"
|
||||
when: "not matrix_synapse_config_stat.stat.exists"
|
||||
|
||||
- name: Ensure self-signed certificates are removed
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: absent
|
||||
with_items:
|
||||
- "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.crt"
|
||||
- "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.key"
|
||||
|
||||
- name: Augment Matrix log config
|
||||
lineinfile: "dest={{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config"
|
||||
args:
|
||||
@ -78,8 +70,6 @@
|
||||
line: '{{ item.line }}'
|
||||
with_items:
|
||||
- {"regexp": "^log_file:", "line": 'log_file: "/matrix-run/homeserver.log"'}
|
||||
- {"regexp": "^tls_certificate_path:", "line": 'tls_certificate_path: "/acmetool-certs/live/{{ hostname_matrix }}/fullchain"'}
|
||||
- {"regexp": "^tls_private_key_path:", "line": 'tls_private_key_path: "/acmetool-certs/live/{{ hostname_matrix }}/privkey"'}
|
||||
- {"regexp": "^server_name:", "line": 'server_name: "{{ hostname_identity }}"'}
|
||||
- {"regexp": "^turn_allow_guests:", "line": 'turn_allow_guests: False'}
|
||||
- {"regexp": "^url_preview_enabled:", "line": 'url_preview_enabled: True'}
|
||||
@ -148,9 +138,3 @@
|
||||
src: "{{ role_path }}/templates/usr-local-bin/matrix-synapse-register-user.j2"
|
||||
dest: "/usr/local/bin/matrix-synapse-register-user"
|
||||
mode: 0750
|
||||
|
||||
- name: Ensure periodic restarting of Matrix is configured (for SSL renewal)
|
||||
template:
|
||||
src: "{{ role_path }}/templates/cron.d/matrix-periodic-restarter.j2"
|
||||
dest: "/etc/cron.d/matrix-periodic-restarter"
|
||||
mode: 0600
|
||||
|
||||
Reference in New Issue
Block a user