Do not use Let's Encrypt certificate for Synapse's federation port
As described here ( https://github.com/matrix-org/synapse/issues/2438#issuecomment-327424711 ), using own SSL certificates for the federation port is more fragile, as renewing them could cause federation outages. The recommended setup is to use the self-signed certificates generated by Synapse. On the 443 port (matrix-nginx-proxy) side, we still use the Let's Encrypt certificates, which ensures API consumers work without having to trust "our own CA". Having done this, we also don't need to ever restart Synapse anymore, as no new SSL certificates need to be applied there. It's just matrix-nginx-proxy that needs to be restarted, and it doesn't even need a full restart as an "nginx reload" does the job of swithing to the new SSL certificates.
This commit is contained in:
parent
6962bfcc42
commit
3a5f82267b
@ -43,10 +43,6 @@ docker_nginx_image: "nginx:1.13.5-alpine"
|
|||||||
docker_riot_image: "silviof/matrix-riot-docker:latest"
|
docker_riot_image: "silviof/matrix-riot-docker:latest"
|
||||||
docker_s3fs_image: "xueshanf/s3fs:latest"
|
docker_s3fs_image: "xueshanf/s3fs:latest"
|
||||||
|
|
||||||
# Specifies when to restart the Matrix services so that
|
|
||||||
# a new SSL certificate could go into effect (UTC time).
|
|
||||||
matrix_services_restart_cron_time_definition: "15 4 3 * *"
|
|
||||||
|
|
||||||
# UDP port-range to use for TURN
|
# UDP port-range to use for TURN
|
||||||
matrix_coturn_turn_udp_min_port: 49152
|
matrix_coturn_turn_udp_min_port: 49152
|
||||||
matrix_coturn_turn_udp_max_port: 49172
|
matrix_coturn_turn_udp_max_port: 49172
|
||||||
@ -72,3 +68,7 @@ matrix_riot_web_enabled: true
|
|||||||
# But in case that's not the case, you may wish to prevent that
|
# But in case that's not the case, you may wish to prevent that
|
||||||
# and take care of proxying by yourself.
|
# and take care of proxying by yourself.
|
||||||
matrix_nginx_proxy_enabled: true
|
matrix_nginx_proxy_enabled: true
|
||||||
|
|
||||||
|
# Specifies when to reload the matrix-nginx-proxy service so that
|
||||||
|
# a new SSL certificate could go into effect (UTC time).
|
||||||
|
matrix_nginx_proxy_reload_cron_time_definition: "15 4 3 * *"
|
@ -56,6 +56,13 @@
|
|||||||
mode: 0644
|
mode: 0644
|
||||||
when: matrix_nginx_proxy_enabled
|
when: matrix_nginx_proxy_enabled
|
||||||
|
|
||||||
|
- name: Ensure periodic restarting of matrix-nginx-proxy is configured (for SSL renewal)
|
||||||
|
template:
|
||||||
|
src: "{{ role_path }}/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2"
|
||||||
|
dest: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter"
|
||||||
|
mode: 0600
|
||||||
|
when: matrix_nginx_proxy_enabled
|
||||||
|
|
||||||
#
|
#
|
||||||
# Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled)
|
# Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled)
|
||||||
#
|
#
|
||||||
@ -74,3 +81,9 @@
|
|||||||
path: "/etc/systemd/system/matrix-nginx-proxy.service"
|
path: "/etc/systemd/system/matrix-nginx-proxy.service"
|
||||||
state: absent
|
state: absent
|
||||||
when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists"
|
when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists"
|
||||||
|
|
||||||
|
- name: Ensure periodic restarting of matrix-nginx-proxy is removed
|
||||||
|
file:
|
||||||
|
path: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter"
|
||||||
|
state: absent
|
||||||
|
when: "not matrix_nginx_proxy_enabled"
|
@ -53,14 +53,6 @@
|
|||||||
- "{{ matrix_synapse_config_dir_path }}:/data"
|
- "{{ matrix_synapse_config_dir_path }}:/data"
|
||||||
when: "not matrix_synapse_config_stat.stat.exists"
|
when: "not matrix_synapse_config_stat.stat.exists"
|
||||||
|
|
||||||
- name: Ensure self-signed certificates are removed
|
|
||||||
file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
state: absent
|
|
||||||
with_items:
|
|
||||||
- "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.crt"
|
|
||||||
- "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.key"
|
|
||||||
|
|
||||||
- name: Augment Matrix log config
|
- name: Augment Matrix log config
|
||||||
lineinfile: "dest={{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config"
|
lineinfile: "dest={{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config"
|
||||||
args:
|
args:
|
||||||
@ -78,8 +70,6 @@
|
|||||||
line: '{{ item.line }}'
|
line: '{{ item.line }}'
|
||||||
with_items:
|
with_items:
|
||||||
- {"regexp": "^log_file:", "line": 'log_file: "/matrix-run/homeserver.log"'}
|
- {"regexp": "^log_file:", "line": 'log_file: "/matrix-run/homeserver.log"'}
|
||||||
- {"regexp": "^tls_certificate_path:", "line": 'tls_certificate_path: "/acmetool-certs/live/{{ hostname_matrix }}/fullchain"'}
|
|
||||||
- {"regexp": "^tls_private_key_path:", "line": 'tls_private_key_path: "/acmetool-certs/live/{{ hostname_matrix }}/privkey"'}
|
|
||||||
- {"regexp": "^server_name:", "line": 'server_name: "{{ hostname_identity }}"'}
|
- {"regexp": "^server_name:", "line": 'server_name: "{{ hostname_identity }}"'}
|
||||||
- {"regexp": "^turn_allow_guests:", "line": 'turn_allow_guests: False'}
|
- {"regexp": "^turn_allow_guests:", "line": 'turn_allow_guests: False'}
|
||||||
- {"regexp": "^url_preview_enabled:", "line": 'url_preview_enabled: True'}
|
- {"regexp": "^url_preview_enabled:", "line": 'url_preview_enabled: True'}
|
||||||
@ -148,9 +138,3 @@
|
|||||||
src: "{{ role_path }}/templates/usr-local-bin/matrix-synapse-register-user.j2"
|
src: "{{ role_path }}/templates/usr-local-bin/matrix-synapse-register-user.j2"
|
||||||
dest: "/usr/local/bin/matrix-synapse-register-user"
|
dest: "/usr/local/bin/matrix-synapse-register-user"
|
||||||
mode: 0750
|
mode: 0750
|
||||||
|
|
||||||
- name: Ensure periodic restarting of Matrix is configured (for SSL renewal)
|
|
||||||
template:
|
|
||||||
src: "{{ role_path }}/templates/cron.d/matrix-periodic-restarter.j2"
|
|
||||||
dest: "/etc/cron.d/matrix-periodic-restarter"
|
|
||||||
mode: 0600
|
|
||||||
|
@ -0,0 +1,8 @@
|
|||||||
|
MAILTO="{{ matrix_ssl_support_email }}"
|
||||||
|
|
||||||
|
# This periodically reloads the matrix-nginx-proxy service
|
||||||
|
# to ensure it's using the latest SSL certificate
|
||||||
|
# in case it got renewed by the `matrix-ssl-certificate-renewal` cronjob
|
||||||
|
# (which happens once every ~2-3 months).
|
||||||
|
|
||||||
|
{{ matrix_nginx_proxy_reload_cron_time_definition }} root /usr/bin/systemctl reload matrix-nginx-proxy.service
|
@ -1,11 +0,0 @@
|
|||||||
MAILTO="{{ matrix_ssl_support_email }}"
|
|
||||||
|
|
||||||
# This periodically restarts the Matrix services
|
|
||||||
# to ensure they're using the latest SSL certificate
|
|
||||||
# in case it got renewed by the `matrix-ssl-certificate-renewal` cronjob
|
|
||||||
# (which happens once every ~2-3 months).
|
|
||||||
#
|
|
||||||
# Because `matrix-nginx-proxy.service` depends on `matrix-synapse.service`,
|
|
||||||
# both would be restarted.
|
|
||||||
|
|
||||||
{{ matrix_services_restart_cron_time_definition }} root /usr/bin/systemctl restart matrix-synapse.service
|
|
@ -19,6 +19,6 @@ MAILTO="{{ matrix_ssl_support_email }}"
|
|||||||
# because it aliases `/.well-known/acme-challenge` to that same directory.
|
# because it aliases `/.well-known/acme-challenge` to that same directory.
|
||||||
#
|
#
|
||||||
# When a custom proxy server (not matrix-nginx-proxy provided by this playbook),
|
# When a custom proxy server (not matrix-nginx-proxy provided by this playbook),
|
||||||
# you'd need to make sure you alias these files corretly or SSL renewal would not work.
|
# you'd need to make sure you alias these files correctly or SSL renewal would not work.
|
||||||
|
|
||||||
15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ matrix_ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug
|
15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ matrix_ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug
|
||||||
|
@ -21,6 +21,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \
|
|||||||
{{ docker_nginx_image }}
|
{{ docker_nginx_image }}
|
||||||
ExecStop=-/usr/bin/docker kill matrix-nginx-proxy
|
ExecStop=-/usr/bin/docker kill matrix-nginx-proxy
|
||||||
ExecStop=-/usr/bin/docker rm matrix-nginx-proxy
|
ExecStop=-/usr/bin/docker rm matrix-nginx-proxy
|
||||||
|
ExecReload=/usr/bin/docker exec matrix-nginx-proxy /usr/sbin/nginx -s reload
|
||||||
Restart=always
|
Restart=always
|
||||||
RestartSec=30
|
RestartSec=30
|
||||||
|
|
||||||
|
@ -15,7 +15,6 @@ Requires=matrix-s3fs.service
|
|||||||
Type=simple
|
Type=simple
|
||||||
ExecStartPre=-/usr/bin/docker kill matrix-synapse
|
ExecStartPre=-/usr/bin/docker kill matrix-synapse
|
||||||
ExecStartPre=-/usr/bin/docker rm matrix-synapse
|
ExecStartPre=-/usr/bin/docker rm matrix-synapse
|
||||||
ExecStartPre=-{{ '/usr/bin/chown' if ansible_os_family == 'RedHat' else '/bin/chown' }} {{ matrix_user_username }}:{{ matrix_user_username }} {{ matrix_ssl_certs_path }} -R
|
|
||||||
ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
|
ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
|
||||||
{% if not matrix_postgres_use_external %}
|
{% if not matrix_postgres_use_external %}
|
||||||
--link matrix-postgres:{{ matrix_postgres_connection_hostname }} \
|
--link matrix-postgres:{{ matrix_postgres_connection_hostname }} \
|
||||||
@ -30,7 +29,6 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
|
|||||||
-v {{ matrix_synapse_config_dir_path }}:/data \
|
-v {{ matrix_synapse_config_dir_path }}:/data \
|
||||||
-v {{ matrix_synapse_run_path }}:/matrix-run \
|
-v {{ matrix_synapse_run_path }}:/matrix-run \
|
||||||
-v {{ matrix_synapse_media_store_path }}:/matrix-media-store \
|
-v {{ matrix_synapse_media_store_path }}:/matrix-media-store \
|
||||||
-v {{ matrix_ssl_certs_path }}:/acmetool-certs \
|
|
||||||
{{ docker_matrix_image }}
|
{{ docker_matrix_image }}
|
||||||
ExecStop=-/usr/bin/docker kill matrix-synapse
|
ExecStop=-/usr/bin/docker kill matrix-synapse
|
||||||
ExecStop=-/usr/bin/docker rm matrix-synapse
|
ExecStop=-/usr/bin/docker rm matrix-synapse
|
||||||
|
Loading…
Reference in New Issue
Block a user