Make self-check not validate self-signed certificates

By default, `--tags=self-check` no longer validates certificates
when `matrix_ssl_retrieval_method` is set to `self-signed`.

Besides this default, people can also enable/disable validation using the
individual role variables manually.

Fixes #124 (Github Issue)
This commit is contained in:
Slavi Pantaleev 2019-03-22 09:39:17 +02:00
parent 1939fc9113
commit 73af8f7bbb
11 changed files with 29 additions and 3 deletions

View File

@ -181,6 +181,8 @@ matrix_mxisd_threepid_medium_email_connectors_smtp_host: "matrix-mailer"
matrix_mxisd_threepid_medium_email_connectors_smtp_port: 8025 matrix_mxisd_threepid_medium_email_connectors_smtp_port: 8025
matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 0 matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 0
matrix_mxisd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
matrix_mxisd_systemd_wanted_services_list: | matrix_mxisd_systemd_wanted_services_list: |
{{ {{
(['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-synapse.service']) (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-synapse.service'])
@ -238,6 +240,8 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_mxisd_
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}"
matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
matrix_nginx_proxy_systemd_wanted_services_list: | matrix_nginx_proxy_systemd_wanted_services_list: |
{{ {{
(['matrix-synapse.service']) (['matrix-synapse.service'])
@ -313,6 +317,8 @@ matrix_riot_web_integrations_rest_url: "{{ matrix_dimension_integrations_rest_ur
matrix_riot_web_integrations_widgets_urls: "{{ matrix_dimension_integrations_widgets_urls if matrix_dimension_enabled else ['https://scalar.vector.im/api'] }}" matrix_riot_web_integrations_widgets_urls: "{{ matrix_dimension_integrations_widgets_urls if matrix_dimension_enabled else ['https://scalar.vector.im/api'] }}"
matrix_riot_web_integrations_jitsi_widget_url: "{{ matrix_dimension_integrations_jitsi_widget_url if matrix_dimension_enabled else 'https://scalar.vector.im/api/widgets/jitsi.html' }}" matrix_riot_web_integrations_jitsi_widget_url: "{{ matrix_dimension_integrations_jitsi_widget_url if matrix_dimension_enabled else 'https://scalar.vector.im/api/widgets/jitsi.html' }}"
matrix_riot_web_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
###################################################################### ######################################################################
# #
# /matrix-riot-web # /matrix-riot-web
@ -375,6 +381,8 @@ matrix_synapse_turn_uris: |
matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}"
matrix_synapse_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
matrix_synapse_systemd_required_services_list: | matrix_synapse_systemd_required_services_list: |
{{ {{
(['docker.service']) (['docker.service'])

View File

@ -55,6 +55,9 @@ matrix_mxisd_threepid_medium_email_custom_session_validation_template: ""
matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template: "" matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template: ""
matrix_mxisd_threepid_medium_email_custom_matrixid_template: "" matrix_mxisd_threepid_medium_email_custom_matrixid_template: ""
# Controls whether the self-check feature should validate SSL certificates.
matrix_mxisd_self_check_validate_certificates: true
# Default mxisd configuration template which covers the generic use case. # Default mxisd configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it. # You can customize it by controlling the various variables inside it.
# #

View File

@ -7,6 +7,7 @@
uri: uri:
url: "{{ mxisd_url_endpoint_public }}" url: "{{ mxisd_url_endpoint_public }}"
follow_redirects: false follow_redirects: false
validate_certs: "{{ matrix_mxisd_self_check_validate_certificates }}"
register: result_mxisd register: result_mxisd
ignore_errors: true ignore_errors: true

View File

@ -104,6 +104,9 @@ matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
# Specifies which SSL protocols to use when serving Riot and Synapse # Specifies which SSL protocols to use when serving Riot and Synapse
matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3" matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"
# Controls whether the self-check feature should validate SSL certificates.
matrix_nginx_proxy_self_check_validate_certificates: true
# By default, this playbook automatically retrieves and auto-renews # By default, this playbook automatically retrieves and auto-renews
# free SSL certificates from Let's Encrypt. # free SSL certificates from Let's Encrypt.
# #

View File

@ -7,6 +7,7 @@
purpose: Client Discovery purpose: Client Discovery
cors: true cors: true
follow_redirects: false follow_redirects: false
validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
- block: - block:
- set_fact: - set_fact:
@ -15,6 +16,7 @@
purpose: Server Discovery purpose: Server Discovery
cors: false cors: false
follow_redirects: true follow_redirects: true
validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
- name: Determine domains that we require certificates for (mxisd) - name: Determine domains that we require certificates for (mxisd)
set_fact: set_fact:

View File

@ -11,6 +11,7 @@
url: "{{ well_known_url_matrix }}" url: "{{ well_known_url_matrix }}"
follow_redirects: false follow_redirects: false
return_content: true return_content: true
validate_certs: "{{ well_known_file_check.validate_certs }}"
register: result_well_known_matrix register: result_well_known_matrix
ignore_errors: true ignore_errors: true
@ -37,6 +38,7 @@
url: "{{ well_known_url_identity }}" url: "{{ well_known_url_identity }}"
follow_redirects: "{{ well_known_file_check.follow_redirects }}" follow_redirects: "{{ well_known_file_check.follow_redirects }}"
return_content: true return_content: true
validate_certs: "{{ well_known_file_check.validate_certs }}"
register: result_well_known_identity register: result_well_known_identity
ignore_errors: true ignore_errors: true

View File

@ -25,3 +25,6 @@ matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org"
# By default, there's no Riot homepage (when logged in). If you wish to have one, # By default, there's no Riot homepage (when logged in). If you wish to have one,
# point this to a `home.html` template file on your local filesystem. # point this to a `home.html` template file on your local filesystem.
matrix_riot_web_embedded_pages_home_path: ~ matrix_riot_web_embedded_pages_home_path: ~
# Controls whether the self-check feature should validate SSL certificates.
matrix_riot_web_self_check_validate_certificates: true

View File

@ -7,6 +7,7 @@
uri: uri:
url: "{{ riot_web_url_endpoint_public }}" url: "{{ riot_web_url_endpoint_public }}"
follow_redirects: false follow_redirects: false
validate_certs: "{{ matrix_riot_web_self_check_validate_certificates }}"
register: result_riot_web register: result_riot_web
ignore_errors: true ignore_errors: true

View File

@ -202,6 +202,8 @@ matrix_s3_media_store_aws_access_key: "your-aws-access-key"
matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" matrix_s3_media_store_aws_secret_key: "your-aws-secret-key"
matrix_s3_media_store_region: "eu-central-1" matrix_s3_media_store_region: "eu-central-1"
# Controls whether the self-check feature should validate SSL certificates.
matrix_synapse_self_check_validate_certificates: true
# Matrix mautrix is a Matrix <-> Telegram bridge # Matrix mautrix is a Matrix <-> Telegram bridge
# Enable telegram bridge # Enable telegram bridge

View File

@ -4,6 +4,7 @@
uri: uri:
url: "{{ matrix_synapse_client_api_url_endpoint_public }}" url: "{{ matrix_synapse_client_api_url_endpoint_public }}"
follow_redirects: false follow_redirects: false
validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}"
register: result_matrix_synapse_client_api register: result_matrix_synapse_client_api
ignore_errors: true ignore_errors: true

View File

@ -4,7 +4,7 @@
uri: uri:
url: "{{ matrix_synapse_federation_api_url_endpoint_public }}" url: "{{ matrix_synapse_federation_api_url_endpoint_public }}"
follow_redirects: false follow_redirects: false
validate_certs: false validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}"
register: result_matrix_synapse_federation_api register: result_matrix_synapse_federation_api
ignore_errors: true ignore_errors: true