
Add mention and warning about ACME v1 deprecation to the TLS config #6907

Merged
merged 9 commits into from
Feb 18, 2020
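--- a/changelog.d/6907.doc
+++ b/changelog.d/6907.doc
@@ -0,0 +1 @@
+Update Synapse's documentation to warn about the deprecation of ACME v1.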
5 changes: 5 additions & 0 deletions docs/sample_config.yaml
Expand Up @@ -466,6 +466,11 @@ retention:
# ACME support: This will configure Synapse to request a valid TLS certificate
# for your configured `server_name` via Let's Encrypt.
#
# Note that ACME v1 is now deprecated, and Synapse currently doesn't support
# ACME v2. This means that this feature currently won't work with installs set
# up after November 2019. For more info, and alternative solutions, see
# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1
#
# Note that provisioning a certificate in this way requires port 80 to be
# routed to Synapse so that it can complete the http-01 ACME challenge.
# By default, if you enable ACME support, Synapse will attempt to listen on
19 changes: 19 additions & 0 deletions synapse/config/tls.py
Expand Up @@ -32,6 +32,17 @@

logger = logging.getLogger(__name__)

ACME_SUPPORT_ENABLED_WARN = """\
This server uses Synapse's built-in ACME support. Note that ACME v1 has been
deprecated by Let's Encrypt, and that Synapse doesn't currently support ACME v2,
which means that this feature will not work with Synapse installs set up after
November 2019, and that it may stop working on June 2020 for installs set up
before that date.

For more info and alternative solutions, see
https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1
--------------------------------------------------------------------------------"""


class TlsConfig(Config):
section = "tls"
Expand All @@ -44,6 +55,9 @@ def read_config(self, config: dict, config_dir_path: str, **kwargs):

self.acme_enabled = acme_config.get("enabled", False)

if self.acme_enabled:
logger.warning(ACME_SUPPORT_ENABLED_WARN)

# hyperlink complains on py2 if this is not a Unicode
self.acme_url = six.text_type(
acme_config.get("url", "https://acme-v01.api.letsencrypt.org/directory")
Expand Down Expand Up @@ -362,6 +376,11 @@ def generate_config_section(
# ACME support: This will configure Synapse to request a valid TLS certificate
# for your configured `server_name` via Let's Encrypt.
#
# Note that ACME v1 is now deprecated, and Synapse currently doesn't support
# ACME v2. This means that this feature currently won't work with installs set
# up after November 2019. For more info, and alternative solutions, see
# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1
#
# Note that provisioning a certificate in this way requires port 80 to be
# routed to Synapse so that it can complete the http-01 ACME challenge.
# By default, if you enable ACME support, Synapse will attempt to listen on
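Review bot: The new ACME_SUPPORT_ENABLED_WARN text in the first hunk reads `it may stop working on June 2020`; that should be `in June 2020`. The banner is also laid out differently from ACME_REGISTER_FAIL_ERROR, which this same PR adds in synapse/handlers/acme.py: that one opens with a newline and a dashed rule and closes with another, whereas this one only closes with a rule, so the two messages look inconsistent when they appear in the log; giving this constant the same leading rule keeps them aligned. Both constants embed hard dates (November 2019, June 2020) that will go stale; a one-line comment above the constant such as `# Dates follow the Let's Encrypt ACME v1 schedule described in docs/ACME.md` would tell the next maintainer where to check before editing them. The `if self.acme_enabled: logger.warning(...)` in the second hunk is fine as written; read_config's body starts and ends outside that hunk.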
16 changes: 15 additions & 1 deletion synapse/handlers/acme.py
Expand Up @@ -25,6 +25,15 @@

logger = logging.getLogger(__name__)

ACME_REGISTER_FAIL_ERROR = """
--------------------------------------------------------------------------------
Failed to register with the ACME provider. This is likely happening because the install
is new, and ACME v1 has been deprecated by Let's Encrypt and is disabled for installs set
up after November 2019.
At the moment, Synapse doesn't support ACME v2. For more info and alternative solution,
check out https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1
--------------------------------------------------------------------------------"""


class AcmeHandler(object):
def __init__(self, hs):
Expand Down Expand Up @@ -71,7 +80,12 @@ def start_listening(self):
# want it to control where we save the certificates, we have to reach in
# and trigger the registration machinery ourselves.
self._issuer._registered = False
yield self._issuer._ensure_registered()

try:
yield self._issuer._ensure_registered()
except Exception:
logger.error(ACME_REGISTER_FAIL_ERROR)
raise

@defer.inlineCallbacks
def provision_certificate(self):
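Review bot: The new `except Exception:` around `yield self._issuer._ensure_registered()` in start_listening turns every failure of the registration call — a transport or DNS error, a rejected account, anything else the issuer raises — into the ACME v1 deprecation banner, and `logger.error(ACME_REGISTER_FAIL_ERROR)` never mentions the actual exception, so an operator whose problem is not the v1 shutdown is pointed at the wrong cause. The `raise` on the next line may surface the traceback further up, but logging the real error next to the hint ties the two together: `except Exception as e:` / `logger.error("%s\nUnderlying error: %s", ACME_REGISTER_FAIL_ERROR, e)` before the `raise`. The banner text in the first hunk also says `alternative solution`, which should be `alternative solutions` to match the wording in synapse/config/tls.py. start_listening begins outside the hunk.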