Do not use Let's Encrypt certificate for Synapse's federation port

As described here ( https://github.com/matrix-org/synapse/issues/2438#issuecomment-327424711 ), using own SSL certificates for the federation port is more fragile, as renewing them could cause federation outages. The recommended setup is to use the self-signed certificates generated by Synapse. On the 443 port (matrix-nginx-proxy) side, we still use the Let's Encrypt certificates, which ensures API consumers work without having to trust "our own CA". Having done this, we also don't need to ever restart Synapse anymore, as no new SSL certificates need to be applied there. It's just matrix-nginx-proxy that needs to be restarted, and it doesn't even need a full restart as an "nginx reload" does the job of swithing to the new SSL certificates.
7 years ago · 3a5f82267b
parent 6962bfcc42
commit 3a5f82267b
8 changed files with 27 additions and 34 deletions
--- a/roles/matrix-server/defaults/main.yml
+++ b/roles/matrix-server/defaults/main.yml
@ -43,10 +43,6 @@ docker_nginx_image: "nginx:1.13.5-alpine"
 docker_riot_image: "silviof/matrix-riot-docker:latest"
 docker_s3fs_image: "xueshanf/s3fs:latest"

-# Specifies when to restart the Matrix services so that
-# a new SSL certificate could go into effect (UTC time).
-matrix_services_restart_cron_time_definition: "15 4 3 * *"
-
 # UDP port-range to use for TURN
 matrix_coturn_turn_udp_min_port: 49152
 matrix_coturn_turn_udp_max_port: 49172
@ -72,3 +68,7 @@ matrix_riot_web_enabled: true
 # But in case that's not the case, you may wish to prevent that
 # and take care of proxying by yourself.
 matrix_nginx_proxy_enabled: true
+
+# Specifies when to reload the matrix-nginx-proxy service so that
+# a new SSL certificate could go into effect (UTC time).
+matrix_nginx_proxy_reload_cron_time_definition: "15 4 3 * *"
--- a/roles/matrix-server/tasks/setup_nginx_proxy.yml
+++ b/roles/matrix-server/tasks/setup_nginx_proxy.yml
@ -56,6 +56,13 @@
    mode: 0644
  when: matrix_nginx_proxy_enabled

+- name: Ensure periodic restarting of matrix-nginx-proxy is configured (for SSL renewal)
+  template:
+    src: "{{ role_path }}/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2"
+    dest: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter"
+    mode: 0600
+  when: matrix_nginx_proxy_enabled
+
 #
 # Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled)
 #
@ -74,3 +81,9 @@
    path: "/etc/systemd/system/matrix-nginx-proxy.service"
    state: absent
  when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists"
+
+- name: Ensure periodic restarting of matrix-nginx-proxy is removed
+  file:
+    path: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter"
+    state: absent
+  when: "not matrix_nginx_proxy_enabled"
--- a/roles/matrix-server/tasks/setup_synapse.yml
+++ b/roles/matrix-server/tasks/setup_synapse.yml
@ -53,14 +53,6 @@
      - "{{ matrix_synapse_config_dir_path }}:/data"
  when: "not matrix_synapse_config_stat.stat.exists"

- name: Ensure self-signed certificates are removed
-  file:
-    path: "{{ item }}"
-    state: absent
-  with_items:
-    - "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.crt"
-    - "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.key"
-
 - name: Augment Matrix log config
  lineinfile: "dest={{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config"
  args:
@ -78,8 +70,6 @@
    line: '{{ item.line }}'
  with_items:
    - {"regexp": "^log_file:", "line": 'log_file: "/matrix-run/homeserver.log"'}
-    - {"regexp": "^tls_certificate_path:", "line": 'tls_certificate_path: "/acmetool-certs/live/{{ hostname_matrix }}/fullchain"'}
-    - {"regexp": "^tls_private_key_path:", "line": 'tls_private_key_path: "/acmetool-certs/live/{{ hostname_matrix }}/privkey"'}
    - {"regexp": "^server_name:", "line": 'server_name: "{{ hostname_identity }}"'}
    - {"regexp": "^turn_allow_guests:", "line": 'turn_allow_guests: False'}
    - {"regexp": "^url_preview_enabled:", "line": 'url_preview_enabled: True'}
@ -148,9 +138,3 @@
    src: "{{ role_path }}/templates/usr-local-bin/matrix-synapse-register-user.j2"
    dest: "/usr/local/bin/matrix-synapse-register-user"
    mode: 0750
-
- name: Ensure periodic restarting of Matrix is configured (for SSL renewal)
-  template:
-    src: "{{ role_path }}/templates/cron.d/matrix-periodic-restarter.j2"
-    dest: "/etc/cron.d/matrix-periodic-restarter"
-    mode: 0600
--- a/roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2
+++ b/roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2
@ -0,0 +1,8 @@
+MAILTO="{{ matrix_ssl_support_email }}"
+
+# This periodically reloads the matrix-nginx-proxy service
+# to ensure it's using the latest SSL certificate
+# in case it got renewed by the `matrix-ssl-certificate-renewal` cronjob
+# (which happens once every ~2-3 months).
+
+{{ matrix_nginx_proxy_reload_cron_time_definition }} root /usr/bin/systemctl reload matrix-nginx-proxy.service
--- a/roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2
+++ b/roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2
@ -1,11 +0,0 @@
-MAILTO="{{ matrix_ssl_support_email }}"
-
-# This periodically restarts the Matrix services
-# to ensure they're using the latest SSL certificate
-# in case it got renewed by the `matrix-ssl-certificate-renewal` cronjob
-# (which happens once every ~2-3 months).
-#
-# Because `matrix-nginx-proxy.service` depends on `matrix-synapse.service`,
-# both would be restarted.
-
-{{ matrix_services_restart_cron_time_definition }} root /usr/bin/systemctl restart matrix-synapse.service
--- a/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2
+++ b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2
@ -19,6 +19,6 @@ MAILTO="{{ matrix_ssl_support_email }}"
 # because it aliases `/.well-known/acme-challenge` to that same directory.
 #
 # When a custom proxy server (not matrix-nginx-proxy provided by this playbook),
-# you'd need to make sure you alias these files corretly or SSL renewal would not work.
+# you'd need to make sure you alias these files correctly or SSL renewal would not work.

 15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ matrix_ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug
--- a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2
+++ b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2
@ -21,6 +21,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \
 			{{ docker_nginx_image }}
 ExecStop=-/usr/bin/docker kill matrix-nginx-proxy
 ExecStop=-/usr/bin/docker rm matrix-nginx-proxy
+ExecReload=/usr/bin/docker exec matrix-nginx-proxy /usr/sbin/nginx -s reload
 Restart=always
 RestartSec=30

--- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2
+++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2
@ -15,7 +15,6 @@ Requires=matrix-s3fs.service
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-synapse
 ExecStartPre=-/usr/bin/docker rm matrix-synapse
-ExecStartPre=-{{ '/usr/bin/chown' if ansible_os_family == 'RedHat' else '/bin/chown' }} {{ matrix_user_username }}:{{ matrix_user_username }} {{ matrix_ssl_certs_path }} -R
 ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 			{% if not matrix_postgres_use_external %}
 			--link matrix-postgres:{{ matrix_postgres_connection_hostname }} \
@ -30,7 +29,6 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 			-v {{ matrix_synapse_config_dir_path }}:/data \
 			-v {{ matrix_synapse_run_path }}:/matrix-run \
 			-v {{ matrix_synapse_media_store_path }}:/matrix-media-store \
-			-v {{ matrix_ssl_certs_path }}:/acmetool-certs \
 			{{ docker_matrix_image }}
 ExecStop=-/usr/bin/docker kill matrix-synapse
 ExecStop=-/usr/bin/docker rm matrix-synapse