From 40f3793af702cba03e8aba10ad0672856978484f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 6 Feb 2019 09:17:55 +0200 Subject: [PATCH] Upgrade Synapse to v0.99 and simplify dummy TLS cert logic --- group_vars/matrix-servers | 5 ++ roles/matrix-synapse/defaults/main.yml | 2 +- .../tasks/setup_synapse_main.yml | 55 ------------------- 3 files changed, 6 insertions(+), 56 deletions(-) diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index b79f5038..597a6a89 100644 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -295,6 +295,11 @@ matrix_synapse_database_database: "{{ matrix_postgres_db_name }}" # We do not enable TLS in Synapse by default. # TLS is handled by the matrix-nginx-proxy, which proxies the requests to Synapse. matrix_synapse_no_tls: true +# Even though we don't do TLS at the Synapse side, Synapse v0.99 would still like to read +# some certificate file. The container contains a dummy certificate that could be used +# to prevent certificate file reading errors. It won't actually be used for anything else. +# See https://github.com/matrix-org/synapse/issues/4554 +matrix_synapse_tls_certificate_path: /conf/dummy.tls.crt matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}" matrix_synapse_email_smtp_host: "matrix-mailer" diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index af5fa68a..96825f94 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -1,4 +1,4 @@ -matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.0rc4-py3" +matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.0-py3" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" diff --git a/roles/matrix-synapse/tasks/setup_synapse_main.yml b/roles/matrix-synapse/tasks/setup_synapse_main.yml index 4d2598af..57a296bc 100644 --- a/roles/matrix-synapse/tasks/setup_synapse_main.yml +++ b/roles/matrix-synapse/tasks/setup_synapse_main.yml @@ -58,61 +58,6 @@ dest: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config" mode: 0644 -# -# To make Synapse 0.99 happy, we need to generate a valid (self-signed is OK) certificate file that we provide to it. -# It won't be used for anything important, but it needs to be there. -# See https://github.com/matrix-org/synapse/issues/4554 -# -# Previously, Synapse would generate such certificate files and actually use them. -# So existing installations already have them. -# - -- name: Check if Synapse certificate exists - stat: - path: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.crt" - register: matrix_synapse_certificate_stat - -- name: Ensure OpenSSL installed (RedHat) - yum: - name: - - openssl - state: present - update_cache: no - when: "not matrix_synapse_certificate_stat.stat.exists and ansible_os_family == 'RedHat'" - -- name: Ensure OpenSSL installed (Debian) - apt: - name: - - openssl - state: present - update_cache: no - when: "not matrix_synapse_certificate_stat.stat.exists and ansible_os_family == 'Debian'" - -# The proper way to do this is by using a sequence of -# `openssl_privatekey`, `openssl_csr` and `openssl_certificate`. -# -# Unfortunately, `openssl_csr` and `openssl_certificate` require `PyOpenSSL>=0.15` to work, -# which is not available on CentOS 7 (at least). -# -# We'll do it in a more manual way. -- name: Generate SSL certificate - command: | - openssl req -x509 \ - -sha256 \ - -newkey rsa:4096 \ - -nodes \ - -subj "/CN={{ hostname_matrix }}" \ - -keyout {{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.key \ - -out {{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.crt \ - -days 3650 - become: true - become_user: "{{ matrix_user_username }}" - when: "not matrix_synapse_certificate_stat.stat.exists" - -# -# End of tasks related to making Synapse 0.99 happy. -# - - name: Ensure matrix-synapse.service installed template: src: "{{ role_path }}/templates/synapse/systemd/matrix-synapse.service.j2"