Upgrade Synapse to v0.99 and simplify dummy TLS cert logic

6 years ago · 40f3793af7
parent 5db692f877
commit 40f3793af7
3 changed files with 6 additions and 56 deletions
--- a/group_vars/matrix-servers
+++ b/group_vars/matrix-servers
@ -295,6 +295,11 @@ matrix_synapse_database_database: "{{ matrix_postgres_db_name }}"
 # We do not enable TLS in Synapse by default.
 # TLS is handled by the matrix-nginx-proxy, which proxies the requests to Synapse.
 matrix_synapse_no_tls: true
+# Even though we don't do TLS at the Synapse side, Synapse v0.99 would still like to read
+# some certificate file. The container contains a dummy certificate that could be used
+# to prevent certificate file reading errors. It won't actually be used for anything else.
+# See https://github.com/matrix-org/synapse/issues/4554
+matrix_synapse_tls_certificate_path: /conf/dummy.tls.crt

 matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}"
 matrix_synapse_email_smtp_host: "matrix-mailer"
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@ -1,4 +1,4 @@
-matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.0rc4-py3"
+matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.0-py3"

 matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
 matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config"
--- a/roles/matrix-synapse/tasks/setup_synapse_main.yml
+++ b/roles/matrix-synapse/tasks/setup_synapse_main.yml
@ -58,61 +58,6 @@
    dest: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config"
    mode: 0644

-#
-# To make Synapse 0.99 happy, we need to generate a valid (self-signed is OK) certificate file that we provide to it.
-# It won't be used for anything important, but it needs to be there.
-# See https://github.com/matrix-org/synapse/issues/4554
-#
-# Previously, Synapse would generate such certificate files and actually use them.
-# So existing installations already have them.
-#
-
- name: Check if Synapse certificate exists
-  stat:
-    path: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.crt"
-  register: matrix_synapse_certificate_stat
-
- name: Ensure OpenSSL installed (RedHat)
-  yum:
-    name:
-      - openssl
-    state: present
-    update_cache: no
-  when: "not matrix_synapse_certificate_stat.stat.exists and ansible_os_family == 'RedHat'"
-
- name: Ensure OpenSSL installed (Debian)
-  apt:
-    name:
-      - openssl
-    state: present
-    update_cache: no
-  when: "not matrix_synapse_certificate_stat.stat.exists and ansible_os_family == 'Debian'"
-
-# The proper way to do this is by using a sequence of
-# `openssl_privatekey`, `openssl_csr` and `openssl_certificate`.
-#
-# Unfortunately, `openssl_csr` and `openssl_certificate` require `PyOpenSSL>=0.15` to work,
-# which is not available on CentOS 7 (at least).
-#
-# We'll do it in a more manual way.
- name: Generate SSL certificate
-  command: |
-    openssl req -x509 \
-    -sha256 \
-    -newkey rsa:4096 \
-    -nodes \
-    -subj "/CN={{ hostname_matrix }}" \
-    -keyout {{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.key \
-    -out {{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.crt \
-    -days 3650
-  become: true
-  become_user: "{{ matrix_user_username }}"
-  when: "not matrix_synapse_certificate_stat.stat.exists"
-
-#
-# End of tasks related to making Synapse 0.99 happy.
-#
-
 - name: Ensure matrix-synapse.service installed
  template:
    src: "{{ role_path }}/templates/synapse/systemd/matrix-synapse.service.j2"