From 9dac61a33a42059558b97be2af89f178332b3ce7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Sat, 30 Dec 2017 15:59:05 +0100
Subject: [PATCH] Fix certificate access

---
 README.md | 4 ++--
 conf/homeserver.yaml | 2 +-
 manifest.json | 2 +-
 scripts/_common.sh | 51 +-------------------------------------------
 scripts/install | 9 ++++----
 scripts/restore | 8 ++-----
 scripts/upgrade | 14 +++++++++---
 7 files changed, 23 insertions(+), 67 deletions(-)

diff --git a/README.md b/README.md
index 9f0dbd0..e098f4e 100644
--- a/README.md
+++ b/README.md
@@ -12,8 +12,8 @@ Setup
 ### Install for ARM arch (or slow arch)
-If you don't have a dh.pem file in `/etc/yunohost/certs/YOUR DOMAIN/dh.pem` you should built it befor to install the app because it could take a long time.
-You could built it by this cmd : `sudo openssl dhparam -out /etc/yunohost/certs/YOUR DOMAIN/dh.pem 2048 > /dev/null`
+For all slow or arm architecture it's recommended to build the dh file before the install to have quicker install.
+You could built it by this cmd : `mkdir -p /etc/matrix-synapse && openssl dhparam -out /etc/matrix-synapse/dh.pem 2048 > /dev/null`
 After that you can install it without problem.
 The package use a prebuild python virtualenvironnement. The binary are taken from this repos : https://github.com/Josue-T/synapse_python_build
diff --git a/conf/homeserver.yaml b/conf/homeserver.yaml
index ccc204f..c43fbad 100644
--- a/conf/homeserver.yaml
+++ b/conf/homeserver.yaml
@@ -10,7 +10,7 @@ tls_certificate_path: "/etc/yunohost/certs/__DOMAIN__/crt.pem"
 tls_private_key_path: "/etc/yunohost/certs/__DOMAIN__/key.pem"
 # PEM dh parameters for ephemeral keys
-tls_dh_params_path: "/etc/yunohost/certs/__DOMAIN__/dh.pem"
+tls_dh_params_path: "/etc/matrix-synapse/dh.pem"
 # Don't bind to the https port
 no_tls: False
diff --git a/manifest.json b/manifest.json
index 6781154..be56b21 100644
--- a/manifest.json
+++ b/manifest.json
@@ -38,7 +38,7 @@
 "en": "Is it a public server ?",
 "fr": "Est-ce un serveur public ?"
 },
- "default": "0"
+ "default": 0
 }
 ]
 }
diff --git a/scripts/_common.sh b/scripts/_common.sh
index 79f421d..baf6624 100755
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -37,6 +37,7 @@ set_permission() {
 chown $synapse_user:root -R /var/log/matrix-synapse
 chown turnserver:root -R /var/log/turnserver
 chown $synapse_user:root -R /etc/matrix-synapse
+ chmod 600 /etc/matrix-synapse/dh.pem
 }
 install_source() {
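Review bot: The added `chmod 600 /etc/matrix-synapse/dh.pem`, together with the `chown $synapse_user:root -R /etc/matrix-synapse` just above it, leaves the DH parameter file readable by the synapse user only, whereas the `set_certificat_access` function removed in the next hunk also granted turnserver read access to dh.pem; if turnserver.conf still references a DH file, coturn will lose it at the next restart. If turnserver no longer needs the file, a comment such as `# dh.pem is read by synapse only; coturn gets no access` would prevent a later regression, otherwise a group-readable mode is required. The `chmod` also runs unconditionally, so on an upgrade path where the file was never copied into /etc/matrix-synapse it fails; `[[ -e /etc/matrix-synapse/dh.pem ]] && chmod 600 /etc/matrix-synapse/dh.pem` keeps set_permission safe to call. The body of set_permission starts outside the hunk.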
@@ -97,56 +98,6 @@ config_coturn() {
 ynh_replace_string __TLS_PORT__ $turnserver_tls_port /etc/turnserver.conf
 }
-set_certificat_access() {
- set_access $synapse_user /etc/yunohost/certs/$domain/crt.pem
- set_access $synapse_user /etc/yunohost/certs/$domain/key.pem
- set_access $synapse_user /etc/yunohost/certs/$domain/dh.pem
-
- set_access turnserver /etc/yunohost/certs/$domain/crt.pem
- set_access turnserver /etc/yunohost/certs/$domain/key.pem
- set_access turnserver /etc/yunohost/certs/$domain/dh.pem
-}
-
-set_access() { # example : set_access USER FILE
- user="$1"
- file_to_set="$2"
- while [[ 0 ]]
- do
- path_to_set=""
- oldIFS="$IFS"
- IFS="/"
- for dirname in $file_to_set
- do
- if [[ -n "$dirname" ]]
- then
- test -f "$path_to_set"/"$dirname" && setfacl -m d:u:$user:r "$path_to_set"
-
- path_to_set="$path_to_set/$dirname"
-
- if $(sudo -u $user test ! -r "$path_to_set")
- then
- test -d "$path_to_set" && setfacl -m user:$user:rx "$path_to_set"
- test -f "$path_to_set" && setfacl -m user:$user:r "$path_to_set"
- fi
- fi
- done
- IFS="$oldIFS"
-
- if $(test -L "$file_to_set")
- then
- if [[ -n "$(readlink "$file_to_set" | grep -e "^/")" ]]
- then
- file_to_set=$(readlink "$file_to_set") # If it is an absolute path
- else
- file_to_set=$(realpath -s -m "$(echo "$file_to_set" | cut -d'/' -f-$(echo "$file_to_set" | grep -o '/' | wc -l))/$(readlink "$file_to_set")") # If it is an relative path (we get with realpath the absolute path)
- fi
- else
- break
- fi
- done
-}
-
-
 ####### Solve issue https://dev.yunohost.org/issues/1006
 # Build and install a package from an equivs control file
diff --git a/scripts/install b/scripts/install
index 50f6f83..3bb0c47 100644
--- a/scripts/install
+++ b/scripts/install
@@ -31,7 +31,9 @@ yunohost firewall allow --no-upnp TCP $synapse_tls_port > /dev/null 2>&1
 yunohost firewall allow --no-upnp Both $turnserver_tls_port > /dev/null 2>&1
 # Make dh cert for synapse if it not exist
-test ! -e /etc/yunohost/certs/$domain/dh.pem && openssl dhparam -out /etc/yunohost/certs/$domain/dh.pem 2048 > /dev/null
+test ! -e /etc/matrix-synapse/dh.pem && \
+ mkdir -p /etc/matrix-synapse && \
+ openssl dhparam -out /etc/matrix-synapse/dh.pem 2048 > /dev/null
 # Find password for turnserver and database
 turnserver_pwd=$(ynh_string_random 30)
@@ -54,6 +56,8 @@ install_dependances
 # Create user
 ynh_system_user_create $synapse_user /var/lib/matrix-synapse
+adduser $synapse_user ssl-cert
+adduser turnserver ssl-cert
 # Create postgresql database
 ynh_psql_test_if_first_run
@@ -86,9 +90,6 @@ config_synapse
 # Configure Coturn
 config_coturn
-# Configure access for certificates
-set_certificat_access
-
 # Configuration de logrotate
 ynh_use_logrotate /var/log/matrix-synapse
 ynh_use_logrotate /var/log/turnserver
diff --git a/scripts/restore b/scripts/restore
index db1a43b..5d02705 100644
--- a/scripts/restore
+++ b/scripts/restore
@@ -24,9 +24,6 @@ turnserver_pwd=$(ynh_app_setting_get $app turnserver_pwd)
 # Check domain/path availability
 ynh_webpath_available $domain $path || ynh_die "$domain/$path is not available, please use an other domain."
-# Make dh cert for synapse if it not exist
-test ! -e /etc/yunohost/certs/$domain/dh.pem && openssl dhparam -out /etc/yunohost/certs/$domain/dh.pem 2048 > /dev/null
-
 # Ouvre le port dans le firewall
 yunohost firewall allow --no-upnp TCP $synapse_tls_port > /dev/null 2>&1
 yunohost firewall allow --no-upnp Both $turnserver_tls_port > /dev/null 2>&1
@@ -36,6 +33,8 @@ install_dependances
 # Create user
 ynh_system_user_create $synapse_user /var/lib/matrix-synapse
+adduser $synapse_user ssl-cert
+adduser turnserver ssl-cert
 # Restore all config and data
 ynh_restore
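Review bot: `openssl dhparam -out /etc/matrix-synapse/dh.pem 2048` writes straight to the final path, so a generation interrupted part-way (which the README warns is slow on ARM) leaves a truncated dh.pem that the `test ! -e /etc/matrix-synapse/dh.pem` guard then treats as complete on every later run, and synapse is handed an unusable parameter file. Generate into a scratch name and move it into place only on success, e.g. `openssl dhparam -out /etc/matrix-synapse/dh.pem.tmp 2048 > /dev/null && mv /etc/matrix-synapse/dh.pem.tmp /etc/matrix-synapse/dh.pem`. The `test ! -e … && …` list also returns non-zero whenever the file already exists; that is harmless as written but a short comment saying the non-zero status is expected would save the next reader from "fixing" it.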
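Review bot: `adduser $synapse_user ssl-cert` and `adduser turnserver ssl-cert` replace the per-file ACLs the removed set_access granted with membership in a host-wide group, so both service accounts can now read every key file the ssl-cert group can read, not only this domain's certificate; if that widening is intended it deserves a comment such as `# ssl-cert membership grants read access to all group-readable keys on the host, not just $domain`. The same two lines are added in scripts/restore (hunk at -36) and twice in scripts/upgrade, so the remark applies there as well. `adduser` also aborts if the ssl-cert group is absent (it is created by the ssl-cert package, which nothing here checks for); `getent group ssl-cert > /dev/null || ynh_die "ssl-cert group is missing"` before these lines would make that failure explicit, and quoting `"$synapse_user"` would match the rest of the shell guidance.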
@@ -46,9 +45,6 @@ set_permission
 # Open access to server without a button the home
 python $final_path/add_sso_conf.py
-# Configure access for certificates
-set_certificat_access
-
 # Restore postgresql database
 ynh_psql_test_if_first_run
 ynh_psql_create_user $synapse_db_user $synapse_db_pwd
diff --git a/scripts/upgrade b/scripts/upgrade
index 4de3512..65437a5 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -67,6 +67,7 @@ then
 # Create directory Install synapse in virtualenv
 setup_dir || true # If the dir aready exist the command could fail
 install_source
+ cp /etc/yunohost/certs/$domain/dh.pem /etc/matrix-synapse/dh.pem
 set_permission
 # Open access to server without a button the home
@@ -76,6 +77,8 @@ then
 # Create user
 ynh_system_user_create $synapse_user /var/lib/matrix-synapse
+ adduser $synapse_user ssl-cert
+ adduser turnserver ssl-cert
 # Create systemd service
 ynh_secure_remove /etc/init.d/matrix-synapse
@@ -122,6 +125,14 @@ fi
 # If the turnserver log is not ready configured we configure it now
 test -e /var/log/turnserver || (mkdir -p /var/log/turnserver && ynh_use_logrotate /var/log/turnserver)
+# Fix issue about certificates access
+if [[ ! $(grep "ssl-cert:x:[0-9]*:.*matrix-synapse" /etc/group) ]]
+then
+ adduser $synapse_user ssl-cert
+ adduser turnserver ssl-cert
+ cp /etc/yunohost/certs/$domain/dh.pem /etc/matrix-synapse/dh.pem
+fi
+
 # Upgrade manually Synapse
 install_source
 set_permission
@@ -132,9 +143,6 @@ config_nginx
 # Configure Synapse
 config_synapse
-# Configure access for certificates
-set_certificat_access
-
 # Configure Coturn
 config_coturn
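Review bot: The migration guard `if [[ ! $(grep "ssl-cert:x:[0-9]*:.*matrix-synapse" /etc/group) ]]` hard-codes the user name `matrix-synapse` while the rest of the script uses `$synapse_user`, matches any ssl-cert member whose name merely contains that string, and relies on an unquoted substitution inside `[[ ]]` to test for emptiness; `if ! id -nG "$synapse_user" | grep -qw ssl-cert` checks the account directly and reads as intended. It also checks only the synapse user, so a missing turnserver membership is never repaired on its own. The `cp /etc/yunohost/certs/$domain/dh.pem /etc/matrix-synapse/dh.pem` inside the block, like the identical line in the hunk at -67 (whose enclosing `if … then` block starts outside that hunk), has no fallback when the old file is absent, so the upgrade aborts where scripts/install would simply generate new parameters. The rewrite below separates the group fix from the DH migration and regenerates when nothing can be copied.

```shell
# Fix issue about certificates access
if ! id -nG "$synapse_user" | grep -qw ssl-cert
then
    adduser "$synapse_user" ssl-cert
    adduser turnserver ssl-cert
fi

# Move the DH parameters to their new location; regenerate when the old file is gone
mkdir -p /etc/matrix-synapse
if [[ ! -e /etc/matrix-synapse/dh.pem ]]
then
    if [[ -e "/etc/yunohost/certs/$domain/dh.pem" ]]
    then
        cp "/etc/yunohost/certs/$domain/dh.pem" /etc/matrix-synapse/dh.pem
    else
        openssl dhparam -out /etc/matrix-synapse/dh.pem 2048 > /dev/null
    fi
fi
# … unchanged: install_source / set_permission …
```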