Use the Yunohost certificate

2024-09-03 20:26:38 +02:00 · 2019-02-08 11:24:08 +01:00 · 2019-02-08 11:24:08 +01:00 · d6332fb09b
commit d6332fb09b
parent 39b2e75dc5
5 changed files with 66 additions and 24 deletions
--- a/README.md
+++ b/README.md
@ -49,6 +49,8 @@ You need to replace SYNAPSE_PORT by the real port. This port can be obtained by

 If it is not automatically done, you need to open this in your ISP box.

+You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en
+
 ### Turnserver

 For Voip and video conferencing a turnserver is also installed (and configured). The turnserver listens on two UDP and TCP ports. You can get them with these commands:
--- a/conf/homeserver.yaml
+++ b/conf/homeserver.yaml
@ -4,13 +4,13 @@
 # autogenerates on launch with your own SSL certificate + key pair
 # if you like.  Any required intermediary certificates can be
 # appended after the primary certificate in hierarchical order.
-tls_certificate_path: "/etc/matrix-__APP__/__DOMAIN__.tls.crt"
+tls_certificate_path: "/etc/yunohost/certs/__DOMAIN__/crt.pem"

 # PEM encoded private key for TLS
-tls_private_key_path: "/etc/matrix-__APP__/__DOMAIN__.tls.key"
+tls_private_key_path: "/etc/yunohost/certs/__DOMAIN__/key.pem"

 # PEM dh parameters for ephemeral keys
-tls_dh_params_path: "/etc/matrix-__APP__/__DOMAIN__.tls.dh"
+tls_dh_params_path: "/etc/ssl/private/dh2048.pem"

 # Don't bind to the https port
 no_tls: False
--- a/scripts/install
+++ b/scripts/install
@ -86,6 +86,21 @@ ynh_app_setting_set $app turnserver_tls_port $turnserver_tls_port
 ynh_app_setting_set $app turnserver_alt_tls_port $turnserver_alt_tls_port
 ynh_app_setting_set $app cli_port $cli_port

+#=================================================
+# CREATE A DH FILE
+#=================================================
+
+# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
+# For any update do it in all files
+
+# Make dh cert for synapse if it not exist
+if [[ ! -e /etc/ssl/private/dh2048.pem ]]
+then
+    openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /dev/null
+    chown root:ssl-cert /etc/ssl/private/dh2048.pem
+    chmod 640 /etc/ssl/private/dh2048.pem
+fi
+
 #=================================================
 # INSTALL DEPENDENCIES
 #=================================================
@ -157,25 +172,22 @@ else
 fi

 #=================================================
-# CREATE SYNAPSE KEYS
+# CREATE SYNAPSE CONFIG
 #=================================================

 # Go in virtualenvironnement
 PS1=${PS1:-}
 source $final_path/bin/activate

-# Get the dh.pem if exist
-test -e /etc/matrix-$app/dh.pem && mv /etc/matrix-$app/dh.pem $domain.tls.dh
-
-# Generate config and keys
+# Generate config
 python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --generate-keys --server-name $domain --report-stats=no -c homeserver.yml

 # This function was defined when we called "source $final_path/bin/activate". With this function we undo what "$final_path/bin/activate" does
 deactivate

 # Get random values from config
-registration_shared_secret=$(egrep "registration_shared_secret" homeserver.yml | cut -d'"' -f2)
-form_secret=$(egrep "form_secret" homeserver.yml | cut -d'"' -f2)
+registration_shared_secret=$(egrep "^registration_shared_secret" homeserver.yml | cut -d'"' -f2)
+form_secret=$(egrep "^form_secret" homeserver.yml | cut -d'"' -f2)

 # store in yunohost settings
 ynh_app_setting_set $app registration_shared_secret "$registration_shared_secret"
@ -223,8 +235,8 @@ ynh_replace_string __SYNAPSE_DB_PWD__ $synapse_db_pwd "$homeserver_config_path"
 ynh_replace_string __PORT__ $port "$homeserver_config_path"
 ynh_replace_string __TLS_PORT__ $synapse_tls_port "$homeserver_config_path"
 ynh_replace_string __TURNSERVER_TLS_PORT__ $turnserver_tls_port "$homeserver_config_path"
-ynh_replace_string __TURNPWD__ $turnserver_pwd "$homeserver_config_path"
-ynh_replace_string __REGISTRATION_SECRET__ "$registration_shared_secret" "$homeserver_config_path"
+ynh_replace_special_string __TURNPWD__ $turnserver_pwd "$homeserver_config_path"
+ynh_replace_special_string __REGISTRATION_SECRET__ "$registration_shared_secret" "$homeserver_config_path"
 ynh_replace_string __FORM_SECRET__ "$form_secret" "$homeserver_config_path"
 ynh_replace_string __REPORT_STATS__ "$report_stats" "$homeserver_config_path"

@ -319,7 +331,7 @@ chown $synapse_user:root -R /var/lib/matrix-$app
 chown $synapse_user:root -R /var/log/matrix-$app
 chown $synapse_user:root -R /etc/matrix-$app
 chmod u=rwX,g=rX,o= -R /etc/matrix-$app
-chmod 600 /etc/matrix-$app/{$domain.signing.key,$domain.tls.crt,$domain.tls.dh,$domain.tls.key}
+chmod 600 /etc/matrix-$app/$domain.signing.key
 setfacl -R -m user:turnserver:rX  /etc/matrix-$app
 setfacl -R -m user:turnserver:rwX  /var/log/matrix-$app

@ -352,6 +364,8 @@ You also need to open the TCP port $synapse_tls_port on your ISP box if it's not

 Your synapse server also implements a turnserver (for VoIP), to have this fully functional please read the 'Turnserver' section in the README available here: https://github.com/YunoHost-Apps/synapse_ynh .

-If you're facing an issue or want to improve this app, please open a new issue in this project: https://github.com/YunoHost-Apps/synapse_ynh"
+If you're facing an issue or want to improve this app, please open a new issue in this project: https://github.com/YunoHost-Apps/synapse_ynh
+
+You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en"

 ynh_send_readme_to_admin "$message"
--- a/scripts/restore
+++ b/scripts/restore
@ -53,6 +53,21 @@ ynh_webpath_available $domain $path_url || ynh_die "$domain/$path_url is not ava
 # Restore all config and data
 ynh_restore

+#=================================================
+# CREATE A DH FILE
+#=================================================
+
+# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
+# For any update do it in all files
+
+# Make dh cert for synapse if it not exist
+if [[ ! -e /etc/ssl/private/dh2048.pem ]]
+then
+    openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /dev/null
+    chown root:ssl-cert /etc/ssl/private/dh2048.pem
+    chmod 640 /etc/ssl/private/dh2048.pem
+fi
+
 #=================================================
 # REINSTALL DEPENDENCIES
 #=================================================
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -119,7 +119,7 @@ else
 fi

 #=================================================
-# MIGRATION 1 : USE SYNAPSE OWN KEYS
+# MIGRATION 1 : GENERATE SYNAPSE SECRET
 #=================================================

 if [[ -z "$registration_shared_secret" ]]
@ -128,10 +128,6 @@ then
    PS1=${PS1:-}
    source $final_path/bin/activate

-    # Get the dh.pem if exist
-    test -e /etc/matrix-$app/dh.pem && mv /etc/matrix-$app/dh.pem /etc/matrix-$app/$domain.tls.dh
-    test -e /etc/matrix-$app/homeserver.signing.key && mv /etc/matrix-$app/homeserver.signing.key /etc/matrix-$app/$domain.signing.key
-
    # Generate config and keys
    python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --generate-keys --server-name $domain --report-stats=no -c homeserver.yml

@ -139,8 +135,8 @@ then
    deactivate

    # Get random values from config
-    registration_shared_secret=$(egrep "registration_shared_secret" homeserver.yml | cut -d'"' -f2)
-    form_secret=$(egrep "form_secret" homeserver.yml | cut -d'"' -f1)
+    registration_shared_secret=$(egrep "^registration_shared_secret" homeserver.yml | cut -d'"' -f2)
+    form_secret=$(egrep "^form_secret" homeserver.yml | cut -d'"' -f1)

    # store in yunohost settings
    ynh_app_setting_set $app registration_shared_secret "$registration_shared_secret"
@ -166,8 +162,8 @@ ynh_replace_string __SYNAPSE_DB_PWD__ $synapse_db_pwd "$homeserver_config_path"
 ynh_replace_string __PORT__ $port "$homeserver_config_path"
 ynh_replace_string __TLS_PORT__ $synapse_tls_port "$homeserver_config_path"
 ynh_replace_string __TURNSERVER_TLS_PORT__ $turnserver_tls_port "$homeserver_config_path"
-ynh_replace_string __TURNPWD__ $turnserver_pwd "$homeserver_config_path"
-ynh_replace_string __REGISTRATION_SECRET__ "$registration_shared_secret" "$homeserver_config_path"
+ynh_replace_special_string __TURNPWD__ $turnserver_pwd "$homeserver_config_path"
+ynh_replace_special_string __REGISTRATION_SECRET__ "$registration_shared_secret" "$homeserver_config_path"
 ynh_replace_string __FORM_SECRET__ "$form_secret" "$homeserver_config_path"
 ynh_replace_string __REPORT_STATS__ "$report_stats" "$homeserver_config_path"

@ -228,6 +224,21 @@ then
    adduser turnserver ssl-cert
 fi

+#=================================================
+# MIGRATION 4 : CREATE A DH FILE
+#=================================================
+
+# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
+# For any update do it in all files
+
+# Make dh cert for synapse if it not exist
+if [[ ! -e /etc/ssl/private/dh2048.pem ]]
+then
+    openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /dev/null
+    chown root:ssl-cert /etc/ssl/private/dh2048.pem
+    chmod 640 /etc/ssl/private/dh2048.pem
+fi
+
 #=================================================
 # STANDARD UPGRADE STEPS
 #=================================================
@ -310,7 +321,7 @@ chown $synapse_user:root -R /var/lib/matrix-$app
 chown $synapse_user:root -R /var/log/matrix-$app
 chown $synapse_user:root -R /etc/matrix-$app
 chmod u=rwX,g=rX,o= -R /etc/matrix-$app
-chmod 600 /etc/matrix-$app/{$domain.signing.key,$domain.tls.crt,$domain.tls.dh,$domain.tls.key}
+chmod 600 /etc/matrix-$app/$domain.signing.key
 setfacl -R -m user:turnserver:rX  /etc/matrix-$app
 setfacl -R -m user:turnserver:rwX  /var/log/matrix-$app