From d6332fb09b410c2af4a6400cb2faea5bae8849d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Fri, 8 Feb 2019 11:24:08 +0100 Subject: [PATCH] Use the Yunohost certificate --- README.md | 2 ++ conf/homeserver.yaml | 6 +++--- scripts/install | 36 +++++++++++++++++++++++++----------- scripts/restore | 15 +++++++++++++++ scripts/upgrade | 31 +++++++++++++++++++++---------- 5 files changed, 66 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index cfe8db5..e4bf1e8 100644 --- a/README.md +++ b/README.md @@ -49,6 +49,8 @@ You need to replace SYNAPSE_PORT by the real port. This port can be obtained by If it is not automatically done, you need to open this in your ISP box. +You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en + ### Turnserver For Voip and video conferencing a turnserver is also installed (and configured). The turnserver listens on two UDP and TCP ports. You can get them with these commands: diff --git a/conf/homeserver.yaml b/conf/homeserver.yaml index 3d1c66a..c866bf7 100644 --- a/conf/homeserver.yaml +++ b/conf/homeserver.yaml @@ -4,13 +4,13 @@ # autogenerates on launch with your own SSL certificate + key pair # if you like. Any required intermediary certificates can be # appended after the primary certificate in hierarchical order. -tls_certificate_path: "/etc/matrix-__APP__/__DOMAIN__.tls.crt" +tls_certificate_path: "/etc/yunohost/certs/__DOMAIN__/crt.pem" # PEM encoded private key for TLS -tls_private_key_path: "/etc/matrix-__APP__/__DOMAIN__.tls.key" +tls_private_key_path: "/etc/yunohost/certs/__DOMAIN__/key.pem" # PEM dh parameters for ephemeral keys -tls_dh_params_path: "/etc/matrix-__APP__/__DOMAIN__.tls.dh" +tls_dh_params_path: "/etc/ssl/private/dh2048.pem" # Don't bind to the https port no_tls: False diff --git a/scripts/install b/scripts/install index 0ee8895..40d22b5 100644 --- a/scripts/install 
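Review bot: The new `tls_private_key_path` points synapse at `/etc/yunohost/certs/__DOMAIN__/key.pem` and `tls_dh_params_path` at a file the scripts create as `root:ssl-cert` 0640, so the synapse service user must be able to read both, yet nothing in this patch grants that user access to the YunoHost cert directory or adds it to `ssl-cert` (the only membership visible is the pre-existing `adduser turnserver ssl-cert` in the upgrade script). If that is not handled elsewhere, synapse will fail to open its key at start-up. A second caveat worth a comment next to these paths: YunoHost renews these certificates on its own schedule, and as far as I know synapse of this era does not reload a changed certificate without a restart, e.g. `# NOTE: cert/key are renewed by YunoHost; synapse must be restarted to pick up the renewed files`.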
+++ b/scripts/install
@@ -86,6 +86,21 @@ ynh_app_setting_set $app turnserver_tls_port $turnserver_tls_port
 ynh_app_setting_set $app turnserver_alt_tls_port $turnserver_alt_tls_port
 ynh_app_setting_set $app cli_port $cli_port
 
+#=================================================
+# CREATE A DH FILE
+#=================================================
+
+# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
+# For any update do it in all files
+
+# Make dh cert for synapse if it not exist
+if [[ ! -e /etc/ssl/private/dh2048.pem ]]
+then
+ openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /dev/null
+ chown root:ssl-cert /etc/ssl/private/dh2048.pem
+ chmod 640 /etc/ssl/private/dh2048.pem
+fi
+
 #=================================================
 # INSTALL DEPENDENCIES
 #=================================================
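Review bot: The `2> /dev/null` on the `openssl dhparam` line hides any generation failure, after which `chown`/`chmod` run against a file that does not exist and synapse later starts with a dangling `tls_dh_params_path`; drop the redirect or fail explicitly, `openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam || ynh_die "Unable to generate DH parameters"` (`ynh_die` is already used in this script). `-dsaparam` is a deliberate speed trade-off, but per the openssl manual DSA-style groups need a fresh ephemeral key for every handshake to avoid small-subgroup attacks, so the choice deserves a comment rather than being silent. The comment `# Make dh cert for synapse if it not exist` also mislabels the artefact; I would write `# Generate 2048-bit DH parameters (not a certificate); the file is shared with other YunoHost services, so only create it if missing`.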
@@ -157,25 +172,22 @@ else
 fi
 
 #=================================================
-# CREATE SYNAPSE KEYS
+# CREATE SYNAPSE CONFIG
 #=================================================
 
 # Go in virtualenvironnement
 PS1=${PS1:-}
 source $final_path/bin/activate
 
-# Get the dh.pem if exist
-test -e /etc/matrix-$app/dh.pem && mv /etc/matrix-$app/dh.pem $domain.tls.dh
-
-# Generate config and keys
+# Generate config
 python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --generate-keys --server-name $domain --report-stats=no -c homeserver.yml
 
 # This function was defined when we called "source $final_path/bin/activate". With this function we undo what "$final_path/bin/activate" does
 deactivate
 
 # Get random values from config
-registration_shared_secret=$(egrep "registration_shared_secret" homeserver.yml | cut -d'"' -f2)
-form_secret=$(egrep "form_secret" homeserver.yml | cut -d'"' -f2)
+registration_shared_secret=$(egrep "^registration_shared_secret" homeserver.yml | cut -d'"' -f2)
+form_secret=$(egrep "^form_secret" homeserver.yml | cut -d'"' -f2)
 
 # store in yunohost settings
 ynh_app_setting_set $app registration_shared_secret "$registration_shared_secret"
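Review bot: `--generate-config ... -c homeserver.yml` writes the generated config into the current working directory, and that file carries the freshly minted `registration_shared_secret` and `form_secret`, yet nothing in this hunk deletes it once the two values are cut out; unless a later step removes it (not visible here) the secrets linger wherever the install was launched from, with whatever the default umask allows. I would generate into a private scratch directory and drop it afterwards, e.g. `tmp_conf=$(mktemp -d)` before the python line, `-c "$tmp_conf/homeserver.yml"` on it, and `rm -rf -- "$tmp_conf"` after the two `cut`s (or at minimum `rm -f homeserver.yml`). The new `^`-anchored greps still assume the value is double-quoted; if synapse ever emits it unquoted, `cut -d'"' -f2` yields an empty string and the placeholder is replaced by nothing, so a guard such as `[[ -n "$registration_shared_secret" ]] || ynh_die "Failed to read generated secrets"` is cheap insurance.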
@@ -223,8 +235,8 @@ ynh_replace_string __SYNAPSE_DB_PWD__ $synapse_db_pwd "$homeserver_config_path"
 ynh_replace_string __PORT__ $port "$homeserver_config_path"
 ynh_replace_string __TLS_PORT__ $synapse_tls_port "$homeserver_config_path"
 ynh_replace_string __TURNSERVER_TLS_PORT__ $turnserver_tls_port "$homeserver_config_path"
-ynh_replace_string __TURNPWD__ $turnserver_pwd "$homeserver_config_path"
-ynh_replace_string __REGISTRATION_SECRET__ "$registration_shared_secret" "$homeserver_config_path"
+ynh_replace_special_string __TURNPWD__ $turnserver_pwd "$homeserver_config_path"
+ynh_replace_special_string __REGISTRATION_SECRET__ "$registration_shared_secret" "$homeserver_config_path"
 ynh_replace_string __FORM_SECRET__ "$form_secret" "$homeserver_config_path"
 ynh_replace_string __REPORT_STATS__ "$report_stats" "$homeserver_config_path"
 
@@ -319,7 +331,7 @@ chown $synapse_user:root -R /var/lib/matrix-$app
 chown $synapse_user:root -R /var/log/matrix-$app
 chown $synapse_user:root -R /etc/matrix-$app
 chmod u=rwX,g=rX,o= -R /etc/matrix-$app
-chmod 600 /etc/matrix-$app/{$domain.signing.key,$domain.tls.crt,$domain.tls.dh,$domain.tls.key}
+chmod 600 /etc/matrix-$app/$domain.signing.key
 setfacl -R -m user:turnserver:rX /etc/matrix-$app
 setfacl -R -m user:turnserver:rwX /var/log/matrix-$app
 
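Review bot: `__FORM_SECRET__` is still substituted with `ynh_replace_string` while the neighbouring `__TURNPWD__` and `__REGISTRATION_SECRET__` lines move to `ynh_replace_special_string`; the form secret is pulled from the same generated `homeserver.yml` as the registration secret and can equally contain characters the plain replacement mishandles, so it should switch too: `ynh_replace_special_string __FORM_SECRET__ "$form_secret" "$homeserver_config_path"`. `$turnserver_pwd` is also the only secret passed unquoted on these lines; quoting it as `"$turnserver_pwd"` keeps a password containing whitespace or glob characters from being word-split before the helper ever sees it.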
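Review bot: The tightened `chmod 600 /etc/matrix-$app/$domain.signing.key` is immediately followed by the unchanged `setfacl -R -m user:turnserver:rX /etc/matrix-$app`, which adds a named-user ACL entry to every file under that directory, the signing key included; as I read POSIX ACL semantics the mask is recomputed to cover that entry, so the turnserver account regains read access to the homeserver's federation signing key despite the 600 mode bits. If coturn has no need for it (it should not), revoke the entry right after the recursive call: `setfacl -x user:turnserver /etc/matrix-$app/$domain.signing.key`. Worth confirming with `getfacl` on a test install rather than trusting the mode alone.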
@@ -352,6 +364,8 @@ You also need to open the TCP port $synapse_tls_port on your ISP box if it's not Your synapse server also implements a turnserver (for VoIP), to have this fully functional please read the 'Turnserver' section in the README available here: https://github.com/YunoHost-Apps/synapse_ynh . -If you're facing an issue or want to improve this app, please open a new issue in this project: https://github.com/YunoHost-Apps/synapse_ynh" +If you're facing an issue or want to improve this app, please open a new issue in this project: https://github.com/YunoHost-Apps/synapse_ynh + +You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en" ynh_send_readme_to_admin "$message" diff --git a/scripts/restore b/scripts/restore index 09b0280..bc5cc56 100644 --- a/scripts/restore +++ b/scripts/restore @@ -53,6 +53,21 @@ ynh_webpath_available $domain $path_url || ynh_die "$domain/$path_url is not ava # Restore all config and data ynh_restore +#================================================= +# CREATE A DH FILE +#================================================= + +# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE +# For any update do it in all files + +# Make dh cert for synapse if it not exist +if [[ ! -e /etc/ssl/private/dh2048.pem ]] +then + openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /dev/null + chown root:ssl-cert /etc/ssl/private/dh2048.pem + chmod 640 /etc/ssl/private/dh2048.pem +fi + #================================================= # REINSTALL DEPENDENCIES #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 1c4912b..a0e9740 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -119,7 +119,7 @@ else
 fi
 
 #=================================================
-# MIGRATION 1 : USE SYNAPSE OWN KEYS
+# MIGRATION 1 : GENERATE SYNAPSE SECRET
 #=================================================
 
 if [[ -z "$registration_shared_secret" ]]
@@ -128,10 +128,6 @@ then
 PS1=${PS1:-}
 source $final_path/bin/activate
 
- # Get the dh.pem if exist
- test -e /etc/matrix-$app/dh.pem && mv /etc/matrix-$app/dh.pem /etc/matrix-$app/$domain.tls.dh
- test -e /etc/matrix-$app/homeserver.signing.key && mv /etc/matrix-$app/homeserver.signing.key /etc/matrix-$app/$domain.signing.key
-
 # Generate config and keys
 python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --generate-keys --server-name $domain --report-stats=no -c homeserver.yml
 
@@ -139,8 +135,8 @@ then
 deactivate
 
 # Get random values from config
-registration_shared_secret=$(egrep "registration_shared_secret" homeserver.yml | cut -d'"' -f2)
-form_secret=$(egrep "form_secret" homeserver.yml | cut -d'"' -f1)
+registration_shared_secret=$(egrep "^registration_shared_secret" homeserver.yml | cut -d'"' -f2)
+form_secret=$(egrep "^form_secret" homeserver.yml | cut -d'"' -f1)
 
 # store in yunohost settings
 ynh_app_setting_set $app registration_shared_secret "$registration_shared_secret"
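Review bot: `form_secret=$(egrep "^form_secret" homeserver.yml | cut -d'"' -f1)` keeps the pre-existing `-f1`, which returns the text before the first quote (`form_secret: `) rather than the secret itself, whereas the install script's otherwise identical line uses `-f2`; the new `^` anchor does not fix this, so every upgrade that runs MIGRATION 1 still stores a bogus form secret and writes it into the config through `__FORM_SECRET__`. Change it to `form_secret=$(egrep "^form_secret" homeserver.yml | cut -d'"' -f2)`. The enclosing `if [[ -z "$registration_shared_secret" ]]` block opens in the previous hunk and closes outside this one.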
@@ -166,8 +162,8 @@ ynh_replace_string __SYNAPSE_DB_PWD__ $synapse_db_pwd "$homeserver_config_path"
 ynh_replace_string __PORT__ $port "$homeserver_config_path"
 ynh_replace_string __TLS_PORT__ $synapse_tls_port "$homeserver_config_path"
 ynh_replace_string __TURNSERVER_TLS_PORT__ $turnserver_tls_port "$homeserver_config_path"
-ynh_replace_string __TURNPWD__ $turnserver_pwd "$homeserver_config_path"
-ynh_replace_string __REGISTRATION_SECRET__ "$registration_shared_secret" "$homeserver_config_path"
+ynh_replace_special_string __TURNPWD__ $turnserver_pwd "$homeserver_config_path"
+ynh_replace_special_string __REGISTRATION_SECRET__ "$registration_shared_secret" "$homeserver_config_path"
 ynh_replace_string __FORM_SECRET__ "$form_secret" "$homeserver_config_path"
 ynh_replace_string __REPORT_STATS__ "$report_stats" "$homeserver_config_path"
 
@@ -228,6 +224,21 @@ then
 adduser turnserver ssl-cert
 fi
 
+#=================================================
+# MIGRATION 4 : CREATE A DH FILE
+#=================================================
+
+# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
+# For any update do it in all files
+
+# Make dh cert for synapse if it not exist
+if [[ ! -e /etc/ssl/private/dh2048.pem ]]
+then
+ openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /dev/null
+ chown root:ssl-cert /etc/ssl/private/dh2048.pem
+ chmod 640 /etc/ssl/private/dh2048.pem
+fi
+
 #=================================================
 # STANDARD UPGRADE STEPS
 #=================================================
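Review bot: This is the third verbatim copy of the DH-parameter block, and the `# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE` comment is an admission that the three will drift; YunoHost app scripts normally source a shared `_common.sh`, and if this app has one (not visible in the patch) the block belongs there as a single helper called from install, restore and upgrade. Note too that DH parameters are public values, so the `root:ssl-cert` 0640 placement under `/etc/ssl/private` buys no secrecy but does make synapse's ability to read the file depend on the service user being in `ssl-cert`; either grant that membership explicitly in this migration, as the preceding `adduser turnserver ssl-cert` does for coturn, or relax the mode to `chmod 644`. Minor wording on the new comments: `theses command` → `these commands`, and `Make dh cert` → `Generate DH parameters`.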
@@ -310,7 +321,7 @@ chown $synapse_user:root -R /var/lib/matrix-$app
 chown $synapse_user:root -R /var/log/matrix-$app
 chown $synapse_user:root -R /etc/matrix-$app
 chmod u=rwX,g=rX,o= -R /etc/matrix-$app
-chmod 600 /etc/matrix-$app/{$domain.signing.key,$domain.tls.crt,$domain.tls.dh,$domain.tls.key}
+chmod 600 /etc/matrix-$app/$domain.signing.key
 setfacl -R -m user:turnserver:rX /etc/matrix-$app
 setfacl -R -m user:turnserver:rwX /var/log/matrix-$app