Use the Yunohost certificate

README.md

@@ -49,6 +49,8 @@ You need to replace SYNAPSE_PORT by the real port. This port can be obtained by
 
 If it is not automatically done, you need to open this in your ISP box.
 
+You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en
+
 ### Turnserver
 
 For Voip and video conferencing a turnserver is also installed (and configured). The turnserver listens on two UDP and TCP ports. You can get them with these commands:

conf/homeserver.yaml

@@ -4,13 +4,13 @@
 # autogenerates on launch with your own SSL certificate + key pair
 # if you like.  Any required intermediary certificates can be
 # appended after the primary certificate in hierarchical order.
-tls_certificate_path: "/etc/matrix-__APP__/__DOMAIN__.tls.crt"
+tls_certificate_path: "/etc/yunohost/certs/__DOMAIN__/crt.pem"
 
 # PEM encoded private key for TLS
-tls_private_key_path: "/etc/matrix-__APP__/__DOMAIN__.tls.key"
+tls_private_key_path: "/etc/yunohost/certs/__DOMAIN__/key.pem"
 
 # PEM dh parameters for ephemeral keys
-tls_dh_params_path: "/etc/matrix-__APP__/__DOMAIN__.tls.dh"
+tls_dh_params_path: "/etc/ssl/private/dh2048.pem"
 
 # Don't bind to the https port
 no_tls: False

scripts/install

@@ -86,6 +86,21 @@ ynh_app_setting_set $app turnserver_tls_port $turnserver_tls_port
 ynh_app_setting_set $app turnserver_alt_tls_port $turnserver_alt_tls_port
 ynh_app_setting_set $app cli_port $cli_port
 
+#=================================================
+# CREATE A DH FILE
+#=================================================
+
+# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
+# For any update do it in all files
+
+# Make dh cert for synapse if it not exist
+if [[ ! -e /etc/ssl/private/dh2048.pem ]]
+then
+    openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /dev/null
+    chown root:ssl-cert /etc/ssl/private/dh2048.pem
+    chmod 640 /etc/ssl/private/dh2048.pem
+fi
+
 #=================================================
 # INSTALL DEPENDENCIES
 #=================================================
@@ -157,25 +172,22 @@ else
 fi
 
 #=================================================
-# CREATE SYNAPSE KEYS
+# CREATE SYNAPSE CONFIG
 #=================================================
 
 # Go in virtualenvironnement
 PS1=${PS1:-}
 source $final_path/bin/activate
 
-# Get the dh.pem if exist
+# Generate config
-test -e /etc/matrix-$app/dh.pem && mv /etc/matrix-$app/dh.pem $domain.tls.dh
-
-# Generate config and keys
 python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --generate-keys --server-name $domain --report-stats=no -c homeserver.yml
 
 # This function was defined when we called "source $final_path/bin/activate". With this function we undo what "$final_path/bin/activate" does
 deactivate
 
 # Get random values from config
-registration_shared_secret=$(egrep "registration_shared_secret" homeserver.yml | cut -d'"' -f2)
+registration_shared_secret=$(egrep "^registration_shared_secret" homeserver.yml | cut -d'"' -f2)
-form_secret=$(egrep "form_secret" homeserver.yml | cut -d'"' -f2)
+form_secret=$(egrep "^form_secret" homeserver.yml | cut -d'"' -f2)
 
 # store in yunohost settings
 ynh_app_setting_set $app registration_shared_secret "$registration_shared_secret"
@@ -223,8 +235,8 @@ ynh_replace_string __SYNAPSE_DB_PWD__ $synapse_db_pwd "$homeserver_config_path"
 ynh_replace_string __PORT__ $port "$homeserver_config_path"
 ynh_replace_string __TLS_PORT__ $synapse_tls_port "$homeserver_config_path"
 ynh_replace_string __TURNSERVER_TLS_PORT__ $turnserver_tls_port "$homeserver_config_path"
-ynh_replace_string __TURNPWD__ $turnserver_pwd "$homeserver_config_path"
+ynh_replace_special_string __TURNPWD__ $turnserver_pwd "$homeserver_config_path"
-ynh_replace_string __REGISTRATION_SECRET__ "$registration_shared_secret" "$homeserver_config_path"
+ynh_replace_special_string __REGISTRATION_SECRET__ "$registration_shared_secret" "$homeserver_config_path"
 ynh_replace_string __FORM_SECRET__ "$form_secret" "$homeserver_config_path"
 ynh_replace_string __REPORT_STATS__ "$report_stats" "$homeserver_config_path"
 
@@ -319,7 +331,7 @@ chown $synapse_user:root -R /var/lib/matrix-$app
 chown $synapse_user:root -R /var/log/matrix-$app
 chown $synapse_user:root -R /etc/matrix-$app
 chmod u=rwX,g=rX,o= -R /etc/matrix-$app
-chmod 600 /etc/matrix-$app/{$domain.signing.key,$domain.tls.crt,$domain.tls.dh,$domain.tls.key}
+chmod 600 /etc/matrix-$app/$domain.signing.key
 setfacl -R -m user:turnserver:rX  /etc/matrix-$app
 setfacl -R -m user:turnserver:rwX  /var/log/matrix-$app
 
@@ -352,6 +364,8 @@ You also need to open the TCP port $synapse_tls_port on your ISP box if it's not
 
 Your synapse server also implements a turnserver (for VoIP), to have this fully functional please read the 'Turnserver' section in the README available here: https://github.com/YunoHost-Apps/synapse_ynh .
 
-If you're facing an issue or want to improve this app, please open a new issue in this project: https://github.com/YunoHost-Apps/synapse_ynh"
+If you're facing an issue or want to improve this app, please open a new issue in this project: https://github.com/YunoHost-Apps/synapse_ynh
+
+You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en"
 
 ynh_send_readme_to_admin "$message"

scripts/restore

@@ -53,6 +53,21 @@ ynh_webpath_available $domain $path_url || ynh_die "$domain/$path_url is not ava
 # Restore all config and data
 ynh_restore
 
+#=================================================
+# CREATE A DH FILE
+#=================================================
+
+# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
+# For any update do it in all files
+
+# Make dh cert for synapse if it not exist
+if [[ ! -e /etc/ssl/private/dh2048.pem ]]
+then
+    openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /dev/null
+    chown root:ssl-cert /etc/ssl/private/dh2048.pem
+    chmod 640 /etc/ssl/private/dh2048.pem
+fi
+
 #=================================================
 # REINSTALL DEPENDENCIES
 #=================================================

scripts/upgrade

@@ -119,7 +119,7 @@ else
 fi
 
 #=================================================
-# MIGRATION 1 : USE SYNAPSE OWN KEYS
+# MIGRATION 1 : GENERATE SYNAPSE SECRET
 #=================================================
 
 if [[ -z "$registration_shared_secret" ]]
@@ -128,10 +128,6 @@ then
     PS1=${PS1:-}
     source $final_path/bin/activate
 
-    # Get the dh.pem if exist
-    test -e /etc/matrix-$app/dh.pem && mv /etc/matrix-$app/dh.pem /etc/matrix-$app/$domain.tls.dh
-    test -e /etc/matrix-$app/homeserver.signing.key && mv /etc/matrix-$app/homeserver.signing.key /etc/matrix-$app/$domain.signing.key
-
     # Generate config and keys
     python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --generate-keys --server-name $domain --report-stats=no -c homeserver.yml
 
@@ -139,8 +135,8 @@ then
     deactivate
 
     # Get random values from config
-    registration_shared_secret=$(egrep "registration_shared_secret" homeserver.yml | cut -d'"' -f2)
+    registration_shared_secret=$(egrep "^registration_shared_secret" homeserver.yml | cut -d'"' -f2)
-    form_secret=$(egrep "form_secret" homeserver.yml | cut -d'"' -f1)
+    form_secret=$(egrep "^form_secret" homeserver.yml | cut -d'"' -f1)
 
     # store in yunohost settings
     ynh_app_setting_set $app registration_shared_secret "$registration_shared_secret"
@@ -166,8 +162,8 @@ ynh_replace_string __SYNAPSE_DB_PWD__ $synapse_db_pwd "$homeserver_config_path"
 ynh_replace_string __PORT__ $port "$homeserver_config_path"
 ynh_replace_string __TLS_PORT__ $synapse_tls_port "$homeserver_config_path"
 ynh_replace_string __TURNSERVER_TLS_PORT__ $turnserver_tls_port "$homeserver_config_path"
-ynh_replace_string __TURNPWD__ $turnserver_pwd "$homeserver_config_path"
+ynh_replace_special_string __TURNPWD__ $turnserver_pwd "$homeserver_config_path"
-ynh_replace_string __REGISTRATION_SECRET__ "$registration_shared_secret" "$homeserver_config_path"
+ynh_replace_special_string __REGISTRATION_SECRET__ "$registration_shared_secret" "$homeserver_config_path"
 ynh_replace_string __FORM_SECRET__ "$form_secret" "$homeserver_config_path"
 ynh_replace_string __REPORT_STATS__ "$report_stats" "$homeserver_config_path"
 
@@ -228,6 +224,21 @@ then
     adduser turnserver ssl-cert
 fi
 
+#=================================================
+# MIGRATION 4 : CREATE A DH FILE
+#=================================================
+
+# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
+# For any update do it in all files
+
+# Make dh cert for synapse if it not exist
+if [[ ! -e /etc/ssl/private/dh2048.pem ]]
+then
+    openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /dev/null
+    chown root:ssl-cert /etc/ssl/private/dh2048.pem
+    chmod 640 /etc/ssl/private/dh2048.pem
+fi
+
 #=================================================
 # STANDARD UPGRADE STEPS
 #=================================================
@@ -310,7 +321,7 @@ chown $synapse_user:root -R /var/lib/matrix-$app
 chown $synapse_user:root -R /var/log/matrix-$app
 chown $synapse_user:root -R /etc/matrix-$app
 chmod u=rwX,g=rX,o= -R /etc/matrix-$app
-chmod 600 /etc/matrix-$app/{$domain.signing.key,$domain.tls.crt,$domain.tls.dh,$domain.tls.key}
+chmod 600 /etc/matrix-$app/$domain.signing.key
 setfacl -R -m user:turnserver:rX  /etc/matrix-$app
 setfacl -R -m user:turnserver:rwX  /var/log/matrix-$app