From 73af8f7bbb5c22a29be59baf8bedf06b76f70fce Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Fri, 22 Mar 2019 09:39:17 +0200
Subject: [PATCH] Make self-check not validate self-signed certificates

By default, `--tags=self-check` no longer validates certificates when `matrix_ssl_retrieval_method` is set to `self-signed`. Besides this default, people can also enable/disable validation using the individual role variables manually.

Fixes #124 (Github Issue)
---
 group_vars/matrix-servers | 8 ++++++++
 roles/matrix-mxisd/defaults/main.yml | 3 +++
 roles/matrix-mxisd/tasks/self_check_mxisd.yml | 1 +
 roles/matrix-nginx-proxy/defaults/main.yml | 3 +++
 roles/matrix-nginx-proxy/tasks/self_check_well_known.yml | 2 ++
 .../tasks/self_check_well_known_file.yml | 2 ++
 roles/matrix-riot-web/defaults/main.yml | 3 +++
 roles/matrix-riot-web/tasks/self_check_riot_web.yml | 1 +
 roles/matrix-synapse/defaults/main.yml | 6 ++++--
 roles/matrix-synapse/tasks/self_check_client_api.yml | 1 +
 roles/matrix-synapse/tasks/self_check_federation_api.yml | 2 +-
 11 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers
index 45d251782..7ded5ff42 100755
--- a/group_vars/matrix-servers
+++ b/group_vars/matrix-servers
@@ -181,6 +181,8 @@ matrix_mxisd_threepid_medium_email_connectors_smtp_host: "matrix-mailer"
 matrix_mxisd_threepid_medium_email_connectors_smtp_port: 8025
 matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 0
 
+matrix_mxisd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
+
 matrix_mxisd_systemd_wanted_services_list: |
 {{
 (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-synapse.service'])
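Review bot: The default added in this hunk, `matrix_mxisd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"`, yields false on both branches, so the self-check skips certificate validation for every retrieval method rather than only for `self-signed` as the commit message states. The role default in roles/matrix-mxisd/defaults/main.yml is `true`, so this group_vars line overrides it with `false` for all installations, and an expired or hostname-mismatched certificate would pass the check unnoticed. The intended expression is `"{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"` (or equivalently `"{{ matrix_ssl_retrieval_method != 'self-signed' }}"`). The same else-branch copy-paste appears in the three later group_vars hunks for `matrix_nginx_proxy_self_check_validate_certificates`, `matrix_riot_web_self_check_validate_certificates` and `matrix_synapse_self_check_validate_certificates`.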
@@ -238,6 +240,8 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_mxisd_
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}"
 
+matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
+
 matrix_nginx_proxy_systemd_wanted_services_list: |
 {{
 (['matrix-synapse.service'])
@@ -313,6 +317,8 @@ matrix_riot_web_integrations_rest_url: "{{ matrix_dimension_integrations_rest_ur
 matrix_riot_web_integrations_widgets_urls: "{{ matrix_dimension_integrations_widgets_urls if matrix_dimension_enabled else ['https://scalar.vector.im/api'] }}"
 matrix_riot_web_integrations_jitsi_widget_url: "{{ matrix_dimension_integrations_jitsi_widget_url if matrix_dimension_enabled else 'https://scalar.vector.im/api/widgets/jitsi.html' }}"
 
+matrix_riot_web_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
+
 ######################################################################
 #
 # /matrix-riot-web
@@ -375,6 +381,8 @@ matrix_synapse_turn_uris: |
 matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}"
 
+matrix_synapse_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
+
 matrix_synapse_systemd_required_services_list: |
 {{
 (['docker.service'])
diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml
index b28c20f69..cb83674c6 100644
--- a/roles/matrix-mxisd/defaults/main.yml
+++ b/roles/matrix-mxisd/defaults/main.yml
@@ -55,6 +55,9 @@ matrix_mxisd_threepid_medium_email_custom_session_validation_template: ""
 matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template: ""
 matrix_mxisd_threepid_medium_email_custom_matrixid_template: ""
 
+# Controls whether the self-check feature should validate SSL certificates.
+matrix_mxisd_self_check_validate_certificates: true
+
 # Default mxisd configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
diff --git a/roles/matrix-mxisd/tasks/self_check_mxisd.yml b/roles/matrix-mxisd/tasks/self_check_mxisd.yml
index 1ca9a39bf..26dccb76f 100644
--- a/roles/matrix-mxisd/tasks/self_check_mxisd.yml
+++ b/roles/matrix-mxisd/tasks/self_check_mxisd.yml
@@ -7,6 +7,7 @@
 uri:
 url: "{{ mxisd_url_endpoint_public }}"
 follow_redirects: false
+ validate_certs: "{{ matrix_mxisd_self_check_validate_certificates }}"
 register: result_mxisd
 ignore_errors: true
 
diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml
index 8117cb895..a7ed92d4b 100644
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@@ -104,6 +104,9 @@ matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
 # Specifies which SSL protocols to use when serving Riot and Synapse
 matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"
 
+# Controls whether the self-check feature should validate SSL certificates.
+matrix_nginx_proxy_self_check_validate_certificates: true
+
 # By default, this playbook automatically retrieves and auto-renews
 # free SSL certificates from Let's Encrypt.
 #
diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml
index 2ea110bfd..5f2138a4b 100644
--- a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml
+++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml
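Review bot: The comment on the new `matrix_mxisd_self_check_validate_certificates` default describes the knob but not its consequence; with validation disabled the `uri` self-check accepts any certificate, so it only confirms that the endpoint answers and no longer detects an expired or hostname-mismatched certificate. I would follow `# Controls whether the self-check feature should validate SSL certificates.` with a second line, `# When disabled, the check only confirms the endpoint answers; it will not catch an expired or mismatched certificate.` The identical one-line comment is added in the roles/matrix-nginx-proxy, roles/matrix-riot-web and roles/matrix-synapse defaults hunks and would benefit from the same addition.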
@@ -7,6 +7,7 @@
 purpose: Client Discovery
 cors: true
 follow_redirects: false
+ validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
 
 - block:
 - set_fact:
@@ -15,6 +16,7 @@
 purpose: Server Discovery
 cors: false
 follow_redirects: true
+ validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
 
 - name: Determine domains that we require certificates for (mxisd)
 set_fact:
diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml
index 6467cedbe..91dbcdc8d 100644
--- a/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml
+++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml
@@ -11,6 +11,7 @@
 url: "{{ well_known_url_matrix }}"
 follow_redirects: false
 return_content: true
+ validate_certs: "{{ well_known_file_check.validate_certs }}"
 register: result_well_known_matrix
 ignore_errors: true
 
@@ -37,6 +38,7 @@
 url: "{{ well_known_url_identity }}"
 follow_redirects: "{{ well_known_file_check.follow_redirects }}"
 return_content: true
+ validate_certs: "{{ well_known_file_check.validate_certs }}"
 register: result_well_known_identity
 ignore_errors: true
 
diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml
index 1d0803333..77534983c 100644
--- a/roles/matrix-riot-web/defaults/main.yml
+++ b/roles/matrix-riot-web/defaults/main.yml
@@ -25,3 +25,6 @@ matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org"
 # By default, there's no Riot homepage (when logged in). If you wish to have one,
 # point this to a `home.html` template file on your local filesystem.
 matrix_riot_web_embedded_pages_home_path: ~
+
+# Controls whether the self-check feature should validate SSL certificates.
+matrix_riot_web_self_check_validate_certificates: true
diff --git a/roles/matrix-riot-web/tasks/self_check_riot_web.yml b/roles/matrix-riot-web/tasks/self_check_riot_web.yml
index 1e10566f6..f16e210b7 100644
--- a/roles/matrix-riot-web/tasks/self_check_riot_web.yml
+++ b/roles/matrix-riot-web/tasks/self_check_riot_web.yml
@@ -7,6 +7,7 @@
 uri:
 url: "{{ riot_web_url_endpoint_public }}"
 follow_redirects: false
+ validate_certs: "{{ matrix_riot_web_self_check_validate_certificates }}"
 register: result_riot_web
 ignore_errors: true
 
diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml
index 7cbdc6693..5e74d760a 100644
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@@ -202,6 +202,8 @@ matrix_s3_media_store_aws_access_key: "your-aws-access-key"
 matrix_s3_media_store_aws_secret_key: "your-aws-secret-key"
 matrix_s3_media_store_region: "eu-central-1"
 
+# Controls whether the self-check feature should validate SSL certificates.
+matrix_synapse_self_check_validate_certificates: true
 
 # Matrix mautrix is a Matrix <-> Telegram bridge
 # Enable telegram bridge
@@ -673,7 +675,7 @@ matrix_appservice_discord_configuration_yaml: |
 database:
 filename: "/data/discord.db"
 userStorePath: "/data/user-store.db"
- roomStorePath: "/data/room-store.db"
+ roomStorePath: "/data/room-store.db"
 
 matrix_appservice_discord_configuration_extension_yaml: |
 # This is a sample of the config file showing all avaliable options.
@@ -765,7 +767,7 @@ matrix_appservice_discord_configuration_extension_yaml: |
 # # (Copies of a sent message may arrive from discord before we've
 # # fininished handling it, causing us to echo it back to the room)
 # discordSendDelay: 750
-
+
 matrix_appservice_discord_configuration_extension: "{{ matrix_appservice_irc_configuration_extension_yaml|from_yaml if matrix_appservice_irc_configuration_extension_yaml|from_yaml else {} }}"
 matrix_appservice_discord_configuration: "{{ matrix_appservice_discord_configuration_yaml|from_yaml|combine(matrix_appservice_discord_configuration_extension, recursive=True) }}"
 
diff --git a/roles/matrix-synapse/tasks/self_check_client_api.yml b/roles/matrix-synapse/tasks/self_check_client_api.yml
index 654f6a1a4..888ff2109 100644
--- a/roles/matrix-synapse/tasks/self_check_client_api.yml
+++ b/roles/matrix-synapse/tasks/self_check_client_api.yml
@@ -4,6 +4,7 @@
 uri:
 url: "{{ matrix_synapse_client_api_url_endpoint_public }}"
 follow_redirects: false
+ validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}"
 register: result_matrix_synapse_client_api
 ignore_errors: true
 
diff --git a/roles/matrix-synapse/tasks/self_check_federation_api.yml b/roles/matrix-synapse/tasks/self_check_federation_api.yml
index e13387e07..db3070f72 100644
--- a/roles/matrix-synapse/tasks/self_check_federation_api.yml
+++ b/roles/matrix-synapse/tasks/self_check_federation_api.yml
@@ -4,7 +4,7 @@
 uri:
 url: "{{ matrix_synapse_federation_api_url_endpoint_public }}"
 follow_redirects: false
- validate_certs: false
+ validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}"
 register: result_matrix_synapse_federation_api
 ignore_errors: true