[Pkg-matrix-maintainers] Bug#921439: matrix-synapse: Delete self-signed certificates during upgrade to version 0.99

Joseph Nuthalapati njoseph at riseup.net
Tue Feb 5 14:49:18 GMT 2019


Package: matrix-synapse
Version: 0.34.1.1-4
Severity: important

Dear maintainer,

Context:
Matrix Synapse has two ports - 8008 for communication with clients and
8448 for federation with other servers. Both need some kind of TLS
certificates. Usually, the certificates on the reverse proxy server are
used for communication with clients (8008). Port 8448 is left open in
the firewall for federation.

Problem:
Matrix versions before 0.99 have used self-signed certificates for
server to server communication (found in /etc/matrix-synapse/). Synapse
0.99 will transparently talk to Let's Encrypt and obtain the certificate
of the Matrix server to be used for federation as well. Version 1.0
onwards, all server to server communication will require each server to
have a CA-issued certificate.

Suggested fix:
The action recommended by the upstream is to delete the self-signed
certificates before upgrading to 0.99. I think the preinst script of the
package should do this deletion, so that once Synapse 0.99 comes up, it
will detect that the certificates are missing and obtain new ones from
Let's Encrypt.

Reference:
See the following FOSDEM video at around 35 minutes
https://video.fosdem.org/2019/Janson/matrix_french_state.webm

-- 
Regards,
Joseph Nuthalapati

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-matrix-maintainers/attachments/20190205/d8afb29c/attachment.sig>


More information about the Pkg-matrix-maintainers mailing list