Bug#960305: matrix-synapse: No instructions on setting up TLS

[devel]

Hello,

On Sun, 1 Aug 2021 12:08:50 +0200 Nicolas George  wrote:
> I have a tidbit of information to add:
> 
> The systemd service configuration says:
> 
> ExecStartPre=/usr/bin/python3 -m synapse.app.homeserver 
> --config-path=/etc/matrix-synapse/homeserver.yaml 
> --config-path=/etc/matrix-synapse/conf.d/ --generate-keys
> 
> The "--generate-keys" exists in the source code Python files.
> 
> Yet if I run this command explicitly, it does nothing at all, and strace
> shows it does nothing about the keys.

yes, since synapse!4509 [1] the `--generate-keys` argument does not trigger the
creation of TLS files anymore.
(the new alias `--generate-missing-config` for that option is less misleading)
Thus it would probably be a good idea for the matrix-synapse package to disable
the TLS configuration by default and to use the new `--generate-missing-config`
(instead of `--generate-keys`) to avoid any confusion.

Disabled TLS is also the default configuration provided by
`/usr/bin/synapse_generate_config`.
Probably most users will use a separate reverse proxy. Thus, the enabled TLS
setting could infact complicate deployment for many people.

Thank you for maintaining the package!

Cheers,
Lars


[1] https://github.com/matrix-org/synapse/pull/4509

Bug#960305: matrix-synapse: No instructions on setting up TLS

[Nicolas George]

Mikko Rasa (12020-05-11):
> Debian's homeserver configuration contains a https listener with certificate
> files stored under /etc/matrix-synapse.  However these files are not supplied
> nor generated by the package and there's no instructions on how to generate
> them.  Due to this the server won't start and it's not immediately obvious
> what should be done to correct the situation.

Hi. I am running in the same problem, and gave up considering this
project "not mature enough".

I have a tidbit of information to add:

The systemd service configuration says:

ExecStartPre=/usr/bin/python3 -m synapse.app.homeserver 
--config-path=/etc/matrix-synapse/homeserver.yaml 
--config-path=/etc/matrix-synapse/conf.d/ --generate-keys

The "--generate-keys" exists in the source code Python files.

Yet if I run this command explicitly, it does nothing at all, and strace
shows it does nothing about the keys.

Regards,

-- 
  Nicolas George


signature.asc
Description: PGP signature

Bug#960305: matrix-synapse: No instructions on setting up TLS

[Mikko Rasa]

Package: matrix-synapse
Version: 1.12.4-1
Severity: normal

Debian's homeserver configuration contains a https listener with certificate
files stored under /etc/matrix-synapse.  However these files are not supplied
nor generated by the package and there's no instructions on how to generate
them.  Due to this the server won't start and it's not immediately obvious
what should be done to correct the situation.

Most debian packages which need certificates use a self-signed "snakeoil"
certificate.  Perhaps that could also be used here?

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 
'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.35-core2-server (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), 
LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages matrix-synapse depends on:
ii  adduser3.118
ii  debconf [debconf-2.0]  1.5.74
ii  libjs-jquery   3.5.1+dfsg-3
ii  libpython3-stdlib  3.8.2-3
ii  lsb-base   11.1.0
ii  python33.8.2-3
ii  python3-attr   19.3.0-4
ii  python3-bcrypt 3.1.7-3
ii  python3-bleach 3.1.5-2
ii  python3-canonicaljson  1.1.4-3
ii  python3-daemonize  2.4.7-4
ii  python3-distutils  3.8.2-2
ii  python3-frozendict 1.2-2
ii  python3-idna   2.9-1
ii  python3-jinja2 2.11.1-1
ii  python3-jsonschema 3.2.0-3
ii  python3-lxml   4.5.0-1.1
ii  python3-msgpack0.6.2-1+b1
ii  python3-nacl   1.3.0-5
ii  python3-netaddr0.7.19-4
ii  python3-openssl19.1.0-2
ii  python3-phonenumbers   8.12.1-1
ii  python3-pil7.0.0-4+b1
ii  python3-prometheus-client  0.7.1-1.1
ii  python3-pyasn1 0.4.2-4
ii  python3-pyasn1-modules 0.2.1-1
ii  python3-pymacaroons0.13.0-3
ii  python3-service-identity   18.1.0-6
ii  python3-signedjson 1.1.0-1
ii  python3-six1.14.0-3
ii  python3-sortedcontainers   2.1.0-2
ii  python3-systemd234-3+b2
ii  python3-treq   18.6.0-0.2
ii  python3-twisted18.9.0-11
ii  python3-typing-extensions  3.7.4.2-1
ii  python3-unpaddedbase64 1.1.0-5
ii  python3-yaml   5.3.1-2

Versions of packages matrix-synapse recommends:
ii  python3-psycopg2  2.8.5-1

Versions of packages matrix-synapse suggests:
pn  python3-txacme  

-- Configuration Files:
/etc/init.d/matrix-synapse changed [not included]
/etc/matrix-synapse/homeserver.yaml [Errno 13] Permission denied: 
'/etc/matrix-synapse/homeserver.yaml'

-- debconf information excluded