From d14ef08d5b85ba5ac99aae03d4799010dccd357e Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Fri, 1 Dec 2017 12:07:27 +0100
Subject: [PATCH] Fix SSL certificate renewal for the custom-proxy-server case

When using matrix-nginx-proxy, the file permissions are organized in a way that matrix-nginx-proxy could read the challenge files produced by acmetool. However, when another own/external webserver was used (like nginx with our generated sample configuration), this could not work. From on we're proxying the HTTP requests to port :402 in such a case, which fixes the problem.
---
 .../templates/nginx-conf.d/matrix-riot-web.conf.j2 | 10 ++++++++++
 .../templates/nginx-conf.d/matrix-synapse.conf.j2 | 10 ++++++++++
 2 files changed, 20 insertions(+)

diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2
index b96fd5a6..30ce8a75 100644
--- a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2
+++ b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2
@@ -5,8 +5,18 @@ server {
 server_tokens off;
 location /.well-known/acme-challenge {
+ {#
+ The proxy can access the files directly.
+ An external server likely does not have permission to read these files,
+ so we'll just proxy to acme's :402 port.
+ #}
+
+ {%- if matrix_nginx_proxy_enabled -%}
 default_type "text/plain";
 alias {{ matrix_ssl_certs_path }}/run/acme-challenge;
+ {%- else -%}
+ proxy_pass http://localhost:402;
+ {% endif %}
 }
 location / {
diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2
index a9e3b1ee..cc2eb21a 100644
--- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2
+++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2
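Review bot: `proxy_pass http://localhost:402;` in the new else branch leaves it to the system resolver, at nginx startup, whether `localhost` means 127.0.0.1, ::1 or both; when it resolves to both, nginx round-robins the challenge requests across the two addresses, and if the acmetool listener is bound to only one of them every other challenge fetch gets a 502, which makes renewals fail intermittently rather than outright. Pin the address instead: `proxy_pass http://127.0.0.1:402;`. Whether the :402 listener is actually reachable on the host's loopback in the external-webserver case (rather than only inside a container network) is not visible in this hunk and should be confirmed, since that is precisely the case this branch serves. The same line appears in the matrix-synapse template and needs the same change.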
@@ -5,8 +5,18 @@ server {
 server_tokens off;
 location /.well-known/acme-challenge {
+ {#
+ The proxy can access the files directly.
+ An external server likely does not have permission to read these files,
+ so we'll just proxy to acme's :402 port.
+ #}
+
+ {%- if matrix_nginx_proxy_enabled -%}
 default_type "text/plain";
 alias {{ matrix_ssl_certs_path }}/run/acme-challenge;
+ {%- else -%}
+ proxy_pass http://localhost:402;
+ {% endif %}
 }
 location / {
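Review bot: The rationale for proxying to :402 is written as a `{# ... #}` Jinja comment, which is stripped at render time, so an operator reading the deployed nginx config in the external-webserver case sees an unexplained `proxy_pass` to a loopback port and nothing telling them where the ACME challenge files actually live or why this server does not serve them itself. Emit the explanation as an nginx comment inside the else branch instead, e.g. `# This webserver cannot read acmetool's challenge files; acmetool serves them itself on :402.` directly above the `proxy_pass` line. The whitespace control is also uneven: `{%- if ... -%}` and `{%- else -%}` trim on both sides while `{% endif %}` trims on neither, so the whitespace surrounding the rendered directives depends on which branch is taken; harmless to nginx, but trimming all three tags the same way keeps the output predictable. Both points apply identically to the matrix-riot-web hunk.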