From c173e2b4918abbacf1de211c7a0549a31d7d9214 Mon Sep 17 00:00:00 2001
From: Richard van der Hoff <richard@matrix.org>
Date: Mon, 24 May 2021 17:47:39 +0100
Subject: [PATCH] Remove redundant code to reload tls cert

we don't need to reload the tls cert if we don't have any tls listeners.

Follow-up to #9280.
---
 changelog.d/10054.removal |  1 +
 synapse/app/_base.py      |  5 +----
 synapse/config/tls.py     | 22 +++-------------------
 3 files changed, 5 insertions(+), 23 deletions(-)
 create mode 100644 changelog.d/10054.removal

diff --git a/changelog.d/10054.removal b/changelog.d/10054.removal
new file mode 100644
index 000000000000..a142fb4b1a82
--- /dev/null
+++ b/changelog.d/10054.removal
@@ -0,0 +1 @@
+Removed support for the deprecated `tls_fingerprints` configuration setting. Contributed by Jerin J Titus.
diff --git a/synapse/app/_base.py b/synapse/app/_base.py
index 59918d789ec5..1329af2e2be7 100644
--- a/synapse/app/_base.py
+++ b/synapse/app/_base.py
@@ -261,13 +261,10 @@ def refresh_certificate(hs):
     Refresh the TLS certificates that Synapse is using by re-reading them from
     disk and updating the TLS context factories to use them.
     """
-
     if not hs.config.has_tls_listener():
-        # attempt to reload the certs for the good of the tls_fingerprints
-        hs.config.read_certificate_from_disk(require_cert_and_key=False)
         return
 
-    hs.config.read_certificate_from_disk(require_cert_and_key=True)
+    hs.config.read_certificate_from_disk()
     hs.tls_server_context_factory = context_factory.ServerContextFactory(hs.config)
 
     if hs._listening_services:
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index 26f1150ca506..0e9bba53c915 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -215,28 +215,12 @@ def is_disk_cert_valid(self, allow_self_signed=True):
         days_remaining = (expires_on - now).days
         return days_remaining
 
-    def read_certificate_from_disk(self, require_cert_and_key: bool):
+    def read_certificate_from_disk(self):
         """
         Read the certificates and private key from disk.
-
-        Args:
-            require_cert_and_key: set to True to throw an error if the certificate
-                and key file are not given
         """
-        if require_cert_and_key:
-            self.tls_private_key = self.read_tls_private_key()
-            self.tls_certificate = self.read_tls_certificate()
-        elif self.tls_certificate_file:
-            # we only need the certificate for the tls_fingerprints. Reload it if we
-            # can, but it's not a fatal error if we can't.
-            try:
-                self.tls_certificate = self.read_tls_certificate()
-            except Exception as e:
-                logger.info(
-                    "Unable to read TLS certificate (%s). Ignoring as no "
-                    "tls listeners enabled.",
-                    e,
-                )
+        self.tls_private_key = self.read_tls_private_key()
+        self.tls_certificate = self.read_tls_certificate()
 
     def generate_config_section(
         self,