mirror of
https://github.com/element-hq/synapse.git
synced 2024-11-25 11:05:49 +03:00
Don't imply self-signed certs are required
This commit is contained in:
parent
142b2cddf0
commit
cd6fee3169
1 changed files with 17 additions and 16 deletions
33
UPGRADE.rst
33
UPGRADE.rst
|
@ -51,34 +51,35 @@ returned by the Client-Server API:
|
||||||
Upgrading to v0.99.0
|
Upgrading to v0.99.0
|
||||||
====================
|
====================
|
||||||
|
|
||||||
In preparation for Synapse v1.0, you must update your TLS certificates from
|
In preparation for Synapse v1.0, you must ensure your federation TLS
|
||||||
self-signed ones to verifiable ones signed by a trusted root CA.
|
certificates are verifiable by signed by a trusted root CA.
|
||||||
|
|
||||||
If you do not already have a certificate for your domain, the easiest way to get
|
If you do not already have a valid certificate for your domain, the easiest
|
||||||
one is with Synapse's new ACME support, which will use the ACME protocol to
|
way to get one is with Synapse's new ACME support, which will use the ACME
|
||||||
provision a certificate automatically. By default, certificates will be obtained
|
protocol to provision a certificate automatically. By default, certificates
|
||||||
from the publicly trusted CA Let's Encrypt.
|
will be obtained from the publicly trusted CA Let's Encrypt.
|
||||||
|
|
||||||
For a sample configuration, please inspect the new ACME section in the example
|
For a sample configuration, please inspect the new ACME section in the example
|
||||||
generated config by running the ``generate-config`` executable. For example::
|
generated config by running the ``generate-config`` executable. For example::
|
||||||
|
|
||||||
~/synapse/env3/bin/generate-config
|
~/synapse/env3/bin/generate-config
|
||||||
|
|
||||||
You will need to provide Let's Encrypt (or other ACME provider) access to your
|
You will need to provide Let's Encrypt (or another ACME provider) access to
|
||||||
Synapse ACME challenge responder on port 80, at the domain of your homeserver.
|
your Synapse ACME challenge responder on port 80, at the domain of your
|
||||||
This requires you either change the port of the ACME listener provided by
|
homeserver. This requires you to either change the port of the ACME listener
|
||||||
Synapse to a high port and reverse proxy to it, or use a tool like authbind to
|
provided by Synapse to a high port and reverse proxy to it, or use a tool
|
||||||
allow Synapse to listen on port 80 without root access. (Do not run Synapse with
|
like ``authbind`` to allow Synapse to listen on port 80 without root access.
|
||||||
root permissions!)
|
(Do not run Synapse with root permissions!)
|
||||||
|
|
||||||
You will need to back up or delete your self signed TLS certificate
|
If you are already using self-signed ceritifcates, you will need to back up
|
||||||
(``example.com.tls.crt`` and ``example.com.tls.key``), Synapse's ACME
|
or delete them (files ``example.com.tls.crt`` and ``example.com.tls.key`` in
|
||||||
implementation will not overwrite them.
|
Synapse's root directory), Synapse's ACME implementation will not overwrite
|
||||||
|
them.
|
||||||
|
|
||||||
You may wish to use alternate methods such as Certbot to obtain a certificate
|
You may wish to use alternate methods such as Certbot to obtain a certificate
|
||||||
from Let's Encrypt, depending on your server configuration. Of course, if you
|
from Let's Encrypt, depending on your server configuration. Of course, if you
|
||||||
already have a valid certificate for your homeserver's domain, that can be
|
already have a valid certificate for your homeserver's domain, that can be
|
||||||
placed in Synapse's config directory without the need for ACME.
|
placed in Synapse's config directory without the need for any ACME setup.
|
||||||
|
|
||||||
Upgrading to v0.34.0
|
Upgrading to v0.34.0
|
||||||
====================
|
====================
|
||||||
|
|
Loading…
Reference in a new issue