mirror of
https://git.anonymousland.org/anonymousland/synapse.git
synced 2025-01-24 19:11:03 -05:00
Update ACME
parent
e119cec229
commit
2ca63df83b
31
docs/ACME.md
@ -1,15 +1,23 @@
|
|||||||
# ACME
|
# ACME
|
||||||
|
|
||||||
Synapse v1.0 requires that federation TLS certificates are verifiable by a
|
Synapse v1.0 will require valid TLS certificates for communication between
|
||||||
trusted root CA. If you do not already have a valid certificate for your domain, the easiest
|
servers (port `8448` by default) in addition to those that are client-facing
|
||||||
way to get one is with Synapse's new ACME support, which will use the ACME
|
(port `443`). If you do not already have a valid certificate for your domain,
|
||||||
protocol to provision a certificate automatically. By default, certificates
|
the easiest way to get one is with Synapse's new ACME support, which will use
|
||||||
will be obtained from the publicly trusted CA Let's Encrypt.
|
the ACME protocol to provision a certificate automatically. Synapse v0.99.0+
|
||||||
|
will provision server-to-server certificates automatically for you for free
|
||||||
|
through [Let's Encrypt](https://letsencrypt.org/) if you tell it to.
|
||||||
|
|
||||||
|
In the case that your `server_name` config variable is the same as
|
||||||
|
the hostname that the client connects to, then the same certificate can be
|
||||||
|
used between client and federation ports without issue.
|
||||||
|
|
||||||
For a sample configuration, please inspect the new ACME section in the example
|
For a sample configuration, please inspect the new ACME section in the example
|
||||||
generated config by running the `generate-config` executable. For example::
|
generated config by running the `generate-config` executable. For example:
|
||||||
|
|
||||||
~/synapse/env3/bin/generate-config
|
```
|
||||||
|
~/synapse/env3/bin/generate-config
|
||||||
|
```
|
||||||
|
|
||||||
You will need to provide Let's Encrypt (or another ACME provider) access to
|
You will need to provide Let's Encrypt (or another ACME provider) access to
|
||||||
your Synapse ACME challenge responder on port 80, at the domain of your
|
your Synapse ACME challenge responder on port 80, at the domain of your
|
||||||
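Review bot: the rewritten opening in this hunk drops the old wording that federation certificates must be "verifiable by a trusted root CA" and replaces it with "valid TLS certificates", which no longer states the actual v1.0 requirement that the certificate chain validate against a trusted root; it also loses the sentence "By default, certificates will be obtained from the publicly trusted CA Let's Encrypt." Suggest keeping the root-CA wording, e.g. "Synapse v1.0 will require TLS certificates verifiable by a trusted root CA for communication between servers (port `8448` by default) ...". The change from `For example::` to `For example:` together with the added code fence around `~/synapse/env3/bin/generate-config` correctly converts the leftover reStructuredText literal-block marker to Markdown.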
@ -31,13 +39,6 @@ placed in Synapse's config directory without the need for any ACME setup.
|
|||||||
|
|
||||||
## ACME setup
|
## ACME setup
|
||||||
|
|
||||||
Synapse v1.0 will require valid TLS certificates for communication between servers
|
|
||||||
(port `8448` by default) in addition to those that are client-facing (port
|
|
||||||
`443`). In the case that your `server_name` config variable is the same as
|
|
||||||
the hostname that the client connects to, then the same certificate can be
|
|
||||||
used between client and federation ports without issue. Synapse v0.99.0+
|
|
||||||
**will provision server-to-server certificates automatically for you for
|
|
||||||
free** through [Let's Encrypt](https://letsencrypt.org/) if you tell it to.
|
|
||||||
|
|
||||||
In order for Synapse to complete the ACME challenge to provision a
|
In order for Synapse to complete the ACME challenge to provision a
|
||||||
certificate, it needs access to port 80. Typically listening on port 80 is
|
certificate, it needs access to port 80. Typically listening on port 80 is
|
||||||
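Review bot: the paragraph deleted here is moved into the introduction in the first hunk, but its bold emphasis ("**will provision server-to-server certificates automatically for you for free**") is dropped in the new location; if the emphasis was deliberate, restore it where the sentence now lives. Otherwise the removal is fine: the header's line counts (13 down to 6) match the seven removed lines, and "## ACME setup" now leads directly into the port 80 instructions without repeating the certificate requirement.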
@ -97,6 +98,8 @@ When Synapse is started, use the following syntax::
|
|||||||
authbind --deep <synapse start command>
|
authbind --deep <synapse start command>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Config file editing
|
||||||
|
|
||||||
Finally, once Synapse is able to listen on port 80 for ACME challenge
|
Finally, once Synapse is able to listen on port 80 for ACME challenge
|
||||||
requests, it must be told to perform ACME provisioning by setting `enabled`
|
requests, it must be told to perform ACME provisioning by setting `enabled`
|
||||||
to true under the `acme` section in `homeserver.yaml`:
|
to true under the `acme` section in `homeserver.yaml`:
|
||||||
|
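Review bot: the new `## Config file editing` heading makes the following paragraph the start of its own section, but that paragraph still opens with "Finally, once Synapse is able to listen on port 80 for ACME challenge requests", which reads as a continuation of the authbind text above it; suggest dropping "Finally," now that the text has its own heading. Also, the hunk header's context line `When Synapse is started, use the following syntax::` still carries the reStructuredText double colon that the first hunk fixed for `For example:`, so the same `::` to `:` fix should be applied here for consistency.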