Don't imply self-signed certs are required

This commit is contained in:
Andrew Morgan 2019-02-05 14:29:09 +00:00
parent 142b2cddf0
commit cd6fee3169

View File

@ -51,34 +51,35 @@ returned by the Client-Server API:
Upgrading to v0.99.0 Upgrading to v0.99.0
==================== ====================
In preparation for Synapse v1.0, you must update your TLS certificates from In preparation for Synapse v1.0, you must ensure your federation TLS
self-signed ones to verifiable ones signed by a trusted root CA. certificates are verifiable by signed by a trusted root CA.
If you do not already have a certificate for your domain, the easiest way to get If you do not already have a valid certificate for your domain, the easiest
one is with Synapse's new ACME support, which will use the ACME protocol to way to get one is with Synapse's new ACME support, which will use the ACME
provision a certificate automatically. By default, certificates will be obtained protocol to provision a certificate automatically. By default, certificates
from the publicly trusted CA Let's Encrypt. will be obtained from the publicly trusted CA Let's Encrypt.
For a sample configuration, please inspect the new ACME section in the example For a sample configuration, please inspect the new ACME section in the example
generated config by running the ``generate-config`` executable. For example:: generated config by running the ``generate-config`` executable. For example::
~/synapse/env3/bin/generate-config ~/synapse/env3/bin/generate-config
You will need to provide Let's Encrypt (or other ACME provider) access to your You will need to provide Let's Encrypt (or another ACME provider) access to
Synapse ACME challenge responder on port 80, at the domain of your homeserver. your Synapse ACME challenge responder on port 80, at the domain of your
This requires you either change the port of the ACME listener provided by homeserver. This requires you to either change the port of the ACME listener
Synapse to a high port and reverse proxy to it, or use a tool like authbind to provided by Synapse to a high port and reverse proxy to it, or use a tool
allow Synapse to listen on port 80 without root access. (Do not run Synapse with like ``authbind`` to allow Synapse to listen on port 80 without root access.
root permissions!) (Do not run Synapse with root permissions!)
You will need to back up or delete your self signed TLS certificate If you are already using self-signed ceritifcates, you will need to back up
(``example.com.tls.crt`` and ``example.com.tls.key``), Synapse's ACME or delete them (files ``example.com.tls.crt`` and ``example.com.tls.key`` in
implementation will not overwrite them. Synapse's root directory), Synapse's ACME implementation will not overwrite
them.
You may wish to use alternate methods such as Certbot to obtain a certificate You may wish to use alternate methods such as Certbot to obtain a certificate
from Let's Encrypt, depending on your server configuration. Of course, if you from Let's Encrypt, depending on your server configuration. Of course, if you
already have a valid certificate for your homeserver's domain, that can be already have a valid certificate for your homeserver's domain, that can be
placed in Synapse's config directory without the need for ACME. placed in Synapse's config directory without the need for any ACME setup.
Upgrading to v0.34.0 Upgrading to v0.34.0
==================== ====================