Add docs for ACME setup #4547
Add docs for ACME setup #4547
Conversation
Codecov Report
@@ Coverage Diff @@
## release-v0.99.0 #4547 +/- ##
==================================================
- Coverage 74.91% 74.9% -0.02%
==================================================
Files 338 338
Lines 34495 34495
Branches 5619 5619
==================================================
- Hits 25843 25839 -4
- Misses 7069 7074 +5
+ Partials 1583 1582 -1 |
README.rst
Outdated
| automatically for you for free** through `Let's Encrypt | ||
| <https://letsencrypt.org/>`_ if you tell it to. | ||
|
|
||
| Note: Synapse does not currently hot-renew Let's Encrypt certificates for |
README.rst
Outdated
|
|
||
| Synapse requires valid TLS certificates for communication between servers | ||
| (port ``8448`` by default) in addition to those that are client-facing (port | ||
| ``443``). Synapse **will provision server-to-server certificates |
There was a problem hiding this comment.
we should mention that they can be the same cert if the server_name is the same as the hostname that the client connects to.
README.rst
Outdated
| **Using a reverse proxy** | ||
|
|
||
| A reverse proxy such as Apache or Nginx allows a single process (the web | ||
| server) to listen on port 80 and redirect traffic to the appropriate program |
README.rst
Outdated
| not being used for any other purpose then all that is necessary is the | ||
| following: | ||
|
|
||
| Install ``authbind``:: |
There was a problem hiding this comment.
| Install ``authbind``:: | |
| Install ``authbind``. For example, on Debian/Ubuntu:: |
README.rst
Outdated
| # authbind syntax. don't start Synapse yet | ||
| authbind --deep <synapse start command> | ||
|
|
||
| If using the `Systemd`_ service file above, you can change the following line |
There was a problem hiding this comment.
there is no systemd file; need to change this to use synctl
README.rst
Outdated
| certificate, but please be aware that a valid certificate will be required in | ||
| Synapse v1.0. | ||
|
|
||
| If you would like to do initial testing with a client without having to setup |
There was a problem hiding this comment.
I don't think this is limited to initial testing?
README.rst
Outdated
| the default 8448. However, if you are thinking of using a reverse-proxy on the | ||
| federation port, which is not recommended, be sure to read | ||
| `Reverse-proxying the federation port`_ first.) | ||
| the default 8448. |
There was a problem hiding this comment.
| the default 8448. | |
| the default 8448.) |
README.rst
Outdated
| ``Certificates[0].SHA256Fingerprint`` (the fingerprint of the certificate | ||
| presented by your reverse-proxy) matches ``Keys.tls_fingerprints[0].sha256`` | ||
| (the fingerprint of the certificate Synapse is using). | ||
| Please see `ACME setup`_ for details on reverse-proxying the federation port. |
There was a problem hiding this comment.
the acme setup section doesn't say anything about reverse-proxying port 8448. Suggest removing this sentence.
anoadragon453
force-pushed
the
anoa/acme_docs
branch
from
98ea34c to
09ca6e7
Compare
anoadragon453
force-pushed
the
anoa/acme_docs
branch
from
09ca6e7 to
7f914a2
Compare
README.rst
Outdated
|
|
||
| authbind --deep <synapse start command> | ||
|
|
||
| If you would like to use your own certificates, you can do so by |
There was a problem hiding this comment.
can we take this out of the acme>authbind section? maybe put it above 'ACME setup' ?
README.rst
Outdated
| If you would like to use your own certificates, you can do so by | ||
| changing ``tls_certificate_path`` and ``tls_private_key_path`` in | ||
| ``homeserver.yaml``; alternatively, you can use a reverse-proxy, but be sure | ||
| to read `Using a reverse proxy with Synapse`_ when doing so. Apart from port |
There was a problem hiding this comment.
I don't think there's anything terribly relevant in the "Using a reverse proxy" section; I'd omit the link.
README.rst
Outdated
| changing ``tls_certificate_path`` and ``tls_private_key_path`` in | ||
| ``homeserver.yaml``; alternatively, you can use a reverse-proxy, but be sure | ||
| to read `Using a reverse proxy with Synapse`_ when doing so. Apart from port | ||
| 8448 using TLS, both ports are the same in the default configuration. |
There was a problem hiding this comment.
I'm not sure what this is talking about. Tempted to just take out the line.
README.rst
Outdated
| 8448 for server-server connections. All the Matrix endpoints begin ``/_matrix``, | ||
| so an example nginx configuration might look like:: | ||
| The recommended setup is therefore to configure your reverse-proxy on port | ||
| 443 to port 8008 of synapse for client connections, and port 8448 for |
There was a problem hiding this comment.
this makes no sense.
I think the recommendation (if you're going to use a reverse-proxy) should be:
- set
no_tls: Trueand remove thetlslisteners from the synapse config - have reverse proxy listen on both 443 and 8448, and forward both to port 8008.
However, this is starting to all get out of scope. For now I suggest: you remove this paragraph and just say "An example nginx configuration for forwarding client connections to synapse is::"
Co-Authored-By: anoadragon453 <1342360+anoadragon453@users.noreply.github.com>
Co-Authored-By: anoadragon453 <1342360+anoadragon453@users.noreply.github.com>
Add documentation for ACME certificate provisioning in Synapse v0.99.0+.