summary refs log tree commit diff
diff options
context:
space:
mode:
authorAndrew Morgan <andrew@amorgan.xyz>2019-02-05 15:49:34 +0000
committerAndrew Morgan <andrew@amorgan.xyz>2019-02-05 15:49:34 +0000
commit0af50020fd9bb591fde82876a6b543d50683bae0 (patch)
treeac03c0270de2027c1987a8fbf428f1e453d4604c
parentRe-add link to ACME docs from README (diff)
downloadsynapse-0af50020fd9bb591fde82876a6b543d50683bae0.tar.xz
Move ACME docs from INSTALL.md to ACME.md
-rw-r--r--INSTALL.md79
1 files changed, 1 insertions, 78 deletions
diff --git a/INSTALL.md b/INSTALL.md
index fd37c2d9b9..cbe4bda120 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -355,90 +355,13 @@ configured without TLS; it should be behind a reverse proxy for TLS/SSL
 termination on port 443 which in turn should be used for clients. Port 8448
 is configured to use TLS for Federation with a self-signed or verified
 certificate, but please be aware that a valid certificate will be required in
-Synapse v1.0.
+Synapse v1.0. Instructions for having Synapse automatically provision and renew federation certificates through ACME can be found at [ACME.md](docs/ACME.md).
 
 If you would like to use your own certificates, you can do so by changing
 `tls_certificate_path` and `tls_private_key_path` in `homeserver.yaml`;
 alternatively, you can use a reverse-proxy. Apart from port 8448 using TLS,
 both ports are the same in the default configuration.
 
-### ACME setup
-
-Synapse v1.0 will require valid TLS certificates for communication between servers
-(port `8448` by default) in addition to those that are client-facing (port
-`443`). In the case that your `server_name` config variable is the same as
-the hostname that the client connects to, then the same certificate can be
-used between client and federation ports without issue. Synapse v0.99.0+
-**will provision server-to-server certificates automatically for you for
-free** through [Let's Encrypt](https://letsencrypt.org/) if you tell it to.
-
-In order for Synapse to complete the ACME challenge to provision a
-certificate, it needs access to port 80. Typically listening on port 80 is
-only granted to applications running as root. There are thus two solutions to
-this problem.
-
-#### Using a reverse proxy
-
-A reverse proxy such as Apache or nginx allows a single process (the web
-server) to listen on port 80 and proxy traffic to the appropriate program
-running on your server. It is the recommended method for setting up ACME as
-it allows you to use your existing webserver while also allowing Synapse to
-provision certificates as needed.
-
-For nginx users, add the following line to your existing `server` block:
-
-```
-location /.well-known/acme-challenge {
-    proxy_pass http://localhost:8009/;
-}
-```
-
-For Apache, add the following to your existing webserver config::
-
-```
-ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge
-```
-
-Make sure to restart/reload your webserver after making changes.
-
-
-#### Authbind
-
-`authbind` allows a program which does not run as root to bind to
-low-numbered ports in a controlled way. The setup is simpler, but requires a
-webserver not to already be running on port 80. **This includes every time
-Synapse renews a certificate**, which may be cumbersome if you usually run a
-web server on port 80. Nevertheless, if you're sure port 80 is not being used
-for any other purpose then all that is necessary is the following:
-
-Install `authbind`. For example, on Debian/Ubuntu:
-
-```
-sudo apt-get install authbind
-```
-
-Allow `authbind` to bind port 80:
-
-```
-sudo touch /etc/authbind/byport/80
-sudo chmod 777 /etc/authbind/byport/80
-```
-
-When Synapse is started, use the following syntax::
-
-```
-authbind --deep <synapse start command>
-```
-
-Finally, once Synapse is able to listen on port 80 for ACME challenge
-requests, it must be told to perform ACME provisioning by setting `enabled`
-to true under the `acme` section in `homeserver.yaml`:
-
-```
-acme:
-    enabled: true
-```
-
 ## Registering a user
 
 You will need at least one user on your server in order to use a Matrix