diff options
| author | Andrew Morgan <andrew@amorgan.xyz> | 2019-02-05 15:29:42 +0000 |
|---|---|---|
| committer | Andrew Morgan <andrew@amorgan.xyz> | 2019-02-05 15:33:23 +0000 |
| commit | 08b26afeee7b7db8c9d511cb63244927cf48ba9d (patch) | |
| tree | cab1fa9eef5b115dfc2ded50af30d45c59159069 /UPGRADE.rst | |
| parent | Don't imply self-signed certs are required (diff) | |
| download | synapse-08b26afeee7b7db8c9d511cb63244927cf48ba9d.tar.xz | |
Move ACME docs to docs/ACME.rst and link from UPGRADE.
Diffstat (limited to 'UPGRADE.rst')
| -rw-r--r-- | UPGRADE.rst | 33 |
1 files changed, 4 insertions, 29 deletions
diff --git a/UPGRADE.rst b/UPGRADE.rst index f6cdec4734..74d2452749 100644 --- a/UPGRADE.rst +++ b/UPGRADE.rst @@ -51,35 +51,10 @@ returned by the Client-Server API: Upgrading to v0.99.0 ==================== -In preparation for Synapse v1.0, you must ensure your federation TLS -certificates are verifiable by signed by a trusted root CA. - -If you do not already have a valid certificate for your domain, the easiest -way to get one is with Synapse's new ACME support, which will use the ACME -protocol to provision a certificate automatically. By default, certificates -will be obtained from the publicly trusted CA Let's Encrypt. - -For a sample configuration, please inspect the new ACME section in the example -generated config by running the ``generate-config`` executable. For example:: - - ~/synapse/env3/bin/generate-config - -You will need to provide Let's Encrypt (or another ACME provider) access to -your Synapse ACME challenge responder on port 80, at the domain of your -homeserver. This requires you to either change the port of the ACME listener -provided by Synapse to a high port and reverse proxy to it, or use a tool -like ``authbind`` to allow Synapse to listen on port 80 without root access. -(Do not run Synapse with root permissions!) - -If you are already using self-signed ceritifcates, you will need to back up -or delete them (files ``example.com.tls.crt`` and ``example.com.tls.key`` in -Synapse's root directory), Synapse's ACME implementation will not overwrite -them. - -You may wish to use alternate methods such as Certbot to obtain a certificate -from Let's Encrypt, depending on your server configuration. Of course, if you -already have a valid certificate for your homeserver's domain, that can be -placed in Synapse's config directory without the need for any ACME setup. +No special steps are required, but please be aware that you will need to +replace any self-signed certificates with those verified by a root CA before +Synapse v1.0 releases in roughly a month's time after v0.99.0. Information on +how to do so can be found at `the ACME docs <docs/ACME.rst>`_. Upgrading to v0.34.0 ==================== |