author Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> 2019-02-05 17:34:43 +0000
committer GitHub <noreply@github.com> 2019-02-05 17:34:43 +0000
commit 4a7524ffd39eb548deac0ca8e0a623f9b3ffa047
tree a98260dbd2f5368f66f7745af45ca1ab5a1c6c4b /UPGRADE.rst
parent Neilj/1711faq (#4572)
parent Add TL;DR and final step details to ACME
Merge pull request #4570 from matrix-org/anoa/self_signed_upgrade
Add ACME docs and link to it from README and INSTALL
Diffstat (limited to 'UPGRADE.rst')
-rw-r--r-- UPGRADE.rst 32
1 files changed, 4 insertions, 28 deletions
diff --git a/UPGRADE.rst b/UPGRADE.rst
index 7bd631f14c..75aef366bd 100644
--- a/UPGRADE.rst
+++ b/UPGRADE.rst
@@ -51,34 +51,10 @@ returned by the Client-Server API:
 Upgrading to v0.99.0
 ====================
 
-In preparation for Synapse v1.0, you must update your TLS certificates from
-self-signed ones to verifiable ones signed by a trusted root CA.
-
-If you do not already have a certificate for your domain, the easiest way to get
-one is with Synapse's new ACME support, which will use the ACME protocol to
-provision a certificate automatically. By default, certificates will be obtained
-from the publicly trusted CA Let's Encrypt.
-
-For a sample configuration, please inspect the new ACME section in the example
-generated config by running the ``generate-config`` executable. For example::
-
-  ~/synapse/env3/bin/generate-config
-
-You will need to provide Let's Encrypt (or other ACME provider) access to your
-Synapse ACME challenge responder on port 80, at the domain of your homeserver.
-This requires you either change the port of the ACME listener provided by
-Synapse to a high port and reverse proxy to it, or use a tool like authbind to
-allow Synapse to listen on port 80 without root access. (Do not run Synapse with
-root permissions!)
-
-You will need to back up or delete your self signed TLS certificate
-(``example.com.tls.crt`` and ``example.com.tls.key``), Synapse's ACME
-implementation will not overwrite them.
-
-You may wish to use alternate methods such as Certbot to obtain a certificate
-from Let's Encrypt, depending on your server configuration. Of course, if you
-already have a valid certificate for your homeserver's domain, that can be
-placed in Synapse's config directory without the need for ACME.
+Please be aware that, before Synapse v1.0 is released around March 2019, you
+will need to replace any self-signed certificates with those verified by a
+root CA. Information on how to do so can be found at `the ACME docs
+<docs/ACME.md>`_.
 
 For more information on configuring TLS certificates see the `FAQ <https://github.com/matrix-org/synapse/blob/master/docs/MSC1711_certificates_FAQ.md>`_
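
Review bot: the relative target in the added `the ACME docs <docs/ACME.md>` link at the end of the new paragraph only resolves when UPGRADE.rst is rendered from the repository root, while the FAQ link on the unchanged line just below it uses an absolute GitHub URL; suggest using the same absolute form so the link survives wherever this file is rendered. The removed text also carried two operator cautions: "Do not run Synapse with root permissions!" for the port 80 challenge listener, and that the existing ``example.com.tls.crt`` and ``example.com.tls.key`` must be backed up or deleted because Synapse's ACME implementation will not overwrite them. docs/ACME.md is not part of this diff, so please confirm both are stated there before dropping them here. Two smaller points in the added lines: "around March 2019" will go stale once v1.0 ships, and "verified by a root CA" is looser than the removed "signed by a trusted root CA", which is the wording an operator needs to pick the right certificate.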