author | Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> | 2019-02-05 17:34:43 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-02-05 17:34:43 +0000 |
commit | 4a7524ffd39eb548deac0ca8e0a623f9b3ffa047 (patch) | |
tree | a98260dbd2f5368f66f7745af45ca1ab5a1c6c4b /UPGRADE.rst | |
parent | Neilj/1711faq (#4572) (diff) | |
parent | Add TL;DR and final step details to ACME (diff) | |
download | synapse-4a7524ffd39eb548deac0ca8e0a623f9b3ffa047.tar.xz |
Merge pull request #4570 from matrix-org/anoa/self_signed_upgrade
Add ACME docs and link to it from README and INSTALL
Diffstat (limited to 'UPGRADE.rst')
-rw-r--r-- | UPGRADE.rst | 32 |
1 files changed, 4 insertions, 28 deletions
diff --git a/UPGRADE.rst b/UPGRADE.rst index 7bd631f14c..75aef366bd 100644 --- a/UPGRADE.rst +++ b/UPGRADE.rst 
@@ -51,34 +51,10 @@ returned by the Client-Server API: Upgrading to v0.99.0 ==================== -In preparation for Synapse v1.0, you must update your TLS certificates from -self-signed ones to verifiable ones signed by a trusted root CA. - -If you do not already have a certificate for your domain, the easiest way to get -one is with Synapse's new ACME support, which will use the ACME protocol to -provision a certificate automatically. By default, certificates will be obtained -from the publicly trusted CA Let's Encrypt. - -For a sample configuration, please inspect the new ACME section in the example -generated config by running the ``generate-config`` executable. For example:: - - ~/synapse/env3/bin/generate-config - -You will need to provide Let's Encrypt (or other ACME provider) access to your -Synapse ACME challenge responder on port 80, at the domain of your homeserver. -This requires you either change the port of the ACME listener provided by -Synapse to a high port and reverse proxy to it, or use a tool like authbind to -allow Synapse to listen on port 80 without root access. (Do not run Synapse with -root permissions!) - -You will need to back up or delete your self signed TLS certificate -(``example.com.tls.crt`` and ``example.com.tls.key``), Synapse's ACME -implementation will not overwrite them. - -You may wish to use alternate methods such as Certbot to obtain a certificate -from Let's Encrypt, depending on your server configuration. Of course, if you -already have a valid certificate for your homeserver's domain, that can be -placed in Synapse's config directory without the need for ACME. +Please be aware that, before Synapse v1.0 is released around March 2019, you +will need to replace any self-signed certificates with those verified by a +root CA. Information on how to do so can be found at `the ACME docs +<docs/ACME.md>`_. 
For more information on configuring TLS certificates see the `FAQ <https://github.com/matrix-org/synapse/blob/master/docs/MSC1711_certificates_FAQ.md>`_ |
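Review bot: the new link target in the replacement paragraph, `the ACME docs <docs/ACME.md>`_, is repository-relative while the FAQ link in the unchanged context line right below it is an absolute `https://github.com/matrix-org/synapse/blob/master/docs/...` URL; UPGRADE.rst is rendered in places other than the repository tree (release notes, package pages), where a relative target resolves to nothing. Suggest `https://github.com/matrix-org/synapse/blob/master/docs/ACME.md` so both links in this section behave the same. Two further points on this hunk: the removed text carried operational details that the pointer does not obviously preserve, namely that the ACME listener needs to answer on port 80 (high port plus reverse proxy, or authbind, and never running Synapse as root) and that the existing self-signed `example.com.tls.crt` / `example.com.tls.key` must be backed up or deleted because the ACME implementation will not overwrite them; confirm docs/ACME.md covers both before they disappear from the upgrade notes, or keep a one-line reminder about the existing certificate files here, since readers of this file are exactly the upgraders affected. Lastly, "around March 2019" is a hardcoded date that will go stale the moment the release slips; "before Synapse v1.0 is released" alone carries the requirement.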