Merge pull request #6909 from matrix-org/babolivier/acme-install

Update INSTALL.md to recommend reverse proxying and warn about ACMEv1 deprecation
Brendan Abolivier 2020-02-18 15:06:06 +00:00 committed by GitHub
commit 7a782c32a2
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 18 additions and 11 deletions


@ -388,15 +388,17 @@ Once you have installed synapse as above, you will need to configure it.
## TLS certificates ## TLS certificates
The default configuration exposes a single HTTP port: http://localhost:8008. It The default configuration exposes a single HTTP port on the local
is suitable for local testing, but for any practical use, you will either need interface: `http://localhost:8008`. It is suitable for local testing,
to enable a reverse proxy, or configure Synapse to expose an HTTPS port. but for any practical use, you will need Synapse's APIs to be served
over HTTPS.
For information on using a reverse proxy, see The recommended way to do so is to set up a reverse proxy on port
`8448`. You can find documentation on doing so in
[docs/reverse_proxy.md](docs/reverse_proxy.md). [docs/reverse_proxy.md](docs/reverse_proxy.md).
To configure Synapse to expose an HTTPS port, you will need to edit Alternatively, you can configure Synapse to expose an HTTPS port. To do
`homeserver.yaml`, as follows: so, you will need to edit `homeserver.yaml`, as follows:
* First, under the `listeners` section, uncomment the configuration for the * First, under the `listeners` section, uncomment the configuration for the
TLS-enabled listener. (Remove the hash sign (`#`) at the start of TLS-enabled listener. (Remove the hash sign (`#`) at the start of
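Review bot: In the new paragraph starting "The recommended way to do so", the phrase "set up a reverse proxy on port `8448`" does not say whether 8448 is the port the proxy listens on or the port it forwards to, and it is not tied back to the `http://localhost:8008` listener described just above it. Suggest stating both ends explicitly (the proxy serves HTTPS on 8448 and forwards to the local HTTP listener), so a reader does not expose the plain HTTP port directly or point the proxy at a TLS listener that is still commented out.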
@ -414,11 +416,15 @@ To configure Synapse to expose an HTTPS port, you will need to edit
point these settings at an existing certificate and key, or you can point these settings at an existing certificate and key, or you can
enable Synapse's built-in ACME (Let's Encrypt) support. Instructions enable Synapse's built-in ACME (Let's Encrypt) support. Instructions
for having Synapse automatically provision and renew federation for having Synapse automatically provision and renew federation
certificates through ACME can be found at [ACME.md](docs/ACME.md). If you certificates through ACME can be found at [ACME.md](docs/ACME.md).
are using your own certificate, be sure to use a `.pem` file that includes Note that, as pointed out in that document, this feature will not
the full certificate chain including any intermediate certificates (for work with installs set up after November 2020.
instance, if using certbot, use `fullchain.pem` as your certificate, not
`cert.pem`). If you are using your
own certificate, be sure to use a `.pem` file that includes the full
certificate chain including any intermediate certificates (for
instance, if using certbot, use `fullchain.pem` as your certificate,
not `cert.pem`).
For a more detailed guide to configuring your server for federation, see For a more detailed guide to configuring your server for federation, see
[federate.md](docs/federate.md) [federate.md](docs/federate.md)
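Review bot: The added sentence "this feature will not work with installs set up after November 2020" gives neither the reason nor an alternative; the ACME v1 deprecation named in the PR title and the changelog entry is not mentioned in the INSTALL.md text itself. Suggest naming ACME v1 as the cause in this sentence and pointing back to the reverse proxy or own-certificate options, since an admin reading only this section is otherwise led toward a certificate provisioning path that will fail for them.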

changelog.d/6909.doc Normal file

@ -0,0 +1 @@
Update Synapse's documentation to warn about the deprecation of ACME v1.
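Review bot: The changelog line covers only the ACME v1 warning, while the PR title also says INSTALL.md now recommends reverse proxying. Suggest mentioning both, so the release notes show that the recommended way to serve Synapse over HTTPS has changed and not just that a deprecation notice was added.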