MSC1711 Certificates FAQ

Historical Note

This document was originally written to guide server admins through the upgrade path towards Synapse 1.0. Specifically, MSC1711 required that all servers present valid TLS certificates on their federation API. Admins were encouraged to achieve compliance from version 0.99.0 (released in February 2019) ahead of version 1.0 (released June 2019) enforcing the certificate checks.

Much of what follows is now outdated since most admins will have already upgraded; however, it may be of use to those with old installs returning to the project.

If you are setting up a server from scratch you almost certainly should look at the installation guide instead.

Introduction

The goal of Synapse 0.99.0 is to act as a stepping stone to Synapse 1.0.0. It supports the r0.1 release of the server-to-server specification, but is compatible with both the legacy Matrix federation behaviour (pre-r0.1) and post-r0.1 behaviour, in order to allow for a smooth upgrade across the federation.

The most important thing to know is that Synapse 1.0.0 will require a valid TLS certificate on federation endpoints. Self-signed certificates will not be sufficient.

Synapse 0.99.0 makes it easy to configure TLS certificates and will interoperate with both >= 1.0.0 servers and existing servers yet to upgrade.

It is critical that all admins upgrade to 0.99.0 and configure a valid TLS certificate. Admins will have 1 month to do so, after which 1.0.0 will be released and those servers without a valid certificate will no longer be able to federate with >= 1.0.0 servers.