Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
Matrix
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Code
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Container Registry
Model registry
Operate
Environments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Terms and privacy
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
TeDomum
Matrix
Commits
ffcbd809
Commit
ffcbd809
authored
6 years ago
by
Andrew Morgan
Browse files
Options
Downloads
Patches
Plain Diff
Actually add ACME docs
parent
0af50020
No related branches found
Branches containing commit
No related tags found
Tags containing commit
No related merge requests found
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
docs/ACME.md
+107
-0
107 additions, 0 deletions
docs/ACME.md
with
107 additions
and
0 deletions
docs/ACME.md
0 → 100644
+
107
−
0
View file @
ffcbd809
# ACME
Synapse v1.0 requires that federation TLS certificates are verifiable by a
trusted root CA. If you do not already have a valid certificate for your domain, the easiest
way to get one is with Synapse's new ACME support, which will use the ACME
protocol to provision a certificate automatically. By default, certificates
will be obtained from the publicly trusted CA Let's Encrypt.
For a sample configuration, please inspect the new ACME section in the example
generated config by running the
`generate-config`
executable. For example::
~/synapse/env3/bin/generate-config
You will need to provide Let's Encrypt (or another ACME provider) access to
your Synapse ACME challenge responder on port 80, at the domain of your
homeserver. This requires you to either change the port of the ACME listener
provided by Synapse to a high port and reverse proxy to it, or use a tool
like
`authbind`
to allow Synapse to listen on port 80 without root access.
(Do not run Synapse with root permissions!) Detailed instructions are
available under "ACME setup" below.
If you are already using self-signed certificates, you will need to back up
or delete them (files
`example.com.tls.crt`
and
`example.com.tls.key`
in
Synapse's root directory), Synapse's ACME implementation will not overwrite
them.
You may wish to use alternate methods such as Certbot to obtain a certificate
from Let's Encrypt, depending on your server configuration. Of course, if you
already have a valid certificate for your homeserver's domain, that can be
placed in Synapse's config directory without the need for any ACME setup.
## ACME setup
Synapse v1.0 will require valid TLS certificates for communication between servers
(port
`8448`
by default) in addition to those that are client-facing (port
`443`
). In the case that your
`server_name`
config variable is the same as
the hostname that the client connects to, then the same certificate can be
used between client and federation ports without issue. Synapse v0.99.0+
**
will provision server-to-server certificates automatically for you for
free
**
through
[
Let's Encrypt
](
https://letsencrypt.org/
)
if you tell it to.
In order for Synapse to complete the ACME challenge to provision a
certificate, it needs access to port 80. Typically listening on port 80 is
only granted to applications running as root. There are thus two solutions to
this problem.
### Using a reverse proxy
A reverse proxy such as Apache or nginx allows a single process (the web
server) to listen on port 80 and proxy traffic to the appropriate program
running on your server. It is the recommended method for setting up ACME as
it allows you to use your existing webserver while also allowing Synapse to
provision certificates as needed.
For nginx users, add the following line to your existing
`server`
block:
```
location /.well-known/acme-challenge {
proxy_pass http://localhost:8009/;
}
```
For Apache, add the following to your existing webserver config::
```
ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge
```
Make sure to restart/reload your webserver after making changes.
### Authbind
`authbind`
allows a program which does not run as root to bind to
low-numbered ports in a controlled way. The setup is simpler, but requires a
webserver not to already be running on port 80.
**
This includes every time
Synapse renews a certificate
**
, which may be cumbersome if you usually run a
web server on port 80. Nevertheless, if you're sure port 80 is not being used
for any other purpose then all that is necessary is the following:
Install
`authbind`
. For example, on Debian/Ubuntu:
```
sudo apt-get install authbind
```
Allow
`authbind`
to bind port 80:
```
sudo touch /etc/authbind/byport/80
sudo chmod 777 /etc/authbind/byport/80
```
When Synapse is started, use the following syntax::
```
authbind --deep <synapse start command>
```
Finally, once Synapse is able to listen on port 80 for ACME challenge
requests, it must be told to perform ACME provisioning by setting
`enabled`
to true under the
`acme`
section in
`homeserver.yaml`
:
```
acme:
enabled: true
```
\ No newline at end of file
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
