Merge branch 'master' into develop

7a22a645 · Richard van der Hoff · 7fe407a8 · 624b172e · 7a22a645 · 7a22a645
Commit 7a22a645 authored 6 years ago by Richard van der Hoff
--- a/changelog.d/4578.misc
+++ b/changelog.d/4578.misc
+Add port configuration information to ACME instructions.
\ No newline at end of file
--- a/docs/ACME.md
+++ b/docs/ACME.md
@@ -41,10 +41,10 @@ placed in Synapse's config directory without the need for any ACME setup.

 The main steps for enabling ACME support in short summary are:

-1. Allow Synapse to listen on port 80 with authbind, or forward it from a reverse-proxy.
-1. Set `acme:enabled` to `true` in homeserver.yaml.
+1. Allow Synapse to listen for incoming ACME challenges.
+1. Enable ACME support in `homeserver.yaml`.
 1. Move your old certificates (files `example.com.tls.crt` and `example.com.tls.key` out of the way if they currently exist at the paths specified in `homeserver.yaml`.
-1. Restart Synapse
+1. Restart Synapse.

 Detailed instructions for each step are provided below.

@@ -71,7 +71,7 @@ location /.well-known/acme-challenge {
 }
 ```

-For Apache, add the following to your existing webserver config::
+For Apache, add the following to your existing webserver config:

 ```
 ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge
@@ -79,6 +79,14 @@ ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-cha

 Make sure to restart/reload your webserver after making changes.

+Now make the relevant changes in `homeserver.yaml` to enable ACME support:
+
+```
+acme:
+    enabled: true
+    port: 8009
+```
+

 #### Authbind

@@ -102,24 +110,20 @@ sudo touch /etc/authbind/byport/80
 sudo chmod 777 /etc/authbind/byport/80
 ```

-When Synapse is started, use the following syntax::
+When Synapse is started, use the following syntax:

 ```
 authbind --deep <synapse start command>
 ```

-### Config file editing
-
-Once Synapse is able to listen on port 80 for ACME challenge
-requests, it must be told to perform ACME provisioning by setting `enabled`
-to true under the `acme` section in `homeserver.yaml`:
+Make the relevant changes in `homeserver.yaml` to enable ACME support:

 ```
 acme:
    enabled: true
 ```

-### Starting synapse
+### (Re)starting synapse

 Ensure that the certificate paths specified in `homeserver.yaml` (`tls_certificate_path` and `tls_private_key_path`) do not currently point to any files. Synapse will not provision certificates if files exist, as it does not want to overwrite existing certificates.


--- a/docs/MSC1711_certificates_FAQ.md
+++ b/docs/MSC1711_certificates_FAQ.md
@@ -112,7 +112,7 @@ _matrix._tcp.example.com. IN SRV 10 5 443 customer.example.net.

 In this situation, you have two choices for how to proceed:

-#### Option 1: give Synapse a certificate for your matrix domain
+#### Option 1: give Synapse (or a reverse-proxy) a certificate for your matrix domain

 Synapse 1.0 will expect your server to present a TLS certificate for your
 `server_name` (`example.com` in the above example). You can achieve this by