Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
synapse
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Container Registry
Model registry
Monitor
Service Desk
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
Maunium
synapse
Commits
f092029d
Unverified
Commit
f092029d
authored
5 years ago
by
Brendan Abolivier
Browse files
Options
Downloads
Patches
Plain Diff
Update ACME.md to mention ACME v1 deprecation
parent
6cd34da8
No related branches found
No related tags found
No related merge requests found
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
docs/ACME.md
+41
-7
41 additions, 7 deletions
docs/ACME.md
with
41 additions
and
7 deletions
docs/ACME.md
+
41
−
7
View file @
f092029d
# ACME
Synapse v1.0 will require valid TLS certificates for communication between
servers (port
`8448`
by default) in addition to those that are client-facing
(port
`443`
). If you do not already have a valid certificate for your domain,
the easiest way to get one is with Synapse's new ACME support, which will use
the ACME protocol to provision a certificate automatically. Synapse v0.99.0+
will provision server-to-server certificates automatically for you for free
through
[
Let's Encrypt
](
https://letsencrypt.org/
)
if you tell it to.
From version 1.0 (June 2019) onwards, Synapse requires valid TLS
certificates for communication between servers (by default on port
`8448`
) in addition to those that are client-facing (port
`443`
). To
help homeserver admins fulfil this new requirement, Synapse v0.99.0
introduced support for automatically provisioning certificates through
[
Let's Encrypt
](
https://letsencrypt.org/
)
using the ACME protocol.
## Deprecation of ACME v1
In
[
March 2019
](
https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430
)
,
Let's Encrypt announced that they were deprecating version 1 of the ACME
protocol, with the plan to disable the use of it for new accounts in
November 2019, and for existing accounts in June 2020.
Synapse doesn't currently support version 2 of the ACME protocol, which
means that:
*
for existing installs, Synapse's built-in ACME support will continue
to work until June 2020.
*
for new installs, this feature will not work at all.
Either way, it is recommended to move from Synapse's ACME support
feature to an external automated tool such as
[
certbot
](
https://github.com/certbot/certbot
)
(or browse
[
this list
](
https://letsencrypt.org/fr/docs/client-options/
)
for an alternative ACME client).
It's also recommended to use a reverse proxy for the server-facing
communications (mode documentation about this can be found
[
here
](
/docs/reverse_proxy.md
)
) as well as the client-facing ones and
have it serve the certificates.
In case you can't do that and need Synapse to serve them itself, make
sure to set the
`tls_certificate_path`
configuration setting to the path
of the certificate (make sure to use the certificate containing the full
certification chain, e.g.
`fullchain.pem`
if using certbot) and
`tls_private_key_path`
to the path of the matching private key.
If you still want to use Synapse's built-in ACME support, the rest of
this document explains how to set it up.
## Initial setup
In the case that your
`server_name`
config variable is the same as
the hostname that the client connects to, then the same certificate can be
...
...
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
