Move ACME docs from INSTALL.md to ACME.md

pull/4570/head
Andrew Morgan 2019-02-05 15:49:34 +00:00
parent d75e15edce
commit 0af50020fd
1 changed files with 1 additions and 78 deletions

View File

@ -355,90 +355,13 @@ configured without TLS; it should be behind a reverse proxy for TLS/SSL
termination on port 443 which in turn should be used for clients. Port 8448
is configured to use TLS for Federation with a self-signed or verified
certificate, but please be aware that a valid certificate will be required in
Synapse v1.0.
Synapse v1.0. Instructions for having Synapse automatically provision and renew federation certificates through ACME can be found at [ACME.md](docs/ACME.md).
If you would like to use your own certificates, you can do so by changing
`tls_certificate_path` and `tls_private_key_path` in `homeserver.yaml`;
alternatively, you can use a reverse-proxy. Apart from port 8448 using TLS,
both ports are the same in the default configuration.
### ACME setup
Synapse v1.0 will require valid TLS certificates for communication between servers
(port `8448` by default) in addition to those that are client-facing (port
`443`). In the case that your `server_name` config variable is the same as
the hostname that the client connects to, then the same certificate can be
used between client and federation ports without issue. Synapse v0.99.0+
**will provision server-to-server certificates automatically for you for
free** through [Let's Encrypt](https://letsencrypt.org/) if you tell it to.
In order for Synapse to complete the ACME challenge to provision a
certificate, it needs access to port 80. Typically listening on port 80 is
only granted to applications running as root. There are thus two solutions to
this problem.
#### Using a reverse proxy
A reverse proxy such as Apache or nginx allows a single process (the web
server) to listen on port 80 and proxy traffic to the appropriate program
running on your server. It is the recommended method for setting up ACME as
it allows you to use your existing webserver while also allowing Synapse to
provision certificates as needed.
For nginx users, add the following line to your existing `server` block:
```
location /.well-known/acme-challenge {
proxy_pass http://localhost:8009/;
}
```
For Apache, add the following to your existing webserver config::
```
ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge
```
Make sure to restart/reload your webserver after making changes.
#### Authbind
`authbind` allows a program which does not run as root to bind to
low-numbered ports in a controlled way. The setup is simpler, but requires a
webserver not to already be running on port 80. **This includes every time
Synapse renews a certificate**, which may be cumbersome if you usually run a
web server on port 80. Nevertheless, if you're sure port 80 is not being used
for any other purpose then all that is necessary is the following:
Install `authbind`. For example, on Debian/Ubuntu:
```
sudo apt-get install authbind
```
Allow `authbind` to bind port 80:
```
sudo touch /etc/authbind/byport/80
sudo chmod 777 /etc/authbind/byport/80
```
When Synapse is started, use the following syntax::
```
authbind --deep <synapse start command>
```
Finally, once Synapse is able to listen on port 80 for ACME challenge
requests, it must be told to perform ACME provisioning by setting `enabled`
to true under the `acme` section in `homeserver.yaml`:
```
acme:
enabled: true
```
## Registering a user
You will need at least one user on your server in order to use a Matrix