Update ACME docs to include port instructions #4578

Merged
merged 5 commits into from Feb 7, 2019

3 participants
@anoadragon453
Member

commented Feb 6, 2019

Update ACME docs to add information for port configuration.

@anoadragon453 anoadragon453 requested a review from matrix-org/synapse-core Feb 6, 2019

@richvdh
Member

left a comment

looks good, but would it be clearer to just have the config file info twice (once for reverse-proxy, once for authbind)?

@anoadragon453

Member Author

commented Feb 6, 2019

Yeah probably.

@anoadragon453 anoadragon453 requested a review from matrix-org/synapse-core Feb 6, 2019

@codecov-io


commented Feb 6, 2019

Codecov Report

Merging #4578 into release-v0.99.0 will decrease coverage by <.01%.
The diff coverage is n/a.

```
@@                Coverage Diff                 @@
##           release-v0.99.0   #4578      +/-   ##
==================================================
- Coverage             74.9%   74.9%   -0.01%     
==================================================
  Files                  338     338              
  Lines                34495   34495              
  Branches              5619    5619              
==================================================
- Hits                 25840   25839       -1     
+ Misses                7074    7072       -2     
- Partials              1581    1584       +3
```

1. Allow Synapse to listen on port 80 with authbind, or forward it from a reverse-proxy.
1. Set `acme:enabled` to `true` in homeserver.yaml.
1. Allow Synapse to listen on port 80 with `authbind`, or forward it to port `8009` from a reverse-proxy.
1. Set `acme:enabled` to `true` and `acme:port` to the appropriate port (`8009` for reverse-proxy, `80` for listening directly with `authbind`) in homeserver.yaml.

@richvdh

richvdh Feb 6, 2019

Member

you don't need to set acme:port if it's port 80, and it's starting to just be a duplicate of the information below. Can we make this snappier and handwavier: "enable acme support in homeserver.yaml".

@@ -41,8 +41,8 @@ placed in Synapse's config directory without the need for any ACME setup.

The main steps for enabling ACME support in short summary are:

1. Allow Synapse to listen on port 80 with authbind, or forward it from a reverse-proxy.
1. Set `acme:enabled` to `true` in homeserver.yaml.
1. Allow Synapse to listen on port 80 with `authbind`, or forward it to port `8009` from a reverse-proxy.

@richvdh

richvdh Feb 6, 2019

Member

again, I think specifying the destination port here is overdetailed

Once Synapse is able to listen on port 80 for ACME challenge
requests, it must be told to perform ACME provisioning by setting `enabled`
to true under the `acme` section in `homeserver.yaml`:
Once Synapse is able to listen on port 80 for ACME challenge requests, either

@richvdh

richvdh Feb 6, 2019

Member

surely just stick the two halves of this under the relevant sections above?

@anoadragon453 anoadragon453 requested a review from matrix-org/synapse-core Feb 6, 2019

@richvdh
Copy link
Member

left a comment

nearly!


```
acme:
enabled: true
port: 80
```

@richvdh

richvdh Feb 6, 2019

Member

this is redundant

```
enabled: true
port: 8009
```
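Review bot: the second snippet (`enabled: true` / `port: 8009`) drops the `acme:` parent key that the first snippet shows, so a reader copying it verbatim would end up with `enabled` and `port` at the top level of homeserver.yaml instead of nested under `acme`. Either repeat the `acme:` line in the second snippet or, as suggested above, merge the two into a single snippet with a comment on which port value applies to the authbind and reverse-proxy cases.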

@richvdh

richvdh Feb 6, 2019

Member

... and restart synapse

@anoadragon453

anoadragon453 Feb 7, 2019

Author Member

It tells you to at the end of the instructions. Is that too far away that people will think to finish at this point?

@richvdh

richvdh Feb 7, 2019

Member

ah ISWYM. hopefully they will figure it out.


```
ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge
```

Make sure to restart/reload your webserver after making changes.

Finally, make the relevant changes in `homeserver.yaml` to enable ACME support:
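Review bot: the `ProxyPass` line is Apache httpd syntax, while the surrounding text only says "your webserver", so the snippet should be labelled as the Apache form and readers on other reverse proxies told to use the equivalent directive. Forwarding only the `/.well-known/acme-challenge` path to `localhost:8009` is the right scope; keep the example that narrow rather than proxying the whole host to the ACME listener.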

@richvdh

richvdh Feb 6, 2019

Member

not finally, because you have to restart

Once Synapse is able to listen on port 80 for ACME challenge
requests, it must be told to perform ACME provisioning by setting `enabled`
to true under the `acme` section in `homeserver.yaml`:
Make the relevant changes in `homeserver.yaml` to enable ACME support:

@richvdh

richvdh Feb 6, 2019

Member

this would be better before the authbind, because we need to restart synapse afterwards

@anoadragon453

anoadragon453 Feb 7, 2019

Author Member

Not sure I follow.

@richvdh

richvdh approved these changes Feb 7, 2019

Member

left a comment

lgtm!

@richvdh richvdh merged commit c17b128 into release-v0.99.0 Feb 7, 2019

1 of 5 checks passed

- ci/circleci: sytestpy2merged: Your tests failed on CircleCI
- ci/circleci: sytestpy2postgresmerged: Your tests failed on CircleCI
- ci/circleci: sytestpy3merged: Your tests failed on CircleCI
- ci/circleci: sytestpy3postgresmerged: Your tests failed on CircleCI
- continuous-integration/travis-ci/pr: The Travis CI build passed

richvdh added a commit that referenced this pull request Feb 14, 2019

Merge tag 'v0.99.1'
Synapse 0.99.1 (2019-02-14)
===========================

Features
--------

- Include m.room.encryption on invites by default ([\#3902](#3902))
- Federation OpenID listener resource can now be activated even if federation is disabled ([\#4420](#4420))
- Synapse's ACME support will now correctly reprovision a certificate that approaches its expiry while Synapse is running. ([\#4522](#4522))
- Add ability to update backup versions ([\#4580](#4580))
- Allow the "unavailable" presence status for /sync.
  This change makes Synapse compliant with r0.4.0 of the Client-Server specification. ([\#4592](#4592))
- There is no longer any need to specify `no_tls`: it is inferred from the absence of TLS listeners ([\#4613](#4613), [\#4615](#4615), [\#4617](#4617), [\#4636](#4636))
- The default configuration no longer requires TLS certificates. ([\#4614](#4614))

Bugfixes
--------

- Copy over room federation ability on room upgrade. ([\#4530](#4530))
- Fix noisy "twisted.internet.task.TaskStopped" errors in logs ([\#4546](#4546))
- Synapse is now tolerant of the `tls_fingerprints` option being None or not specified. ([\#4589](#4589))
- Fix 'no unique or exclusion constraint' error ([\#4591](#4591))
- Transfer Server ACLs on room upgrade. ([\#4608](#4608))
- Fix failure to start when no TLS certificate was given even if TLS was disabled. ([\#4618](#4618))
- Fix self-signed cert notice from generate-config. ([\#4625](#4625))
- Fix performance of `user_ips` table deduplication background update ([\#4626](#4626), [\#4627](#4627))

Internal Changes
----------------

- Change the user directory state query to use a filtered call to the db instead of a generic one. ([\#4462](#4462))
- Reject federation transactions if they include more than 50 PDUs or 100 EDUs. ([\#4513](#4513))
- Reduce duplication of ``synapse.app`` code. ([\#4567](#4567))
- Fix docker upload job to push -py2 images. ([\#4576](#4576))
- Add port configuration information to ACME instructions. ([\#4578](#4578))
- Update MSC1711 FAQ to clarify .well-known usage ([\#4584](#4584))
- Clean up default listener configuration ([\#4586](#4586))
- Clarifications for reverse proxy docs ([\#4607](#4607))
- Move ClientTLSOptionsFactory init out of `refresh_certificates` ([\#4611](#4611))
- Fail cleanly if listener config lacks a 'port' ([\#4616](#4616))
- Remove redundant entries from docker config ([\#4619](#4619))
- README updates ([\#4621](#4621))

@anoadragon453 anoadragon453 deleted the anoa/update_docs_port branch Apr 9, 2019
