This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Update ACME docs to include port instructions #4578

Merged
merged 5 commits into from Feb 7, 2019
1 change: 1 addition & 0 deletions changelog.d/4578.misc
@@ -0,0 +1 @@
Add port configuration information to ACME instructions.
26 changes: 15 additions & 11 deletions docs/ACME.md
Expand Up @@ -41,10 +41,10 @@ placed in Synapse's config directory without the need for any ACME setup.

The main steps for enabling ACME support in short summary are:

1. Allow Synapse to listen on port 80 with authbind, or forward it from a reverse-proxy.
1. Set `acme:enabled` to `true` in homeserver.yaml.
1. Allow Synapse to listen for incoming ACME challenges.
1. Enable ACME support in `homeserver.yaml`.
1. Move your old certificates (files `example.com.tls.crt` and `example.com.tls.key` out of the way if they currently exist at the paths specified in `homeserver.yaml`.
1. Restart Synapse
1. Restart Synapse.

Detailed instructions for each step are provided below.
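Review bot: the new step 1 ("Allow Synapse to listen for incoming ACME challenges.") drops the only concrete requirement the old line carried, namely that the challenge must reach Synapse on port 80, either directly via authbind or forwarded from a reverse proxy. Since this PR is specifically about port configuration, keep that detail in the summary, for example "Allow Synapse to receive ACME challenges on port 80, either with authbind or forwarded from a reverse proxy." The unchanged step 3 also has an unbalanced parenthesis: "(files `example.com.tls.crt` and `example.com.tls.key`" needs a closing `)` after `.key`.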

Expand All @@ -71,14 +71,22 @@ location /.well-known/acme-challenge {
}
```

For Apache, add the following to your existing webserver config::
For Apache, add the following to your existing webserver config:

```
ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge
```

Make sure to restart/reload your webserver after making changes.

Now make the relevant changes in `homeserver.yaml` to enable ACME support:

```
acme:
enabled: true
port: 8009
```

Member

... and restart synapse

Member Author

It tells you to at the end of the instructions. Is that too far away that people will think to finish at this point?

Member

Ah, ISWYM. Hopefully they will figure it out.

#### Authbind
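Review bot: the added `port: 8009` is never explained, and its value has to agree with the upstream used in the nginx and Apache examples above (`http://localhost:8009/.well-known/acme-challenge`); say so explicitly so that a reader who changes one knows to change the other, and note that Synapse must be restarted for the new `acme` block to take effect, since the restart is otherwise only mentioned at the end of the document. A second `acme:` block without `port` appears later under "Config file editing", so this section should also state that this block is for the reverse-proxy setup and the later one for authbind, otherwise readers may apply both.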

Expand All @@ -102,24 +110,20 @@ sudo touch /etc/authbind/byport/80
sudo chmod 777 /etc/authbind/byport/80
```

When Synapse is started, use the following syntax::
When Synapse is started, use the following syntax:

```
authbind --deep <synapse start command>
```

### Config file editing

Once Synapse is able to listen on port 80 for ACME challenge
requests, it must be told to perform ACME provisioning by setting `enabled`
to true under the `acme` section in `homeserver.yaml`:
Make the relevant changes in `homeserver.yaml` to enable ACME support:
Member

This would be better before the authbind, because we need to restart Synapse afterwards.

Member Author

Not sure I follow.

```
acme:
enabled: true
```

### Starting synapse
### (Re)starting synapse

Ensure that the certificate paths specified in `homeserver.yaml` (`tls_certificate_path` and `tls_private_key_path`) do not currently point to any files. Synapse will not provision certificates if files exist, as it does not want to overwrite existing certificates.
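Review bot: the removed paragraph explained what `enabled: true` does (tells Synapse to perform ACME provisioning) and that it presupposes Synapse can already receive challenges on port 80; the one-line replacement "Make the relevant changes in `homeserver.yaml` to enable ACME support:" loses both points and repeats the reverse-proxy section almost verbatim. Keep a sentence such as "Once Synapse can receive ACME challenges (on port 80 via authbind, or via the reverse proxy on the port set above), set `enabled` to `true` under the `acme` section", and because this block omits `port` while the reverse-proxy block sets `port: 8009`, say which listener setup this block applies to. The heading rename to "(Re)starting synapse" fits the flow raised in the inline discussion: the config change sits after the authbind setup, so the restart that follows it applies to both.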
