From 7998ca3a6616653fe8b76da3d7fd3c91d0d9597e Mon Sep 17 00:00:00 2001
From: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
Date: Wed, 13 Mar 2019 15:26:29 +0000
Subject: [PATCH] Document using a certificate with a full chain (#4849)

---
 INSTALL.md | 8 ++++++--
 changelog.d/4849.misc | 1 +
 docs/sample_config.yaml | 5 +++++
 synapse/config/tls.py | 5 +++++
 4 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 changelog.d/4849.misc

diff --git a/INSTALL.md b/INSTALL.md
index 76833e0f8c44..de6893530d26 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -375,9 +375,13 @@ To configure Synapse to expose an HTTPS port, you will need to edit
 * You will also need to uncomment the `tls_certificate_path` and `tls_private_key_path` lines under the `TLS` section. You can either point these settings at an existing certificate and key, or you can
- enable Synapse's built-in ACME (Let's Encrypt) support. Instructions
+ enable Synapse's built-in ACME (Let's Encrypt) support. Instructions
 for having Synapse automatically provision and renew federation
- certificates through ACME can be found at [ACME.md](docs/ACME.md).
+ certificates through ACME can be found at [ACME.md](docs/ACME.md). If you
+ are using your own certificate, be sure to use a `.pem` file that includes
+ the full certificate chain including any intermediate certificates (for
+ instance, if using certbot, use `fullchain.pem` as your certificate, not
+ `cert.pem`).
 
 For those of you upgrading your TLS certificate in readiness for Synapse 1.0, please take a look at `our guide `_.

diff --git a/changelog.d/4849.misc b/changelog.d/4849.misc
new file mode 100644
index 000000000000..f2cab20b4476
--- /dev/null
+++ b/changelog.d/4849.misc
@@ -0,0 +1 @@
+Update install docs to explicitly state a full-chain (not just the top-level) TLS certificate must be provided to Synapse. This caused some people's Synapse ports to appear correct in a browser but still (rightfully so) upset the federation tester.
\ No newline at end of file
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index 22d5e6b1d78d..5f2534e4654e 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -246,6 +246,11 @@ listeners:
 # See 'ACME support' below to enable auto-provisioning this certificate via
 # Let's Encrypt.
 #
+# If supplying your own, be sure to use a `.pem` file that includes the
+# full certificate chain including any intermediate certificates (for
+# instance, if using certbot, use `fullchain.pem` as your certificate,
+# not `cert.pem`).
+#
 #tls_certificate_path: "CONFDIR/SERVERNAME.tls.crt"
 
 # PEM-encoded private key for TLS
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index 40045de7ace5..f0014902da72 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -181,6 +181,11 @@ def default_config(self, config_dir_path, server_name, **kwargs):
 # See 'ACME support' below to enable auto-provisioning this certificate via
 # Let's Encrypt.
 #
+ # If supplying your own, be sure to use a `.pem` file that includes the
+ # full certificate chain including any intermediate certificates (for
+ # instance, if using certbot, use `fullchain.pem` as your certificate,
+ # not `cert.pem`).
+ #
 #tls_certificate_path: "%(tls_certificate_path)s"
 
 # PEM-encoded private key for TLS
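Review bot: The new comment block in the `default_config` template tells operators the `.pem` file must contain the full chain but says nothing about order, and order matters to a TLS server: the server's own certificate has to come first, followed by each intermediate that signs the one before it, so a file that merely "contains" the chain in the wrong order is unlikely to validate for federation peers. I'd close the added block with a line such as `# The server certificate must come first in the file, followed by the intermediate certificates in order.` (the root CA certificate is not needed). The identical wording is added to `docs/sample_config.yaml` in the previous hunk, so whatever is changed here should be mirrored there. `default_config` itself starts and continues outside this hunk.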