Home Explore Help
Sign In
RISCI_ATOM
/
synapse
mirror of https://github.com/matrix-org/synapse.git
1
0
Fork 0
Files Issues 3 Wiki
Tree: c24a55d530
Branches Tags
synapse
/
v1.43
/
MSC1711_certificates_FAQ.html

MSC1711_certificates_FAQ.html 38 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531 
  1. <!DOCTYPE HTML>
    2. 

  2. <html lang="en" class="sidebar-visible no-js light">
    3. 

  3.     <head>
    4. 

  4.         <!-- Book generated using mdBook -->
    5. 

  5.         <meta charset="UTF-8">
    6. 

  6.         <title>Upgrading from pre-Synapse 1.0 - Synapse</title>
    7. 

  7.         
    8. 

  8.         
    9. 

  9. 

  10. 

  11.         <!-- Custom HTML head -->
    12. 

  12.         
    13. 

  13. 

  14. 

  15.         <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
    16. 

  16.         <meta name="description" content="">
    17. 

  17.         <meta name="viewport" content="width=device-width, initial-scale=1">
    18. 

  18.         <meta name="theme-color" content="#ffffff" />
    19. 

  19. 

  20.         
    21. 

  21.         <link rel="icon" href="favicon.svg">
    22. 

  22.         
    23. 

  23.         
    24. 

  24.         <link rel="shortcut icon" href="favicon.png">
    25. 

  25.         
    26. 

  26.         <link rel="stylesheet" href="css/variables.css">
    27. 

  27.         <link rel="stylesheet" href="css/general.css">
    28. 

  28.         <link rel="stylesheet" href="css/chrome.css">
    29. 

  29.         
    30. 

  30.         <link rel="stylesheet" href="css/print.css" media="print">
    31. 

  31.         
    32. 

  32. 

  33.         <!-- Fonts -->
    34. 

  34.         <link rel="stylesheet" href="FontAwesome/css/font-awesome.css">
    35. 

  35.         
    36. 

  36.         <link rel="stylesheet" href="fonts/fonts.css">
    37. 

  37.         
    38. 

  38. 

  39.         <!-- Highlight.js Stylesheets -->
    40. 

  40.         <link rel="stylesheet" href="highlight.css">
    41. 

  41.         <link rel="stylesheet" href="tomorrow-night.css">
    42. 

  42.         <link rel="stylesheet" href="ayu-highlight.css">
    43. 

  43. 

  44.         <!-- Custom theme stylesheets -->
    45. 

  45.         
    46. 

  46.         <link rel="stylesheet" href="docs/website_files/table-of-contents.css">
    47. 

  47.         
    48. 

  48.         <link rel="stylesheet" href="docs/website_files/remove-nav-buttons.css">
    49. 

  49.         
    50. 

  50.         <link rel="stylesheet" href="docs/website_files/indent-section-headers.css">
    51. 

  51.         
    52. 

  52. 

  53.         
    54. 

  54.     </head>
    55. 

  55.     <body>
    56. 

  56.         <!-- Provide site root to javascript -->
    57. 

  57.         <script type="text/javascript">
    58. 

  58.             var path_to_root = "";
    59. 

  59.             var default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? "navy" : "light";
    60. 

  60.         </script>
    61. 

  61. 

  62.         <!-- Work around some values being stored in localStorage wrapped in quotes -->
    63. 

  63.         <script type="text/javascript">
    64. 

  64.             try {
    65. 

  65.                 var theme = localStorage.getItem('mdbook-theme');
    66. 

  66.                 var sidebar = localStorage.getItem('mdbook-sidebar');
    67. 

  67.                 if (theme.startsWith('"') && theme.endsWith('"')) {
    68. 

  68.                     localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
    69. 

  69.                 }
    70. 

  70.                 if (sidebar.startsWith('"') && sidebar.endsWith('"')) {
    71. 

  71.                     localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
    72. 

  72.                 }
    73. 

  73.             } catch (e) { }
    74. 

  74.         </script>
    75. 

  75. 

  76.         <!-- Set the theme before any content is loaded, prevents flash -->
    77. 

  77.         <script type="text/javascript">
    78. 

  78.             var theme;
    79. 

  79.             try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
    80. 

  80.             if (theme === null || theme === undefined) { theme = default_theme; }
    81. 

  81.             var html = document.querySelector('html');
    82. 

  82.             html.classList.remove('no-js')
    83. 

  83.             html.classList.remove('light')
    84. 

  84.             html.classList.add(theme);
    85. 

  85.             html.classList.add('js');
    86. 

  86.         </script>
    87. 

  87. 

  88.         <!-- Hide / unhide sidebar before it is displayed -->
    89. 

  89.         <script type="text/javascript">
    90. 

  90.             var html = document.querySelector('html');
    91. 

  91.             var sidebar = 'hidden';
    92. 

  92.             if (document.body.clientWidth >= 1080) {
    93. 

  93.                 try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
    94. 

  94.                 sidebar = sidebar || 'visible';
    95. 

  95.             }
    96. 

  96.             html.classList.remove('sidebar-visible');
    97. 

  97.             html.classList.add("sidebar-" + sidebar);
    98. 

  98.         </script>
    99. 

  99. 

  100.         <nav id="sidebar" class="sidebar" aria-label="Table of contents">
    101. 

  101.             <div class="sidebar-scrollbox">
    102. 

  102.                 <ol class="chapter"><li class="chapter-item expanded affix "><li class="part-title">Introduction</li><li class="chapter-item expanded "><a href="welcome_and_overview.html">Welcome and Overview</a></li><li class="chapter-item expanded affix "><li class="part-title">Setup</li><li class="chapter-item expanded "><a href="setup/installation.html">Installation</a></li><li class="chapter-item expanded "><a href="postgres.html">Using Postgres</a></li><li class="chapter-item expanded "><a href="reverse_proxy.html">Configuring a Reverse Proxy</a></li><li class="chapter-item expanded "><a href="setup/forward_proxy.html">Configuring a Forward/Outbound Proxy</a></li><li class="chapter-item expanded "><a href="turn-howto.html">Configuring a Turn Server</a></li><li class="chapter-item expanded "><a href="delegate.html">Delegation</a></li><li class="chapter-item expanded affix "><li class="part-title">Upgrading</li><li class="chapter-item expanded "><a href="upgrade.html">Upgrading between Synapse Versions</a></li><li class="chapter-item expanded "><a href="MSC1711_certificates_FAQ.html" class="active">Upgrading from pre-Synapse 1.0</a></li><li class="chapter-item expanded affix "><li class="part-title">Usage</li><li class="chapter-item expanded "><a href="federate.html">Federation</a></li><li class="chapter-item expanded "><a href="usage/configuration/index.html">Configuration</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="usage/configuration/homeserver_sample_config.html">Homeserver Sample Config File</a></li><li class="chapter-item expanded "><a href="usage/configuration/logging_sample_config.html">Logging Sample Config File</a></li><li class="chapter-item expanded "><a href="structured_logging.html">Structured Logging</a></li><li class="chapter-item expanded "><a href="templates.html">Templates</a></li><li class="chapter-item expanded "><a href="usage/configuration/user_authentication/index.html">User Authentication</a></li><li><ol class="section"><li class="chapter-item expanded "><div>Single-Sign On</div></li><li><ol class="section"><li class="chapter-item expanded "><a href="openid.html">OpenID Connect</a></li><li class="chapter-item expanded "><div>SAML</div></li><li class="chapter-item expanded "><div>CAS</div></li><li class="chapter-item expanded "><a href="sso_mapping_providers.html">SSO Mapping Providers</a></li></ol></li><li class="chapter-item expanded "><a href="password_auth_providers.html">Password Auth Providers</a></li><li class="chapter-item expanded "><a href="jwt.html">JSON Web Tokens</a></li></ol></li><li class="chapter-item expanded "><a href="CAPTCHA_SETUP.html">Registration Captcha</a></li><li class="chapter-item expanded "><a href="application_services.html">Application Services</a></li><li class="chapter-item expanded "><a href="server_notices.html">Server Notices</a></li><li class="chapter-item expanded "><a href="consent_tracking.html">Consent Tracking</a></li><li class="chapter-item expanded "><a href="development/url_previews.html">URL Previews</a></li><li class="chapter-item expanded "><a href="user_directory.html">User Directory</a></li><li class="chapter-item expanded "><a href="message_retention_policies.html">Message Retention Policies</a></li><li class="chapter-item expanded "><a href="modules/index.html">Pluggable Modules</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="modules/writing_a_module.html">Writing a module</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="modules/spam_checker_callbacks.html">Spam checker callbacks</a></li><li class="chapter-item expanded "><a href="modules/third_party_rules_callbacks.html">Third-party rules callbacks</a></li><li class="chapter-item expanded "><a href="modules/presence_router_callbacks.html">Presence router callbacks</a></li><li class="chapter-item expanded "><a href="modules/account_validity_callbacks.html">Account validity callbacks</a></li><li class="chapter-item expanded "><a href="modules/porting_legacy_module.html">Porting a legacy module to the new interface</a></li></ol></li></ol></li><li class="chapter-item expanded "><a href="workers.html">Workers</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="synctl_workers.html">Using synctl with Workers</a></li><li class="chapter-item expanded "><a href="systemd-with-workers/index.html">Systemd</a></li></ol></li></ol></li><li class="chapter-item expanded "><a href="usage/administration/index.html">Administration</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="usage/administration/admin_api/index.html">Admin API</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="admin_api/account_validity.html">Account Validity</a></li><li class="chapter-item expanded "><a href="admin_api/delete_group.html">Delete Group</a></li><li class="chapter-item expanded "><a href="admin_api/event_reports.html">Event Reports</a></li><li class="chapter-item expanded "><a href="admin_api/media_admin_api.html">Media</a></li><li class="chapter-item expanded "><a href="admin_api/purge_history_api.html">Purge History</a></li><li class="chapter-item expanded "><a href="admin_api/register_api.html">Register Users</a></li><li class="chapter-item expanded "><a href="usage/administration/admin_api/registration_tokens.html">Registration Tokens</a></li><li class="chapter-item expanded "><a href="admin_api/room_membership.html">Manipulate Room Membership</a></li><li class="chapter-item expanded "><a href="admin_api/rooms.html">Rooms</a></li><li class="chapter-item expanded "><a href="admin_api/server_notices.html">Server Notices</a></li><li class="chapter-item expanded "><a href="admin_api/statistics.html">Statistics</a></li><li class="chapter-item expanded "><a href="admin_api/user_admin_api.html">Users</a></li><li class="chapter-item expanded "><a href="admin_api/version_api.html">Server Version</a></li></ol></li><li class="chapter-item expanded "><a href="manhole.html">Manhole</a></li><li class="chapter-item expanded "><a href="metrics-howto.html">Monitoring</a></li><li class="chapter-item expanded "><a href="usage/administration/request_log.html">Request log format</a></li><li class="chapter-item expanded "><div>Scripts</div></li></ol></li><li class="chapter-item expanded "><li class="part-title">Development</li><li class="chapter-item expanded "><a href="development/contributing_guide.html">Contributing Guide</a></li><li class="chapter-item expanded "><a href="code_style.html">Code Style</a></li><li class="chapter-item expanded "><a href="development/git.html">Git Usage</a></li><li class="chapter-item expanded "><div>Testing</div></li><li class="chapter-item expanded "><a href="opentracing.html">OpenTracing</a></li><li class="chapter-item expanded "><a href="development/database_schema.html">Database Schemas</a></li><li class="chapter-item expanded "><div>Synapse Architecture</div></li><li><ol class="section"><li class="chapter-item expanded "><a href="log_contexts.html">Log Contexts</a></li><li class="chapter-item expanded "><a href="replication.html">Replication</a></li><li class="chapter-item expanded "><a href="tcp_replication.html">TCP Replication</a></li></ol></li><li class="chapter-item expanded "><a href="development/internal_documentation/index.html">Internal Documentation</a></li><li><ol class="section"><li class="chapter-item expanded "><div>Single Sign-On</div></li><li><ol class="section"><li class="chapter-item expanded "><a href="development/saml.html">SAML</a></li><li class="chapter-item expanded "><a href="development/cas.html">CAS</a></li></ol></li><li class="chapter-item expanded "><a href="development/room-dag-concepts.html">Room DAG concepts</a></li><li class="chapter-item expanded "><div>State Resolution</div></li><li><ol class="section"><li class="chapter-item expanded "><a href="auth_chain_difference_algorithm.html">The Auth Chain Difference Algorithm</a></li></ol></li><li class="chapter-item expanded "><a href="media_repository.html">Media Repository</a></li><li class="chapter-item expanded "><a href="room_and_user_statistics.html">Room and User Statistics</a></li></ol></li><li class="chapter-item expanded "><div>Scripts</div></li><li class="chapter-item expanded affix "><li class="part-title">Other</li><li class="chapter-item expanded "><a href="deprecation_policy.html">Dependency Deprecation Policy</a></li></ol>
    103. 

  103.             </div>
    104. 

  104.             <div id="sidebar-resize-handle" class="sidebar-resize-handle"></div>
    105. 

  105.         </nav>
    106. 

  106. 

  107.         <div id="page-wrapper" class="page-wrapper">
    108. 

  108. 

  109.             <div class="page">
    110. 

  110.                 
    111. 

  111.                 <div id="menu-bar-hover-placeholder"></div>
    112. 

  112.                 <div id="menu-bar" class="menu-bar sticky bordered">
    113. 

  113.                     <div class="left-buttons">
    114. 

  114.                         <button id="sidebar-toggle" class="icon-button" type="button" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
    115. 

  115.                             <i class="fa fa-bars"></i>
    116. 

  116.                         </button>
    117. 

  117.                         <button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
    118. 

  118.                             <i class="fa fa-paint-brush"></i>
    119. 

  119.                         </button>
    120. 

  120.                         <ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
    121. 

  121.                             <li role="none"><button role="menuitem" class="theme" id="light">Light (default)</button></li>
    122. 

  122.                             <li role="none"><button role="menuitem" class="theme" id="rust">Rust</button></li>
    123. 

  123.                             <li role="none"><button role="menuitem" class="theme" id="coal">Coal</button></li>
    124. 

  124.                             <li role="none"><button role="menuitem" class="theme" id="navy">Navy</button></li>
    125. 

  125.                             <li role="none"><button role="menuitem" class="theme" id="ayu">Ayu</button></li>
    126. 

  126.                         </ul>
    127. 

  127.                         
    128. 

  128.                         <button id="search-toggle" class="icon-button" type="button" title="Search. (Shortkey: s)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="S" aria-controls="searchbar">
    129. 

  129.                             <i class="fa fa-search"></i>
    130. 

  130.                         </button>
    131. 

  131.                         
    132. 

  132.                     </div>
    133. 

  133. 

  134.                     <h1 class="menu-title">Synapse</h1>
    135. 

  135. 

  136.                     <div class="right-buttons">
    137. 

  137.                         
    138. 

  138.                         <a href="print.html" title="Print this book" aria-label="Print this book">
    139. 

  139.                             <i id="print-button" class="fa fa-print"></i>
    140. 

  140.                         </a>
    141. 

  141.                         
    142. 

  142.                         
    143. 

  143.                         <a href="https://github.com/matrix-org/synapse" title="Git repository" aria-label="Git repository">
    144. 

  144.                             <i id="git-repository-button" class="fa fa-github"></i>
    145. 

  145.                         </a>
    146. 

  146.                         
    147. 

  147.                         
    148. 

  148.                         <a href="https://github.com/matrix-org/synapse/edit/develop/docs/MSC1711_certificates_FAQ.md" title="Suggest an edit" aria-label="Suggest an edit">
    149. 

  149.                             <i id="git-edit-button" class="fa fa-edit"></i>
    150. 

  150.                         </a>
    151. 

  151.                         
    152. 

  152. 

  153.                     </div>
    154. 

  154.                 </div>
    155. 

  155. 

  156.                 
    157. 

  157.                 <div id="search-wrapper" class="hidden">
    158. 

  158.                     <form id="searchbar-outer" class="searchbar-outer">
    159. 

  159.                         <input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
    160. 

  160.                     </form>
    161. 

  161.                     <div id="searchresults-outer" class="searchresults-outer hidden">
    162. 

  162.                         <div id="searchresults-header" class="searchresults-header"></div>
    163. 

  163.                         <ul id="searchresults">
    164. 

  164.                         </ul>
    165. 

  165.                     </div>
    166. 

  166.                 </div>
    167. 

  167.                 
    168. 

  168. 

  169.                 <!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
    170. 

  170.                 <script type="text/javascript">
    171. 

  171.                     document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
    172. 

  172.                     document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
    173. 

  173.                     Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {
    174. 

  174.                         link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);
    175. 

  175.                     });
    176. 

  176.                 </script>
    177. 

  177. 

  178.                 <div id="content" class="content">
    179. 

  179.                     <main>
    180. 

  180.                         <!-- Page table of contents -->
    181. 

  181.                         <div class="sidetoc">
    182. 

  182.                             <nav class="pagetoc"></nav>
    183. 

  183.                         </div>
    184. 

  184. 

  185.                         <h1 id="msc1711-certificates-faq"><a class="header" href="#msc1711-certificates-faq">MSC1711 Certificates FAQ</a></h1>
    186. 

  186. <h2 id="historical-note"><a class="header" href="#historical-note">Historical Note</a></h2>
    187. 

  187. <p>This document was originally written to guide server admins through the upgrade
    188. 

  188. path towards Synapse 1.0. Specifically,
    189. 

  189. <a href="https://github.com/matrix-org/matrix-doc/blob/master/proposals/1711-x509-for-federation.md">MSC1711</a>
    190. 

  190. required that all servers present valid TLS certificates on their federation
    191. 

  191. API. Admins were encouraged to achieve compliance from version 0.99.0 (released
    192. 

  192. in February 2019) ahead of version 1.0 (released June 2019) enforcing the
    193. 

  193. certificate checks.</p>
    194. 

  194. <p>Much of what follows is now outdated since most admins will have already
    195. 

  195. upgraded, however it may be of use to those with old installs returning to the
    196. 

  196. project.</p>
    197. 

  197. <p>If you are setting up a server from scratch you almost certainly should look at
    198. 

  198. the <a href="setup/installation.html">installation guide</a> instead.</p>
    199. 

  199. <h2 id="introduction"><a class="header" href="#introduction">Introduction</a></h2>
    200. 

  200. <p>The goal of Synapse 0.99.0 is to act as a stepping stone to Synapse 1.0.0. It
    201. 

  201. supports the r0.1 release of the server to server specification, but is
    202. 

  202. compatible with both the legacy Matrix federation behaviour (pre-r0.1) as well
    203. 

  203. as post-r0.1 behaviour, in order to allow for a smooth upgrade across the
    204. 

  204. federation.</p>
    205. 

  205. <p>The most important thing to know is that Synapse 1.0.0 will require a valid TLS
    206. 

  206. certificate on federation endpoints. Self signed certificates will not be
    207. 

  207. sufficient.</p>
    208. 

  208. <p>Synapse 0.99.0 makes it easy to configure TLS certificates and will
    209. 

  209. interoperate with both &gt;= 1.0.0 servers as well as existing servers yet to
    210. 

  210. upgrade.</p>
    211. 

  211. <p><strong>It is critical that all admins upgrade to 0.99.0 and configure a valid TLS
    212. 

  212. certificate.</strong> Admins will have 1 month to do so, after which 1.0.0 will be
    213. 

  213. released and those servers without a valid certificate will not longer be able
    214. 

  214. to federate with &gt;= 1.0.0 servers.</p>
    215. 

  215. <p>Full details on how to carry out this configuration change is given
    216. 

  216. <a href="#configuring-certificates-for-compatibility-with-synapse-100">below</a>. A
    217. 

  217. timeline and some frequently asked questions are also given below.</p>
    218. 

  218. <p>For more details and context on the release of the r0.1 Server/Server API and
    219. 

  219. imminent Matrix 1.0 release, you can also see our
    220. 

  220. <a href="https://matrix.org/blog/2019/02/04/matrix-at-fosdem-2019/">main talk from FOSDEM 2019</a>.</p>
    221. 

  221. <h2 id="contents"><a class="header" href="#contents">Contents</a></h2>
    222. 

  222. <ul>
    223. 

  223. <li>Timeline</li>
    224. 

  224. <li>Configuring certificates for compatibility with Synapse 1.0</li>
    225. 

  225. <li>FAQ
    226. 

  226. <ul>
    227. 

  227. <li>Synapse 0.99.0 has just been released, what do I need to do right now?</li>
    228. 

  228. <li>How do I upgrade?</li>
    229. 

  229. <li>What will happen if I do not set up a valid federation certificate
    230. 

  230. immediately?</li>
    231. 

  231. <li>What will happen if I do nothing at all?</li>
    232. 

  232. <li>When do I need a SRV record or .well-known URI?</li>
    233. 

  233. <li>Can I still use an SRV record?</li>
    234. 

  234. <li>I have created a .well-known URI. Do I still need an SRV record?</li>
    235. 

  235. <li>It used to work just fine, why are you breaking everything?</li>
    236. 

  236. <li>Can I manage my own certificates rather than having Synapse renew
    237. 

  237. certificates itself?</li>
    238. 

  238. <li>Do you still recommend against using a reverse proxy on the federation port?</li>
    239. 

  239. <li>Do I still need to give my TLS certificates to Synapse if I am using a
    240. 

  240. reverse proxy?</li>
    241. 

  241. <li>Do I need the same certificate for the client and federation port?</li>
    242. 

  242. <li>How do I tell Synapse to reload my keys/certificates after I replace them?</li>
    243. 

  243. </ul>
    244. 

  244. </li>
    245. 

  245. </ul>
    246. 

  246. <h2 id="timeline"><a class="header" href="#timeline">Timeline</a></h2>
    247. 

  247. <p><strong>5th Feb 2019  - Synapse 0.99.0 is released.</strong></p>
    248. 

  248. <p>All server admins are encouraged to upgrade.</p>
    249. 

  249. <p>0.99.0:</p>
    250. 

  250. <ul>
    251. 

  251. <li>
    252. 

  252. <p>provides support for ACME to make setting up Let's Encrypt certs easy, as
    253. 

  253. well as .well-known support.</p>
    254. 

  254. </li>
    255. 

  255. <li>
    256. 

  256. <p>does not enforce that a valid CA cert is present on the federation API, but
    257. 

  257. rather makes it easy to set one up.</p>
    258. 

  258. </li>
    259. 

  259. <li>
    260. 

  260. <p>provides support for .well-known</p>
    261. 

  261. </li>
    262. 

  262. </ul>
    263. 

  263. <p>Admins should upgrade and configure a valid CA cert. Homeservers that require a
    264. 

  264. .well-known entry (see below), should retain their SRV record and use it
    265. 

  265. alongside their .well-known record.</p>
    266. 

  266. <p><strong>10th June 2019  - Synapse 1.0.0 is released</strong></p>
    267. 

  267. <p>1.0.0 is scheduled for release on 10th June. In
    268. 

  268. accordance with the the <a href="https://matrix.org/docs/spec/server_server/r0.1.0.html">S2S spec</a>
    269. 

  269. 1.0.0 will enforce certificate validity. This means that any homeserver without a
    270. 

  270. valid certificate after this point will no longer be able to federate with
    271. 

  271. 1.0.0 servers.</p>
    272. 

  272. <h2 id="configuring-certificates-for-compatibility-with-synapse-100"><a class="header" href="#configuring-certificates-for-compatibility-with-synapse-100">Configuring certificates for compatibility with Synapse 1.0.0</a></h2>
    273. 

  273. <h3 id="if-you-do-not-currently-have-an-srv-record"><a class="header" href="#if-you-do-not-currently-have-an-srv-record">If you do not currently have an SRV record</a></h3>
    274. 

  274. <p>In this case, your <code>server_name</code> points to the host where your Synapse is
    275. 

  275. running. There is no need to create a <code>.well-known</code> URI or an SRV record, but
    276. 

  276. you will need to give Synapse a valid, signed, certificate.</p>
    277. 

  277. <h3 id="if-you-do-have-an-srv-record-currently"><a class="header" href="#if-you-do-have-an-srv-record-currently">If you do have an SRV record currently</a></h3>
    278. 

  278. <p>If you are using an SRV record, your matrix domain (<code>server_name</code>) may not
    279. 

  279. point to the same host that your Synapse is running on (the 'target
    280. 

  280. domain'). (If it does, you can follow the recommendation above; otherwise, read
    281. 

  281. on.)</p>
    282. 

  282. <p>Let's assume that your <code>server_name</code> is <code>example.com</code>, and your Synapse is
    283. 

  283. hosted at a target domain of <code>customer.example.net</code>. Currently you should have
    284. 

  284. an SRV record which looks like:</p>
    285. 

  285. <pre><code>_matrix._tcp.example.com. IN SRV 10 5 8000 customer.example.net.
    286. 

  286. </code></pre>
    287. 

  287. <p>In this situation, you have three choices for how to proceed:</p>
    288. 

  288. <h4 id="option-1-give-synapse-a-certificate-for-your-matrix-domain"><a class="header" href="#option-1-give-synapse-a-certificate-for-your-matrix-domain">Option 1: give Synapse a certificate for your matrix domain</a></h4>
    289. 

  289. <p>Synapse 1.0 will expect your server to present a TLS certificate for your
    290. 

  290. <code>server_name</code> (<code>example.com</code> in the above example). You can achieve this by acquiring a
    291. 

  291. certificate for the <code>server_name</code> yourself (for example, using <code>certbot</code>), and giving it
    292. 

  292. and the key to Synapse via <code>tls_certificate_path</code> and <code>tls_private_key_path</code>.</p>
    293. 

  293. <h4 id="option-2-run-synapse-behind-a-reverse-proxy"><a class="header" href="#option-2-run-synapse-behind-a-reverse-proxy">Option 2: run Synapse behind a reverse proxy</a></h4>
    294. 

  294. <p>If you have an existing reverse proxy set up with correct TLS certificates for
    295. 

  295. your domain, you can simply route all traffic through the reverse proxy by
    296. 

  296. updating the SRV record appropriately (or removing it, if the proxy listens on
    297. 

  297. 8448).</p>
    298. 

  298. <p>See <a href="reverse_proxy.html">the reverse proxy documentation</a> for information on setting up a
    299. 

  299. reverse proxy.</p>
    300. 

  300. <h4 id="option-3-add-a-well-known-file-to-delegate-your-matrix-traffic"><a class="header" href="#option-3-add-a-well-known-file-to-delegate-your-matrix-traffic">Option 3: add a .well-known file to delegate your matrix traffic</a></h4>
    301. 

  301. <p>This will allow you to keep Synapse on a separate domain, without having to
    302. 

  302. give it a certificate for the matrix domain.</p>
    303. 

  303. <p>You can do this with a <code>.well-known</code> file as follows:</p>
    304. 

  304. <ol>
    305. 

  305. <li>
    306. 

  306. <p>Keep the SRV record in place - it is needed for backwards compatibility
    307. 

  307. with Synapse 0.34 and earlier.</p>
    308. 

  308. </li>
    309. 

  309. <li>
    310. 

  310. <p>Give Synapse a certificate corresponding to the target domain
    311. 

  311. (<code>customer.example.net</code> in the above example). You can do this by acquire a 
    312. 

  312. certificate for the target domain and giving it to Synapse via <code>tls_certificate_path</code>
    313. 

  313. and <code>tls_private_key_path</code>.</p>
    314. 

  314. </li>
    315. 

  315. <li>
    316. 

  316. <p>Restart Synapse to ensure the new certificate is loaded.</p>
    317. 

  317. </li>
    318. 

  318. <li>
    319. 

  319. <p>Arrange for a <code>.well-known</code> file at
    320. 

  320. <code>https://&lt;server_name&gt;/.well-known/matrix/server</code> with contents:</p>
    321. 

  321. <pre><code class="language-json">{&quot;m.server&quot;: &quot;&lt;target server name&gt;&quot;}
    322. 

  322. </code></pre>
    323. 

  323. <p>where the target server name is resolved as usual (i.e. SRV lookup, falling
    324. 

  324. back to talking to port 8448).</p>
    325. 

  325. <p>In the above example, where synapse is listening on port 8000,
    326. 

  326. <code>https://example.com/.well-known/matrix/server</code> should have <code>m.server</code> set to one of:</p>
    327. 

  327. <ol>
    328. 

  328. <li>
    329. 

  329. <p><code>customer.example.net</code> ─ with a SRV record on
    330. 

  330. <code>_matrix._tcp.customer.example.com</code> pointing to port 8000, or:</p>
    331. 

  331. </li>
    332. 

  332. <li>
    333. 

  333. <p><code>customer.example.net</code> ─ updating synapse to listen on the default port
    334. 

  334. 8448, or:</p>
    335. 

  335. </li>
    336. 

  336. <li>
    337. 

  337. <p><code>customer.example.net:8000</code> ─ ensuring that if there is a reverse proxy
    338. 

  338. on <code>customer.example.net:8000</code> it correctly handles HTTP requests with
    339. 

  339. Host header set to <code>customer.example.net:8000</code>.</p>
    340. 

  340. </li>
    341. 

  341. </ol>
    342. 

  342. </li>
    343. 

  343. </ol>
    344. 

  344. <h2 id="faq"><a class="header" href="#faq">FAQ</a></h2>
    345. 

  345. <h3 id="synapse-0990-has-just-been-released-what-do-i-need-to-do-right-now"><a class="header" href="#synapse-0990-has-just-been-released-what-do-i-need-to-do-right-now">Synapse 0.99.0 has just been released, what do I need to do right now?</a></h3>
    346. 

  346. <p>Upgrade as soon as you can in preparation for Synapse 1.0.0, and update your
    347. 

  347. TLS certificates as <a href="#configuring-certificates-for-compatibility-with-synapse-100">above</a>.</p>
    348. 

  348. <h3 id="what-will-happen-if-i-do-not-set-up-a-valid-federation-certificate-immediately"><a class="header" href="#what-will-happen-if-i-do-not-set-up-a-valid-federation-certificate-immediately">What will happen if I do not set up a valid federation certificate immediately?</a></h3>
    349. 

  349. <p>Nothing initially, but once 1.0.0 is in the wild it will not be possible to
    350. 

  350. federate with 1.0.0 servers.</p>
    351. 

  351. <h3 id="what-will-happen-if-i-do-nothing-at-all"><a class="header" href="#what-will-happen-if-i-do-nothing-at-all">What will happen if I do nothing at all?</a></h3>
    352. 

  352. <p>If the admin takes no action at all, and remains on a Synapse &lt; 0.99.0 then the
    353. 

  353. homeserver will be unable to federate with those who have implemented
    354. 

  354. .well-known. Then, as above, once the month upgrade window has expired the
    355. 

  355. homeserver will not be able to federate with any Synapse &gt;= 1.0.0</p>
    356. 

  356. <h3 id="when-do-i-need-a-srv-record-or-well-known-uri"><a class="header" href="#when-do-i-need-a-srv-record-or-well-known-uri">When do I need a SRV record or .well-known URI?</a></h3>
    357. 

  357. <p>If your homeserver listens on the default federation port (8448), and your
    358. 

  358. <code>server_name</code> points to the host that your homeserver runs on, you do not need an
    359. 

  359. SRV record or <code>.well-known/matrix/server</code> URI.</p>
    360. 

  360. <p>For instance, if you registered <code>example.com</code> and pointed its DNS A record at a
    361. 

  361. fresh Upcloud VPS or similar, you could install Synapse 0.99 on that host,
    362. 

  362. giving it a server_name of <code>example.com</code>, and it would automatically generate a
    363. 

  363. valid TLS certificate for you via Let's Encrypt and no SRV record or
    364. 

  364. <code>.well-known</code> URI would be needed.</p>
    365. 

  365. <p>This is the common case, although you can add an SRV record or
    366. 

  366. <code>.well-known/matrix/server</code> URI for completeness if you wish.</p>
    367. 

  367. <p><strong>However</strong>, if your server does not listen on port 8448, or if your <code>server_name</code>
    368. 

  368. does not point to the host that your homeserver runs on, you will need to let
    369. 

  369. other servers know how to find it.</p>
    370. 

  370. <p>In this case, you should see <a href="#if-you-do-have-an-srv-record-currently">&quot;If you do have an SRV record
    371. 

  371. currently&quot;</a> above.</p>
    372. 

  372. <h3 id="can-i-still-use-an-srv-record"><a class="header" href="#can-i-still-use-an-srv-record">Can I still use an SRV record?</a></h3>
    373. 

  373. <p>Firstly, if you didn't need an SRV record before (because your server is
    374. 

  374. listening on port 8448 of your server_name), you certainly don't need one now:
    375. 

  375. the defaults are still the same.</p>
    376. 

  376. <p>If you previously had an SRV record, you can keep using it provided you are
    377. 

  377. able to give Synapse a TLS certificate corresponding to your server name. For
    378. 

  378. example, suppose you had the following SRV record, which directs matrix traffic
    379. 

  379. for example.com to matrix.example.com:443:</p>
    380. 

  380. <pre><code>_matrix._tcp.example.com. IN SRV 10 5 443 matrix.example.com
    381. 

  381. </code></pre>
    382. 

  382. <p>In this case, Synapse must be given a certificate for example.com - or be
    383. 

  383. configured to acquire one from Let's Encrypt.</p>
    384. 

  384. <p>If you are unable to give Synapse a certificate for your server_name, you will
    385. 

  385. also need to use a .well-known URI instead. However, see also &quot;I have created a
    386. 

  386. .well-known URI. Do I still need an SRV record?&quot;.</p>
    387. 

  387. <h3 id="i-have-created-a-well-known-uri-do-i-still-need-an-srv-record"><a class="header" href="#i-have-created-a-well-known-uri-do-i-still-need-an-srv-record">I have created a .well-known URI. Do I still need an SRV record?</a></h3>
    388. 

  388. <p>As of Synapse 0.99, Synapse will first check for the existence of a <code>.well-known</code>
    389. 

  389. URI and follow any delegation it suggests. It will only then check for the
    390. 

  390. existence of an SRV record.</p>
    391. 

  391. <p>That means that the SRV record will often be redundant. However, you should
    392. 

  392. remember that there may still be older versions of Synapse in the federation
    393. 

  393. which do not understand <code>.well-known</code> URIs, so if you removed your SRV record you
    394. 

  394. would no longer be able to federate with them.</p>
    395. 

  395. <p>It is therefore best to leave the SRV record in place for now. Synapse 0.34 and
    396. 

  396. earlier will follow the SRV record (and not care about the invalid
    397. 

  397. certificate). Synapse 0.99 and later will follow the .well-known URI, with the
    398. 

  398. correct certificate chain.</p>
    399. 

  399. <h3 id="it-used-to-work-just-fine-why-are-you-breaking-everything"><a class="header" href="#it-used-to-work-just-fine-why-are-you-breaking-everything">It used to work just fine, why are you breaking everything?</a></h3>
    400. 

  400. <p>We have always wanted Matrix servers to be as easy to set up as possible, and
    401. 

  401. so back when we started federation in 2014 we didn't want admins to have to go
    402. 

  402. through the cumbersome process of buying a valid TLS certificate to run a
    403. 

  403. server. This was before Let's Encrypt came along and made getting a free and
    404. 

  404. valid TLS certificate straightforward. So instead, we adopted a system based on
    405. 

  405. <a href="https://en.wikipedia.org/wiki/Convergence_(SSL)">Perspectives</a>: an approach
    406. 

  406. where you check a set of &quot;notary servers&quot; (in practice, homeservers) to vouch
    407. 

  407. for the validity of a certificate rather than having it signed by a CA. As long
    408. 

  408. as enough different notaries agree on the certificate's validity, then it is
    409. 

  409. trusted.</p>
    410. 

  410. <p>However, in practice this has never worked properly. Most people only use the
    411. 

  411. default notary server (matrix.org), leading to inadvertent centralisation which
    412. 

  412. we want to eliminate. Meanwhile, we never implemented the full consensus
    413. 

  413. algorithm to query the servers participating in a room to determine consensus
    414. 

  414. on whether a given certificate is valid. This is fiddly to get right
    415. 

  415. (especially in face of sybil attacks), and we found ourselves questioning
    416. 

  416. whether it was worth the effort to finish the work and commit to maintaining a
    417. 

  417. secure certificate validation system as opposed to focusing on core Matrix
    418. 

  418. development.</p>
    419. 

  419. <p>Meanwhile, Let's Encrypt came along in 2016, and put the final nail in the
    420. 

  420. coffin of the Perspectives project (which was already pretty dead). So, the
    421. 

  421. Spec Core Team decided that a better approach would be to mandate valid TLS
    422. 

  422. certificates for federation alongside the rest of the Web. More details can be
    423. 

  423. found in
    424. 

  424. <a href="https://github.com/matrix-org/matrix-doc/blob/master/proposals/1711-x509-for-federation.md#background-the-failure-of-the-perspectives-approach">MSC1711</a>.</p>
    425. 

  425. <p>This results in a breaking change, which is disruptive, but absolutely critical
    426. 

  426. for the security model. However, the existence of Let's Encrypt as a trivial
    427. 

  427. way to replace the old self-signed certificates with valid CA-signed ones helps
    428. 

  428. smooth things over massively, especially as Synapse can now automate Let's
    429. 

  429. Encrypt certificate generation if needed.</p>
    430. 

  430. <h3 id="can-i-manage-my-own-certificates-rather-than-having-synapse-renew-certificates-itself"><a class="header" href="#can-i-manage-my-own-certificates-rather-than-having-synapse-renew-certificates-itself">Can I manage my own certificates rather than having Synapse renew certificates itself?</a></h3>
    431. 

  431. <p>Yes, you are welcome to manage your certificates yourself. Synapse will only
    432. 

  432. attempt to obtain certificates from Let's Encrypt if you configure it to do
    433. 

  433. so.The only requirement is that there is a valid TLS cert present for
    434. 

  434. federation end points.</p>
    435. 

  435. <h3 id="do-you-still-recommend-against-using-a-reverse-proxy-on-the-federation-port"><a class="header" href="#do-you-still-recommend-against-using-a-reverse-proxy-on-the-federation-port">Do you still recommend against using a reverse proxy on the federation port?</a></h3>
    436. 

  436. <p>We no longer actively recommend against using a reverse proxy. Many admins will
    437. 

  437. find it easier to direct federation traffic to a reverse proxy and manage their
    438. 

  438. own TLS certificates, and this is a supported configuration.</p>
    439. 

  439. <p>See <a href="reverse_proxy.html">the reverse proxy documentation</a> for information on setting up a
    440. 

  440. reverse proxy.</p>
    441. 

  441. <h3 id="do-i-still-need-to-give-my-tls-certificates-to-synapse-if-i-am-using-a-reverse-proxy"><a class="header" href="#do-i-still-need-to-give-my-tls-certificates-to-synapse-if-i-am-using-a-reverse-proxy">Do I still need to give my TLS certificates to Synapse if I am using a reverse proxy?</a></h3>
    442. 

  442. <p>Practically speaking, this is no longer necessary.</p>
    443. 

  443. <p>If you are using a reverse proxy for all of your TLS traffic, then you can set
    444. 

  444. <code>no_tls: True</code>. In that case, the only reason Synapse needs the certificate is
    445. 

  445. to populate a legacy 'tls_fingerprints' field in the federation API. This is
    446. 

  446. ignored by Synapse 0.99.0 and later, and the only time pre-0.99 Synapses will
    447. 

  447. check it is when attempting to fetch the server keys - and generally this is
    448. 

  448. delegated via <code>matrix.org</code>, which is on 0.99.0.</p>
    449. 

  449. <p>However, there is a bug in Synapse 0.99.0
    450. 

  450. <a href="https://github.com/matrix-org/synapse/issues/4554">4554</a> which prevents
    451. 

  451. Synapse from starting if you do not give it a TLS certificate. To work around
    452. 

  452. this, you can give it any TLS certificate at all. This will be fixed soon.</p>
    453. 

  453. <h3 id="do-i-need-the-same-certificate-for-the-client-and-federation-port"><a class="header" href="#do-i-need-the-same-certificate-for-the-client-and-federation-port">Do I need the same certificate for the client and federation port?</a></h3>
    454. 

  454. <p>No. There is nothing stopping you from using different certificates,
    455. 

  455. particularly if you are using a reverse proxy. However, Synapse will use the
    456. 

  456. same certificate on any ports where TLS is configured.</p>
    457. 

  457. <h3 id="how-do-i-tell-synapse-to-reload-my-keyscertificates-after-i-replace-them"><a class="header" href="#how-do-i-tell-synapse-to-reload-my-keyscertificates-after-i-replace-them">How do I tell Synapse to reload my keys/certificates after I replace them?</a></h3>
    458. 

  458. <p>Synapse will reload the keys and certificates when it receives a SIGHUP - for
    459. 

  459. example <code>kill -HUP $(cat homeserver.pid)</code>. Alternatively, simply restart
    460. 

  460. Synapse, though this will result in downtime while it restarts.</p>
    461. 

  461. 

  462.                     </main>
    463. 

  463. 

  464.                     <nav class="nav-wrapper" aria-label="Page navigation">
    465. 

  465.                         <!-- Mobile navigation buttons -->
    466. 

  466.                         
    467. 

  467.                             <a rel="prev" href="upgrade.html" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
    468. 

  468.                                 <i class="fa fa-angle-left"></i>
    469. 

  469.                             </a>
    470. 

  470.                         
    471. 

  471. 

  472.                         
    473. 

  473.                             <a rel="next" href="federate.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
    474. 

  474.                                 <i class="fa fa-angle-right"></i>
    475. 

  475.                             </a>
    476. 

  476.                         
    477. 

  477. 

  478.                         <div style="clear: both"></div>
    479. 

  479.                     </nav>
    480. 

  480.                 </div>
    481. 

  481.             </div>
    482. 

  482. 

  483.             <nav class="nav-wide-wrapper" aria-label="Page navigation">
    484. 

  484.                 
    485. 

  485.                     <a rel="prev" href="upgrade.html" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
    486. 

  486.                         <i class="fa fa-angle-left"></i>
    487. 

  487.                     </a>
    488. 

  488.                 
    489. 

  489. 

  490.                 
    491. 

  491.                     <a rel="next" href="federate.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
    492. 

  492.                         <i class="fa fa-angle-right"></i>
    493. 

  493.                     </a>
    494. 

  494.                 
    495. 

  495.             </nav>
    496. 

  496. 

  497.         </div>
    498. 

  498. 

  499.         
    500. 

  500. 

  501.         
    502. 

  502. 

  503.         
    504. 

  504. 

  505.         
    506. 

  506.         <script type="text/javascript">
    507. 

  507.             window.playground_copyable = true;
    508. 

  508.         </script>
    509. 

  509.         
    510. 

  510. 

  511.         
    512. 

  512. 

  513.         
    514. 

  514.         <script src="elasticlunr.min.js" type="text/javascript" charset="utf-8"></script>
    515. 

  515.         <script src="mark.min.js" type="text/javascript" charset="utf-8"></script>
    516. 

  516.         <script src="searcher.js" type="text/javascript" charset="utf-8"></script>
    517. 

  517.         
    518. 

  518. 

  519.         <script src="clipboard.min.js" type="text/javascript" charset="utf-8"></script>
    520. 

  520.         <script src="highlight.js" type="text/javascript" charset="utf-8"></script>
    521. 

  521.         <script src="book.js" type="text/javascript" charset="utf-8"></script>
    522. 

  522. 

  523.         <!-- Custom JS scripts -->
    524. 

  524.         
    525. 

  525.         <script type="text/javascript" src="docs/website_files/table-of-contents.js"></script>
    526. 

  526.         
    527. 

  527. 

  528.         
    529. 

  529. 

  530.     </body>
    531. 

  531. </html>
    532.