From feb4ae84bab475964d62fe3cceeb7ce391b5145d Mon Sep 17 00:00:00 2001 From: lub Date: Sat, 5 Aug 2017 10:53:51 +0000 Subject: [PATCH] use symlinks instead of copy Let's Encrypt creates symlink to the current keys+certs in /etc/letsencrypt/live/ It isn't very useful to copy the link targets, because they rotate with every renewal (max every 90 days, optimally every 60 days). Per default the files (key+cert) have owner root:root and 0644, which should be sufficient for synapse to read. --- supporting-docs/guides/2016-03-15-lets-encrypt.rst | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/supporting-docs/guides/2016-03-15-lets-encrypt.rst b/supporting-docs/guides/2016-03-15-lets-encrypt.rst index 6c6b0ae2..9d078137 100644 --- a/supporting-docs/guides/2016-03-15-lets-encrypt.rst +++ b/supporting-docs/guides/2016-03-15-lets-encrypt.rst @@ -23,10 +23,7 @@ Also, the certificates will be in a folder under /etc/letsencrypt (see below) an :: -# cd (path to synapse) -# ./letsencrypt-auto certonly --standalone -# sudo cp /etc/letsencrypt/live/(your domain name)/* . -# sudo chown (user synapse runs as) *.pem +# letsencrypt-auto certonly --standalone A note about renewal -------------------- 
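Review bot: removing `sudo chown (user synapse runs as) *.pem` rests on the commit message's claim that the key and cert default to root:root 0644, but the new instruction points synapse at symlinks under /etc/letsencrypt/live/ whose targets live elsewhere, so the unprivileged synapse user also has to be able to traverse those directories; the guide should have the reader verify this before moving on, for example `sudo -u (user synapse runs as) cat /etc/letsencrypt/live/(your domain name)/privkey.pem`, and say what to adjust if that fails. Separately, the removed `cd (path to synapse)` plus `./letsencrypt-auto` told the reader where the binary is; the replacement `# letsencrypt-auto certonly --standalone` assumes it is on PATH, so the text should state where letsencrypt-auto is expected to be installed.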
@@ -34,7 +31,7 @@ These certificates will expire in 3 months. To renew certificates, just repeat t 2: Install Certificates ======================= -At the top of your homeserver.yaml there should be two keys, ```tls_certificate_path``` and ```tls_private_key_path```. These should be changed so that instead of pointing to the default keys, they now point to the Let's Encrypt keys. ```tls_certificate_path``` should point to the ```fullchain.pem``` in the synapse install directory. ```tls_private_key_path``` should point to the ```privkey.pem``` in the synapse install directory. ```tls_dh_params_path``` can stay the same as before. +At the top of your homeserver.yaml there should be two keys, ```tls_certificate_path``` and ```tls_private_key_path```. These should be changed so that instead of pointing to the default keys, they now point to the Let's Encrypt keys. ```tls_certificate_path``` should point to ```/etc/letsencrypt/live/(your domain name)/fullchain.pem```. ```tls_private_key_path``` should point to ```/etc/letsencrypt/live/(your domain name)/privkey.pem```. ```tls_dh_params_path``` can stay the same as before. .. _Synapse: https://github.com/matrix-org/synapse/blob/master/README.rst#synapse-installation .. _Let's Encrypt: https://letsencrypt.readthedocs.org/en/latest/using.html#installation
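Review bot: since the whole line is rewritten here, the inline literals should use reStructuredText's double backticks (``tls_certificate_path``, ``/etc/letsencrypt/live/(your domain name)/fullchain.pem``) instead of the triple backticks carried over from the old text, which are not rST syntax. On substance, pointing the paths directly into /etc/letsencrypt/live/ means the files behind them change on every renewal (the "A note about renewal" section above says they expire in 3 months), so unless synapse re-reads ``tls_certificate_path`` and ``tls_private_key_path`` at runtime it will keep serving the old certificate; the renewal note should tell the reader to restart synapse after each renewal, for example from a renewal hook.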