Filip/matrix-spec
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-spec synced 2026-01-28 01:53:43 +01:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
matrix-spec/supporting-docs/guides/2016-03-15-lets-encrypt.rst
lub feb4ae84ba use symlinks instead of copy 
Let's Encrypt creates symlink to the current keys+certs in /etc/letsencrypt/live/

It isn't very useful to copy the link targets, because they rotate with every renewal (max every 90 days, optimally every 60 days). Per default the files (key+cert) have owner root:root and 0644, which should be sufficient for synapse to read.
2017-08-05 10:53:51 +00:00

38 lines
1.9 KiB
ReStructuredText
Raw Blame History

---
layout: post
title: Let's Encrypt Matrix
categories: guides
---
====================
Let's Encrypt Matrix
====================
Let's Encrypt is a free Certificate Authority that makes it easy to secure your server's internet traffic. This makes it really easy to secure your Matrix homeserver, and this guide will explain exactly how you do this. Guide written by William A Stevens - thanks!
0: Prerequisites
================
* Install Synapse_.
* Install (or Download) `Let's Encrypt`_
1: Get certificates
===================
When executing the Let's Encrypt client, it will ask for the domain name of your server, and your email address. The domain list can include multiple names and should include any domain you want to access the server from.
Also, the certificates will be in a folder under /etc/letsencrypt (see below) and owned by root. These files should be copied to the same directory as the synapse install and owned by the user synapse is run as.
::
# letsencrypt-auto certonly --standalone
A note about renewal
--------------------
These certificates will expire in 3 months. To renew certificates, just repeat this step.
2: Install Certificates
=======================
At the top of your homeserver.yaml there should be two keys, ```tls_certificate_path``` and ```tls_private_key_path```. These should be changed so that instead of pointing to the default keys, they now point to the Let's Encrypt keys. ```tls_certificate_path``` should point to ```/etc/letsencrypt/live/(your domain name)/fullchain.pem```. ```tls_private_key_path``` should point to ```/etc/letsencrypt/live/(your domain name)/privkey.pem```. ```tls_dh_params_path``` can stay the same as before.
.. _Synapse: https://github.com/matrix-org/synapse/blob/master/README.rst#synapse-installation
.. _Let's Encrypt: https://letsencrypt.readthedocs.org/en/latest/using.html#installation
Reference in a new issue View git blame Copy permalink