matrix-spec/supporting-docs/guides/2016-03-15-lets-encrypt.rst

---
layout: post
title: Let's Encrypt Matrix
categories: guides
---

====================
Let's Encrypt Matrix
====================

Let's Encrypt is a free Certificate Authority that makes it easy to secure your server's internet traffic. This makes it really easy to secure your Matrix homeserver, and this guide will explain exactly how you do this. Guide written by William A Stevens - thanks!

0: Prerequisites
================
* Install Synapse_.
* Install (or Download) certbot_

1: Get certificates
===================
When executing the Let's Encrypt client, it will ask for the domain name of your server, and your email address. The domain list can include multiple names and should include any domain you want to access the server from.

Also, the certificates will be in a folder under /etc/letsencrypt (see below) and owned by root.

::

# certbot certonly --standalone

A note about renewal
--------------------
These certificates will expire in 3 months. To renew certificates, run ```certbot renew```. It is recommended to create a cronjob, which attempts renewal twice a day. Depending on your distribution, that could be already configured.

2: Install Certificates
=======================
At the top of your homeserver.yaml there should be two keys, ```tls_certificate_path``` and ```tls_private_key_path```. These should be changed so that instead of pointing to the default keys, they now point to the Let's Encrypt keys. ```tls_certificate_path``` should point to ```/etc/letsencrypt/live/(your domain name)/fullchain.pem```. ```tls_private_key_path``` should point to ```/etc/letsencrypt/live/(your domain name)/privkey.pem```. ```tls_dh_params_path``` can stay the same as before.

.. _Synapse: https://github.com/matrix-org/synapse/blob/master/README.rst#synapse-installation
.. _certbot: https://certbot.eff.org/
added intro 9 years ago			`---`
			`layout: post`
			`title: Let's Encrypt Matrix`
			`categories: guides`
			`---`

			`====================`
			`Let's Encrypt Matrix`
			`====================`

adding author 9 years ago			`Let's Encrypt is a free Certificate Authority that makes it easy to secure your server's internet traffic. This makes it really easy to secure your Matrix homeserver, and this guide will explain exactly how you do this. Guide written by William A Stevens - thanks!`
added intro 9 years ago
			`0: Prerequisites`
			`================`
			`* Install Synapse_.`
fix link for certbot 7 years ago			`* Install (or Download) certbot_`
added intro 9 years ago
			`1: Get certificates`
			`===================`
			`When executing the Let's Encrypt client, it will ask for the domain name of your server, and your email address. The domain list can include multiple names and should include any domain you want to access the server from.`

remove note to copy cert+key see feb4ae84bab475964d62fe3cceeb7ce391b5145d for explanation 7 years ago			`Also, the certificates will be in a folder under /etc/letsencrypt (see below) and owned by root.`
added intro 9 years ago
			`::`

change binary to certbot out of the certbot/certbot README.rst: > Until May 2016, Certbot was named simply letsencrypt or letsencrypt-auto, depending on install method. Instructions on the Internet, and some pieces of the software, may still refer to this older name. 7 years ago			`# certbot certonly --standalone`
added intro 9 years ago
			`A note about renewal`
			`--------------------`
change binary to certbot out of the certbot/certbot README.rst: > Until May 2016, Certbot was named simply letsencrypt or letsencrypt-auto, depending on install method. Instructions on the Internet, and some pieces of the software, may still refer to this older name. 7 years ago			These certificates will expire in 3 months. To renew certificates, run ```certbot renew```. It is recommended to create a cronjob, which attempts renewal twice a day. Depending on your distribution, that could be already configured.
added intro 9 years ago
			`2: Install Certificates`
			`=======================`
use symlinks instead of copy Let's Encrypt creates symlink to the current keys+certs in /etc/letsencrypt/live/ It isn't very useful to copy the link targets, because they rotate with every renewal (max every 90 days, optimally every 60 days). Per default the files (key+cert) have owner root:root and 0644, which should be sufficient for synapse to read. 7 years ago			At the top of your homeserver.yaml there should be two keys, ```tls_certificate_path``` and ```tls_private_key_path```. These should be changed so that instead of pointing to the default keys, they now point to the Let's Encrypt keys. ```tls_certificate_path``` should point to ```/etc/letsencrypt/live/(your domain name)/fullchain.pem```. ```tls_private_key_path``` should point to ```/etc/letsencrypt/live/(your domain name)/privkey.pem```. ```tls_dh_params_path``` can stay the same as before.
added intro 9 years ago
			`.. _Synapse: https://github.com/matrix-org/synapse/blob/master/README.rst#synapse-installation`
fix link for certbot 7 years ago			`.. _certbot: https://certbot.eff.org/`