From feb4ae84bab475964d62fe3cceeb7ce391b5145d Mon Sep 17 00:00:00 2001 From: lub Date: Sat, 5 Aug 2017 10:53:51 +0000 Subject: [PATCH 1/5] use symlinks instead of copy Let's Encrypt creates symlink to the current keys+certs in /etc/letsencrypt/live/ It isn't very useful to copy the link targets, because they rotate with every renewal (max every 90 days, optimally every 60 days). Per default the files (key+cert) have owner root:root and 0644, which should be sufficient for synapse to read. --- supporting-docs/guides/2016-03-15-lets-encrypt.rst | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/supporting-docs/guides/2016-03-15-lets-encrypt.rst b/supporting-docs/guides/2016-03-15-lets-encrypt.rst index 6c6b0ae2..9d078137 100644 --- a/supporting-docs/guides/2016-03-15-lets-encrypt.rst +++ b/supporting-docs/guides/2016-03-15-lets-encrypt.rst @@ -23,10 +23,7 @@ Also, the certificates will be in a folder under /etc/letsencrypt (see below) an :: -# cd (path to synapse) -# ./letsencrypt-auto certonly --standalone -# sudo cp /etc/letsencrypt/live/(your domain name)/* . -# sudo chown (user synapse runs as) *.pem +# letsencrypt-auto certonly --standalone A note about renewal -------------------- 
@@ -34,7 +31,7 @@ These certificates will expire in 3 months. To renew certificates, just repeat t 2: Install Certificates ======================= -At the top of your homeserver.yaml there should be two keys, ```tls_certificate_path``` and ```tls_private_key_path```. These should be changed so that instead of pointing to the default keys, they now point to the Let's Encrypt keys. ```tls_certificate_path``` should point to the ```fullchain.pem``` in the synapse install directory. ```tls_private_key_path``` should point to the ```privkey.pem``` in the synapse install directory. ```tls_dh_params_path``` can stay the same as before. +At the top of your homeserver.yaml there should be two keys, ```tls_certificate_path``` and ```tls_private_key_path```. These should be changed so that instead of pointing to the default keys, they now point to the Let's Encrypt keys. ```tls_certificate_path``` should point to ```/etc/letsencrypt/live/(your domain name)/fullchain.pem```. ```tls_private_key_path``` should point to ```/etc/letsencrypt/live/(your domain name)/privkey.pem```. ```tls_dh_params_path``` can stay the same as before. .. _Synapse: https://github.com/matrix-org/synapse/blob/master/README.rst#synapse-installation .. _Let's Encrypt: https://letsencrypt.readthedocs.org/en/latest/using.html#installation From 464f5cdff30506ef948cdd45a9d38cb0a2517544 Mon Sep 17 00:00:00 2001 From: lub Date: Sat, 5 Aug 2017 11:45:10 +0000 Subject: [PATCH 2/5] recommend ```renew``` for renewal settings for renewal are stored in /etc/letsencrypt/renewal/.conf - it is not necessary to specify them every time --- supporting-docs/guides/2016-03-15-lets-encrypt.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/supporting-docs/guides/2016-03-15-lets-encrypt.rst b/supporting-docs/guides/2016-03-15-lets-encrypt.rst index 9d078137..5c6390c4 100644 --- a/supporting-docs/guides/2016-03-15-lets-encrypt.rst +++ b/supporting-docs/guides/2016-03-15-lets-encrypt.rst 
@@ -27,7 +27,7 @@ Also, the certificates will be in a folder under /etc/letsencrypt (see below) an A note about renewal -------------------- -These certificates will expire in 3 months. To renew certificates, just repeat this step. +These certificates will expire in 3 months. To renew certificates, run ```letsencrypt-auto renew```. It is recommended to create a cronjob, which attempts renewal twice a day. Depending on your distribution, that could be already configured. 2: Install Certificates ======================= From ae8c6179f54adc16fc012f6a102579b78a41a736 Mon Sep 17 00:00:00 2001 From: lub Date: Sat, 5 Aug 2017 11:47:56 +0000 Subject: [PATCH 3/5] change binary to certbot out of the certbot/certbot README.rst: > Until May 2016, Certbot was named simply letsencrypt or letsencrypt-auto, depending on install method. Instructions on the Internet, and some pieces of the software, may still refer to this older name. --- supporting-docs/guides/2016-03-15-lets-encrypt.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/supporting-docs/guides/2016-03-15-lets-encrypt.rst b/supporting-docs/guides/2016-03-15-lets-encrypt.rst index 5c6390c4..0a04f47d 100644 --- a/supporting-docs/guides/2016-03-15-lets-encrypt.rst +++ b/supporting-docs/guides/2016-03-15-lets-encrypt.rst @@ -13,7 +13,7 @@ Let's Encrypt is a free Certificate Authority that makes it easy to secure your 0: Prerequisites ================ * Install Synapse_. -* Install (or Download) `Let's Encrypt`_ +* Install (or Download) `certbot`_ 1: Get certificates =================== 
@@ -23,11 +23,11 @@ Also, the certificates will be in a folder under /etc/letsencrypt (see below) an :: -# letsencrypt-auto certonly --standalone +# certbot certonly --standalone A note about renewal -------------------- -These certificates will expire in 3 months. To renew certificates, run ```letsencrypt-auto renew```. It is recommended to create a cronjob, which attempts renewal twice a day. Depending on your distribution, that could be already configured. +These certificates will expire in 3 months. To renew certificates, run ```certbot renew```. It is recommended to create a cronjob, which attempts renewal twice a day. Depending on your distribution, that could be already configured. 2: Install Certificates ======================= From 9933aee091c6552636a125e99b9aa73a916a69b4 Mon Sep 17 00:00:00 2001 From: lub Date: Tue, 8 Aug 2017 11:39:53 +0200 Subject: [PATCH 4/5] remove note to copy cert+key see feb4ae84bab475964d62fe3cceeb7ce391b5145d for explanation --- supporting-docs/guides/2016-03-15-lets-encrypt.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/supporting-docs/guides/2016-03-15-lets-encrypt.rst b/supporting-docs/guides/2016-03-15-lets-encrypt.rst index 0a04f47d..82506b8d 100644 --- a/supporting-docs/guides/2016-03-15-lets-encrypt.rst +++ b/supporting-docs/guides/2016-03-15-lets-encrypt.rst @@ -19,7 +19,7 @@ Let's Encrypt is a free Certificate Authority that makes it easy to secure your =================== When executing the Let's Encrypt client, it will ask for the domain name of your server, and your email address. The domain list can include multiple names and should include any domain you want to access the server from. -Also, the certificates will be in a folder under /etc/letsencrypt (see below) and owned by root. These files should be copied to the same directory as the synapse install and owned by the user synapse is run as. +Also, the certificates will be in a folder under /etc/letsencrypt (see below) and owned by root. :: 
From 93271a8f3e9b9918e31703555605b706f3a2ba1f Mon Sep 17 00:00:00 2001 From: lub Date: Tue, 8 Aug 2017 15:21:08 +0200 Subject: [PATCH 5/5] fix link for certbot --- supporting-docs/guides/2016-03-15-lets-encrypt.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/supporting-docs/guides/2016-03-15-lets-encrypt.rst b/supporting-docs/guides/2016-03-15-lets-encrypt.rst index 82506b8d..824e2ed2 100644 --- a/supporting-docs/guides/2016-03-15-lets-encrypt.rst +++ b/supporting-docs/guides/2016-03-15-lets-encrypt.rst @@ -13,7 +13,7 @@ Let's Encrypt is a free Certificate Authority that makes it easy to secure your 0: Prerequisites ================ * Install Synapse_. -* Install (or Download) `certbot`_ +* Install (or Download) certbot_ 1: Get certificates =================== @@ -34,4 +34,4 @@ These certificates will expire in 3 months. To renew certificates, run ```certbo At the top of your homeserver.yaml there should be two keys, ```tls_certificate_path``` and ```tls_private_key_path```. These should be changed so that instead of pointing to the default keys, they now point to the Let's Encrypt keys. ```tls_certificate_path``` should point to ```/etc/letsencrypt/live/(your domain name)/fullchain.pem```. ```tls_private_key_path``` should point to ```/etc/letsencrypt/live/(your domain name)/privkey.pem```. ```tls_dh_params_path``` can stay the same as before. .. _Synapse: https://github.com/matrix-org/synapse/blob/master/README.rst#synapse-installation -.. _Let's Encrypt: https://letsencrypt.readthedocs.org/en/latest/using.html#installation +.. _certbot: https://certbot.eff.org/
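Review bot: in PATCH 1/5, hunk `@@ -23,10 +23,7 @@`, dropping `# sudo chown (user synapse runs as) *.pem` removes the only step that gave the synapse user read access to the private key, and the replacement text does not say how that access is provided now. The commit message relies on `privkey.pem` being root:root 0644, but 0644 is world-readable, and the guide should not depend on a world-readable private key. Suggest documenting a group-readable arrangement instead (for example a deploy hook that sets the key's group to the synapse group with mode 0640) and telling the reader to verify that the synapse user can traverse `/etc/letsencrypt/live/` and `/etc/letsencrypt/archive/`, not only read the leaf files. Also, `# cd (path to synapse)` was dropped while `./letsencrypt-auto` became `letsencrypt-auto`, so the guide now assumes the client is on PATH; state that.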
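Review bot: in PATCH 1/5, hunk `@@ -34,7 +31,7 @@`, pointing `tls_certificate_path` and `tls_private_key_path` at `/etc/letsencrypt/live/(your domain name)/` means synapse now reads files that are replaced on every renewal, but nothing in the text says synapse must be restarted to pick up the new certificate; a homeserver that loaded the old chain at startup keeps serving it until it expires. Add a sentence about restarting synapse after each renewal. Separately, the inline literals are written with three backticks (```tls_certificate_path```); reStructuredText inline literals use two, so these render with a stray backtick on each side.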
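Review bot: in PATCH 2/5, hunk `@@ -27,7 +27,7 @@`, the new renewal advice ("run ```letsencrypt-auto renew```", cron twice a day) does not mention that the certificate was issued with `--standalone`, so `renew` will use the standalone authenticator again and needs to bind the HTTP port itself; if synapse or another service holds that port when the cron job fires, every renewal attempt fails until the certificate expires. Suggest noting this (free the port via a pre/post hook or use a different authenticator) and telling the reader to watch the cron job's output. Minor: "create a cronjob, which attempts renewal" should be "create a cronjob that attempts renewal", and the triple backticks should be double.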
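Review bot: in PATCH 3/5, hunk `@@ -13,7 +13,7 @@`, `certbot`_ is introduced as a link reference while the only target in the file is still `.. _Let's Encrypt:`, so the document has an undefined reference between this commit and PATCH 5/5, which adds `.. _certbot:`. Squash 5/5 into this commit so the series renders at every step.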
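Review bot: in PATCH 3/5, hunk `@@ -23,11 +23,11 @@`, `# certbot certonly --standalone` is correct where certbot is installed from a package as `certbot`, but the prerequisite bullet says "Install (or Download)", and the downloaded script is named `certbot-auto`; either mention both names or drop the "(or Download)" alternative so the command matches the prerequisite.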
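Review bot: in PATCH 4/5, hunk `@@ -19,7 +19,7 @@`, the sentence now stops at "owned by root." and the guide then configures a non-root synapse to read those files, which leaves a loose end: say explicitly that synapse needs read access to `privkey.pem` and to the `live/` and `archive/` directories, and how that is arranged, rather than leaving the reader to discover a permission error at startup.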