Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Commit

Permalink
Add notes on SRV and .well-known (#4573)
Browse files Browse the repository at this point in the history
  • Loading branch information
@richvdh
richvdh authored Feb 5, 2019
1 parent 61dc53a commit 39bf0ea
Showing 1 changed file with 117 additions and 41 deletions.
158 changes: 117 additions & 41 deletions docs/MSC1711_certificates_FAQ.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,45 +19,36 @@ certificate.** Admins will have 1 month to do so, after which 1.0.0 will be
released and those servers without a valid certificate will not longer be able
to federate with >= 1.0.0 servers.

If you are unable to generate a valid TLS certificate for your server (e.g.
because you run it on behalf of someone who doesn't want to give you a TLS
certificate for their domain, or simply because the matrix domain is hosted on
a different server), then you can now create a /.well-known/matrix/server file
on the matrix domain in order to delegate Matrix hosting to another domain.
 Admins who currently use SRV records to delegate a domain **which they do not
control TLS for** will need to switch to using .well-known/matrix/server - though
they should retain their SRV record while the federation upgrades over the
course of the month.  Other SRV records are unaffected.

Full upgrade notes can be found in
[UPGRADE.rst](https://github.com/matrix-org/synapse/blob/master/UPGRADE.rst).
What follows is a timeline and some frequently asked questions.
Full details on how to carry out this configuration change is given
[below](#configuring-certificates-for-compatibility-with-synapse-100). A
timeline and some frequently asked questions are also given below.

For more details and context on the release of the r0.1 Server/Server API and
imminent Matrix 1.0 release, you can also see our
[main talk from FOSDEM 2019](https://matrix.org/blog/2019/02/04/matrix-at-fosdem-2019/).

## Contents
* Timeline
* Synapse 0.99.0 has just been released, what do I need to do right now?
* How do I upgrade?
* What will happen if I do not set up a valid federation certificate
immediately?
* What will happen if I do nothing at all?
* When do I need a SRV record or .well-known URI?
* Can I still use an SRV record?
* I have created a .well-known URI. Do I still need an SRV record?
* It used to work just fine, why are you breaking everything?
* Can I manage my own certificates rather than having Synapse renew
certificates itself?
* Do you still recommend against using a reverse-proxy on the federation port?
* Do I still need to give my TLS certificates to Synapse if I am using a
reverse-proxy?
* Do I need the same certificate for the client and federation port?
* How do I tell Synapse to reload my keys/certificates after I replace them?


### Timeline
* Configuring certificates for compatibility with Synapse 1.0
* FAQ
* Synapse 0.99.0 has just been released, what do I need to do right now?
* How do I upgrade?
* What will happen if I do not set up a valid federation certificate
immediately?
* What will happen if I do nothing at all?
* When do I need a SRV record or .well-known URI?
* Can I still use an SRV record?
* I have created a .well-known URI. Do I still need an SRV record?
* It used to work just fine, why are you breaking everything?
* Can I manage my own certificates rather than having Synapse renew
certificates itself?
* Do you still recommend against using a reverse-proxy on the federation port?
* Do I still need to give my TLS certificates to Synapse if I am using a
reverse-proxy?
* Do I need the same certificate for the client and federation port?
* How do I tell Synapse to reload my keys/certificates after I replace them?

## Timeline

**5th Feb 2019 - Synapse 0.99.0 is released.**

Expand All @@ -82,10 +73,96 @@ alongside their .well-known record.
1.0.0 will land no sooner than 1 month after 0.99.0, leaving server admins one
month after 5th February to upgrade to 0.99.0 and deploy their certificates. In
accordance with the the [S2S spec](https://matrix.org/docs/spec/server_server/r0.1.0.html)
1.0.0 will enforce federation checks. This means that any homeserver without a
1.0.0 will enforce certificate validity. This means that any homeserver without a
valid certificate after this point will no longer be able to federate with
1.0.0 servers.


## Configuring certificates for compatibility with Synapse 1.0.0

### If you do not currently have an SRV record

In this case, your `server_name` points to the host where your Synapse is
running. There is no need to create a `.well-known` URI or an SRV record, but
you will need to give Synapse a valid, signed, certificate.

The easiest way to do that is with Synapse's built-in ACME (Let's Encrypt)
support. Full details are in [ACME.md](./ACME.md) but, in a nutshell:

1. Allow Synapse to listen on port 80 with `authbind`, or forward it from a
reverse proxy.
2. Enable acme support in `homeserver.yaml`.
3. Move your old certificates out of the way.
4. Restart Synapse.

### If you do have an SRV record currently

If you are using an SRV record, your matrix domain (`server_name`) may not
point to the same host that your Synapse is running on (the 'target
domain'). (If it does, you can follow the recommendation above; otherwise, read
on.)

Let's assume that your `server_name` is `example.com`, and your Synapse is
hosted at a target domain of `customer.example.net`. Currently you should have
an SRV record which looks like:

```
_matrix._tcp.example.com. IN SRV 10 5 443 customer.example.net.
```

In this situation, you have two choices for how to proceed:

#### Option 1: give Synapse a certificate for your matrix domain

Synapse 1.0 will expect your server to present a TLS certificate for your
`server_name` (`example.com` in the above example). You can achieve this by
doing one of the following:

* Acquire a certificate for the `server_name` yourself (for example, using
`certbot`), and give it and the key to Synapse via `tls_certificate_path`
and `tls_private_key_path`, or:

* Use Synapse's [ACME support](./ACME.md), and forward port 80 on the
`server_name` domain to your Synapse instance, or:

* Set up a reverse-proxy on port 8448 on the `server_name` domain, which
forwards to Synapse. Once it is set up, you can remove the SRV record.

#### Option 2: add a .well-known file to delegate your matrix traffic

This will allow you to keep Synapse on a separate domain, without having to
give it a certificate for the matrix domain.

You can do this with a `.well-known` file as follows:

1. Keep the SRV record in place - it is needed for backwards compatibility
with Synapse 0.34 and earlier.

2. Give synapse a certificate corresponding to the target domain
(`customer.example.net` in the above example). Currently Synapse's ACME
support [does not support
this](https://github.com/matrix-org/synapse/issues/4552), so you will have
to acquire a certificate yourself and give it to Synapse via
`tls_certificate_path` and `tls_private_key_path`.

3. Restart Synapse to ensure the new certificate is loaded.

4. Arrange for a `.well-known` file at
`https://<server_name>/.well-known/matrix/server` with contents:

```json
{"m.server": "<target domain>:<port>"}
```

In the above example, `https://example.com/.well-known/matrix/server`
should have the contents:

```json
{"m.server": "customer.example.net:443"}
```

## FAQ

### Synapse 0.99.0 has just been released, what do I need to do right now?

Upgrade as soon as you can in preparation for Synapse 1.0.0.
Expand Down Expand Up @@ -126,14 +203,13 @@ other servers know how to find it.

The easiest way to do this is with a .well-known/matrix/server URI on the
webroot of the domain to advertise your server. For instance, if you ran
"matrixhosting.com" and you were hosting a Matrix server for example.com, you
would ask example.com to create a file at:

`https://example.com/.well-known/matrix/server`
"matrixhosting.com" and you were hosting a Matrix server for `example.com`, you
would ask `example.com` to create a file at
`https://example.com/.well-known/matrix/server` with contents:

with contents:

`{"m.server": "example.matrixhosting.com:8448"}`
```json
{"m.server": "example.matrixhosting.com:8448"}
```

...which would tell servers trying to connect to example.com to instead connect
to example.matrixhosting.com on port 8448. You would then configure Synapse
Expand Down Expand Up @@ -231,7 +307,7 @@ We no longer actively recommend against using a reverse proxy. Many admins will
find it easier to direct federation traffic to a reverse-proxy and manage their
own TLS certificates, and this is a supported configuration.

### Do I still need to give my TLS certificates to Synapse if I am using a reverse proxy?
### Do I still need to give my TLS certificates to Synapse if I am using a reverse proxy?

Practically speaking, this is no longer necessary.

Expand Down

0 comments on commit 39bf0ea

Please sign in to comment.