Synapse: Tell people to give synapse the full certificate chain, not just the single certificate

Created on 28 Feb 2019 · 3 Comments · Source: matrix-org/synapse

When using certbot to generate certificates, it generates the following files:

root@errol:~# ls /etc/letsencrypt/live/chat.abolivier.bzh/
cert.pem  chain.pem  fullchain.pem  privkey.pem  README
root@errol:~# 

Since the Synapse docs don't say anything about which one to use, and the relevant config option is named tls_certificate_path, people might tell Synapse to use cert.pem whereas it should be using fullchain.pem, which contains the complete certificate chain. This will likely prevent these people from federating once we start enforcing valid certs.

docs p2
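
A check for the situation described in the issue, added here as an example (not code from Synapse or certbot): it reads the PEM file named in tls_certificate_path and reports whether it holds only the leaf certificate, as certbot's cert.pem does, or the leaf followed by its issuer, as fullchain.pem does. The function names and result labels are hypothetical; names are compared as raw DER bytes and signatures are not verified.

```python
import base64
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, off):
    """Return (tag, content_start, end) of the DER element at offset off."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def issuer_subject(der):
    """Raw DER bytes of the issuer and subject Name of one certificate."""
    _, pos, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(der, pos)    # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end and len(fields) < 5:
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:                     # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    # fields: serial, signature algorithm, issuer, validity, subject
    return fields[2], fields[4]

def classify(pem_text):
    """Classify the contents of the file named in tls_certificate_path."""
    names = [issuer_subject(base64.b64decode(body))
             for body in PEM_RE.findall(pem_text)]
    if not names:
        return "no-certificate"
    # Each certificate must be issued by the one that follows it.
    if any(names[i][0] != names[i + 1][1] for i in range(len(names) - 1)):
        return "misordered-chain"
    if len(names) > 1:
        return "chain-included"             # shape of certbot's fullchain.pem
    issuer, subject = names[0]
    # A lone certificate is acceptable only when it is self-issued.
    return "self-issued" if issuer == subject else "leaf-only"

if __name__ == "__main__":
    # Usage: python check_chain.py <path from tls_certificate_path>
    with open(sys.argv[1]) as fh:
        print(classify(fh.read()))
```

A result of leaf-only on a CA-issued certificate is the cert.pem case the issue warns about.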

All 3 comments

We don't really document how to use certbot at all, and I'm not sure it should be our job to do so?

Yes, my issue was very specific to certbot (thought it would be useful for context), but a simple note of "use the full chain, not just the cert" would be helpful

I believe this has been solved now.
