As described here ( https://github.com/matrix-org/synapse/issues/2438#issuecomment-327424711 ), using our own SSL certificates for the federation port is more fragile, as renewing them could cause federation outages. The recommended setup is to use the self-signed certificates generated by Synapse. On the 443 port (matrix-nginx-proxy) side, we still use the Let's Encrypt certificates, which ensures API consumers work without having to trust "our own CA". Having done this, we also don't need to ever restart Synapse anymore, as no new SSL certificates need to be applied there. It's just matrix-nginx-proxy that needs to be restarted, and it doesn't even need a full restart as an "nginx reload" does the job of switching to the new SSL certificates.
parent
6962bfcc42
commit
3a5f82267b
@ -0,0 +1,8 @@
|
|||||||
|
MAILTO="{{ matrix_ssl_support_email }}"
|
||||||
|
|
||||||
|
# This periodically reloads the matrix-nginx-proxy service
|
||||||
|
# to ensure it's using the latest SSL certificate
|
||||||
|
# in case it got renewed by the `matrix-ssl-certificate-renewal` cronjob
|
||||||
|
# (which happens once every ~2-3 months).
|
||||||
|
|
||||||
|
{{ matrix_nginx_proxy_reload_cron_time_definition }} root /usr/bin/systemctl reload matrix-nginx-proxy.service
|
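Review bot: nothing in this new cron file ties the reload to the renewal it is meant to pick up; the comment only says the certificate "got renewed by the `matrix-ssl-certificate-renewal` cronjob", so whether `{{ matrix_nginx_proxy_reload_cron_time_definition }}` fires before or after that job depends entirely on how the two variables are set. Either document next to the variable that it must be scheduled after the renewal job (otherwise nginx keeps serving the old certificate until the next reload, up to a full cycle), or have the renewal job trigger `systemctl reload matrix-nginx-proxy.service` itself so the stale-certificate window is bounded regardless of the two schedules. Minor: `/usr/bin/systemctl` is hard-coded; on distributions that ship `systemctl` under `/bin` the job would fail silently apart from the `MAILTO` mail, so consider `systemctl` via `PATH` or a variable.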
@ -1,11 +0,0 @@
|
|||||||
MAILTO="{{ matrix_ssl_support_email }}"
|
|
||||||
|
|
||||||
# This periodically restarts the Matrix services
|
|
||||||
# to ensure they're using the latest SSL certificate
|
|
||||||
# in case it got renewed by the `matrix-ssl-certificate-renewal` cronjob
|
|
||||||
# (which happens once every ~2-3 months).
|
|
||||||
#
|
|
||||||
# Because `matrix-nginx-proxy.service` depends on `matrix-synapse.service`,
|
|
||||||
# both would be restarted.
|
|
||||||
|
|
||||||
{{ matrix_services_restart_cron_time_definition }} root /usr/bin/systemctl restart matrix-synapse.service
|
|
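Review bot: removing this file drops the only job that ever restarted `matrix-synapse.service`, which is correct only if Synapse is no longer configured with the Let's Encrypt certificate, as the commit message states it should be (the self-signed federation certificate). The deleted comment shows the previous rationale ("both would be restarted" because the proxy depends on Synapse), so the change should come with, or at least reference, the Synapse TLS configuration change that makes the restart unnecessary; otherwise a deployment that still points Synapse at the renewed certificate would keep serving the expired one on the federation port with no job left to refresh it.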