Package: matrix-synapse
Version: 0.34.1.1-4
Severity: important

Dear maintainer,

Context: Matrix Synapse has two ports - 8008 for communication with clients and 8448 for federation with other servers. Both need some kind of TLS certificates. Usually, the certificates on the reverse proxy server are used for communication with clients (8008). Port 8448 is left open in the firewall for federation.

Problem: Matrix versions before 0.99 have used self-signed certificates for server-to-server communication (found in /etc/matrix-synapse/). Synapse 0.99 will transparently talk to Let's Encrypt and obtain the certificate of the Matrix server to be used for federation as well. From version 1.0 onwards, all server-to-server communication will require each server to have a CA-issued certificate.

Suggested fix: The action recommended by upstream is to delete the self-signed certificates before upgrading to 0.99. I think the preinst script of the package should do this deletion, so that once Synapse 0.99 comes up, it will detect that the certificates are missing and obtain new ones from Let's Encrypt.

Reference: See the following FOSDEM video at around 35 minutes: https://video.fosdem.org/2019/Janson/matrix_french_state.webm

-- 
Regards,
Joseph Nuthalapati
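A preinst fragment of the kind suggested in this report, added here as an example and not the Debian package's actual maintainer script: it removes the federation certificate only on an upgrade from a version below 0.99, and only if that certificate is really self-signed (issuer equals subject), so a CA-issued certificate an administrator has already put in place is left alone. The certificate file name under /etc/matrix-synapse/ is a placeholder, and the inline version helper stands in for `dpkg --compare-versions` so the snippet can run outside a dpkg context.

```shell
#!/bin/sh
# Example preinst logic (not the Debian package's own script).
set -e

# Placeholder: the real self-signed federation cert name under
# /etc/matrix-synapse/ is not given in the report.
FEDERATION_CERT="/etc/matrix-synapse/<self-signed-federation-cert>.pem"

# True when a version string like "0.34.1.1-4" is below 0.99.
# A real preinst would use: dpkg --compare-versions "$old" lt 0.99
version_below_0_99() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -eq 0 ] && [ "${minor:-0}" -lt 99 ]
}

# True when the PEM cert at $1 is self-signed (issuer == subject).
# An unparsable file is NOT treated as self-signed.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 1
    iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 1
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# $1 = previously installed version (empty on a fresh install), $2 = cert path.
# Removes the cert and returns 0 only when all conditions hold; otherwise 1.
maybe_remove_federation_cert() {
    old_version=$1
    cert=$2
    [ -n "$old_version" ] || return 1          # fresh install: nothing to do
    version_below_0_99 "$old_version" || return 1
    [ -f "$cert" ] || return 1                 # already gone
    is_self_signed "$cert" || return 1         # never delete a CA-issued cert
    rm -f "$cert"
}

# dpkg calls: preinst upgrade <old-version>
case "${1:-}" in
    upgrade) maybe_remove_federation_cert "$2" "$FEDERATION_CERT" || true ;;
esac
```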