Solved: how to enable Synapse TLS in FreeBSD 14.1?

Dear all:
I have created a Matrix chat server with py311-matrix-synapse-1.116.0 on FreeBSD 14.1, but I want to enable TLS support to encrypt the chat. How do I generate the PEM files below? Thanks.
tls_certificate_path:?????.pem
tls_private_key_path:?????.pem

Do I just add those lines to my homeserver.yaml to enable TLS? Thanks.
 
Only internally? Or does it need a 'proper' SSL/TLS certificate? If you're only using this internally you could generate self-signed certificates.
 
Dear sirdice:
Thanks. I just built this for testing. Below is the Synapse info:
TLS:
This option specifies a PEM-encoded X509 certificate for TLS. This certificate, as of Synapse 1.0, will need to be a valid and verifiable certificate, signed by a recognised Certificate Authority. Defaults to none.

Be sure to use a .pem file that includes the full certificate chain including any intermediate certificates (for instance, if using certbot, use fullchain.pem as your certificate, not cert.pem).

And I have tried the command below for the PEM, but it does not work for me:
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout private_key.pem -out mycert.pem -days 3650
tls_certificate_path:mycert.pem
tls_private_key_path: private_key.pem


I don't know how to build the PEM and the key. Can you show me the steps? Thanks.
 
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout private_key.pem -out mycert.pem -days 3650
This only generates a CSR (Certificate Signing Request). That request has to be signed by a CA (Certificate Authority). The signed result is the actual certificate you use. You have to trust a CA, so anything it has signed can also be trusted to be valid. Normally you would use existing CAs, like Letsencrypt, Digisign, GoDaddy, GlobalSign, etc. You send them the CSR and they'll return a signed certificate (usually for a fee, some are free).

Now, a so-called "self-signed" certificate means you have generated and signed your own CA certificate. You can use that CA certificate to sign certificate requests.
 
Dear sirdice:
Thanks. Below are my steps:
openssl req -days 365 -nodes -new -x509 -keyout ca.key -out ca.crt   # generate a personal CA: key plus self-signed CA certificate
openssl req -days 365 -nodes -new -keyout server.key -out server.csr   # generate the server key and its CSR
openssl x509 -req -days 365 -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -CAcreateserial   # sign the CSR with the CA to produce the server certificate

But when I put the result in homeserver.yaml as below, I still get the same errors. Thanks.
#30 line #
tls_certificate_path:server.crt
#31 line #
tls_private_key_path: server.key


File "/usr/local/lib/python3.11/site-packages/yaml/scanner.py", line 291, in stale_possible_simple_keys
raise ScannerError("while scanning a simple key", key.mark,
yaml.scanner.ScannerError: while scanning a simple key
in "homeserver.yaml", line 30, column 1
could not find expected ':'
in "homeserver.yaml", line 31, column 1
 
Dear richardtoohey2:
Thanks for your YAML format check. The YAML format is now correct, but the crt still doesn't work.
Errors:
#curl https://192.168.122.111:8448/
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.


Do you know how to generate a self-signed PEM that includes the full certificate chain? Thanks.
Be sure to use a .pem file that includes the full certificate chain including any intermediate certificates (for instance, if using certbot, use fullchain.pem as your certificate, not cert.pem).

Dear dice:
Thanks.
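Putting SirDice's CSR-versus-CA explanation, the OP's three openssl steps and the fullchain.pem advice together, here is an added example; it is not code from the thread or from the Synapse project. It assumes the hostname matrix.example.test (my choice) and reuses the IP 192.168.122.111 from the OP's curl test. The explicit extension files, the subjectAltName entries, the output file names and the verification step are my additions; the script also writes the two homeserver.yaml lines with the space after the colon that the YAML scanner error in the thread was complaining about:

```shell
#!/bin/sh
# Added example (not from the thread or from Synapse): build a private test CA,
# sign a server certificate with it, assemble fullchain.pem for Synapse's
# tls_certificate_path, and verify the chain before editing homeserver.yaml.
# Assumptions not stated in the thread: hostname matrix.example.test, the IP
# 192.168.122.111 the OP used with curl, 365-day validity, RSA-2048 keys.

make_synapse_certs() {
    out=$1            # output directory
    host=$2           # DNS name clients will connect to
    ip=$3             # IP clients may connect to (the OP used https://192.168.122.111:8448/)
    days=${4:-365}
    mkdir -p "$out" || return 1

    # 1. Private CA: a key and a self-signed certificate marked CA:TRUE.
    #    Extensions are written to a file so the result does not depend on
    #    whatever x509_extensions section the system openssl.cnf happens to have.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$out/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$out/ca.key" -out "$out/ca.csr" -subj "/CN=Synapse test CA" || return 1
    openssl x509 -req -days "$days" -sha256 -in "$out/ca.csr" -signkey "$out/ca.key" \
        -extfile "$out/ca.ext" -out "$out/ca.crt" || return 1

    # 2. Server key and CSR. The CSR is only a request; it is not yet a certificate.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$out/server.key" -out "$out/server.csr" -subj "/CN=$host" || return 1

    # 3. Sign the CSR with the CA. subjectAltName is what curl and browsers match
    #    against; the CN alone is ignored by modern clients, and an IP address
    #    must be listed as IP:, not DNS:.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s,IP:%s\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\n' "$host" "$ip" > "$out/server.ext"
    openssl x509 -req -days "$days" -sha256 -in "$out/server.csr" \
        -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
        -extfile "$out/server.ext" -out "$out/server.crt" || return 1

    # 4. Full chain: leaf certificate first, then the issuing CA. This is what
    #    certbot's fullchain.pem contains; with a private CA the only
    #    intermediate-style entry is the CA certificate itself.
    cat "$out/server.crt" "$out/ca.crt" > "$out/fullchain.pem" || return 1

    # 5. Prove the certificate verifies for the name and the IP clients will
    #    use. If this fails, no homeserver.yaml setting will make it work.
    openssl verify -CAfile "$out/ca.crt" -verify_hostname "$host" "$out/server.crt" >/dev/null || return 1
    openssl verify -CAfile "$out/ca.crt" -verify_ip "$ip" "$out/server.crt" >/dev/null || return 1

    # 6. Synapse config lines. YAML needs "key: value" with a space after the
    #    colon; "tls_certificate_path:server.crt" is what produced the
    #    ScannerError in the thread.
    printf 'tls_certificate_path: %s/fullchain.pem\ntls_private_key_path: %s/server.key\n' "$out" "$out" > "$out/homeserver-tls.yaml"
    chmod 600 "$out/server.key" "$out/ca.key"
    echo "wrote $out/fullchain.pem, $out/server.key and $out/homeserver-tls.yaml"
}

# Client side: curl reports "SSL certificate problem: self-signed certificate"
# (as in the thread) until it is told to trust the private CA:
#   curl --cacert /path/to/ca.crt https://192.168.122.111:8448/

if [ $# -gt 0 ]; then
    make_synapse_certs "$@"
fi
```

Run it as, for example, `sh make-synapse-certs.sh /usr/local/etc/synapse/tls matrix.example.test 192.168.122.111` (path is illustrative), copy the two lines from homeserver-tls.yaml into homeserver.yaml, and test with `curl --cacert /usr/local/etc/synapse/tls/ca.crt https://192.168.122.111:8448/`. The self-signed error disappears only because the client now trusts the private CA; bundling ca.crt into fullchain.pem helps the server present the chain but never makes a client trust a CA it has not been given. For anything reachable from other people's clients, use a certificate from a public CA such as Let's Encrypt instead.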
 