LetsEncrypt is a trusted CA that provides free security certificates. Unlike previously self-signed certificates, we can use LetsEncrypt Certificates to certify your domains from a trusted source. To do this, remote into the server hosting Tigase, or login to the computer locally and begin to install git if that is not already on the system.
sudo apt-get install git
Once the machine installs git, use the following command to download the LetsEncrypt Tools.
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
This will download the tools into the computers' /opt/letsencrypt directory. You will now need to generate the certificates using this tool using the next command.
sudo -H ./letsencrypt-auto certonly --standalone -d domain.com
where domain.com is your currently hosted domain. Be sure that port 443 is forwarded to this computer, and that proper A and DNS records are registered for your domain.
Note
Letsencrypt does not allow for wildcards in the domain name, you will need to generate certificates for each subdomain you wish certified by the CA.
Those certificates will be created and will be stored in /etc/letsencrypt/live/$domain and you will need admin privladges to see them.
sudo -i ********** cd /etc/letsencrypt/live/$domain ls cert.pem chain.pem fullchain.pem privkey.pem
In that directory, you will find four certificates: - cert.pem - chain.pem - fullchain.pem - privkey.pem
For Tigase, we are only concerned with privkey.pem contents. Copy that certificate to another directory.
cp privkey.pem /home/user
At this point we will need to obtain the root and intermediate certificates, this can be done by downloading these certificates from the LetsEncrypt website.
Alternatively, you may obtain them using wget:
wget https://letsencrypt.org/certs/isrgrootx1.pem wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem
These are the root certificate, and the intermediate certificate signed by root certificate. NOTE: IdenTrust cross-signed certificate will not function properly.
Take the contents of your privkey.pem, and combine them with the contents of isrgrootx1.pem and letsencryptauthorityx3.pem into a single pem certificate. You may wish to name the file after your domain such as mydomain.com.pem. Your certificate should look something like this:
-----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDAUAqqKu7Z4odo ... og89F9AbWr1mNmyRoScyqMXo -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4 ... TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- FhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtU ... bmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRp -----END CERTIFICATE-----
Place that certificate into your /certs folder of Tigase, and installation of this certificate is done.
You will need to do this for all subdomains you wish to have a certificate for, however, you may be able to import the root and intermediate certificates to your keystore to avoid having to paste the chain certificates for each subdomain.
Warning
LetsEncrypt certificates expire 90 days from issue and need to be renewed in order for them to remain valid!