LetsEncrypt is a trusted CA that provides free security certificates. Unlike previously self-signed certificates, we can use LetsEncrypt Certificates to certify your domains from a trusted source.
Please refer to official [certbot User Guide](https://certbot.eff.org/docs/using.html) for details how to install and operate the tool, choosing desired method of domain authentication (DNS or webserver). After
successful execution the certificate with all related files will be stored under /etc/letsencrypt/live/$domain
$ sudo ls /etc/letsencrypt/live/$domain cert.pem chain.pem fullchain.pem privkey.pem README
In that directory, you will find four files:
- privkey.pem
- private key for the certificate
- cert.pem
- contains the server certificate by itself
- chain.pem
- contains the additional intermediate certificate or certificates
- fullchain.pem
- all certificates, including server certificate (aka leaf certificate or end-entity certificate). The server certificate
is the first one in this file, followed by any intermediates.
For Tigase XMPP Server, we are only concerned with privkey.pem
and fullchain.pem
.
At this point we will need to obtain the root and intermediate certificates, this can be done by downloading these certificates from the LetsEncrypt website.
Alternatively, you may obtain them using wget:
wget https://letsencrypt.org/certs/isrgrootx1.pem wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem
These are the root certificate, and the intermediate certificate signed by root certificate.
Note
IdenTrust cross-signed certificate will not function properly.
Take the contents of your privkey.pem
, certificate, and combine them with the contents of isrgrootx1.pem
and letsencryptauthorityx3.pem
into a single pem certificate. You need to name the file after your domain such as mydomain.com.pem
and place it under certs/
subdirectory of Tigase XMPP Server installation
If you moved all certs to a single directory, you may combine them using the following command under *nix operating systems:.
cat ./cert.pem ./privkey.pem ./letsencryptauthorityx3.pem ./isrgrootx1.pem > mydomain.com.pem
Your certificate should look something like this:
-----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDAUAqqKu7Z4odo ... og89F9AbWr1mNmyRoScyqMXo -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4 ... TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- FhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtU ... bmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRp -----END CERTIFICATE-----
Warning
LetsEncrypt certificates expire 90 days from issue and need to be renewed in order for them to remain valid!