Installing LetsEncrypt Certificates in Your Linux System

LetsEncrypt is a trusted CA that provides free security certificates. Unlike self-signed certificates, LetsEncrypt certificates let you certify your domains through a trusted source.

Please refer to the official certbot User Guide for details on how to install and operate the tool and how to choose the desired method of domain authentication (DNS or webserver). After successful execution, the certificate and all related files will be stored under /etc/letsencrypt/live/$domain

$ sudo ls  /etc/letsencrypt/live/$domain
cert.pem  chain.pem  fullchain.pem  privkey.pem  README

In that directory, you will find four files:

  • privkey.pem - private key for the certificate
  • cert.pem - contains the server certificate by itself
  • chain.pem - contains the additional intermediate certificate or certificates
  • fullchain.pem - all certificates, including server certificate (aka leaf certificate or end-entity certificate). The server certificate is the first one in this file, followed by any intermediates.

For Tigase XMPP Server, we are only concerned with privkey.pem and fullchain.pem (or chain.pem - please consider actual issuers and certification chain!).

At this point we will need to obtain the root and intermediate certificates. This can be done by downloading them from the LetsEncrypt Chain of Trust website.


Please pay utmost attention to the actual certificate issuers and make sure that the certification chain is maintained!

At the time of writing, LetsEncrypt was providing domain certificates issued by the R3 Certificate Authority (CA). In order to provide a complete chain to the root CA, you should get the Let’s Encrypt R3 (RSA 2048, O = Let’s Encrypt, CN = R3) certificate. Depending on the desired certification chain, you have two options:

  1) (default and recommended) using LetsEncrypt's own CA:
     a) R3 certificate signed by ISRG Root X1:
     b) ISRG Root X1 root certificate:
  2) (legacy, option more compatible with old systems) certificate cross-signed by IdenTrust:
     a) R3 certificate cross-signed by IdenTrust:
     b) TrustID X3 Root from IdenTrust:

Considering the first (recommended) option, you may obtain them using wget:


These are the root certificate, and the intermediate certificate signed by root certificate.


The IdenTrust cross-signed certificate will not function properly in the future!

Take the contents of your privkey.pem and certificate, and combine them with the contents of isrgrootx1.pem and lets-encrypt-r3.pem into a single PEM certificate.

Depending on your configuration, you either need to name the file after your domain such as and place it under the certs/ subdirectory of the Tigase XMPP Server installation, or update it using admin ad-hoc (see the section called “Storing and managing certificates”).

If you moved all certs to a single directory, you may combine them using the following command under *nix operating systems:

cat ./cert.pem ./privkey.pem ./lets-encrypt-r3.pem ./isrgrootx1.pem >


If you are using the isrgrootx1 root, make sure you use the cert.pem file instead of fullchain.pem, which uses a different intermediate certificate (Let’s Encrypt Authority X3 (IdenTrust cross-signed)), with which you will have to use the DST Root CA X3 certificate!

Your certificate should look something like this:



LetsEncrypt certificates expire 90 days from issue and need to be renewed in order for them to remain valid!

You can check your certificate with the utility class:

java -cp <path_to_tigase-server_installation>/jars/tigase-utils.jar tigase.cert.CertificateUtil -lc -simple