Applying Let's Encrypt certificates

This topic describes how to replace the self-signed certificate with a third-party certificate.

About this task

The Sametime server is preconfigured with a self-signed certificate.

Note: Let's Encrypt certificates expire every 90 days. To automatically renew the certificates, users can use Certbot. Otherwise, users can renew certificates when they expire. For details on setting up automatic renewal, refer to the Certbot documentation.

Kubernetes

About this task

Obtain one or more certificates and the private key. Afterward, run the following commands to configure the Ingress to use them.

Procedure

  1. Run the following command to verify if the secret currently exists.
    kubectl get secrets
  2. If the tls-secret exists, delete it.
    kubectl delete secret tls-secret
  3. Create a new tls-secret secret with the new certificate and private key.
    kubectl create secret tls tls-secret --key tls.key --cert tls.crt
    Where the value for key is the private key file and cert is the certificate file.
  4. Verify that the new secret exists.
    kubectl get secret tls-secret -o yaml

Docker

About this task

Generate a Let's Encrypt certificate. Afterward, apply the encryption certificate on the Sametime server.

Procedure

  1. Set ENABLE_LETSENCRYPT to 1 in the docker-compose.yml file.
  2. Retrieve the PEM files provided by Let's Encrypt and locate the following files:
    • fullchain.pem
    • privkey.pem
  3. Copy the specified files to the following folder:
    sametime-config/web/acme-certs/
    Note: If a value for the LETSENCRYPT_DOMAIN is specified, then the path is sametime-config/web/acme-certs/<LETSENCRYPT_DOMAIN>/.
  4. Restart the server to apply the changes.
    
    docker-compose down
    docker-compose up -d
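
Before deleting the existing tls-secret (Kubernetes) or restarting the containers (Docker), it is worth confirming that the private key belongs to the certificate and that the certificate is not close to expiry. The script below is an added example, not part of the product documentation; it assumes openssl is installed, and the function name check_tls_pair and the 30-day default threshold are choices made for this example.

```shell
#!/bin/sh
# Added example: pre-flight check for a certificate/private-key pair.
# check_tls_pair and the 30-day default are assumptions of this example.

# Public key embedded in the first (leaf) certificate of a PEM file.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from a PEM private key (RSA or EC).
pubkey_of_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# check_tls_pair CERT KEY [MIN_DAYS]
# Returns 0 if usable, 2 if a file cannot be parsed, 3 if the key does not
# belong to the certificate, 4 if the certificate expires within MIN_DAYS.
check_tls_pair() {
    cert=$1 key=$2 min_days=${3:-30}
    cert_pub=$(pubkey_of_cert "$cert") && [ -n "$cert_pub" ] ||
        { echo "cannot parse certificate: $cert" >&2; return 2; }
    key_pub=$(pubkey_of_key "$key") && [ -n "$key_pub" ] ||
        { echo "cannot parse private key: $key" >&2; return 2; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate" >&2; return 3; }
    openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null ||
        { echo "certificate expires within $min_days days" >&2; return 4; }
    return 0
}

# Usage: sh check-pair.sh tls.crt tls.key
#        sh check-pair.sh fullchain.pem privkey.pem
if [ "$#" -ge 2 ]; then
    check_tls_pair "$@" && echo "OK: $2 matches $1 and the certificate is current"
fi
```

The output of kubectl get secret tls-secret -o yaml contains the private key in base64-encoded form, so treat that output as sensitive.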