Let's Encrypt

Let's Encrypt is a free, automated Certificate Authority that issues certificates Prosody can use.

This page provides some techniques on using Let's Encrypt with Prosody.

This page does not cover actually setting up Let's Encrypt itself. If you have not yet done this, please proceed to set up a client such as certbot, dehydrated, or any of the other clients.

Permissions issues

Generally Prosody cannot use certificates directly from the Let's Encrypt directory (/etc/letsencrypt), because for security reasons the clients ensure that the private key is readable only by the root user. Prosody, also for security reasons, does not run as root, so it cannot read the key.

There are a number of solutions, such as running a script after every renewal to make the files readable by Prosody. You can also change the groups of the Prosody user to give it access to the files that way; however, this method can be tricky to get working on some systems.

Our recommended method, if you have Prosody 0.10 or later, is to use prosodyctl cert import, as described on this page.

If you are using Prosody 0.9 or earlier, you will need to do this manually.

Manual or other clients

With Prosody 0.10 or later, whichever client you use, import the certificates after each renewal by running (as root):

prosodyctl --root cert import /etc/letsencrypt/live

If you are using Prosody 0.9 or earlier, you will need to add a certificate configuration section to your config file, and copy the files into place with the correct permissions using a script.

certbot

certbot is the client recommended by the Let's Encrypt organisation. If you are using certbot, integration with Prosody 0.10+ is quite simple: add a --deploy-hook to your renewal command:

certbot renew --deploy-hook "prosodyctl --root cert import /etc/letsencrypt/live"
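For Prosody 0.9, which has no prosodyctl cert import, the per-renewal copy script mentioned under "Manual or other clients" can itself be the certbot --deploy-hook. The script below is an added example, not code from this page or the Prosody project; it assumes Prosody runs with group "prosody", reads its certificates from /etc/prosody/certs, and that certbot exports RENEWED_LINEAGE to deploy hooks.

```sh
#!/bin/sh
# Added example, not from the Prosody documentation: a certbot --deploy-hook
# script for Prosody 0.9, which has no "prosodyctl cert import". It copies the
# renewed certificate and key out of /etc/letsencrypt/live into a directory
# Prosody can read, with the private key readable only by root and the Prosody
# group. Assumed (not stated on the page): Prosody runs with group "prosody"
# and reads its certificates from /etc/prosody/certs.
set -eu

# copy_cert SRC_LINEAGE_DIR DEST_DIR NAME OWNER GROUP
# fullchain.pem -> NAME.crt (0644), privkey.pem -> NAME.key (0640). Files are
# written under temporary names and renamed, so Prosody never reads a half-copy.
copy_cert() {
    src=$1; dest=$2; name=$3; owner=$4; group=$5
    for f in fullchain.pem privkey.pem; do
        [ -r "$src/$f" ] || { echo "copy_cert: $src/$f missing or unreadable" >&2; return 1; }
    done
    mkdir -p "$dest"
    cp "$src/fullchain.pem" "$dest/$name.crt.tmp"
    cp "$src/privkey.pem"   "$dest/$name.key.tmp"
    chown "$owner:$group" "$dest/$name.crt.tmp" "$dest/$name.key.tmp"
    chmod 0644 "$dest/$name.crt.tmp"
    chmod 0640 "$dest/$name.key.tmp"
    mv -f "$dest/$name.crt.tmp" "$dest/$name.crt"
    mv -f "$dest/$name.key.tmp" "$dest/$name.key"
}

# key_is_private FILE: succeeds only if FILE grants no permission bits to "other",
# i.e. the key is not readable by every local user.
key_is_private() {
    case $(ls -ld "$1") in
        ???????---*) return 0 ;;
        *)           return 1 ;;
    esac
}

# certbot runs deploy hooks with RENEWED_LINEAGE set to the renewed lineage's
# live directory, e.g. /etc/letsencrypt/live/example.com; the script does
# nothing when invoked outside certbot.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    copy_cert "$RENEWED_LINEAGE" "${CERT_DIR:-/etc/prosody/certs}" \
        "$(basename "$RENEWED_LINEAGE")" root "${PROSODY_GROUP:-prosody}"
    # Matching Prosody 0.9 configuration section (example.com assumed):
    #   ssl = { certificate = "/etc/prosody/certs/example.com.crt";
    #           key = "/etc/prosody/certs/example.com.key"; }
    prosodyctl reload   # or "prosodyctl restart" if your version keeps the old key
fi
```

Install it as the --deploy-hook of the certbot renew command above; the key_is_private check is what the hook's permission handling guarantees and can be run by hand against any key file Prosody is configured with.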
 
doc/letsencrypt.txt · Last modified: 2017/09/18 12:57 by Matthew Wild