Let's Encrypt is a free automated Certificate Authority, which is capable of issuing certificates compatible with Prosody.
This page provides some techniques on using Let's Encrypt with Prosody.
Prosody generally cannot use certificates directly from the letsencrypt directory because, for security reasons, Let's Encrypt clients ensure that the private key is accessible only by the root user. Also for security, Prosody does not run as root.
There are a number of solutions, such as running a script to make the files readable by Prosody after every renewal. You can also change the groups of the Prosody user to give it access to the files that way, but this method can be tricky to get working on some systems.
Our recommended method, if you have Prosody 0.10 or later, is to use prosodyctl cert import, as described on this page.
If you are using Prosody 0.9 or earlier, you will need to do this manually.
prosodyctl --root cert import /etc/letsencrypt/live
certbot is the client recommended by the Let's Encrypt organisation. If you are using certbot, integration with Prosody 0.10+ is quite simple. Add a --deploy-hook to your renewal command:
certbot renew --deploy-hook "prosodyctl --root cert import /etc/letsencrypt/live"
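
For the manual route mentioned above (Prosody 0.9 or earlier, or any setup that relies on a script to make the files readable by Prosody after every renewal), a deploy hook along these lines can do the copy while keeping the private key unreadable to other users. This is an added example, not code from the Prosody or certbot projects; the destination directory /etc/prosody/certs, the user name prosody and the <name>.crt / <name>.key file names are assumptions to adapt to your system.

```sh
#!/bin/sh
# Added example: certbot deploy hook for the manual method.
# Assumed (not from the page): /etc/prosody/certs, user "prosody",
# and the <name>.crt / <name>.key naming.

# deploy_cert LINEAGE_DIR DEST_DIR [OWNER]
# Copies fullchain.pem and privkey.pem from a certbot "live" directory into
# DEST_DIR, named after the lineage directory (normally the host name).
deploy_cert() {
    lineage=$1 dest=$2 owner=${3:-}
    name=$(basename "$lineage")
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || {
        echo "deploy_cert: missing PEM files in $lineage" >&2
        return 1
    }
    (
        umask 077                       # new files start out owner-only
        tmp_key= tmp_crt=
        trap 'rm -f "$tmp_key" "$tmp_crt"' EXIT   # no stray temp files on error
        tmp_key=$(mktemp "$dest/.$name.key.XXXXXX") || exit 1
        tmp_crt=$(mktemp "$dest/.$name.crt.XXXXXX") || exit 1
        cat "$lineage/privkey.pem" > "$tmp_key" &&
        cat "$lineage/fullchain.pem" > "$tmp_crt" &&
        chmod 600 "$tmp_key" &&         # key: readable by its owner only
        chmod 644 "$tmp_crt" || exit 1  # certificate chain is public data
        if [ -n "$owner" ]; then
            # Hand the files to the unprivileged user before they become
            # visible under their final names.
            chown "$owner" "$tmp_key" "$tmp_crt" || exit 1
        fi
        # Rename within the same directory so a reader never sees a
        # half-written key or certificate.
        mv -f "$tmp_key" "$dest/$name.key" &&
        mv -f "$tmp_crt" "$dest/$name.crt"
    )
}

# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com)
# when it runs a deploy hook; outside certbot this script does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE" /etc/prosody/certs prosody
fi
```

Saved as an executable script, it is passed to certbot with the same --deploy-hook option shown above, in place of the prosodyctl command.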