Prosody IM Website

file doc/ in changeset 25bd39f4d5a0


title: 'Let''s Encrypt'

Let's Encrypt is a free, automated Certificate Authority, which is capable
of issuing certificates compatible with Prosody.

This page describes some techniques for using Let's Encrypt with Prosody.

This page does not cover setting up Let's Encrypt itself. If you have not
yet done this, first set up a client such as dehydrated, or any of the
other clients.

# Permissions issues {#permissions_issues}

Prosody is generally unable to use certificates directly from the
letsencrypt directory: for security reasons the clients always ensure
that the private key is readable only by the root user, while, also for
security, Prosody does not run as root.

There are several solutions, such as running a script that makes the
files readable by Prosody after every renewal. You can also add the
Prosody user to a group that has access to the files, but this method
can be tricky to get working on some systems.

Our recommended method, if you have Prosody 0.10 or later, is to use
`prosodyctl cert import`, as described on this page.
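Whether Prosody can read a certificate or key comes down to the file's owner, group and mode bits, which is the whole of the permissions problem described above. The following shell functions are an added example, not part of the Prosody documentation: they evaluate those bits the way the kernel does (owner bits if you are the owner, otherwise group bits if you are a member, otherwise "other" bits) and report whether a given account, such as `prosody`, can read a file. It shows why a `0600 root:root` key is unreadable by Prosody and why adding the Prosody user to the key's group only helps when the group read bit is set. It deliberately ignores ACLs, capabilities and root's bypass of mode bits.

```sh
#!/bin/sh
# Added example (not from the Prosody documentation): decide from mode bits
# whether USER can read FILE, following the owner/group/other rule.
# Limitations on purpose: ignores POSIX ACLs, capabilities and the fact
# that root bypasses mode bits entirely.

# user_can_read USER FILE -> exit 0 if readable, 1 if not, 2 on error
user_can_read() {
    user="$1"; file="$2"
    [ -e "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # "ls -lL" follows symlinks: certbot's live/ entries point into archive/.
    # Fields: 1=mode string, 3=owner, 4=group (POSIX long listing layout).
    set -- $(ls -lL "$file")
    mode="$1"; owner="$3"; group="$4"
    if [ "$user" = "$owner" ]; then
        # Owner match wins even if group/other bits would allow access.
        bit=$(printf '%s' "$mode" | cut -c2)
        reason="owner"
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        bit=$(printf '%s' "$mode" | cut -c5)
        reason="member of group $group"
    else
        bit=$(printf '%s' "$mode" | cut -c8)
        reason="other"
    fi
    if [ "$bit" = "r" ]; then
        echo "$user can read $file ($mode, via $reason)"
        return 0
    fi
    echo "$user cannot read $file ($mode, checked as $reason)"
    return 1
}

# check_dir_for_user USER DIR: check every .pem file Prosody would need,
# e.g. after copying certificates into place by hand.
check_dir_for_user() {
    user="$1"; dir="$2"; rc=0
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        user_can_read "$user" "$f" || rc=1
    done
    return $rc
}
```

Run it as `check_dir_for_user prosody /path/to/certs` to see, file by file, which of the three bit groups applied and why access was refused; that is usually quicker than reading Prosody's log after a failed start.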

If you are using Prosody 0.9 or earlier, you will need to [do this

# Manual or other clients {#manual_or_other_clients}

After each renewal, run:

``` {.code}
prosodyctl --root cert import /etc/letsencrypt/live
```

If you are using Prosody 0.9 or earlier, you will need to [add a
certificate configuration section](/doc/configure#certificates_-_09) to
your config file, and copy the files into place with the [correct
permissions](/doc/certificates#permissions) using a script.

# certbot

certbot is the client recommended by the Let's Encrypt organisation. If
you are using certbot, integration with Prosody 0.10+ is quite simple.
Simply add a `--deploy-hook` to your renewal command:

``` {.code}
certbot renew --deploy-hook "prosodyctl --root cert import /etc/letsencrypt/live"
```

Alternatively, a deploy hook script like the following can be placed in
`/etc/letsencrypt/renewal-hooks/deploy/`, where certbot runs it after
each successful renewal:

``` {.code}
#!/bin/sh
# Deploy hook: import the renewed certificates into Prosody
/usr/bin/prosodyctl --root cert import /etc/letsencrypt/live
```
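A more defensive version of that deploy hook, added here as an example and not part of the Prosody documentation or the certbot project: it checks that the renewed lineage actually contains a non-empty `fullchain.pem` and `privkey.pem`, refuses to import a world-readable private key, logs to syslog so a failed import is noticed, and only acts when invoked by certbot. It relies on certbot's documented `RENEWED_LINEAGE` and `RENEWED_DOMAINS` hook variables, which are not mentioned on this page; the `prosody.sh` file name and the `PROSODYCTL`/`LIVE_DIR` overrides are this example's own choices.

```sh
#!/bin/sh
# Certbot deploy hook for Prosody (added example, not from the Prosody docs).
# Install as /etc/letsencrypt/renewal-hooks/deploy/prosody.sh, mode 0755.
# Certbot exports RENEWED_LINEAGE (the live/<name> directory just renewed)
# and RENEWED_DOMAINS to deploy hooks; neither is mentioned on this page.
set -eu

# Overridable for tests or non-standard installs.
PROSODYCTL="${PROSODYCTL:-/usr/bin/prosodyctl}"
# Directory handed to "prosodyctl cert import", exactly as on this page.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"

log() {
    printf '%s\n' "$*" >&2
    # Also to syslog when available, so a failed import shows in the journal.
    command -v logger >/dev/null 2>&1 && logger -t prosody-deploy-hook -- "$*" 2>/dev/null || true
}

# check_lineage DIR: 0 if DIR holds non-empty fullchain.pem and privkey.pem
# and the key is not world-readable; 1 otherwise.
check_lineage() {
    dir="$1"
    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$dir/$f" ]; then
            log "missing or empty $dir/$f"
            return 1
        fi
    done
    # "ls -lL" follows the live/ symlinks into archive/; character 8 of the
    # mode string is the "other read" bit.
    if [ "$(ls -lL "$dir/privkey.pem" | cut -c8)" = "r" ]; then
        log "refusing to import: $dir/privkey.pem is world-readable"
        return 1
    fi
    return 0
}

# import_certs DIR: prosodyctl copies the files into Prosody's certificate
# directory with permissions the non-root Prosody user can use.
import_certs() {
    "$PROSODYCTL" --root cert import "$1"
}

main() {
    log "renewed: ${RENEWED_DOMAINS:-unknown domains} in $RENEWED_LINEAGE"
    check_lineage "$RENEWED_LINEAGE" || exit 1
    import_certs "$LIVE_DIR" || { log "prosodyctl cert import failed"; exit 1; }
    log "Prosody certificate import complete"
}

# Certbot sets RENEWED_LINEAGE for deploy hooks; when it is unset the script
# is being sourced or run by hand, so only the functions are defined.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

The import still targets the whole `/etc/letsencrypt/live` directory, as the page's one-liner does, so every lineage Prosody knows about is refreshed; the renewed lineage is only used for the pre-import sanity check and for logging.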