Applying Let's Encrypt certificates
This topic describes how to replace the self-signed certificate with a third-party certificate.
The Sametime server is preconfigured with a self-signed certificate.
Note: Let's Encrypt certificates expire every 90 days. To automatically renew the certificates, users can use Certbot. Otherwise, users can renew certificates when they expire. For details on setting up automatic renewal, refer to the Certbot documentation.
Kubernetes
Obtain one or more certificates and the private key. Afterward, run the following commands to configure the Ingress to use them.
- Run the following command to check whether the secret currently exists.
  kubectl get secrets
- If the tls-secret exists, delete it.
  kubectl delete secret tls-secret
- Create a new tls-secret secret with the new certificate and private key.
  kubectl create secret tls tls-secret --key tls.key --cert tls.crt
  Where the value for --key is the private key file and the value for --cert is the certificate file.
- Verify that the secret was created.
  kubectl get secret tls-secret -o yaml
Docker
Generate a Let's Encrypt certificate. Afterward, apply the encryption certificate on the Sametime server.
- Set ENABLE_LETSENCRYPT to 1 in the docker-compose.yml file.
- Retrieve the PEM files provided by Let's Encrypt and locate the following files:
  - fullchain.pem
  - privkey.pem
- Copy the specified files to the folder below:
  sametime-config/web/acme-certs/
  Note: If a value for LETSENCRYPT_DOMAIN is specified, then the path is sametime-config/web/acme-certs/<LETSENCRYPT_DOMAIN>/.
- Restart the server to apply the changes.
  docker-compose down
  docker-compose up -d
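Both procedures above replace a working certificate with new files, so it helps to confirm that the private key matches the certificate and that the certificate is not close to expiry before deleting the old secret or restarting the server. The following pre-flight check is an added example, not part of the Sametime documentation; the function name check_tls_pair and the 30-day default threshold are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for a certificate/key pair before it is
# loaded into tls-secret or copied to sametime-config/web/acme-certs/.
# check_tls_pair and the 30-day default are assumptions, not product settings.
#
# Usage: check_tls_pair <cert.pem> <key.pem> [min_days]
# Returns 0 = usable, 2 = unreadable file, 3 = key mismatch, 4 = expiring.
check_tls_pair() {
    ctp_cert=$1
    ctp_key=$2
    ctp_days=${3:-30}

    # Public key embedded in the certificate. For a fullchain.pem, openssl
    # reads the first certificate in the file, which is the server (leaf) cert.
    ctp_cert_pub=$(openssl x509 -in "$ctp_cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $ctp_cert" >&2
        return 2
    }
    # Public key derived from the private key file. The empty -passin value
    # makes an encrypted key fail here instead of prompting and hanging a script.
    ctp_key_pub=$(openssl pkey -in "$ctp_key" -pubout -passin pass: 2>/dev/null) || {
        echo "cannot read private key: $ctp_key" >&2
        return 2
    }
    # A mismatched pair cannot serve TLS; catch it before touching the
    # running configuration.
    if [ "$ctp_cert_pub" != "$ctp_key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 3
    fi
    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$ctp_cert" -noout -checkend $((ctp_days * 86400)) >/dev/null; then
        echo "certificate expires within $ctp_days days" >&2
        return 4
    fi
    echo "OK: $ctp_cert matches $ctp_key and is valid for more than $ctp_days days"
}

# Example gate for the Kubernetes step (file names as used on this page):
#   check_tls_pair tls.crt tls.key && \
#       kubectl create secret tls tls-secret --key tls.key --cert tls.crt
# For the Docker step, check fullchain.pem against privkey.pem instead.
```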