
Applying Let's Encrypt certificates

This topic describes how to replace the self-signed certificate with a third-party certificate.

The Sametime server is preconfigured with a self-signed certificate.

Note: Let's Encrypt certificates expire every 90 days. To automatically renew the certificates, users can use Certbot. Otherwise, users can renew certificates when they expire. For details on setting up automatic renewal, refer to the Certbot documentation.


Kubernetes

Obtain the certificate (or certificate chain) and its private key. Afterward, run the following commands to configure the Ingress to use them.

  1. Run the following command to check whether a tls-secret already exists.

    kubectl get secrets
    
  2. If the tls-secret exists, delete it.

    kubectl delete secret tls-secret
    
  3. Create a new tls-secret secret with the new certificate and private key.

    kubectl create secret tls tls-secret --key tls.key --cert tls.crt
    

    Where the value for --key is the private key file and the value for --cert is the certificate file.

  4. Verify that the secret was created.

    kubectl get secret tls-secret -o yaml
    

Docker

Generate a Let's Encrypt certificate. Afterward, apply the encryption certificate on the Sametime server.

  1. Set ENABLE_LETSENCRYPT to 1 in the docker-compose.yml file.

  2. Retrieve the PEM files provided by Let's Encrypt and locate the following files:

    • fullchain.pem
    • privkey.pem

    Copy these files into the folder below:

    sametime-config/web/acme-certs/
    

    Note: If a value for the LETSENCRYPT_DOMAIN is specified, then the path is sametime-config/web/acme-certs/<LETSENCRYPT_DOMAIN>/.

  3. Restart the server to apply the changes.

    docker-compose down
    docker-compose up -d
    
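The note above says Let's Encrypt certificates expire every 90 days, and both the Kubernetes step 4 output and the fullchain.pem in the acme-certs folder are PEM bundles. The following is an added example written for this page, not Sametime, Certbot or Traefik code: it reads a PEM bundle (fullchain.pem, or the base64-decoded tls.crt from `kubectl get secret tls-secret -o yaml`) and reports how many days each certificate in it has left, flagging the leaf when it is inside a renewal window. It uses only the Python standard library and walks just enough of the DER structure to reach the Validity field, so it does not verify signatures or chain building. The 30-day warning window is an assumption chosen for this example, and the sample bundle is constructed inline from unsigned skeleton certificates so the script runs offline.

```python
"""Report days-to-expiry for every certificate in a PEM bundle (added example)."""
import base64
import datetime
import re
import sys

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
UTC = datetime.timezone.utc


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield the TLVs directly inside a constructed element."""
    pos = start
    while pos < end:
        tlv = _read_tlv(buf, pos)
        yield tlv
        pos = tlv[2]


def _parse_time(buf, tag, start, end):
    text = buf[start:end].decode("ascii")
    if tag == 0x17:  # UTCTime: YYMMDDHHMMSSZ
        return datetime.datetime.strptime(text, "%y%m%d%H%M%SZ").replace(tzinfo=UTC)
    if tag == 0x18:  # GeneralizedTime: YYYYMMDDHHMMSSZ
        return datetime.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)
    raise ValueError("unexpected time tag 0x%02x" % tag)


def cert_not_after(der):
    """Return the notAfter timestamp of one DER-encoded X.509 certificate."""
    _, cert_start, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _read_tlv(der, cert_start)   # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                             # optional explicit [0] version
        fields = fields[1:]
    _, val_start, val_end = fields[3]                    # serial, signature, issuer, validity
    _not_before, not_after = list(_children(der, val_start, val_end))
    return _parse_time(der, *not_after)


def certificate_status(pem_text, now=None, warn_days=30):
    """Return [(days_left, state), ...] per CERTIFICATE block, leaf first.

    state is 'ok', 'renew-soon' (within warn_days) or 'expired'. The 30-day
    default is an assumption of this example (a common renewal window for
    90-day certificates), not a value taken from the Sametime documentation.
    """
    now = now or datetime.datetime.now(UTC)
    results = []
    for match in PEM_CERT.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()))
        days_left = (cert_not_after(der) - now).days
        state = "expired" if days_left < 0 else "renew-soon" if days_left <= warn_days else "ok"
        results.append((days_left, state))
    if not results:
        raise ValueError("no CERTIFICATE block found in input")
    return results


# --- constructed sample input: unsigned skeleton certificates, not real ones ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def build_sample_cert_pem(not_before, not_after):
    """Build a structurally parseable (but unsigned, placeholder-filled) certificate as PEM."""
    def utctime(t):
        return _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))      # [0] version v3
                     + _der(0x02, b"\x01")                 # serialNumber
                     + _der(0x30, b"")                     # signature (placeholder)
                     + _der(0x30, b"")                     # issuer (placeholder)
                     + _der(0x30, utctime(not_before) + utctime(not_after))
                     + _der(0x30, b"")                     # subject (placeholder)
                     + _der(0x30, b""))                    # subjectPublicKeyInfo (placeholder)
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    body = base64.encodebytes(cert).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


SAMPLE_NOW = datetime.datetime(2024, 6, 1, tzinfo=UTC)  # fixed clock for the sample


def sample_bundle(leaf_days_left, intermediate_days_left=365):
    """A fullchain-style bundle (leaf, then intermediate) expiring relative to SAMPLE_NOW."""
    day = datetime.timedelta(days=1)
    leaf = build_sample_cert_pem(SAMPLE_NOW - 60 * day, SAMPLE_NOW + leaf_days_left * day)
    intermediate = build_sample_cert_pem(SAMPLE_NOW - 400 * day, SAMPLE_NOW + intermediate_days_left * day)
    return leaf + intermediate


if __name__ == "__main__":
    # Usage: python check_expiry.py sametime-config/web/acme-certs/fullchain.pem
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample_bundle(30)
    for i, (days, state) in enumerate(certificate_status(text)):
        print("certificate %d: %d day(s) left, %s" % (i, days, state))
```

For the Kubernetes deployment the same check can be fed from the secret directly, for example `kubectl get secret tls-secret -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt` and then running the script on tls.crt; the first entry in the report is the leaf certificate that the Ingress presents, and a "renew-soon" or "expired" state there means steps 2 and 3 above need to be repeated with fresh files.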

Windows

Windows deployments use Traefik as the front end that handles all incoming web traffic. Traefik has a robust implementation of the ACME protocol for automatic certificate generation and renewal. See the Traefik documentation (Traefik: Let's Encrypt) for details about how this works and the various options and providers that can be used.

The basic configuration using Let's Encrypt is shown below.

  1. In the file <InstallationFolder>\traefik-windows-amd64\conf\traefik.yml, add a web: entryPoint alongside the websecure: one that is already there, and add a certificatesResolvers: section, like this:

    entryPoints:
      web:
        address: ":80"
      websecure:
        address: ":443"
    
    ...
    
    certificatesResolvers:
      myresolver:
        acme:
          email: your-email@example.com
          storage: "./conf/acme.json"
          httpChallenge:
            entryPoint: web
    
  2. In the file <InstallationFolder>\traefik-windows-amd64\conf\dynamic.yml, modify the tls: section to remove the existing self-signed certificates and instead use a stores: section that points the default certificate at the certificate resolver defined above. Make sure to configure the fully qualified domain name of the server, so that the configuration now looks like this:

    tls:
      stores:
        default:
          defaultGeneratedCert:
            resolver: myresolver
            domain:
              main: sametime-server.example.com
      ...
      # certificates:
      #    - certFile: "./conf/keys/cert.crt"
      #      keyFile: "./conf/keys/cert.key"
    
  3. Restart the ST Ingress service. You will notice the file <InstallationFolder>\traefik-windows-amd64\conf\acme.json appear. Initially it contains only a private key; after a brief moment a certificate is generated for the configured FQDN and stored in this file.