Upgrade Sametime 12.03 SSL certificates with LetsEncrypt
A few weeks ago I had to update the certificates used by Sametime for a customer. Since they use LetsEncrypt certificates, I had set the renewal to be automatic, but it did not happen. I started looking at the issue with the invaluable help of my friend and Sametime guru Carsten Gericke, and after digging in a bit we found the solution.
First of all, there are two things to take note of:
1) When using LetsEncrypt, Sametime does not use the certificates in the /sametime/sametime-config/web/keys directory but those in the /sametime/sametime-config/web/acme-certs/server.domain.com directory, for example /sametime/sametime-config/web/acme-certs/st.eld.it
2) LetsEncrypt now creates certificates with ECDSA keys by default, rather than RSA keys.
In 12.0.3, the /web/acme.sh directory contains two directories, st.eld.it and st.eld.it_ecc. These directories are where the certificates requested from LetsEncrypt are stored.
The first one contains the RSA certificates, the second one the ECDSA certificates.
The problem with upgrading the certificates in 12.0.3 is that if Sametime, specifically the nginx container, which uses certbot, finds that the st.eld.it directory exists, it tries to install the certificates from there into the /sametime/sametime-config/web/acme-certs/st.eld.it directory. But the new certificates are now in the ../st.eld.it_ecc directory, and the ../st.eld.it directory still contains the old files.
This problem does not happen in a new installation of ST 12.0.3, because the directory used to store the RSA certificates no longer exists; it happens when you upgrade from a previous version to 12.0.3.
The solution to this problem is to delete the /sametime/sametime-config/web/acme.sh/st.eld.it directory.
Doing so will make certbot look only for the directory with the ECDSA certificates, ../st.eld.it_ecc. The certificate from that directory will be installed in the ../web/acme-certs/st.eld.it directory and everything will work.
Looking at the nginx container log you should see this:
[Tue May 19 14:17:02 EDT 2026] Your cert is in: /config/acme.sh/st.eld.it_ecc/st.eld.it.cer
[Tue May 19 14:17:02 EDT 2026] Your cert key is in: /config/acme.sh/st.eld.it_ecc/st.eld.it.key
[Tue May 19 14:17:02 EDT 2026] The intermediate CA cert is in: /config/acme.sh/st.eld.it_ecc/ca.cer
[Tue May 19 14:17:02 EDT 2026] And the full chain certs is there: /config/acme.sh/st.eld.it_ecc/fullchain.cer
[Tue May 19 14:17:02 EDT 2026] Run post hook:'if [[ -d /run/service/nginx ]]; then s6-svc -u /run/service/nginx; fi'
[Tue May 19 14:17:02 EDT 2026] The domain 'st.eld.it' seems to have a ECC cert already, lets use ecc cert.
[Tue May 19 14:17:02 EDT 2026] Installing key to: /config/acme-certs/st.eld.it/key.pem
[Tue May 19 14:17:02 EDT 2026] Installing full chain to: /config/acme-certs/st.eld.it/fullchain.pem
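A read-only check for the condition described above, as an added example that is not part of the original post or of Sametime. The function name check_acme_dirs and its return codes are made up for this example, and it assumes the install step copies fullchain.cer to fullchain.pem byte for byte.

```sh
#!/bin/sh
# Added example: detect a stale RSA directory next to the _ecc directory
# and confirm that the installed chain is the ECDSA one. It deletes nothing.
# Assumed layout (from the paths in the post):
#   <config>/acme.sh/<domain>        old RSA certificates
#   <config>/acme.sh/<domain>_ecc    new ECDSA certificates
#   <config>/acme-certs/<domain>     certificates nginx actually serves

# check_acme_dirs CONFIG_DIR DOMAIN
# Return codes (chosen for this example):
#   0 = only the _ecc directory exists and its chain is the installed one
#   1 = stale RSA directory still present next to the _ecc directory
#   2 = no _ecc directory found
#   3 = installed fullchain.pem is missing or differs from the _ecc chain
check_acme_dirs() {
    config_dir=$1
    domain=$2
    rsa_dir="$config_dir/acme.sh/$domain"
    ecc_dir="$config_dir/acme.sh/${domain}_ecc"
    installed="$config_dir/acme-certs/$domain/fullchain.pem"

    if [ ! -d "$ecc_dir" ]; then
        echo "MISSING: $ecc_dir"
        return 2
    fi
    if [ -d "$rsa_dir" ]; then
        echo "STALE: $rsa_dir exists alongside $ecc_dir"
        return 1
    fi
    # Assumption: the installed file is a byte-for-byte copy of fullchain.cer.
    if ! cmp -s "$ecc_dir/fullchain.cer" "$installed"; then
        echo "MISMATCH: $installed is not the chain from $ecc_dir"
        return 3
    fi
    echo "OK: $installed matches $ecc_dir/fullchain.cer"
    return 0
}

# Usage: sh check.sh /sametime/sametime-config/web st.eld.it
if [ "$#" -eq 2 ]; then
    check_acme_dirs "$1" "$2"
fi
```

A result of 1 is the upgrade case from the post; a result of 3 after the RSA directory has been removed means the nginx container has not yet reinstalled the certificate.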
The correct directory structure will be this

