SSL Certs workflow - self signed to CA

I’m planning on using letsencrpyt for ssl certificates on my production mender server. Currently it’s all self signed. I have the domain name all setup.

I am kind of lost as to what files need to be replaced/updated after I run certbot. It looks like I’ll need to replace the files in keys-generated. Do I only need to update the certs directory? Am I also updating the keys?

It also looks like I’ll need to update the prod.yml file so I can include the new URL (for new DNS name).

The documentation doesn’t say much at all about how to go about using certs from a CA. If I just run the keygen tool again, it will all be self-signed.

I guess I’m looking for a workflow for updating from self-signed to CA certs using letsencrypt/certbot.

Thank you,


Thanks for posting this here @ryanbedford.

@tranchitella @merlin can either of you comment?

Hi Ryan!

Thanks for using Mender!
I would start here:
(as actually I usually do start)
Lets Encrypt will give you fullchain.pem (with the certificate) and privkey.pem (with the private key). You should be good to go with the above link, let me know if you encounter any obstacles.


I’ve used the link you sent me many times. It gives some help, but not really anything about using a CA, maybe one line.

Cert bot needs to know what web server is being used… is it --nginx?


The Mender API gateway does not provide built-in integration with LetsEncrypt and certbot, so you cannot automate the certificate issuing and renewal.

One option is running certbot independently from the Mender server, for example using the DNS challenge. You can use the manual flag and the certonly command:

certbot --manual --preferred-challenges=dns -d certonly

You can then use the certificates in your Mender server as pointed out in the official documentation linked above.

Another option is using your own nginx/traefik reverse proxy in front of Mender, and managing the certificate with letsencrypt from there. You can then proxy_pass (or equivalent in traefik) to the Mender API gateway, which can use a self-signed certificate because it is not directly exposed to the clients.

Thank you @tranchitella and @peter. I was able to get this working in pretty short order. Just ran certbot on my server and swapped out certs in keys_generated directory. When doing this, in order for clients to connect both api and storage need the full chain. I found this out in another post SSL CA certificate setup on mender production it was very helpful as well.

In the end it wasn’t as complicated as I thought it was going to be. Swapping out certs and updating my URL since I changed to registered domain.

Thank you Mender community!