diff --git a/data_bags/credentials/gandi_api.json b/data_bags/credentials/gandi_api.json index cf08cef..8423ba8 100644 --- a/data_bags/credentials/gandi_api.json +++ b/data_bags/credentials/gandi_api.json @@ -1,23 +1,23 @@ { "id": "gandi_api", "key": { - "encrypted_data": "d3/rJMX6B9GuzUt0/mIk/lgQ3qGyQdbNXH6UEm3ZX7DeSl+rbW9FPJCRWg==\n", - "iv": "15YVAYla7PqqVOab\n", - "auth_tag": "xQSq+ld6SDOAER07N4ZkUQ==\n", + "encrypted_data": "Ky1/PdywtEIl5vVXhzu3n2JetqOxnNjpjQ7yCao6qwIAn8oYxnv1c1hFAQ==\n", + "iv": "stAc2FxDvUqrh0kt\n", + "auth_tag": "rcK4Qt+f2O4Zo5IMmG0fkw==\n", "version": 3, "cipher": "aes-256-gcm" }, "access_token": { - "encrypted_data": "geQwcNosiJZmqbbMpD/I+a2yueBzpV6C8Rb7vrCD8kR161ZRjvqLe+g/1XpT\n2/65wKYDMTrdto1I030=\n", - "iv": "1sj58eyooOZ8FTYn\n", - "auth_tag": "yBNfgWXaToc06VDLly/HUw==\n", + "encrypted_data": "J7zoLhEbPfPjnVWBmFmDdPKRer5GGw2o6Ad0uinznANugfaDiqjyYinOdEDF\nHlAqLmXv4J40rr3F+o4=\n", + "iv": "fAxFqVh9QqrfBsPW\n", + "auth_tag": "9ugi4frDLv8f7X0X1+k4DA==\n", "version": 3, "cipher": "aes-256-gcm" }, "domains": { - "encrypted_data": "p5rIQTyCE+0d4HIuA4GKEAFekh7qEC4xe9Rm/kP0DyzY83FO0/4uKIvYoZRB\n", - "iv": "LWlx98NSS1/ngCH1\n", - "auth_tag": "FID+x/LjTZ3cgQV5U2xZLA==\n", + "encrypted_data": "X0KOKlJp5GYbKcq/jzmlaMmTXV1U7exWSqi3UxX9Sw==\n", + "iv": "9JucnYLlYdQ9N6pd\n", + "auth_tag": "sERYPDnVUJwVfSS8/xrPpQ==\n", "version": 3, "cipher": "aes-256-gcm" } diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index 2b10718..33cee41 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb 
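Review bot: Rotating the Gandi `key` and `access_token` ciphertexts in this data bag does not retire the old credentials by itself: the previous blobs stay in git history and decrypt with the same data bag secret (presumably unchanged here), so the rotation only helps once the old token has been revoked on the Gandi side — worth stating in the commit message. Note also that AES-GCM is length-preserving and the `domains` ciphertext shrinks from 45 to 31 bytes, which is consistent with (though not proof of) one entry of roughly `"kosmos.chat",` length dropping out of that list; since the certbot commands elsewhere in this commit now route kosmos.chat through letsencrypt.kosmos.org, confirm the hook still has every zone it must write challenge records to.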
@@ -84,6 +84,12 @@ hosts = [ sql_database: "ejabberd", ldap_enabled: true, ldap_password: ejabberd_credentials['kosmos_ldap_password'], + certfiles: [ + "/opt/ejabberd/conf/kosmos.org.crt", + "/opt/ejabberd/conf/kosmos.org.key", + "/opt/ejabberd/conf/kosmos.chat.crt", + "/opt/ejabberd/conf/kosmos.chat.key" + ], append_host_config: <<-EOF modules: mod_disco: @@ -114,6 +120,10 @@ hosts = [ sql_database: "ejabberd_5apps", ldap_enabled: true, ldap_password: ejabberd_credentials['5apps_ldap_password'], + certfiles: [ + "/opt/ejabberd/conf/5apps.com.crt", + "/opt/ejabberd/conf/5apps.com.key" + ], append_host_config: <<-EOF modules: mod_disco: diff --git a/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb index fcf29a3..83650d1 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb @@ -15,7 +15,7 @@ set -e # letsencrypt live folder for domain in $RENEWED_DOMAINS; do case $domain in - kosmos.org|5apps.com) + kosmos.org|kosmos.chat|5apps.com) cp "${RENEWED_LINEAGE}/privkey.pem" /opt/ejabberd/conf/$domain.key cp "${RENEWED_LINEAGE}/fullchain.pem" /opt/ejabberd/conf/$domain.crt chown ejabberd:ejabberd /opt/ejabberd/conf/$domain.* 
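Review bot: The new `certfiles:` list spells out four absolute paths that must stay in lock-step with the `/opt/ejabberd/conf/$domain.crt` / `$domain.key` naming the renewal hook in letsencrypt.rb writes, and the vhost template no longer derives them from the host name, so a typo here silently points ejabberd at a file the hook never creates. Deriving them keeps a single naming scheme: `certfiles: %w[kosmos.org kosmos.chat].flat_map { |d| ["/opt/ejabberd/conf/#{d}.crt", "/opt/ejabberd/conf/#{d}.key"] },`. On a node where the separate kosmos.chat certificate has not been issued yet, the rendered vhost config references `kosmos.chat.crt`/`.key` before they exist; whether ejabberd tolerates a missing certfile or rejects the config is version-dependent and not visible here, so a short comment on the list noting that dependency would help. The `hosts` array this entry belongs to begins and ends outside the hunk.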
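Review bot: The kosmos.chat private key is now copied into `/opt/ejabberd/conf` with a bare `cp`, which takes its mode from the source only when the destination does not exist and otherwise leaves whatever mode `kosmos.chat.key` already has; a key file's permissions should not depend on that history. `install -o ejabberd -g ejabberd -m 0600 "${RENEWED_LINEAGE}/privkey.pem" /opt/ejabberd/conf/$domain.key` makes ownership and mode explicit in one step (the `.crt` copy can stay as it is). Nothing in this hunk reloads ejabberd after the copy; if the remainder of the hook (outside the hunk) does not, the running daemon keeps serving the old certificate until restarted — worth confirming. The hook script's heredoc and its `case` statement begin before this hunk.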
@@ -42,13 +42,20 @@ end # Generate a Let's Encrypt cert (only if no cert has been generated before). # The systemd timer will take care of renewing -execute "letsencrypt cert for kosmos xmpp" do - command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d kosmos.chat -d uploads.xmpp.kosmos.org -n" +execute "letsencrypt cert for kosmos.org domains" do + command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d uploads.xmpp.kosmos.org -n" not_if do File.exist?("/etc/letsencrypt/live/kosmos.org/fullchain.pem") end end +execute "letsencrypt cert for kosmos.chat" do + command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.org\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.chat -n" + not_if do + File.exist?("/etc/letsencrypt/live/kosmos.chat/fullchain.pem") + end +end + # Generate a Let's Encrypt cert (only if no cert has been generated before). # The systemd timer will take care of renewing execute "letsencrypt cert for 5apps xmpp" do diff --git a/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb index 4424256..35058b6 100644 
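Review bot: The two new certbot invocations pass different arguments to the same hook: the kosmos.org command runs `gandi_dns_certbot_hook.sh auth` with no target but `cleanup letsencrypt.kosmos.org` with one, whereas the kosmos.chat command passes `letsencrypt.kosmos.org` to both. If that argument selects the zone or record the TXT challenge is written to, auth and cleanup for kosmos.org operate on different records and the challenge record is never removed (or cleanup fails outright); the hook script is not in this diff, so this is inferred from the command lines alone. Either drop the argument from the kosmos.org cleanup hook or add it to its auth hook, e.g. `--manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.org\"`, so the pair is symmetric like the kosmos.chat one. The ~350-character command string is now repeated per certificate with only `-d` and the `not_if` path varying; a small helper that builds it from a domain list would make this kind of asymmetry impossible.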
--- a/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb +++ b/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb @@ -1,7 +1,8 @@ # Generated by Chef for <%= @host[:name] %> certfiles: - - "/opt/ejabberd/conf/<%= @host[:name] %>.crt" - - "/opt/ejabberd/conf/<%= @host[:name] %>.key" +<% @host[:certfiles].each do |certfile| %> + - <%= certfile %> +<% end %> host_config: "<%= @host[:name] %>": sql_type: pgsql diff --git a/site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb b/site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb index 62470a9..3d028c2 100644 --- a/site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb +++ b/site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb @@ -4,6 +4,7 @@ upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"] tls_cert_for domain do auth "gandi_dns" + acme_domain "letsencrypt.kosmos.org" action :create end diff --git a/site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb b/site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb index f6bc2b3..072760e 100644 --- a/site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb +++ b/site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb @@ -5,6 +5,7 @@ upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"] tls_cert_for domain do auth "gandi_dns" + acme_domain "letsencrypt.kosmos.org" action :create end diff --git a/site-cookbooks/kosmos_website/recipes/redirects.rb b/site-cookbooks/kosmos_website/recipes/redirects.rb index 451c2f6..34cf81b 100644 --- a/site-cookbooks/kosmos_website/recipes/redirects.rb +++ b/site-cookbooks/kosmos_website/recipes/redirects.rb @@ -6,6 +6,7 @@ redirects = [ { domain: "kosmos.chat", + acme_domain: "letsencrypt.kosmos.org", target: "https://kosmos.org", http_status: 307 },
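Review bot: The generated certfile entries are emitted as bare YAML scalars (`- <%= certfile %>`) while the lines they replace were double-quoted; the paths in this commit are plain, but quoting costs nothing and keeps a future path containing `:`, `#` or a leading special character from being misparsed: `- "<%= certfile %>"`. The loop also assumes every host hash carries a `:certfiles` key — a host without one now fails at render time on `nil.each` instead of getting the old per-name default. A fallback preserves the previous behaviour for such hosts: `<% (@host[:certfiles] || ["/opt/ejabberd/conf/#{@host[:name]}.crt", "/opt/ejabberd/conf/#{@host[:name]}.key"]).each do |certfile| -%>` (the `-%>` trim also stops the loop tags from leaving blank lines in the output).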
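Review bot: `"letsencrypt.kosmos.org"` is now a literal repeated in this hunk, in both hubot nginx recipes and in the certbot commands of kosmos-ejabberd, with nothing tying the copies together; when the delegation target changes, one of them will be missed. A single node attribute (for example `node['kosmos']['acme_domain']`) referenced from each site — here `acme_domain: node['kosmos']['acme_domain'],` — makes that a one-line change; no attributes file is part of this diff, so the attribute name is only a suggestion. The `redirects` array this entry belongs to starts before the hunk.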