XMPP VirtualHosts, SRV records and letsencrypt certificates


When I set up my XMPP server, a friend of mine asked if I was willing to host a virtualhost for his domain on my server, so that his XMPP address would be the same as his email address.

Setting up Prosody and the SRV record in DNS was quite easy, but then we stumbled on the issue of certificates: of course we would like to use Let's Encrypt, but as far as we know that would mean setting up something custom so that the certificate gets renewed on his server and then copied to mine, which looks like more of a hassle than him just setting up his own Prosody/ejabberd on his server.

So I was wondering: dear lazyweb, have any of you had the same issue and already come up with a solution that is easy to implement and trivial to maintain that we missed?
Fabio, 1 month ago, from Friendly
Host the XMPP server on a subdomain (you can have a user@example.com JID on an xmpp.example.com server). Point the subdomain to your IP, request a certificate for that subdomain, and reply to LE requests from your IP.

@Fabio uhm, maybe I should have mentioned that "using the same address as the email" was a hard requirement, because of usability and non-technical contacts.

uhm, and now that I've had breakfast I realize that you were using user@example.com as the JID... sorry

Elena ``of Valhalla'' 4 weeks ago
from IRC:

<nicoo> Anyhow, the issue is that, for an X.509 cert to be valid for XMPP for example.com, it needs to have either example.com in its subjectAltNames (making it able to impersonate any other service on that domain, esp. HTTPS)
<nicoo> or it can have an SRV-ID in subjectAltName
<nicoo> Unfortunately, the CA/B rules don't allow CAs to issue SRV-ID names
<nicoo> There has been some tentative effort to change that, but it seems to be stalled: https://cabforum.org/pipermail/public/2016-September/008473.html
<nicoo> Here is the matching Let's Encrypt thread: https://github.com/letsencrypt/boulder/issues/1309
<nicoo> I did actually offer to implement it in Boulder (and had a stab at that on a local fork) but it's pointless as long as nothing changes on the CA/B side
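To make nicoo's IRC lines concrete, and to show why a certificate for the SRV target alone does not help with the original post's problem, here is an added Python example that is not part of the blog post, the comments or any XMPP project: it applies the reference-identifier matching an XMPP client performs for the domain example.com (RFC 6120 section 13.7.2 / RFC 6125, in simplified form) to a few hand-written subjectAltName lists. The `SanEntry` type, the constructed SAN lists and the `reference_identifiers` / `cert_valid_for_xmpp_domain` functions are all assumptions made for this example; real certificates would be parsed with an X.509 library, and wildcard DNS-IDs and the legacy CN fallback are deliberately left out.

```python
"""Which subjectAltName entries make a server certificate valid for an XMPP
domain?  Constructed example: the SAN lists below are hand-written stand-ins
for what a parsed certificate would contain.  Matching follows RFC 6120
section 13.7.2 / RFC 6125 in simplified form (exact matches only; wildcard
DNS-IDs and the CN fallback are not handled)."""

from dataclasses import dataclass

# Service labels used in SRV-IDs for XMPP; they mirror the _xmpp-client and
# _xmpp-server SRV records published in DNS.
SRV_SERVICES = {"c2s": "_xmpp-client", "s2s": "_xmpp-server"}


@dataclass(frozen=True)
class SanEntry:
    """One decoded subjectAltName entry (hypothetical type for this example).

    kind: 'dns'  -> dNSName                 (DNS-ID)
          'srv'  -> otherName id-on-dnsSRV  (SRV-ID)
          'xmpp' -> otherName id-on-xmppAddr (XmppAddr)
    """
    kind: str
    value: str


def _norm(name: str) -> str:
    """Case-insensitive comparison, ignoring a trailing dot."""
    return name.lower().rstrip(".")


def reference_identifiers(domain: str, service: str) -> dict:
    """Identifiers a client expects for the XMPP domain `domain`.

    The SRV *target* host (e.g. xmpp.example.com) never appears here: an SRV
    lookup changes where the client connects, not which name it verifies.
    """
    d = _norm(domain)
    return {"dns": d, "srv": f"{SRV_SERVICES[service]}.{d}", "xmpp": d}


def cert_valid_for_xmpp_domain(san, domain, service="c2s") -> bool:
    """True if any presented identifier matches a reference identifier."""
    refs = reference_identifiers(domain, service)
    return any(e.kind in refs and _norm(e.value) == refs[e.kind] for e in san)


def is_service_scoped(entry: SanEntry) -> bool:
    """A DNS-ID for example.com is accepted by every TLS service on that name
    (HTTPS included); SRV-ID and XmppAddr are limited to XMPP.  This is the
    impersonation concern raised in the IRC excerpt."""
    return entry.kind in ("srv", "xmpp")


# Constructed SAN lists (not real certificates).
CERT_DOMAIN_DNS_ID = [SanEntry("dns", "example.com")]          # what Let's Encrypt can issue
CERT_SUBDOMAIN_DNS_ID = [SanEntry("dns", "xmpp.example.com")]  # cert for the SRV target only
CERT_SRV_ID = [SanEntry("srv", "_xmpp-client.example.com")]    # what public CAs won't issue
CERT_XMPPADDR = [SanEntry("xmpp", "example.com")]


def summary(domain: str = "example.com") -> dict:
    """Evaluate each constructed certificate for c2s and s2s use:
    name -> (valid_for_c2s, valid_for_s2s)."""
    certs = {
        "domain_dns_id": CERT_DOMAIN_DNS_ID,
        "subdomain_dns_id": CERT_SUBDOMAIN_DNS_ID,
        "srv_id": CERT_SRV_ID,
        "xmppaddr": CERT_XMPPADDR,
    }
    return {
        name: (cert_valid_for_xmpp_domain(san, domain, "c2s"),
               cert_valid_for_xmpp_domain(san, domain, "s2s"))
        for name, san in certs.items()
    }


if __name__ == "__main__":
    for name, (c2s, s2s) in summary().items():
        print(f"{name:18} c2s={c2s!s:5} s2s={s2s}")
```

The `subdomain_dns_id` row is the one that matters for the thread: a certificate issued for xmpp.example.com, the host the SRV record points at, is never matched against the domain example.com, so the friend's domain still needs either a DNS-ID for example.com (issuable today, but valid for HTTPS on that name too) or a service-scoped SRV-ID / XmppAddr (which public CAs do not issue).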