When I set up my XMPP server, a friend of mine asked if I was willing to have a virtualhost with his domain on my server, using the same address as the email.
Setting up prosody and the SRV record on the DNS was quite easy, but then we stumbled on the issue of certificates: of course we would like to use letsencrypt, but as far as we know that means that we would have to set up something custom so that the certificate gets renewed on his server and then sent to mine, and that looks more of a hassle than just him setting up his own prosody/ejabberd on his server.
So I was wondering: dear lazyweb, did any of you have the same issue and already come up with a solution that is easy to implement and trivial to maintain that we missed?
<nicoo> Anyhow, the issue is that, for an X.509 cert to be valid for XMPP for example.com, it needs to have either example.com in its subjectAltNames (making it able to impersonate any other service on that domain, esp. HTTPS)
<nicoo> or it can have an SRV-ID in subjectAltName
<nicoo> Unfortunately, the CA/B rules don't allow CAs to issue SRV-ID names
<nicoo> There has been some tentative effort to change that, but it seems to be stalled: https://cabforum.org/pipermail/public/2016-September/008473.html
<nicoo> Here is the matching Let's Encrypt thread: https://github.com/letsencrypt/boulder/issues/1309
<nicoo> I did actually offer to implement it in Boulder (and had a stab at that on a local fork) but it's pointless as long as nothing changes on the CA/B side
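As an added example (not part of the original post or of the chat above), here is a small DER walker that reports whether a certificate's subjectAltName covers an XMPP domain through a plain dNSName, which also covers HTTPS on that name, or through the narrower SRV-ID otherName (RFC 4985, OID 1.3.6.1.5.5.7.8.7). The SAN bytes at the bottom are constructed for the demo, not taken from a real certificate.

```python
"""Which subjectAltName entry makes an X.509 cert valid for an XMPP domain?"""

ID_ON_DNSSRV = b"\x2b\x06\x01\x05\x05\x07\x08\x07"  # OID 1.3.6.1.5.5.7.8.7, DER content bytes

def tlv(tag: int, body: bytes) -> bytes:
    """DER-encode one tag/length/value (short or long length form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def walk(der: bytes):
    """Yield (tag, value) for each consecutive TLV in a DER byte string."""
    i = 0
    while i < len(der):
        tag, n, i = der[i], der[i + 1], i + 2
        if n & 0x80:                       # long form: n & 0x7F bytes of length follow
            k = n & 0x7F
            n, i = int.from_bytes(der[i:i + k], "big"), i + k
        yield tag, der[i:i + n]
        i += n

def san_identifiers(san_der: bytes) -> list:
    """Return ("dns", name) / ("srv", name) pairs found in a SubjectAltName value."""
    seq_tag, names = next(walk(san_der))
    assert seq_tag == 0x30, "SubjectAltName must be a SEQUENCE OF GeneralName"
    found = []
    for tag, val in walk(names):
        if tag == 0x82:                    # dNSName [2] IMPLICIT IA5String
            found.append(("dns", val.decode("ascii")))
        elif tag == 0xA0:                  # otherName [0]: SEQUENCE { type-id OID, value [0] EXPLICIT }
            (oid_tag, oid), (_, value) = list(walk(val))[:2]
            if oid_tag == 0x06 and oid == ID_ON_DNSSRV:
                ia5_tag, srv = next(walk(value))   # SRVName ::= IA5String "_Service.Name"
                if ia5_tag == 0x16:
                    found.append(("srv", srv.decode("ascii")))
    return found

def xmpp_identity(san_der: bytes, domain: str, service: str = "xmpp-server") -> str:
    """'srv-id' if scoped to the XMPP service, 'dns-id' if the whole host name, else 'none'."""
    ids = san_identifiers(san_der)
    if ("srv", f"_{service}.{domain}") in ids:
        return "srv-id"                    # only asserts the XMPP service, nothing else
    if ("dns", domain) in ids:
        return "dns-id"                    # also valid for HTTPS etc. on that host name
    return "none"

# Constructed sample SAN (not from a real cert): one dNSName plus one SRV-ID otherName.
SAMPLE_SAN = tlv(0x30, tlv(0x82, b"chat.example.net")
                 + tlv(0xA0, tlv(0x06, ID_ON_DNSSRV)
                       + tlv(0xA0, tlv(0x16, b"_xmpp-server.example.com"))))
```

Running `xmpp_identity(SAMPLE_SAN, "example.com")` returns `"srv-id"`, while `"chat.example.net"` is only covered by the broader `"dns-id"` entry.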