Certbot + Prosody


#1

Hello guys,
I've got a problem importing or generating LE certs into my Prosody.

My XMPP server is (include version): prosody 10.2
The operating system my web server runs on is (include version): raspbian stretch
My hosting provider, if applicable, is: selfhosted with dyndns from nbiserv.de

I ran this command:
sudo /opt/certbot/certbot-auto certonly --standalone --rsa-key-size 4096 -d domain.de -d upload.domain.de -d conference.domain.de

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for conference.domain.de
http-01 challenge for domain.de
http-01 challenge for upload.domain.de
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/domain.de/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/domain.de/privkey.pem
    Your cert will expire on 2019-01-23.

Then I ran this command:
sudo prosodyctl --root cert import /etc/letsencrypt/live

It produced this output:
No certificate for host conference.domain.de found :(
No certificate for host upload.domain.de found :(
No certificate for host localhost found :(
Imported certificate and key for hosts domain.de

How can I check if there is really no cert for the subdomain?
In the folder /etc/letsencrypt/live there is only one folder: domain.de

Thank you for helping.
Best wishes from Germany.
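
To answer the question of how to check which names a certificate really covers, here is an added example (not code from the thread or from Prosody or certbot): a small POSIX shell script that reads the DNS entries of a certificate's subjectAltName extension with openssl and tests whether a given host is among them. prosodyctl cert import matches on the directory names under /etc/letsencrypt/live, not on the names inside the certificate, so inspecting the SANs is the only way to see whether upload.domain.de and conference.domain.de are on the one cert. The three host names and the self-signed fixture certificate are constructed for the demo; on a real system point cert_sans at /etc/letsencrypt/live/domain.de/fullchain.pem instead.

```shell
#!/bin/sh
# Added example: list the DNS names a PEM certificate covers and check
# whether a given host is among them. Run with "demo" to build a throw-away
# self-signed certificate and print a coverage report.
set -eu

# Print the DNS entries of the certificate's subjectAltName, one per line.
# Parses `openssl x509 -text` output, which works with every OpenSSL version
# (`-ext subjectAltName` would need OpenSSL 1.1.1 or newer).
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS://p'
}

# Exit 0 if the certificate $1 lists $2 as a DNS SAN (exact match only;
# a wildcard entry such as *.domain.de does not count as a match here).
cert_covers() {
    cert_sans "$1" | grep -qx "$2"
}

# Constructed fixture: a self-signed certificate with the same three names
# as the certbot run in the thread, so the helpers can be exercised offline.
# Writes fullchain.pem and privkey.pem into the directory given as $1.
make_demo_cert() {
    dir=$1
    cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = domain.de
[v3_req]
subjectAltName = DNS:domain.de,DNS:upload.domain.de,DNS:conference.domain.de
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/san.cnf" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" 2>/dev/null
}

# Stand-alone run: build the fixture and report which hosts it covers.
# chat.domain.de is deliberately not on the certificate.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_demo_cert "$tmp"
    for h in domain.de upload.domain.de conference.domain.de chat.domain.de; do
        if cert_covers "$tmp/fullchain.pem" "$h"; then
            echo "covered: $h"
        else
            echo "missing: $h"
        fi
    done
    rm -rf "$tmp"
fi
```

Save it as, for example, check-sans.sh and run `sh check-sans.sh demo`; to check the real certificate, source the file and call `cert_sans /etc/letsencrypt/live/domain.de/fullchain.pem`. If the subdomains are listed, the certificate is fine and the import problem is about file naming, not about a missing certificate.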


#2

It looks like you are running 3 separate hosts and have only 1 cert (with the three names on it).
Perhaps you need to issue the certs individually - my best guess.

Please show:
sudo /opt/certbot/certbot-auto certificates


#3

Thanks for your response.


Found the following certs:
Certificate Name: domain.de
Domains: domain.de conference.domain.de upload.domain.de
Expiry Date: 2019-01-23 09:53:25+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/domain.de/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain.de/privkey.pem



#4

In this guide, he also has only one cert, copies it to the Prosody folder, and it works?


#6

So it found the one cert but doesn’t understand how to use it for your 3 sites?


#7

Exactly.
I'm able to send/receive messages, but I'm not able to send media like pictures.
I think the problem is the cert for upload.domain.de


#8

If you can, manually insert the cert settings into the other vhost configs (probably way too difficult, with a high probability of making things worse).

Or, maybe you can split the one cert into individual certs and have them all imported automatically:

sudo /opt/certbot/certbot-auto certonly --standalone --rsa-key-size 4096 -d domain.de

sudo /opt/certbot/certbot-auto certonly --standalone --rsa-key-size 4096 -d upload.domain.de

sudo /opt/certbot/certbot-auto certonly --standalone --rsa-key-size 4096 -d conference.domain.de

sudo prosodyctl --root cert import /etc/letsencrypt/live


#9

Thank you. I've been thinking about this too.
How would you do the cronjob for renewing the certs? Likely during tls-sni


#10

I would just do multiple cron job entries (four separate lines)
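
An alternative to several cron lines, shown here as an added example that is not code from the thread, from certbot or from Prosody: certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal and exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) and RENEWED_DOMAINS (the names on that certificate, space-separated) to it. A single `certbot renew` cron entry therefore renews every lineage, and the hook below installs each renewed certificate under every name it covers and reloads Prosody. It assumes, as prosodyctl cert import does, that Prosody looks for <host>.crt and <host>.key in /etc/prosody/certs and runs as group prosody; both paths and the group name are parameters and are assumptions about your installation.

```shell
#!/bin/sh
# Added example: certbot deploy hook that copies a renewed certificate into
# Prosody's certificate directory as <host>.crt / <host>.key for every name
# on the certificate, then reloads Prosody. Install as
# /etc/letsencrypt/renewal-hooks/deploy/prosody.sh and make it executable.
set -eu

# Assumed Prosody layout; override through the environment if yours differs.
PROSODY_CERTS=${PROSODY_CERTS:-/etc/prosody/certs}
PROSODY_GROUP=${PROSODY_GROUP:-prosody}

# Files are created with no group/world permissions, then opened up
# explicitly below, so the private key is never world-readable, not even
# for the instant between cp and chmod.
umask 077

# install_lineage <lineage dir> <host>...: copy fullchain.pem and privkey.pem
# from the lineage directory to <host>.crt / <host>.key for each host.
install_lineage() {
    lineage=$1
    shift
    mkdir -p "$PROSODY_CERTS"
    for host in "$@"; do
        # RENEWED_DOMAINS comes from certbot, but never let a name containing
        # a path separator or leading dots write outside the certs directory.
        case $host in
            */* | ..*) echo "prosody hook: skipping suspicious name: $host" >&2; continue ;;
        esac
        cp "$lineage/fullchain.pem" "$PROSODY_CERTS/$host.crt"
        cp "$lineage/privkey.pem" "$PROSODY_CERTS/$host.key"
        chmod 0644 "$PROSODY_CERTS/$host.crt"
        chmod 0640 "$PROSODY_CERTS/$host.key"
        # Only root can hand the key to the prosody group; tolerate failure
        # when run unprivileged (e.g. during testing).
        chgrp "$PROSODY_GROUP" "$PROSODY_CERTS/$host.key" 2>/dev/null || true
    done
}

# mode_of <file>: octal permission bits, portable across GNU and BSD stat.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Entry point when certbot invokes the hook. RENEWED_DOMAINS is left
# unquoted on purpose so the shell splits it into one argument per name.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    # shellcheck disable=SC2086
    install_lineage "$RENEWED_LINEAGE" ${RENEWED_DOMAINS:-}
    prosodyctl reload
fi
```

With the hook in place, one line such as `0 3 * * * /opt/certbot/certbot-auto renew --quiet` renews all three lineages from post #8 and re-installs each one under its own name; if you keep the single three-name certificate instead, the same hook writes domain.de.crt, upload.domain.de.crt and conference.domain.de.crt from that one lineage, because all three names arrive in RENEWED_DOMAINS.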