Certbot + Prosody

anon7mous · October 25, 2018, 11:17am

Hello guys,
i’ve got a problem with importing or generating LE certs into my prosody.

My xmpp server is (include version): prosody 10.2
The operating system my web server runs on is (include version): raspbian stretch
My hosting provider, if applicable, is: selfhosted with dyndns from nbiserv.de

I ran this command:
sudo /opt/certbot/certbot-auto certonly --standalone --rsa-key-size 4096 -d domain.de -d upload.domain.de -d conference.domain.de

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for conference.domain.de
http-01 challenge for domain.de
http-01 challenge for upload.domain.de
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/domain.de/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/domain.de/privkey.pem
Your cert will expire on 2019-01-23.

Then I ran this command:
sudo prosodyctl --root cert import /etc/letsencrypt/live

It produced this output:
No certificate for host conference.domain.de found
No certificate for host upload.domain.de found
No certificate for host localhost found
Imported certificate and key for hosts domain.de

How can i check if there is really no cert for the subdomain?
In the folder /etc/letsencrypt/live is ony one folder: domain.de

Thank you for helping.
Best wishes from germany.

rg305 · October 25, 2018, 12:33pm

It looks like you are running 3 separate hosts and have only 1 cert (with the three names on them).
Perhaps you need to issue the certs individually - my best guess.

Please show:
sudo /opt/certbot/certbot-auto certificates

anon7mous · October 25, 2018, 7:12pm

Thank for your response.

Found the following certs:
Certificate Name: domain.de
Domains: domain.de conference.domain.de upload.domain.de
Expiry Date: 2019-01-23 09:53:25+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/domain.de/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain.de/privkey.pem

anon7mous · October 25, 2018, 7:21pm

In this guide, he has also only one cert, copies this to the prosody folder and it works?

rg305 · October 25, 2018, 9:20pm

So it found the one cert but doesn't understand how to use it for your 3 sites?

anon7mous · October 27, 2018, 2:41pm

Exact.
I’m possible to send/receive messages, but I’m not able to send media like pictures.
I think the problem is the cert for upload.domain.de

rg305 · October 27, 2018, 5:20pm

If you can, manually insert the cert settings into the other vhost configs (probably way too difficult and high probability of making things worse.)

Or, maybe you can separate the one cert into individually certs and have them all imported automatically:

sudo /opt/certbot/certbot-auto certonly --standalone --rsa-key-size 4096 -d domain.de

sudo /opt/certbot/certbot-auto certonly --standalone --rsa-key-size 4096 -d upload.domain.de

sudo /opt/certbot/certbot-auto certonly --standalone --rsa-key-size 4096 -d conference.domain.de

sudo prosodyctl --root cert import /etc/letsencrypt/live

anon7mous · October 27, 2018, 8:12pm

Thank you. I’ve thinking about this too.
How would you do the cronjob for renewing the certs? Likely during tls-sni

rg305 · October 28, 2018, 3:01am

I would just do multiple cron job entries (four separate lines)

system · November 27, 2018, 3:01am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.