I have a domain example.com hosted at a web hosting service provider. For the same domain I want to run an XMPP server on a vserver. Therefore my web hosting service allows me to set the DNS entries to forward the XMPP ports 5222 and 5269 from example.com to xmpp.myvserver.com. Because the XMPP server will be known as example.com I need to create a valid SSL certificate for example.com, but not on the web hosting service (where example.com is hosted for ports 80 and 443) but on my vserver.
As long as you can solve one of the domain ownership challenges supported by Let’s Encrypt, the certificates can be used for any kind of TLS server, independent of whether that server is the actual web server for that domain. The tricky part is just figuring out how to solve the ownership challenge - that’s very easy for web servers, but might be a bit more tricky in other cases. Here are some possible solutions:
If your web host has some way for you to upload files (SSH/SFTP/FTP), you can use the HTTP-01 challenge. GetSSL is a great client for this purpose, as it allows you to remotely upload the challenge verification files to your web host (while GetSSL itself would run on your XMPP server).
Another option would be to use the DNS-01 challenge type. If your DNS provider allows you to modify DNS records through some API, you can verify domain ownership by creating a TXT record. This is supported by a number of clients like lego or the bash clients, the links can be found here.
Finally, if none of these options work for you, you can try certbot's manual plugin, which allows you to upload the challenge files manually (through your web host's control panel or whatever). Note that this is something you'll have to repeat manually at least once every 3 months.
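The following script is an added example, not part of this thread and not a Let's Encrypt or certbot project script. It shows the HTTP-01 route from the answer above run from the XMPP vserver: certbot's manual plugin is given an auth hook that pushes the validation file to the separate web host over SSH, and a cleanup hook that removes it again, so the renewal does not need to be done by hand. The SSH target `user@webhost.example` and the document root `/var/www/html` are placeholders you would replace; the `CERTBOT_TOKEN` and `CERTBOT_VALIDATION` environment variables and the `--manual-auth-hook` / `--manual-cleanup-hook` options are real certbot behaviour. The token check exists because the hook splices the token into a remote file name, so it refuses anything that is not the base64url alphabet ACME tokens use.

```shell
#!/bin/sh
# Added example (not from the thread): certbot HTTP-01 via the manual plugin,
# with hooks that upload the challenge file to a separate web host over SSH.
# WEBHOST_SSH and DOCROOT are assumed placeholders; adjust for your host.

WEBHOST_SSH="${WEBHOST_SSH:-user@webhost.example}"
DOCROOT="${DOCROOT:-/var/www/html}"

# Path relative to the document root that the Let's Encrypt validator fetches.
challenge_path() {
    printf '.well-known/acme-challenge/%s\n' "$1"
}

# ACME tokens are base64url (A-Z a-z 0-9 - _). Anything else must not end up
# in a remote file name or shell command, so reject it.
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Auth hook: certbot exports CERTBOT_TOKEN and CERTBOT_VALIDATION before
# calling this. The file must contain exactly the validation string.
auth_hook() {
    valid_token "$CERTBOT_TOKEN" || { echo "refusing suspicious token" >&2; return 1; }
    rel=$(challenge_path "$CERTBOT_TOKEN")
    printf '%s' "$CERTBOT_VALIDATION" | ssh "$WEBHOST_SSH" \
        "mkdir -p '$DOCROOT/.well-known/acme-challenge' && cat > '$DOCROOT/$rel'"
}

# Cleanup hook: remove the file once validation has finished.
cleanup_hook() {
    valid_token "$CERTBOT_TOKEN" || return 1
    ssh "$WEBHOST_SSH" "rm -f '$DOCROOT/$(challenge_path "$CERTBOT_TOKEN")'"
}

# Pre-flight check: after uploading a test file by the same method, confirm
# the web host really serves it over plain HTTP on port 80, which is where
# the validator looks regardless of which machine holds the XMPP service.
# Usage: verify_served example.com <token> <expected-content>
verify_served() {
    got=$(curl -fsS --max-time 10 "http://$1/$(challenge_path "$2")") || return 1
    [ "$got" = "$3" ]
}

case "${1:-}" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
    request)
        # Run on the XMPP vserver: "$0 request example.com"
        certbot certonly --manual --preferred-challenges http \
            --manual-auth-hook "$0 auth" --manual-cleanup-hook "$0 cleanup" \
            -d "$2" ;;
esac
```

Once `certbot renew` works with these hooks, the issued certificate lives on the vserver and can be pointed at from the XMPP server's TLS configuration; the web host only ever sees the short-lived challenge file.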
Thanks, this sounds like some really good options! I will look into it and come back if I have any additional questions or need any help to implement it.