Solve challenge on two servers for the same domain

At first some background:

I would like to integrate my ejabbberd server into my Kubernetes cluster.

My server runs on the main domain example.com and is routed with a few DNS records such as _xmpp-server._tcp.example.com, which is updated from my IPfire and forwards the required ports to the ejabberd server.

Up to now I copied certificates from my hoster via cronjob to the ejabberd. But now the cert-manager should do this and there is my problem at the moment.

The port to solve the acme challenge for my main domain points to my hoster, because the website is still running there. Is there a way to solve the second challenge for example.com with the cert-manager on my bare metal kubernetes-homeserver anyway?

I am vaguely familiar with cert-manager. But, can't Kubernetes use certs you obtain somewhere else so you can just continue copying the cert from your hoster? Searching the Kubernetes docs I see references for custom certs which seems applicable.

2 Likes

Hi @sjyvxq, and welcome to the LE community forum :slight_smile:

I wonder if the underscores in the name will present a problem...?

2 Likes

It will:

Error creating new order :: Cannot issue for "_test.example.com": Domain name contains an invalid character

Although that specific hostname containing underscores is probably for a SRV RR which would point to the actual Jabber server. So I'm guessing the SRV hostname doesn't require a certificate itself, only the hostname in its contents, right?

6 Likes

The DNS name shown is most likely a SRV RR. There is no need to obtain a certificate for a SRV RR, it's a dynamically constructed lookup query only used for service discovery. The actual certificate would be issued for a proper FQDN.

Edit: @Osiris was faster.

5 Likes

first of all, thank you for your feedback and for welcoming us.

@MikeMcQ:
I think copying is only a workaround and I would prefer a native kubernetes/cert-manager solution.

Cert-manager is already running successfully with other subdomains, only I haven't found a solution for the main domain yet.

@Nummer378 and @Osiris are right:

I need a certificate for example.com and a few subdomains, but the subdomains are not the problem.

I have set the following DNS records at my hoster:

_xmpp-client._tcp.example.com. 	300 	SRV 	-Port: 5222  Ziel: xmpp.example.com	
_xmpp-server._tcp.example.com. 	300 	SRV 	-Port: 5269  Ziel: xmpp.example.com
conference.example.com. 	14400 	CNAME 	xmpp.example.com
pubsub.example.com. 	14400 	CNAME 	xmpp.example.com
upload.example.com. 	14400 	CNAME 	xmpp.example.com
_xmpps-client._tcp.example.com. 	300 	SRV 	-Port: 443  Ziel: xmpp.example.com
_xmpps-server._tcp.example.com. 	300 	SRV 	-Port: 5270 Ziel: xmpp.example.com
xmpp.example.com. 	A 	48.133.81.66

Now I have added the following:

_acme-challenge._tcp.example.com. 	300 	SRV 	Ziel: xmpp.example.com
_acme-challenge._tcp.example.com. 	300 	SRV 	Ziel: xmpp.example.com

Unfortunately without success, the challenge is not solved:

Waiting for HTTP-01 challenge propagation: wrong status code '404', expected '200'

Did you have to create similar _acme-challenge._tcp.example.com entries in the other working zones (for the certs)?

Pardon my ignorance with cert-manager.

2 Likes

@rg305
No, I didn't have to, but my hoster automatically creates such TXT records as this one for the main domain:

_acme-challenge.example.com. 	14400 	TXT 	qW1CSWWrA0EsaeWQ4_JbesHasvweaif33fYH7dewVLviDsEy1

So I wanted to test if I can delegate the challenge to my home server.

So that is the deviation [from the norm].

Can your "home server" be reached from the Internet via port 53 [TCP and UDP]?
How did you "delegate the challenge"?

2 Likes

if i set my firewall accordingly, yes

I don't understand the question, which challenge?

For the subdomains it is a CNAME enough and for the main domain i'm searching a solution.

I used the exact same wording from your request ("delegate the challenge").

If the end result points to the correct IP, then yes.
If not, then you need to make that happen.

"Delegation" is a term typically used with DNS zones.
We spoke about port 53 [TCP and UDP] - those are DNS ports.
If you can run your own DNS server, then you can handle the DNS authentication within it [locally].
But you would first have to "delegate" the DNS authority of a single name (or an entire folder/sub-zone) to your IP.

2 Likes