Solve challenge on two servers for the same domain

At first some background:

I would like to integrate my ejabbberd server into my Kubernetes cluster.

My server runs on the main domain and is routed with a few DNS records such as, which is updated from my IPfire and forwards the required ports to the ejabberd server.

Up to now I copied certificates from my hoster via cronjob to the ejabberd. But now the cert-manager should do this and there is my problem at the moment.

The port to solve the acme challenge for my main domain points to my hoster, because the website is still running there. Is there a way to solve the second challenge for with the cert-manager on my bare metal kubernetes-homeserver anyway?

I am vaguely familiar with cert-manager. But, can't Kubernetes use certs you obtain somewhere else so you can just continue copying the cert from your hoster? Searching the Kubernetes docs I see references for custom certs which seems applicable.


Hi @sjyvxq, and welcome to the LE community forum :slight_smile:

I wonder if the underscores in the name will present a problem...?


It will:

Error creating new order :: Cannot issue for "": Domain name contains an invalid character

Although that specific hostname containing underscores is probably for a SRV RR which would point to the actual Jabber server. So I'm guessing the SRV hostname doesn't require a certificate itself, only the hostname in its contents, right?


The DNS name shown is most likely a SRV RR. There is no need to obtain a certificate for a SRV RR, it's a dynamically constructed lookup query only used for service discovery. The actual certificate would be issued for a proper FQDN.

Edit: @Osiris was faster.


first of all, thank you for your feedback and for welcoming us.

I think copying is only a workaround and I would prefer a native kubernetes/cert-manager solution.

Cert-manager is already running successfully with other subdomains, only I haven't found a solution for the main domain yet.

@Nummer378 and @Osiris are right:

I need a certificate for and a few subdomains, but the subdomains are not the problem.

I have set the following DNS records at my hoster: 	300 	SRV 	-Port: 5222  Ziel: 	300 	SRV 	-Port: 5269  Ziel: 	14400 	CNAME 	14400 	CNAME 	14400 	CNAME 	300 	SRV 	-Port: 443  Ziel: 	300 	SRV 	-Port: 5270 Ziel: 	A

Now I have added the following: 	300 	SRV 	Ziel: 	300 	SRV 	Ziel:

Unfortunately without success, the challenge is not solved:

Waiting for HTTP-01 challenge propagation: wrong status code '404', expected '200'

Did you have to create similar entries in the other working zones (for the certs)?

Pardon my ignorance with cert-manager.


No, I didn't have to, but my hoster automatically creates such TXT records as this one for the main domain: 	14400 	TXT 	qW1CSWWrA0EsaeWQ4_JbesHasvweaif33fYH7dewVLviDsEy1

So I wanted to test if I can delegate the challenge to my home server.

So that is the deviation [from the norm].

Can your "home server" be reached from the Internet via port 53 [TCP and UDP]?
How did you "delegate the challenge"?


if i set my firewall accordingly, yes

I don't understand the question, which challenge?

For the subdomains it is a CNAME enough and for the main domain i'm searching a solution.

I used the exact same wording from your request ("delegate the challenge").

If the end result points to the correct IP, then yes.
If not, then you need to make that happen.

"Delegation" is a term typically used with DNS zones.
We spoke about port 53 [TCP and UDP] - those are DNS ports.
If you can run your own DNS server, then you can handle the DNS authentication within it [locally].
But you would first have to "delegate" the DNS authority of a single name (or an entire folder/sub-zone) to your IP.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.