Solve challenge on two servers for the same domain

sjyvxq · August 1, 2022, 9:54am

At first some background:

I would like to integrate my ejabbberd server into my Kubernetes cluster.

My server runs on the main domain example.com and is routed with a few DNS records such as _xmpp-server._tcp.example.com, which is updated from my IPfire and forwards the required ports to the ejabberd server.

Up to now I copied certificates from my hoster via cronjob to the ejabberd. But now the cert-manager should do this and there is my problem at the moment.

The port to solve the acme challenge for my main domain points to my hoster, because the website is still running there. Is there a way to solve the second challenge for example.com with the cert-manager on my bare metal kubernetes-homeserver anyway?

MikeMcQ · August 1, 2022, 1:48pm

I am vaguely familiar with cert-manager. But, can't Kubernetes use certs you obtain somewhere else so you can just continue copying the cert from your hoster? Searching the Kubernetes docs I see references for custom certs which seems applicable.

rg305 · August 1, 2022, 3:02pm

Hi @sjyvxq, and welcome to the LE community forum

I wonder if the underscores in the name will present a problem...?

Osiris · August 1, 2022, 3:52pm

It will:

Error creating new order :: Cannot issue for "_test.example.com": Domain name contains an invalid character

Although that specific hostname containing underscores is probably for a SRV RR which would point to the actual Jabber server. So I'm guessing the SRV hostname doesn't require a certificate itself, only the hostname in its contents, right?

Nummer378 · August 1, 2022, 3:57pm

The DNS name shown is most likely a SRV RR. There is no need to obtain a certificate for a SRV RR, it's a dynamically constructed lookup query only used for service discovery. The actual certificate would be issued for a proper FQDN.

Edit: @Osiris was faster.

sjyvxq · August 1, 2022, 7:09pm

first of all, thank you for your feedback and for welcoming us.

@MikeMcQ:
I think copying is only a workaround and I would prefer a native kubernetes/cert-manager solution.

Cert-manager is already running successfully with other subdomains, only I haven't found a solution for the main domain yet.

@Nummer378 and @Osiris are right:

I need a certificate for example.com and a few subdomains, but the subdomains are not the problem.

I have set the following DNS records at my hoster:

_xmpp-client._tcp.example.com. 	300 	SRV 	-Port: 5222  Ziel: xmpp.example.com	
_xmpp-server._tcp.example.com. 	300 	SRV 	-Port: 5269  Ziel: xmpp.example.com
conference.example.com. 	14400 	CNAME 	xmpp.example.com
pubsub.example.com. 	14400 	CNAME 	xmpp.example.com
upload.example.com. 	14400 	CNAME 	xmpp.example.com
_xmpps-client._tcp.example.com. 	300 	SRV 	-Port: 443  Ziel: xmpp.example.com
_xmpps-server._tcp.example.com. 	300 	SRV 	-Port: 5270 Ziel: xmpp.example.com
xmpp.example.com. 	A 	48.133.81.66

Now I have added the following:

_acme-challenge._tcp.example.com. 	300 	SRV 	Ziel: xmpp.example.com
_acme-challenge._tcp.example.com. 	300 	SRV 	Ziel: xmpp.example.com

Unfortunately without success, the challenge is not solved:

Waiting for HTTP-01 challenge propagation: wrong status code '404', expected '200'

rg305 · August 1, 2022, 7:28pm

Did you have to create similar _acme-challenge._tcp.example.com entries in the other working zones (for the certs)?

Pardon my ignorance with cert-manager.

sjyvxq · August 1, 2022, 7:36pm

@rg305
No, I didn't have to, but my hoster automatically creates such TXT records as this one for the main domain:

_acme-challenge.example.com. 	14400 	TXT 	qW1CSWWrA0EsaeWQ4_JbesHasvweaif33fYH7dewVLviDsEy1

So I wanted to test if I can delegate the challenge to my home server.

rg305 · August 1, 2022, 8:51pm

So that is the deviation [from the norm].

Can your "home server" be reached from the Internet via port 53 [TCP and UDP]?
How did you "delegate the challenge"?

sjyvxq · August 2, 2022, 6:05am

if i set my firewall accordingly, yes

I don't understand the question, which challenge?

For the subdomains it is a CNAME enough and for the main domain i'm searching a solution.

rg305 · August 2, 2022, 1:58pm

I used the exact same wording from your request ("delegate the challenge").

If the end result points to the correct IP, then yes.
If not, then you need to make that happen.

"Delegation" is a term typically used with DNS zones.
We spoke about port 53 [TCP and UDP] - those are DNS ports.
If you can run your own DNS server, then you can handle the DNS authentication within it [locally].
But you would first have to "delegate" the DNS authority of a single name (or an entire folder/sub-zone) to your IP.

system · September 1, 2022, 1:58pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Split-server certificate (server cert domain list includes a hostname pointing to a different IP) for XMPP/Jabber server Help	3	1578	July 22, 2017
[SOLVED] Creating an LE certificate for an XMPP server: See last update for the eventual solution Server	7	4858	September 8, 2017
Help regarding timeout issues Help	22	3270	August 10, 2022
Internal Network and DNS challenge with Cert Manager Help	6	5099	July 14, 2019
Question about using the same account from multiple systems Issuance Tech	5	991	September 15, 2023

Solve challenge on two servers for the same domain

Related topics