I tried following up an older thread hoping for an answer, but no joy so far. So let’s set out the problem afresh, since it’s not QUITE on topic for the original thread.
The situation is as follows:
I have a single public IP with a number of hosts behind it, one of which is my main app server. The app server runs, among other things, both Apache (all-SSL; all incoming HTTP traffic is redirected to HTTPS) and ejabberd. Apache answers as www.my-domain; ejabberd answers as jabber.my-domain, and as chat.my-domain for multi-user conferences. (Why two separate subdomains for Jabber? That’s just the way the standards say XMPP MUC works.)
Now, I already have a LE cert for Apache, and it’s working perfectly. But I have only a self-signed certificate for ejabberd, and I’d like to use a better one. So, easy: Just add jabber.my-domain and chat.my-domain to the certificate, right? That won’t PRECISELY give me a certificate ejabberd can use, but I can trivially make one from the certs it does give me.
So what’s the problem? Well, the problem is that I can’t figure out a way to get acme to properly verify jabber.my-domain and chat.my-domain to generate the extended certificate. And I can’t just use a wildcard certificate because those aren’t supported by LE yet. (I’m using certbot, by the way.)
Can anyone advise on how to solve this verification problem? I’ve tried setting up a minimal web vhost for jabber.my-domain:80/443, but this gambit fails because apparently acme gets the same tls-sni-01 cert from jabber.my-domain that it issued to www.my-domain, and therefore jabber.my-domain fails verification.
Are you using Certbot to issue certificates? It sounds like you want to be using an HTTP-01 (or "webroot" in Certbot terms) challenge in order for a validation HTTP request to arrive on 80 and get sent to the vhost for jabber.my-domain.
I’m using certbot so far, yes, but I’m open to alternate solutions if they’ll get the job done better. @netrixx just suggested using dehydrated, but if I can tell certbot to do it in a way that gets the job done, I’m good with that too.
Pretty sure my original invocation was simply: certbot certonly --apache --domains www.caerllewys.net
This is working fine for apache serving that domain ONLY, but fails to work for jabber.caerllewys.net. I’ve discovered though that a part of this problem is that connections to the jabber.caerllewys.net VHOST are correctly directed by Apache if they originate from inside the firewall, but not if they originate from outside the firewall. If I could just figure out why that’s not working, I imagine the problem would likely be much simpler.
I’m still not certain why I can’t get the stub named virtual hosts simultaneously working from inside and outside my firewall, but as long as they work from outside, certbot --webroot works to auth all three vhosts, and I have my certificate extended and a renew --post-hook set up to assemble the certificate for ejabberd.
This is the certbot invocation that gave me the certificate I wanted once I had the stub vhosts working:
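The renew post-hook mentioned two posts up has to turn certbot's separate privkey.pem and fullchain.pem into the single PEM file that ejabberd reads. The script below is an added example, not the poster's own hook or any certbot/ejabberd code: the live directory name, the output path and the PEM contents in the self-test are placeholders and constructed sample data, and the final `ejabberdctl` restart is the assumed way to make the daemon pick up the new file.

```shell
#!/bin/sh
# Added example: assemble an ejabberd PEM (private key first, then the full
# certificate chain) from a certbot live directory, for use as a
# `certbot renew --post-hook`. All paths are placeholders.

# assemble_ejabberd_pem LIVE_DIR OUT_PEM
#   LIVE_DIR: e.g. /etc/letsencrypt/live/www.my-domain  (placeholder)
#   OUT_PEM:  e.g. /etc/ejabberd/ejabberd.pem           (placeholder)
# Returns non-zero, and leaves OUT_PEM untouched, if either input is missing
# or does not look like PEM, so a broken renewal never clobbers a working file.
assemble_ejabberd_pem() {
    live_dir="$1"
    out="$2"
    key="$live_dir/privkey.pem"
    chain="$live_dir/fullchain.pem"

    [ -r "$key" ] && [ -r "$chain" ] || return 1
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$chain" || return 1

    # Private key material: create the file mode 0600 before writing anything.
    umask 077
    cat "$key" "$chain" > "$out.tmp" || { rm -f "$out.tmp"; return 1; }
    mv "$out.tmp" "$out"
}

# Self-test with constructed (fake) PEM bodies, so the script runs without
# touching /etc. Real certificates are never needed to exercise the logic.
demo_assemble() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/live"
    printf '%s\n%s\n%s\n' '-----BEGIN PRIVATE KEY-----' \
        'CONSTRUCTEDKEYMATERIAL' '-----END PRIVATE KEY-----' > "$tmp/live/privkey.pem"
    printf '%s\n%s\n%s\n%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' \
        'CONSTRUCTEDLEAF' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'CONSTRUCTEDISSUER' \
        '-----END CERTIFICATE-----' > "$tmp/live/fullchain.pem"
    assemble_ejabberd_pem "$tmp/live" "$tmp/ejabberd.pem" || return 1
    # Expected layout: key block first, then 2 certificate blocks, 9 lines total.
    [ "$(head -n1 "$tmp/ejabberd.pem")" = '-----BEGIN PRIVATE KEY-----' ] || return 1
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$tmp/ejabberd.pem")" -eq 2 ] || return 1
    [ "$(wc -l < "$tmp/ejabberd.pem")" -eq 9 ] || return 1
    rm -rf "$tmp"
    echo "assembled PEM layout OK"
}

# When invoked by certbot as a post-hook, pass the real paths and restart
# ejabberd (assumed command) so it reloads the new certificate:
#   assemble_ejabberd_pem /etc/letsencrypt/live/www.my-domain /etc/ejabberd/ejabberd.pem \
#       && ejabberdctl restart
case "${1:-}" in
    --demo) demo_assemble ;;
esac
```

Wire it in with `certbot renew --post-hook '/usr/local/sbin/ejabberd-cert-hook'` (hook path is a placeholder), and give the resulting PEM to the `ejabberd` user with mode 0600 only; the hook writes to a temporary file and renames it so a half-written PEM is never in place when ejabberd reloads.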