[SOLVED] Creating an LE certificate for an XMPP server: See last update for the eventual solution

I tried following up an older thread hoping for an answer, but no joy so far. So let’s set out the problem afresh, since it’s not QUITE on topic for the original thread.

The situation is as follows:

I have a single public IP with a number of hosts behind it, one of which is my main app server. The app server runs, among other things, both Apache (all-SSL; all incoming HTTP traffic is redirected to HTTPS) and ejabberd. Apache answers as www.my-domain; ejabberd answers as jabber.my-domain, and as chat.my-domain for multi-user conferences. (Why two separate subdomains for Jabber? That’s just the way the standards say XMPP MUC works.)

Now, I already have a LE cert for Apache, and it’s working perfectly. But I have only a self-signed certificate for ejabberd, and I’d like to use a better one. So, easy: Just add jabber.my-domain and chat.my-domain to the certificate, right? That won’t PRECISELY give me a certificate ejabberd can use, but I can trivially make one from the certs it does give me.

So what’s the problem? Well, the problem is that I can’t figure out a way to get acme to properly verify jabber.my-domain and chat.my-domain to generate the extended certificate. And I can’t just use a wildcard certificate because those aren’t supported by LE yet. (I’m using certbot, by the way.)

Can anyone advise on how to solve this verification problem? I’ve tried setting up a minimal web vhost for jabber.my-domain:80/443, but this gambit fails because apparently acme gets the same tls-sni-01 cert from jabber.my-domain that it issued to www.my-domain, and therefore jabber.my-domain fails verification.

Hi @UnixRonin,

Are you using Certbot to issue certificates? It sounds like you want to be using an HTTP-01 (or "webroot" in Certbot terms) challenge in order for a validation HTTP request to arrive on 80 and get sent to the vhost for jabber.my-domain.

I’m using certbot so far, yes, but I’m open to alternate solutions if they’ll get the job done better. @netrixx just suggested using dehydrated, but if I can tell certbot to do it in a way that gets the job done, I’m good with that too.

Can you share how you're running Certbot now? Likely someone will be able to give some concrete advice with that information available.

Pretty sure my original invocation was simply: certbot certonly --apache --domains www.caerllewys.net

This is working fine for apache serving that domain ONLY, but fails to work for jabber.caerllewys.net. I’ve discovered though that a part of this problem is that connections to the jabber.caerllewys.net VHOST are correctly directed by Apache if they originate from inside the firewall, but not if they originate from outside the firewall. If I could just figure out why that’s not working, I imagine the problem would likely be much simpler.

SOLVED

I’m still not certain why I can’t get the stub named virtual hosts simultaneously working from inside and outside my firewall, but as long as they work from outside, certbot --webroot works to auth all three vhosts, and I have my certificate extended and a renew --post-hook set up to assemble the certificate for ejabberd.

This is the certbot invocation that gave me the certificate I wanted once I had the stub vhosts working:

certbot certonly --webroot -w /var/httpd/htdocs -d www.caerllewys.net -w /var/httpd/htdocs/jabber -d jabber.caerllewys.net -d chat.caerllewys.net --force-renewal --rsa-key-size 4096

And the renewal command:

certbot renew --post-hook 'cat /etc/letsencrypt/live/www.caerllewys.net/privkey.pem /etc/letsencrypt/live/www.caerllewys.net/fullchain.pem > /etc/jabber/server.pem'


Thanks for sharing your solution, @UnixRonin.

