Split-server certificate (server cert domain list includes a hostname pointing to a different IP) for XMPP/Jabber server

pkirkovsky · June 22, 2017, 9:12am

I use LetsEncrypt for two servers, one hosting my website and one for my XMPP (Jabber) chat server.

The XMPP server's real hostname is "xmpp.services.kirkovsky.com" but it's also aliased as "conference.services.kirkovsky.com" and "xmpp-proxy.services.kirkovsky.com"

The web server's hostname is "web.services.kirkovsky.com" and it's also aliased as "www.kirkovsky.com" and "kirkovsky.com"

For technical reasons, the XMPP server's certificate must also include the bare domain "kirkovsky.com" in the domain list. The problem lies in the fact that the bare domain is already handled by the web server, which is a separate box.

Renewing the web server's certificate is easy — I just use the automatic webroot method since it's already running nginx.

The renewal command on the XMPP box looks like this:

letsencrypt-auto certonly --config /etc/letsencrypt/cli.ini -a manual --agree-tos --renew-by-default
-d xmpp.services.kirkovsky.com
-d conference.services.kirkovsky.com
-d xmpp-proxy.services.kirkovsky.com
-d kirkovsky.com

For the first 3 domains, I run the Python webserver along with the commands to generate the acme challenge files on the XMPP box. The XMPP box doesn't run a web server normally, and I don't want it to.

Since "kirkovsky.com" points to the web server machine, the final step is to SSH into it and create the verification file by hand, then continue with the certbot process on the XMPP machine so that it can check the challenge file.

I have to do this every time I renew the XMPP server's cert. It's a huge hassle!

I want to automate this process. I could cobble together a shell script but I'm hoping that certbot or another utility has something built-in.

Any ideas?

rg305 · June 22, 2017, 10:49am

Two potential points of advice.

all names resolve to IPv4 and IPv6 addresses.
LE prefers IPv6 over IPv4 - insure that you are properly handling IPv6.
if all certs could best be handled by one system (IP), you could redirect [301] all challenge requests to just one system.
Insert something like on other system vhost file:
Redirect permanent /.well-known/acme-challenge http://xmpp.services.kirkovsky.com/.well-known/acme-challenge

mnordhoff · June 22, 2017, 11:03am

If they're not best handled by one system, some web servers support "serve the file if it exists, redirect to the other web server if it doesn't". That would allow you to use HTTP-01 validation with more than one system. For example, in Nginx:

location /.well-known/acme-challenge/ {
    try_files $uri @redirect;
}
location @redirect {
    return http://xmpp.services.kirkovsky.com$request_uri;
}

You might consider it less brittle, or otherwise prefer, to use DNS-01 validation. I don't know if NFSN has a DNS API. If they do, you'd likely have to write the script for it on your own. If not, you can integrate another DNS provider (though not necessarily for free).

system · July 22, 2017, 11:04am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[SOLVED] Creating an LE certificate for an XMPP server: See last update for the eventual solution Server	7	4858	September 8, 2017
Create certificate for xmpp server (port 80 and 443 for the requested domain are not on the same server) Help	3	2255	August 30, 2016
Solve challenge on two servers for the same domain Help	11	687	September 1, 2022
Certificate Score F Help	13	2758	January 31, 2017
Can not install certificate into xmpp Help	13	2775	March 1, 2019

Split-server certificate (server cert domain list includes a hostname pointing to a different IP) for XMPP/Jabber server

Related topics