Split-server certificate (server cert domain list includes a hostname pointing to a different IP) for XMPP/Jabber server

I use LetsEncrypt for two servers, one hosting my website and one for my XMPP (Jabber) chat server.

The XMPP server’s real hostname is “xmpp.services.kirkovsky.com” but it’s also aliased as “conference.services.kirkovsky.com” and “xmpp-proxy.services.kirkovsky.com

The web server’s hostname is “web.services.kirkovsky.com” and it’s also aliased as “www.kirkovsky.com” and “kirkovsky.com

For technical reasons, the XMPP server’s certificate must also include the bare domain “kirkovsky.com” in the domain list. The problem lies in the fact that the bare domain is already handled by the web server, which is a separate box.

Renewing the web server’s certificate is easy — I just use the automatic webroot method since it’s already running nginx.

The renewal command on the XMPP box looks like this:

letsencrypt-auto certonly --config /etc/letsencrypt/cli.ini -a manual --agree-tos --renew-by-default
-d xmpp.services.kirkovsky.com
-d conference.services.kirkovsky.com
-d xmpp-proxy.services.kirkovsky.com
-d kirkovsky.com

For the first 3 domains, I run the Python webserver along with the commands to generate the acme challenge files on the XMPP box. The XMPP box doesn’t run a web server normally, and I don’t want it to.

Since “kirkovsky.com” points to the web server machine, the final step is to SSH into it and create the verification file by hand, then continue with the certbot process on the XMPP machine so that it can check the challenge file.

I have to do this every time I renew the XMPP server’s cert. It’s a huge hassle!

I want to automate this process. I could cobble together a shell script but I’m hoping that certbot or another utility has something built-in.

Any ideas?

Two potential points of advice.

  1. all names resolve to IPv4 and IPv6 addresses.
    LE prefers IPv6 over IPv4 - insure that you are properly handling IPv6.

  2. if all certs could best be handled by one system (IP), you could redirect [301] all challenge requests to just one system.
    Insert something like on other system vhost file:
    Redirect permanent /.well-known/acme-challenge http://xmpp.services.kirkovsky.com/.well-known/acme-challenge

If they’re not best handled by one system, some web servers support “serve the file if it exists, redirect to the other web server if it doesn’t”. That would allow you to use HTTP-01 validation with more than one system. For example, in Nginx:

location /.well-known/acme-challenge/ {
    try_files $uri @redirect;
location @redirect {
    return http://xmpp.services.kirkovsky.com$request_uri;

You might consider it less brittle, or otherwise prefer, to use DNS-01 validation. I don’t know if NFSN has a DNS API. If they do, you’d likely have to write the script for it on your own. If not, you can integrate another DNS provider (though not necessarily for free).

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.