Elena "of Valhalla"

XMPP VirtualHosts, SRV records and letsencrypt certificates

Elena "of Valhalla" at

When I set up my XMPP server, a friend of mine asked if I was willing to have a virtualhost with his domain on my server, using the same address as the email.

Setting up prosody and the SRV record on the DNS was quite easy, but then we stumbled on the issue of certificates: of course we would like to use letsencrypt, but as far as we know that means that we would have to set up something custom so that the certificate gets renewed on his server and then sent to mine, and that looks like more of a hassle than just him setting up his own prosody/ejabberd on his server.

So I was wondering: dear lazyweb, did any of you have the same issue and already come up with a solution that is easy to implement and trivial to maintain that we missed?

This is easy: Use your own TLS certificate (for your XMPP server's domain). The XMPP server that handles a given domain doesn't have to be in that domain (i.e., you have the SRV record for your friend's domain list your domain name for the target). Clients and other XMPP servers connect to that domain name, thereby expecting your domain name and ta da - life is good.

Or, if you don't want to do that, use a subdomain, which can be renewed on your XMPP server assuming that the DNS records resolve to the IP of the XMPP server. But really, the first option is probably the better one. It's what I do - look up the DNS SRV records for jxself.org for an example. Both domains are controlled by me.

Jason Self at 2017-03-22T17:07:17Z

For me, Let's Encrypt read something, I'm assuming my Apache config, and offered to generate a cert with subject alternative names for the other virtual hosts I was running.

You would need to turn on SNI for that to work though. (Let's Encrypt might offer to enable that for you for Apache.)

Diane Trout at 2017-03-22T18:01:28Z
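Added example (not from the thread or from prosody/ejabberd): a small Python script that walks through both ideas raised above, the SRV delegation in Jason's reply and the SAN certificate in Diane's. It parses a constructed set of SRV records in which `friend.example` (a stand-in for the friend's domain) points at the hosting server `xmpp.valhalla.example` (a stand-in for Elena's), orders the targets the way an RFC 2782 client would, and then checks which certificate names would satisfy a connecting client. The security detail worth seeing in code is the reference identifier: RFC 6120 section 13.7.2.1 has the client verify the certificate against the XMPP domain it set out to reach, and it does not accept the SRV target's name as an identifier unless the DNS answer was DNSSEC-validated, so a certificate that only names the hosting server does not cover the virtual host, while one that carries the friend's domain as a SAN does. All host names, records and SAN lists are constructed for the example.

```python
"""SRV delegation and certificate-name coverage for an XMPP virtual host.

Constructed example: friend.example is served by xmpp.valhalla.example.
"""
from __future__ import annotations

import random
from dataclasses import dataclass


@dataclass
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_zone(zone_text: str) -> dict[str, list[SRV]]:
    """Parse zone-file style SRV lines, keyed by owner name
    (e.g. '_xmpp-client._tcp.friend.example'). Input is constructed below."""
    records: dict[str, list[SRV]] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        owner = fields[0].rstrip(".").lower()
        i = fields.index("SRV")  # TTL and class are optional, so locate the RR type
        prio, weight, port, target = fields[i + 1:i + 5]
        records.setdefault(owner, []).append(
            SRV(int(prio), int(weight), int(port), target.rstrip(".").lower()))
    return records


def order_srv(rrs: list[SRV], rng: random.Random | None = None) -> list[SRV]:
    """Order targets the way an RFC 2782 client tries them: lowest priority
    first; within one priority a weighted random draw (weight 0 listed first)."""
    rng = rng or random.Random(0)
    ordered: list[SRV] = []
    for prio in sorted({r.priority for r in rrs}):
        pool = sorted((r for r in rrs if r.priority == prio), key=lambda r: r.weight != 0)
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    chosen = r
                    break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


def cert_covers(san_dns_names: list[str], reference: str) -> bool:
    """RFC 6125-style match of a reference identifier against dNSName SANs;
    a wildcard is honoured only as the whole left-most label."""
    ref = reference.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == ref:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # e.g. ".valhalla.example"
            head = ref[:-len(suffix)] if ref.endswith(suffix) else ""
            if head and "." not in head:
                return True
    return False


def check_virtualhost(xmpp_domain: str, records: dict[str, list[SRV]],
                      certs: dict[str, list[str]],
                      service: str = "_xmpp-client._tcp") -> list[tuple[str, int, bool]]:
    """For each SRV target serving xmpp_domain, report (target, port, ok), where
    ok means the SANs that target presents cover the XMPP domain itself: per
    RFC 6120 sec. 13.7.2.1 the client verifies the domain it set out to reach,
    not the SRV target name. `certs` maps target host -> dNSName SANs (constructed)."""
    owner = f"{service}.{xmpp_domain}".lower()
    return [(rr.target, rr.port, cert_covers(certs.get(rr.target, []), xmpp_domain))
            for rr in order_srv(records.get(owner, []))]


# Constructed records: the friend's domain delegates XMPP to valhalla.example's host.
CONSTRUCTED_ZONE = """
; constructed for this example
_xmpp-client._tcp.friend.example. 3600 IN SRV 0 5 5222 xmpp.valhalla.example.
_xmpp-client._tcp.friend.example. 3600 IN SRV 10 0 5222 backup.valhalla.example.
_xmpp-server._tcp.friend.example. 3600 IN SRV 0 5 5269 xmpp.valhalla.example.
"""

# Constructed certificates, reduced to the SAN names the check needs.
CERT_OWN_DOMAIN_ONLY = {
    "xmpp.valhalla.example": ["xmpp.valhalla.example", "valhalla.example"],
    "backup.valhalla.example": ["*.valhalla.example"],
}
CERT_WITH_VHOST_SAN = {
    "xmpp.valhalla.example": ["xmpp.valhalla.example", "valhalla.example", "friend.example"],
    "backup.valhalla.example": ["*.valhalla.example", "friend.example"],
}

if __name__ == "__main__":
    records = parse_srv_zone(CONSTRUCTED_ZONE)
    for label, certs in (("own-domain cert", CERT_OWN_DOMAIN_ONLY),
                         ("cert with vhost SAN", CERT_WITH_VHOST_SAN)):
        print(label, check_virtualhost("friend.example", records, certs))
```

Run as-is it prints the two reports: with the hosting server's own certificate every target comes back `False` for `friend.example`, with the SAN certificate every target comes back `True`. That is the renewal problem in the original question stated as a check: whichever server holds the certificate, it has to be issued for the virtual host's name, so the ACME validation for that name has to succeed on the host that will serve it.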