Certificate verification and SRV record...


Marco Gaiarin

Nov 28, 2022, 12:40:10 PM11/28/22
to prosod...@googlegroups.com

I manage a little home-based prosody server, for my personal use.

Until now, I've used a self-made certificate, bound to an internal CA. The
certificate is wildcarded (*.lilliput.linux.it).
In this way all works, but S2S communication with some other XMPP servers does
not work, because there's no certificate validation.

Also, I use SRV records:

gaio@hermione:~$ dig -4 srv _xmpp-client._tcp.lilliput.linux.it +short
0 5 5222 xmpp.lilliput.linux.it.
gaio@hermione:~$ dig -4 srv _xmpp-server._tcp.lilliput.linux.it +short
0 5 5222 xmpp.lilliput.linux.it.


So I've tried to switch to Let's Encrypt certs, defining a cert for
'xmpp.lilliput.linux.it', but now if I try to connect with a client, I get:
'domain not verifiable'.


What am I missing? Thanks.

--
Napoleon's principle: never attribute to malice that which can
simply be explained by stupidity.
(Davide Bianchi, from icols)


Marco Gaiarin

Dec 3, 2022, 1:40:08 PM12/3/22
to Marco Gaiarin, prosod...@googlegroups.com
Hello! Marco Gaiarin
On that day wrote...

> What am I missing? Thanks.

sorry, it was written here:

https://prosody.im/doc/certificates

Which domain?
Sometimes there is confusion about which domain to get a certificate for, if your service uses SRV records to delegate XMPP services to a second domain (e.g. xmpp.example.com).
The answer is simple - your certificate simply needs to match whatever you have in your VirtualHost and Component definitions (e.g. example.com and conference.example.com), as these are the services you need to authenticate as. When you use the prosodyctl cert commands (see below), the correct entries are always included.

--
To err is human. Propagating the error to all servers automatically
is #devops (@sco...@mastodon.bida.im)
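An added example (not from the thread or from Prosody itself) of the check the documentation describes: whether a certificate's DNS SANs cover the domains Prosody must authenticate as (the VirtualHost and its components), using RFC 6125 wildcard rules. The domains, the component name and the certificate contents are constructed from the thread's example; the dicts mimic the shape returned by Python's ssl getpeercert().

```python
def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' may only replace the whole leftmost label,
    must cover exactly one label, and never matches the apex domain."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_dns_names(peercert: dict) -> list:
    """DNS entries from a getpeercert()-style dict: {'subjectAltName': (('DNS', name), ...)}."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def coverage(san_names, required):
    """Map each required XMPP domain to the SAN entry that covers it (None if none does)."""
    return {d: next((n for n in san_names if hostname_matches(n, d)), None) for d in required}


def missing_domains(peercert: dict, required) -> list:
    """Domains Prosody must authenticate as that this certificate cannot prove."""
    return [d for d, n in coverage(san_dns_names(peercert), required).items() if n is None]


# Constructed scenario: VirtualHost lilliput.linux.it with a hypothetical MUC
# component conference.lilliput.linux.it; SRV points at xmpp.lilliput.linux.it.
REQUIRED = ["lilliput.linux.it", "conference.lilliput.linux.it"]
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.lilliput.linux.it"),)}
SRV_TARGET_CERT = {"subjectAltName": (("DNS", "xmpp.lilliput.linux.it"),)}
CORRECT_CERT = {"subjectAltName": (("DNS", "lilliput.linux.it"),
                                   ("DNS", "conference.lilliput.linux.it"),
                                   ("DNS", "xmpp.lilliput.linux.it"))}

if __name__ == "__main__":
    for label, cert in [("wildcard", WILDCARD_CERT),
                        ("srv-target", SRV_TARGET_CERT),
                        ("correct", CORRECT_CERT)]:
        print(f"{label:10s} missing: {missing_domains(cert, REQUIRED)}")
```

The wildcard certificate covers the SRV target and the component but not the apex VirtualHost, and a certificate issued only for the SRV target name covers neither; only the last one satisfies the documented rule.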

