Hi Daniel,
On Tue, Jul 12, 2016 at 03:28:43PM +0200, Daniel Pocock wrote:
> Has anybody else tried the certificates with any servers for SIP, XMPP or other RTC services?
Yes, I'm currently using acmetool[1] to fetch LE certificates that are used for mail and XMPP. Acmetool can execute hook scripts after renewal, so it's easy to trigger a reload of prosody/postfix/kamailio etc.
It's very easy to do if the server using a certificate has an A record for the certificate's domain.
So if xmpp.example.com serves XMPP for example.com with correct SRV records but the A record for example.com goes elsewhere, you need to fetch the certificate on the example.com webserver and not on the XMPP server. It would be nice if LE would support some form of validation that takes the SRV records into account. Maybe stateless mode[2] helps here, but I guess that would collide if the webserver uses a different LE account for its own certificates. Haven't tried that though.
> Has anybody looked at integrating certbot[3] or any of the other tools for automatic certificate renewal?
In my experience certbot (the former official LE client) is a huge mess of Python code and a large number of dependencies that is difficult to install and maintain. Also, I didn't need/want a LE client to modify my web server configuration, so that's a huge source of complexity in certbot that I didn't need. Otherwise it worked flawlessly for me, although the last version I tried didn't have automatic renewal functionality; I guess that's included now.
So I'm a happy user of acmetool[1] because it's simple to deploy, has extendable renewal functionality out of the box and is very well documented.
Regards, Markus
1. https://github.com/hlandau/acme
2. https://hlandau.github.io/acme/userguide#web-server-configuration-challenges
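The reload hook described in the message above, written out as an added example (it is not Markus's script and not part of acmetool). It assumes acmetool's documented hook interface: the hook is called with the event name as its first argument and, for the "live-updated" event, receives the renewed hostnames on stdin, one per line. The hostname-to-service mapping (xmpp/mail/sip.example.com to prosody, postfix/dovecot, kamailio) is constructed for illustration; adjust it to your own hosts. The script only reacts to "live-updated" (acmetool also invokes hooks for challenge events), deduplicates services that share a certificate, and prefers `systemctl reload` over a restart so existing XMPP/SIP sessions survive the key swap.

```shell
#!/bin/sh
# Added example: acmetool "live-updated" hook that reloads only the daemons
# whose certificate hostnames were actually renewed. Not the original
# poster's script. Assumed hook interface: $1 = event name, hostnames on
# stdin (one per line). Install as e.g. /usr/lib/acme/hooks/reload-services.
set -eu

# Constructed mapping: which services serve a certificate for which name.
services_for_host() {
    case "$1" in
        xmpp.example.com)  echo "prosody" ;;
        mail.example.com)  echo "postfix dovecot" ;;
        sip.example.com)   echo "kamailio" ;;
        *)                 echo "" ;;
    esac
}

# Read renewed hostnames from stdin and print the unique, sorted set of
# services that need a reload (space separated), without touching systemd.
plan_reloads() {
    seen=""
    while IFS= read -r host || [ -n "$host" ]; do
        [ -n "$host" ] || continue
        for svc in $(services_for_host "$host"); do
            case " $seen " in
                *" $svc "*) ;;                 # already scheduled
                *) seen="$seen $svc" ;;
            esac
        done
    done
    printf '%s\n' $seen | sort | tr '\n' ' ' | sed 's/ $//'
}

# Entry point called by acmetool. Ignores every event except the renewal
# itself. With DRY_RUN=1 it only reports what it would reload.
run_hook() {
    event="${1:-}"
    [ "$event" = "live-updated" ] || return 0
    for svc in $(plan_reloads); do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would reload $svc"
        else
            # Reload keeps existing connections; fall back to restart for
            # units without a reload action.
            systemctl reload "$svc" 2>/dev/null || systemctl restart "$svc"
        fi
    done
}

# acmetool always passes an event name; with no argument (sourced or run by
# hand) the functions are merely defined and nothing is reloaded.
[ -z "${1:-}" ] || run_hook "$@"
```

Acmetool runs every executable in its hooks directory for each event, so the "live-updated" guard is what keeps this from reloading postfix on an unrelated challenge event. Test it from a shell with `printf 'xmpp.example.com\n' | DRY_RUN=1 ./reload-services live-updated` before letting a real renewal trigger it.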