[Free-RTC] using Let's Encrypt free certificates for SIP, XMPP, WebRTC, TURN, etc

Markus Lindenberg markus at lindenberg.io
Tue Jul 12 15:52:17 CEST 2016


Hi Daniel, 

On Tue, Jul 12, 2016 at 03:28:43PM +0200, Daniel Pocock wrote:
> Has anybody else tried the certificates with any servers for SIP, XMPP
> or other RTC services?

Yes, I'm currently using acmetool[1] to fetch LE certificates that are used for
Mail and XMPP. Acmetool can execute hook scripts after renewal so it's
easy to trigger a reload of prosody/postfix/kamailio etc.

It's very easy to do if the server using a certificate
has an A record for the certificate's domain.

So if xmpp.example.com serves XMPP for example.com w/ correct SRV
records but the A record for example.com goes elsewhere you need to
fetch the certificate on the example.com webserver and not on the XMPP
server. It would be nice if LE would support some form of validation
that takes the SRV records into account. Maybe stateless mode[2] helps
here but I guess that would collide if the webserver uses a different LE
account for its own certificates. Haven't tried that though.

> Has anybody looked at integrating certbot[3] or any of the other tools
> for automatic certificate renewal?

In my experience certbot (the former official LE client) is a huge mess
of Python code and a large number of dependencies that is difficult to
install and maintain. Also I didn't need/want a LE client to modify my
web server configuration, so that's a huge source of complexity in
certbot that I didn't need. Otherwise it worked flawlessly for me,
although the last version I tried didn't have automatic renewal
functionality, I guess that's included now.

So I'm a happy user of acmetool[1] because it's simple to deploy, has
extendable renewal functionality out of the box and is very well documented.

Regards, Markus

1. https://github.com/hlandau/acme
2. https://hlandau.github.io/acme/userguide#web-server-configuration-challenges
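As an added illustration of the renewal-hook approach Markus describes (this is example code written for this page, not acmetool's own hook or anything from the post), here is a minimal "live-updated" hook. It assumes the acmetool hook convention of passing the event name as the first argument and the affected hostnames on stdin, one per line, and it assumes certificates live under /var/lib/acme/live/<hostname>/; the hostname-to-service mapping is a constructed sample. It reloads each service only once even when several hostnames map to it, and checks that the new certificate is not already expired before reloading anything.

```sh
#!/bin/sh
# Illustrative acmetool hook (not part of acmetool or the original post).
# Assumed hook protocol: $1 is the event name ("live-updated" after a
# renewal); for that event the renewed hostnames arrive on stdin.
# Set DRY_RUN=1 to only print what would be reloaded.

# Assumed acmetool live directory layout: /var/lib/acme/live/<host>/cert
ACME_LIVE="${ACME_LIVE:-/var/lib/acme/live}"

# Constructed sample mapping of certificate hostnames to the services
# that present them. Adjust to the local deployment.
services_for_host() {
    case "$1" in
        xmpp.example.com) echo "prosody" ;;
        sip.example.com)  echo "kamailio" ;;
        mail.example.com) echo "postfix dovecot" ;;
        *) ;;
    esac
}

# Read hostnames from stdin and print the de-duplicated, space-separated
# list of services that need a reload, in first-seen order.
services_to_reload() {
    seen=""
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        for svc in $(services_for_host "$host"); do
            case " $seen " in
                *" $svc "*) ;;                 # already scheduled
                *) seen="$seen $svc" ;;
            esac
        done
    done
    echo "${seen# }"
}

# Return success only if the live certificate for $1 exists and is not
# already expired, so a broken renewal never triggers a reload.
cert_ok() {
    cert="$ACME_LIVE/$1/cert"
    [ -r "$cert" ] || return 1
    openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1
}

# Hook entry point: $1 is the event, renewed hostnames come on stdin.
reload_services() {
    [ "$1" = "live-updated" ] || return 0
    hosts=$(cat)
    if [ -z "$DRY_RUN" ]; then
        for h in $hosts; do
            cert_ok "$h" || { echo "hook: certificate for $h not usable, skipping reload" >&2; return 1; }
        done
    fi
    for svc in $(printf '%s\n' "$hosts" | services_to_reload); do
        if [ -n "$DRY_RUN" ]; then
            echo "would reload $svc"
        else
            systemctl reload "$svc" || systemctl restart "$svc"
        fi
    done
}

# When run as a hook, dispatch on the event name given by acmetool.
if [ $# -gt 0 ]; then
    reload_services "$@"
fi
```

Dropped into the acmetool hooks directory and made executable, the script runs after every successful renewal; the validity check before the reload loop means a service keeps serving the previous certificate rather than failing to start on a bad one, which is the failure mode to watch for with unattended renewal.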


