The SRV record allows hosting a service for a specific domain (commonly XMPP) on a different host than the A/AAAA record indicates. However, from what I can read in the documentation, the host that provides a service must still have a certificate authorizing it for the original domain name.

So: Is there any good solution that would allow me to run a secure XMPP server and an HTTP server for the same domain on different machines?

As an example, consider this zone for example.com:

@ 10800 IN A 0.0.0.0
_xmpp-client._tcp 10800 IN SRV 5 0 5222 xmpp.example.com.
_xmpp-server._tcp 10800 IN SRV 5 0 5269 xmpp.example.com.
xmpp 10800 IN A 0.0.0.1

The server at 0.0.0.1 must have a certificate that authenticates it for the name example.com, but only 0.0.0.0 (as the A record for example.com) can acquire that certificate from LetsEncrypt.

Do I just... generate the certificate on 0.0.0.0 and then transfer it over the network each time? Or temporarily set the web server on 0.0.0.0 to forward the /.well-known/acme-challenge/ requests to 0.0.0.1? Neither of these seems very robust or secure.

Are SRV records essentially unusable in the https-everywhere world?

Christoph Burschka
1 Answer

Ah.

LetsEncrypt supports other challenges that don't rely on the A record; specifically a DNS challenge: https://datatracker.ietf.org/doc/html/draft-ietf-acme-acme-01#section-7.5

This merely requires the XMPP server to have access to the DNS registrar's API to allow it to temporarily set a TXT record.

Christoph Burschka
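Two things the question and the answer leave implicit are worth seeing in code: which name the certificate on the SRV target actually has to carry (the service domain, not the target host), and what the `dns-01` challenge publishes so that the XMPP host can obtain that certificate without ever serving `/.well-known/acme-challenge/`. The following is an added example, not code from the original post or from Let's Encrypt. It parses the zone fragment from the question, derives the name to certify, and builds the `_acme-challenge` TXT record as specified in the final ACME standard (RFC 8555 section 8.4: `base64url(SHA-256(token "." thumbprint))`) rather than the draft the answer links. The account key `ACCOUNT_JWK` and the `TOKEN` are constructed placeholders, not real key material.

```python
import base64
import hashlib
import json

# Zone fragment copied from the question (the 0.0.0.x addresses are the question's own).
ZONE = """
@ 10800 IN A 0.0.0.0
_xmpp-client._tcp 10800 IN SRV 5 0 5222 xmpp.example.com.
_xmpp-server._tcp 10800 IN SRV 5 0 5269 xmpp.example.com.
xmpp 10800 IN A 0.0.0.1
"""

# Constructed sample ACME account key (JWK form). Not a real key: the coordinates are filler.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "y": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
    "kid": "https://acme.example/acct/1",  # optional member, must NOT affect the thumbprint
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed challenge token


# --- Part 1: which name must the SRV target's certificate cover? ---

def parse_srv_records(zone_text, origin):
    """Return {absolute_owner: (target, port)} for every SRV record in a zone fragment."""
    records = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if "SRV" not in fields:
            continue
        i = fields.index("SRV")
        owner = fields[0]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"          # relative owner: append the origin
        _priority, _weight, port, target = fields[i + 1:i + 5]
        records[owner.rstrip(".")] = (target.rstrip("."), int(port))
    return records


def name_to_certify(srv_owner):
    """The certificate presented by the SRV target must name the *service* domain.
    Strip the leading _service._proto labels from the SRV owner name to get it."""
    labels = srv_owner.split(".")
    while labels and labels[0].startswith("_"):
        labels.pop(0)
    return ".".join(labels)


# --- Part 2: the dns-01 TXT record the XMPP host publishes via the DNS API ---

def b64url(data):
    """base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_record(domain, token, account_jwk):
    """Return (owner, value) for the dns-01 challenge of `domain`.
    keyAuthorization = token "." thumbprint; the TXT value is its SHA-256, base64url-encoded,
    so the record never exposes the key authorization itself."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return f"_acme-challenge.{domain}", value


def txt_record_satisfies(published_values, expected_value):
    """The CA-side check: some TXT value at _acme-challenge.<domain> equals the expected digest."""
    return expected_value in published_values


if __name__ == "__main__":
    srv = parse_srv_records(ZONE, "example.com")
    for owner, (target, port) in srv.items():
        print(f"{owner} -> {target}:{port}; certificate must name {name_to_certify(owner)}")
    owner, value = dns01_txt_record("example.com", TOKEN, ACCOUNT_JWK)
    print(f"publish TXT {owner} \"{value}\" from the XMPP host, then tell the CA to validate")
```

Running this shows that both SRV records point at `xmpp.example.com`, yet the certificate that host must present is for `example.com`, which is exactly why the `http-01` challenge (answered only by the web host) does not fit. The TXT record is what the XMPP host sets through the registrar's API; it is removed once the CA has validated, so the DNS API credential is the one secret that needs protecting on that machine.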