
Suppose I run a service on example.com that relies on a SRV record to direct clients to it (in my case it's xmpp, but I think this applies to anything really). The service needs a certificate to identify itself to clients, and I want to use certbot/letsencrypt to get one. However, example.com's A record points to a web host on a different server.

Is there any way to request that letsencrypt "call me back" using the SRV record rather than the A record? If not, is there a way to control its callback URL pattern, such that I can configure the web host at the A record to proxy the callback to the host that is actually requesting the certificate?

I am aware of DNS challenges as alternative verification, but for purposes of this question, assume that I don't want to keep credentials for my DNS provider on the service host.

Andrew
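The proxy arrangement the question asks about is workable because the HTTP-01 challenge is always fetched from the fixed path `/.well-known/acme-challenge/<token>` on port 80 of whatever the A record resolves to, so only that prefix has to be forwarded. The following nginx configuration for the web host is an added example, not part of the question or either answer; the upstream address 10.0.0.5 stands in for the XMPP host's internal address and is an assumption.

```nginx
# On the web host that example.com's A record points to.
server {
    listen 80;
    server_name example.com;

    # Forward only the ACME HTTP-01 path to the host that runs certbot.
    # Keep this block above any catch-all redirect to HTTPS, otherwise the
    # validation request never reaches the XMPP host.
    location /.well-known/acme-challenge/ {
        proxy_pass http://10.0.0.5:80;   # assumed internal address of the XMPP host
        proxy_set_header Host $host;
    }

    # Everything else keeps going to the normal site.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

With this in place, `certbot certonly --standalone -d example.com` run on the XMPP host answers the forwarded request itself on port 80, and no DNS credentials are needed on either machine. The proxied prefix should stay limited to `/.well-known/acme-challenge/` so that the web host does not become a general-purpose forwarder into the internal network.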

2 Answers


I'm fairly sure LE does what you want. You can configure your web host to just get the certs (certbot certonly ...) and then copy them to your XMPP server. Similarly the DNS-01 challenge does not need to be run on the host itself. You can use a tool like dehydrated to get the certs on any system and then push them out to where they need to be. You don't, then, need to store your DNS service creds on the XMPP server. This is what I do for a number of certs that I subsequently use Puppet to deploy.

user9517
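The "get the certs on the web host and copy them over" approach from the answer above can be automated with a certbot deploy hook, so the push happens on every renewal rather than by hand. The script below is an added example, not the answerer's own tooling: it assumes certbot's `RENEWED_LINEAGE` and `RENEWED_DOMAINS` environment variables (which certbot sets when it runs a `--deploy-hook`), and the host name, deploy account, destination directory and reload command are placeholders for your own environment.

```shell
#!/bin/sh
# certbot --deploy-hook script: runs on the web host after a successful
# issuance or renewal and pushes the new certificate to the XMPP host.
# Assumed values (not from the original answer): XMPP_DOMAIN, XMPP_HOST,
# XMPP_USER, XMPP_CERT_DIR and XMPP_RELOAD_CMD; override them in the environment.
set -eu

XMPP_DOMAIN="${XMPP_DOMAIN:-example.com}"
XMPP_HOST="${XMPP_HOST:-xmpp-internal.example.com}"
XMPP_USER="${XMPP_USER:-certdeploy}"
XMPP_CERT_DIR="${XMPP_CERT_DIR:-/etc/xmpp/certs}"
XMPP_RELOAD_CMD="${XMPP_RELOAD_CMD:-sudo systemctl reload prosody}"

# Succeeds when the lineage directory holds a readable chain and private key.
lineage_is_complete() {
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# Succeeds when the space-separated domain list $1 contains $2 exactly.
# certbot passes RENEWED_DOMAINS in that form, so a hook shared by several
# lineages only pushes the certificate the XMPP service actually uses.
domain_in_list() {
    for d in $1; do
        [ "$d" = "$2" ] && return 0
    done
    return 1
}

# Copy only the two files the XMPP daemon needs, tighten the key's mode on
# the far side and reload the daemon so it picks up the new certificate.
# The deploy account should be a dedicated unprivileged user whose sudo rule
# allows nothing beyond the reload command.
push_to_xmpp_host() {
    lineage="$1"
    scp -q "$lineage/fullchain.pem" "$lineage/privkey.pem" \
        "$XMPP_USER@$XMPP_HOST:$XMPP_CERT_DIR/"
    ssh "$XMPP_USER@$XMPP_HOST" \
        "chmod 0640 '$XMPP_CERT_DIR/privkey.pem' && $XMPP_RELOAD_CMD"
}

main() {
    lineage="${RENEWED_LINEAGE:?certbot sets RENEWED_LINEAGE for deploy hooks}"
    domains="${RENEWED_DOMAINS:-}"
    if ! domain_in_list "$domains" "$XMPP_DOMAIN"; then
        echo "deploy hook: '$domains' is not the XMPP certificate, skipping" >&2
        return 0
    fi
    if ! lineage_is_complete "$lineage"; then
        echo "deploy hook: $lineage is missing fullchain.pem or privkey.pem" >&2
        return 1
    fi
    push_to_xmpp_host "$lineage"
}

# certbot exports RENEWED_LINEAGE when it invokes the hook; run by hand
# without it, the script only defines the functions above and does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Install it as, for example, `/usr/local/sbin/push-xmpp-cert.sh` and request the certificate on the web host with `certbot certonly --webroot -w /var/www/html -d example.com --deploy-hook /usr/local/sbin/push-xmpp-cert.sh`; certbot remembers the hook and runs it again on each automatic renewal. The domain check matters when the same web host obtains certificates for several names, since only the XMPP one should ever be copied to the XMPP server.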

Let's Encrypt does not check any SRV record in the verification process.

You should instead set up a TXT record, more info at:

How to use Let's Encrypt DNS challenge validation?

Orphans