#1318 Multiple domain certificate for different services is not working
Reporter
sven222
Owner
Nobody
Created
Updated
Stars
★★ (2)
Tags
Priority-Medium
Status-NeedInfo
Type-Defect
sven222
on
What steps will reproduce the problem?
1. I did installation of prosody 0.11 on a raw debian stretch with documentation from homebreserver.club
2. In old documentation certificate was catched for all subdomains with one certbot call. Like:
"certbot certonly -d myserver.org -d proxy.myserver.org -d dump.myserver.org -muc.myserver.org"
Because of the bug I try to file they changed to 4 seperate calls of certbot. Like:
certbot certonly -d myserver.org
certbot certonly -d muc.myserver.org
.
.
3. After doing "prosodyctl --root cert import /etc/letsencrypt/live/ " I have some errors for the certificates in prosody.err amd prosody.log. In log only, if I change before to debug from info.
What is the expected output?
Expected output is to import the certificates, if you have only one for the complete server.
What do you see instead?
I made a dump of prosody.err and prosody.log, that you can check
dump.err: https://cloud.hardwarepunk.de/s/yteirYQ33xLPpWA
dump.log: https://cloud.hardwarepunk.de/s/aZQBf9ptZMM77nn
What version of the product are you using? On what operating system?
0.11 on Debian Stretch (9)
Please provide any additional information below.
Zash
on
Thanks for the report. Currently prosodyctl only looks at filenames and not at the contents of certs, doing deeper inspection for certificates with multiple names was on the TODO from the start, but this has not been completed yet.
What is the output of the `cert import` command, and the names of the certificate files imported, if any?
As you can see in the log, it looks for certs matching the parent domain of each component or host, so if "myserver.org" has a cert, that should be selected in this case.
Changes
tags Status-NeedInfo
Will Tuladhar-Douglas
on
I have the same, or a closely related, problem. I've anonymised the domain names.
I use certbot to generate a single certificate that covers the root domain (example.com) as well as several subdomains (muc.example.com, mail.example.com, pleroma.example.com and so forth). In order to run Prosody, I've added muc.example.com after setting up the DNS.
sudo certbot renew -d example.com,mail.example.com,pleroma.example.com,muc.example.com
Now, when I run
sudo certbot renew --deploy-hook "prosodyctl --root cert import /etc/letsencrypt/live" --force-renew
I get back this in among the other output from certbot, which is otherwise normal.
...
Running deploy-hook command: prosodyctl --root cert import /etc/letsencrypt/live
Output from prosodyctl:
No certificate for host muc.example.com found :(
No certificate for host pleroma.example.com found :(
No certificate for host mail.example.com found :(
Imported certificate and key for hosts example.com
...
MattJ
on
Hi Will, thanks for contributing to this report.
Unless you're seeing evidence to the contrary (apart from those messages) I suspect your setup will still work just fine. Prosody will automatically use the certificate of 'example.com' for direct subdomains like 'muc.example.com'.
The problem arises when you have multiple unrelated domains in a single certificate, because the certificate can only have one filename and the filename is all that prosodyctl currently looks at.
We are planning to make prosodyctl more 'smart' in the future, so that it will look inside the certificates and silence these warnings for any domains it sees listed in them.
Martin
on
I have a certificate with a different name than prosody is using as domains, and am seeing this issue.
As the certificate name has no relation to the prosody configuration, prosodyctl claims that it is not valid for my domains (although it is).
I am solving this problem with a custom deploy-hook for Certbot, but it would be nice if prosody were "smarter" in this regard ;-)
What steps will reproduce the problem? 1. I did installation of prosody 0.11 on a raw debian stretch with documentation from homebreserver.club 2. In old documentation certificate was catched for all subdomains with one certbot call. Like: "certbot certonly -d myserver.org -d proxy.myserver.org -d dump.myserver.org -muc.myserver.org" Because of the bug I try to file they changed to 4 seperate calls of certbot. Like: certbot certonly -d myserver.org certbot certonly -d muc.myserver.org . . 3. After doing "prosodyctl --root cert import /etc/letsencrypt/live/ " I have some errors for the certificates in prosody.err amd prosody.log. In log only, if I change before to debug from info. What is the expected output? Expected output is to import the certificates, if you have only one for the complete server. What do you see instead? I made a dump of prosody.err and prosody.log, that you can check dump.err: https://cloud.hardwarepunk.de/s/yteirYQ33xLPpWA dump.log: https://cloud.hardwarepunk.de/s/aZQBf9ptZMM77nn What version of the product are you using? On what operating system? 0.11 on Debian Stretch (9) Please provide any additional information below.
Thanks for the report. Currently prosodyctl only looks at filenames and not at the contents of certs, doing deeper inspection for certificates with multiple names was on the TODO from the start, but this has not been completed yet. What is the output of the `cert import` command, and the names of the certificate files imported, if any? As you can see in the log, it looks for certs matching the parent domain of each component or host, so if "myserver.org" has a cert, that should be selected in this case.
ChangesI have the same, or a closely related, problem. I've anonymised the domain names. I use certbot to generate a single certificate that covers the root domain (example.com) as well as several subdomains (muc.example.com, mail.example.com, pleroma.example.com and so forth). In order to run Prosody, I've added muc.example.com after setting up the DNS. sudo certbot renew -d example.com,mail.example.com,pleroma.example.com,muc.example.com Now, when I run sudo certbot renew --deploy-hook "prosodyctl --root cert import /etc/letsencrypt/live" --force-renew I get back this in among the other output from certbot, which is otherwise normal. ... Running deploy-hook command: prosodyctl --root cert import /etc/letsencrypt/live Output from prosodyctl: No certificate for host muc.example.com found :( No certificate for host pleroma.example.com found :( No certificate for host mail.example.com found :( Imported certificate and key for hosts example.com ...
Hi Will, thanks for contributing to this report. Unless you're seeing evidence to the contrary (apart from those messages) I suspect your setup will still work just fine. Prosody will automatically use the certificate of 'example.com' for direct subdomains like 'muc.example.com'. The problem arises when you have multiple unrelated domains in a single certificate, because the certificate can only have one filename and the filename is all that prosodyctl currently looks at. We are planning to make prosodyctl more 'smart' in the future, so that it will look inside the certificates and silence these warnings for any domains it sees listed in them.
I have a certificate with a different name than prosody is using as domains, and am seeing this issue. As the certificate name has no relation to the prosody configuration, prosodyctl claims that it is not valid for my domains (although it is). I am solving this problem with a custom deploy-hook for Certbot, but it would be nice if prosody were "smarter" in this regard ;-)