The current behaviour of automated certificate search does not work well with certs issued for multiple domains, as in my understanding one should either override the setting completely in the Prosody configuration file or create a subdirectory for each hostname domain, even if that means copying the same certificate to multiple locations.
My suggestion is to treat fullchain.pem and privkey.pem as the global certificates if they are placed in the main directory specified in the "certificates = " setting, and override it if HOSTNAME.pem or a HOSTNAME subdirectory with proper files exists. That would not break compatibility with existing installations but would improve (at least in my opinion) the general procedure.
Zash
Prosody now inspects all certificates in the certificates directory and catalogues them by the hostnames they cover, then picks from that when initializing TLS states for the various services.