When using an SRV entry for a domain, the certificate check fails because it expects the domain name to match instead of the host name it connected to.
What happens
For:
_matrix._tcp.example.com. 3600 IN SRV 10 0 8448 matrix.example.com.
The tester connects to matrix.example.com but checks for a certificate for example.com.
What I expect
The tester connects to matrix.example.com and checks for a certificate for matrix.example.com.
It is not only impracticable to use the main domain (causes a lot of problems with automatically issued certificates), it also differs from the behavior that occurs with the .well-known entry on the web server hosted on example.com:
Ah, I understand. This is still really confusing. I realize I cannot use SRV records for my scenario, even though the federation docs recommend it. The .well-known way is my solution here.
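The certificate name a federation client checks under the Matrix server discovery rules, as an added example (not part of the original issue or the tester's code): an SRV record only changes where the connection goes, while .well-known delegation also changes the name the certificate must cover. The function and field names are hypothetical, DNS and .well-known results are passed in as data, and IP-literal server names are not handled.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Target:
    connect_host: str  # host the TCP connection is made to
    port: int
    cert_name: str     # name the presented TLS certificate must be valid for


def split_host_port(name: str) -> Tuple[str, Optional[int]]:
    """Split 'host[:port]'; IPv6 literals are out of scope for this sketch."""
    host, sep, port = name.rpartition(":")
    return (host, int(port)) if sep else (name, None)


def resolve(server_name: str,
            well_known: Optional[str] = None,
            srv: Optional[Dict[str, Tuple[str, int]]] = None) -> Target:
    """
    server_name: Matrix server name, e.g. 'example.com'
    well_known:  "m.server" value served at /.well-known/matrix/server, if any
    srv:         hostname -> (target, port) of its _matrix._tcp SRV record
    """
    srv = srv or {}
    host, port = split_host_port(server_name)
    if port is not None:
        # Explicit port: no delegation lookup, certificate for the hostname.
        return Target(host, port, host)
    if well_known:
        # Delegation: the expected certificate name becomes the delegated host.
        d_host, d_port = split_host_port(well_known)
        if d_port is not None:
            return Target(d_host, d_port, d_host)
        if d_host in srv:
            target, t_port = srv[d_host]
            return Target(target, t_port, d_host)
        return Target(d_host, 8448, d_host)
    if host in srv:
        # SRV only redirects the connection; the certificate must still
        # be valid for the original server name, not the SRV target.
        target, t_port = srv[host]
        return Target(target, t_port, host)
    return Target(host, 8448, host)


# Constructed inputs mirroring the record quoted in the issue.
SRV_RECORDS = {"example.com": ("matrix.example.com", 8448)}
```
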