Open licaon-kter opened 5 years ago
I don't think we need to overcomplicate ACME support, because the main goal of the built-in ACME client is to simplify ejabberd configuration for newcomers and for admins with simple setups (e.g. XMPP server only - I have such a setup for my personal server). Thus ejabberd only cares about the domains it serves by itself. Your example with the upload component is an exception - ejabberd's ACME client doesn't know anything about modules, and the external_secret option of mod_http_upload in particular.
Anyway, I keep the issue opened for a while to hear other people's opinions.
If ejabberd is getting certs for its hosted domains only, why does it generate a cert for upload.domain.tld even if that is NOT hosted by itself (put_url points to a nginx instance, and with external_secret via ngx_http_upload)?

A simple "if external_secret then exclude upload domain" can be used, imho.
It is a really missing point. To manage all in one place...
The current implementation just uses ACME to get certs for:
domain.tld
upload.domain.tld
conference.domain.tld
proxy.domain.tld
pubsub.domain.tld
which, I guess, are extracted from the currently hosted ones by ejabberd.

ejabberd, at least in my case, is not just a single daemon for everything on this domain; I might have others too in need of certs, like web.domain.tld (hosting Converse.js on nginx) or anything else really.

So I am forced to add some other ACME tool to generate some certs that might not share the same domain key, so basically different certs with different SANs and expiration dates, on the same base domain.

Now, I do see the point of keeping it strictly related to ejabberd, but the whole thing is rather odd:

web.domain.tld: why should I bother with the included ACME? I can use this for the ejabberd domains too, right?

upload.domain.tld: even if that is NOT hosted by itself (put_url points to a nginx instance, and with external_secret via ngx_http_upload)? nginx should now use one cert for upload. and another for web.

Maybe add an option additional_domains: where the admin can, besides whatever ejabberd is set up for, add other domains.

Right now this feels artificially limited for some reason.
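The domain-selection logic argued about in this thread, written out as an added example (not ejabberd's code): it expands ejabberd's @HOST@ placeholder for each component, drops the upload host when external_secret hands uploads to another server, honours the proposed additional_domains key (an assumption, not a real ejabberd option), and then reports which required names a certificate's SAN list fails to cover. The config dict and SAN lists are constructed samples.

```python
"""Added example for this thread, not ejabberd code.  The CONFIG shape, the
external_secret exclusion and the additional_domains key are assumptions
modelling the proposal discussed above."""

from fnmatch import fnmatchcase

# Constructed sample: one hosted domain, components using ejabberd's @HOST@
# placeholder, and HTTP upload handed to nginx via put_url + external_secret.
CONFIG = {
    "hosts": ["domain.tld"],
    "modules": {
        "mod_http_upload": {
            "host": "upload.@HOST@",
            "put_url": "https://upload.domain.tld/upload",
            "external_secret": "constructed-shared-secret",
        },
        "mod_muc": {"host": "conference.@HOST@"},
        "mod_proxy65": {"host": "proxy.@HOST@"},
        "mod_pubsub": {"host": "pubsub.@HOST@"},
    },
    # Hypothetical option from the proposal in this thread.
    "additional_domains": ["web.domain.tld"],
}


def required_domains(config: dict) -> set[str]:
    """Names the ACME client should request: every hosted domain plus each
    component host, minus an upload host that another server terminates."""
    names = set(config["hosts"])
    for host in config["hosts"]:
        for mod, opts in config.get("modules", {}).items():
            comp = opts.get("host", "").replace("@HOST@", host)
            if not comp:
                continue
            # external_secret means uploads are served elsewhere (e.g. nginx),
            # so that server, not ejabberd, needs the certificate.
            if mod == "mod_http_upload" and opts.get("external_secret"):
                continue
            names.add(comp)
    names.update(config.get("additional_domains", []))
    return names


def uncovered(domains: set[str], sans: list[str]) -> set[str]:
    """Required names not matched by any SAN.  A wildcard covers exactly one
    extra label (RFC 6125), so the label count must agree."""
    def covered(name: str) -> bool:
        for san in sans:
            if san.startswith("*."):
                if name.count(".") == san.count(".") and fnmatchcase(name, san):
                    return True
            elif san.lower() == name.lower():
                return True
        return False
    return {d for d in domains if not covered(d)}
```

Running uncovered() against the SANs of the certificate nginx actually serves tells you whether the split between ejabberd's ACME client and the external tool left any hostname without a valid certificate.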