When using ACME/LetsEncrypt SSL certs on Expressway and using the Expressway for XMPP Federation we experienced issues with SSL cert.
Using JIDs in the form of firstname.lastname@example.org we added entries for CollabEdge DNS, the correct A records to additional alternate names and IM&P chat node aliases to the CSR, no XMPP federation domains (as service partner instructed us).
We then get a working SSL cert from LetsEncrypt, but that is missing domain.com entry. Although it might look currently as if everything is working, I'm unsure, because the IM Observatory server report on XMPP.net does report an issue with the SSL cert from LetsEncrypt missing domain.com:
A working exmaple not using LetsEncrypt is this one:
In my understanding of reading https://xmpp.org/rfcs/rfc6120.html#security-certificates it is mandatory to have domain.com when JID is email@example.com - unless the domain.com zone would be signed by DNSSEC and _xmpp-server._tcp.domain.com record would have a TLSA RR as well, correct?
If so ACME/LetsEncrypt in the current implementation in Expressway is rather useless when Expressway is used in Enterprises for XMPP Federation, because it is rather unlikely (if not impossible) to have domain.com point to Expressway for ACME challenge/response. Similar unlikely like having major domain.com webserver farm redirecting /.well-known/acme-challenge to Expressway, also this would be possible.
Is this correct? Are there any other solutions for this kind of problem beside:
buying a SSL cert instead of using LetsEncrypt/ACME
signing the zone with DNSSEC and generate TLSA records
redirect ACME challenge to Expressway on webserver farm?
Hi, My name is JanetMy portal ID is https://nwswdvcas-taw.my.webex.com/meet/janet.dvcasI do want you please to delete both my accounts with Webex (free and Paid)So my organisation can join me on another Webex Account as another Host. I did foll...
Our beginner online classes are designed to help IT Admins plan, deploy, and manage their Webex Control Hub environment. Start off by learning what critical elements are needed to deploy Control Hub or move into Webex features that can be used to better ...
I need to modify the SIP header. When I call to the PSTN, the header SIP show From firstname.lastname@example.org (Gateway - Private IP 172.24.10.6) and i need email@example.com (Gateway - Public IP 22.214.171.124). How can I change in theGateway the ...