
Expressway ACME/LetsEncrypt SSL Cert & XMPP Federation



When using ACME/LetsEncrypt SSL certs on Expressway and using the Expressway for XMPP Federation, we experienced issues with the SSL cert.

Using JIDs in the form of we added entries for CollabEdge DNS, the correct A records to additional alternate names and IM&P chat node aliases to the CSR, no XMPP federation domains (as service partner instructed us).

We then get a working SSL cert from LetsEncrypt, but that is missing entry. Although it might look currently as if everything is working, I'm unsure, because the IM Observatory server report on does report an issue with the SSL cert from LetsEncrypt missing 

Bildschirmfoto 2020-01-08 um 10.28.10.png


A working example not using LetsEncrypt is this one:

Bildschirmfoto 2020-01-08 um 10.25.17.png

In my understanding of reading it is mandatory to have when JID is - unless the zone would be signed by DNSSEC and record would have a TLSA RR as well, correct?


If so, ACME/LetsEncrypt in the current implementation in Expressway is rather useless when Expressway is used in enterprises for XMPP Federation, because it is rather unlikely (if not impossible) to have point to Expressway for ACME challenge/response. Similarly unlikely is having a major webserver farm redirect /.well-known/acme-challenge to Expressway, although this would be possible.

Is this correct? Are there any other solutions for this kind of problem beside: 

  1. buying an SSL cert instead of using LetsEncrypt/ACME
  2. signing the zone with DNSSEC and generating TLSA records
  3. redirecting the ACME challenge to Expressway on the webserver farm?