I have a server I use to host Jabber instant messenger for brainonfire.net. I currently use an SSL cert from StartSSL, but they're known to be sketchy and I don't know how long various IM clients will continue to trust them. I'd like to set up the server to use certs from Let's Encrypt, but it's not clear to me what the least worst way of doing this is, given that the website for that domain is hosted elsewhere.
I host www.brainonfire.net on nearlyfreespeech.net, which has a nice little utility to automatically get and install certs from Let's Encrypt. The cert files end up in a place I can SSH to. The home server I host Jabber on (named kibble) just has Jabber-related ports open, and in particular ports 80 and 443 on that IP go to a different server, named toster. Here are the options I can picture:
- Manually copy the certs over every 30 days. (I could start with this.)
- Have kibble automatically SSH into my web host and grab the certs periodically, then install them into Prosody. (I would be *really* leery of doing this -- that SSH environment in my web host has a ton of access, and this would require passwordless SSH keys.)
- Point the A record for brainonfire.net to toster, which would use haproxy or nginx to forward brainonfire.net requests to kibble, which would just intercept ACME challenges and otherwise send redirects to www.brainonfire.net just like nearlyfreespeech.net would normally do. (This is awful in several ways.)
- ETA: Have a cron job on the web host copy the keys directly to kibble, into a limited user directory, and then have a cron job on kibble pick up the keys and install them. (This... might work?)
I don't think I can manipulate brainonfire.net's DNS from any of my servers (this is a good thing) and I don't think my web site can see the cert files in order to serve them up to kibble via an authenticated request (this is probably *also* a good thing). I don't want to host my website on kibble, and I can't host Jabber at nearlyfreespeech.net. Are there any other options I've missed?