Probs with Let's Encrypt certificates when needing a second TLD for password protection

Hi folks,

I’m pretty new to jitsi and as far as I can say up to now it’s just what I was looking for since a while. Great work!

New users only can create two links, so please replace AAA by “

What did I do so far?

  1. Book a vServer with 2 cores and 8GB RAM, fixed IPv4 and IPv6.
  2. Get a domain “AAA” at another provider and made an A record for “*.AAA” to the fixed IP of the server (1). Also changed a setting at the provider which is called something like “main IP of the domain” to the IP of the server (1). Now every ping is answered by the server (1).
  3. Installed Debian Buster on server (1), nginx and jitsi. Set up the whole thing to “AAA” and got a Let’s Encrypt certificate working using jitsi’s client for that.

So far, so great. Everything runs smooth and easy until I want to use password protection. Therefore I have to use some other TLD like “join.AAA” or “admin.AAA”, but as far as I see the server didn’t get a wildcard certificate.

When I manually add some certificates for “join.AAA” or other TLD, I get this work, but they will not to be renewed in three months. I then should do the whole renewal by hand.

As far as I see there are also some TLDs which are used by jitsi as default. They might also need some certificate to run.

Searching this forum and the web I found this problem several times, but no solution to it.

Maybe anyone here has an idea about a solution?


Why do you need those? For password protection you don’t need it.

There are number of XMPP domains used in the whole system but all of those are virtual used only internally and does not need to be resolvable and does not need a certificate, what is needed is generated on install time. The only DNS and certificate you need is the main domain you use to access the deployment “”.

Thanks for your answer :slight_smile:

I’m pretty new to Jitsi, but as far as I understood I will need one Domain where I show up to start a new session and there has to be a second domain where the guests show up.

I would be really glad not to have a bunch of TLD. Even more glad to have none of them. Explains that you need to add new virtualhost for the guest domains, but this one is just an internal xmpp domain and does not need DNS.
You open the for a meeting that has not started and you are asked are you the host, if yes then you enter credentials and you create the meeting, otherwise, you wait and once the meeting is created you will automatically join.

:man_facepalming: Ok!

but this one is just an internal xmpp domain and does not need DNS.

Got it! Thanks a lot. I will test that tomorrow morning and make a fresh install from the roots (not that I have to like in Windows, but I’d like to have the feeling of a fresh machine if it is just for one purpose)

It looks like some things are sometimes much easier than they seem to be.