Prosody check returns DNS and certificate problems - What is the purpose of those DNS entries and certificates?

Out of curiosity I executed the command prosodyctl check. It returns a lot of DNS errors and also some certificate errors. The (anonymized) output is:

Checking config...
Done.

Checking DNS for host jitsi.my-domain.tld...
    Host jitsi.my-domain.tld does not seem to resolve to this server (IPv4/IPv6)

Checking DNS for component conferenceduration.jitsi.my-domain.tld...
    Host conferenceduration.jitsi.my-domain.tld does not seem to resolve to this server (IPv4/IPv6)

Checking DNS for component speakerstats.jitsi.my-domain.tld...
    Host speakerstats.jitsi.my-domain.tld does not seem to resolve to this server (IPv4/IPv6)

Checking DNS for host localhost...
    Target 'localhost' cannot be accessed from other servers

Checking DNS for component conference.jitsi.my-domain.tld...
    Host conference.jitsi.my-domain.tld does not seem to resolve to this server (IPv4/IPv6)

Checking DNS for host auth.jitsi.my-domain.tld...
    Host auth.jitsi.my-domain.tld does not seem to resolve to this server (IPv4/IPv6)

Checking DNS for component focus.jitsi.my-domain.tld...
    Host focus.jitsi.my-domain.tld does not seem to resolve to this server (IPv4/IPv6)

Checking DNS for component internal.auth.jitsi.my-domain.tld...
    Host internal.auth.jitsi.my-domain.tld does not seem to resolve to this server (IPv4/IPv6)

Checking DNS for component lobby.jitsi.my-domain.tld...
    Host lobby.jitsi.my-domain.tld does not seem to resolve to this server (IPv4/IPv6)

Checking certificates...
Checking certificate for jitsi.my-domain.tld
  Certificate: /etc/prosody/certs/jitsi.my-domain.tld.crt
Checking certificate for conferenceduration.jitsi.my-domain.tld
  Certificate: /etc/prosody/certs/jitsi.my-domain.tld.crt
Checking certificate for speakerstats.jitsi.my-domain.tld
  Certificate: /etc/prosody/certs/jitsi.my-domain.tld.crt
Checking certificate for localhost
  Certificate: /etc/prosody/certs/localhost.crt
    Not valid for client connections to localhost.
    Not valid for server-to-server connections to localhost.
Checking certificate for conference.jitsi.my-domain.tld
  Certificate: /etc/prosody/certs/jitsi.my-domain.tld.crt
Checking certificate for auth.jitsi.my-domain.tld
  Certificate: /etc/prosody/certs/auth.jitsi.my-domain.tld.crt
Checking certificate for focus.jitsi.my-domain.tld
  Certificate: /etc/prosody/certs/jitsi.my-domain.tld.crt
Checking certificate for internal.auth.jitsi.my-domain.tld
  Certificate: /etc/prosody/certs/auth.jitsi.my-domain.tld.crt
Checking certificate for lobby.jitsi.my-domain.tld
  Certificate: /etc/prosody/certs/jitsi.my-domain.tld.crt

For more information about certificates please see https://prosody.im/doc/certificates

Problems found, see above.

According to the installation guide, I only set up a DNS record for the main domain jitsi.my-domain.tld. The certificates seem to be self-signed, but are accepted, except for the certificate for localhost. Somewhere (but I don’t remember where), I even read that one should not and must not create DNS records for those subdomains which are listed above and cause errors. The answer in Questions about the prosody certificates says that one should not care about the certificates, because they are somehow “internal” to Prosody.

Nonetheless it would be nice to have some more background information about the DNS hosts and those certificates:

  1. What are those DNS hosts for? Why does it not matter, if they resolve to a real host?
  2. What are those certificates for? Why do they not need to be replaced by “real” properly signed certificates by a real CA? Why does it not matter, that the certificate for localhost seems to be invalid?
  3. If nothing of the above matters and is a “don’t-care”, why does prosodyctl check report it as errors?

Non-important background information: I run a self-hosted Jitsi installation and installed it from the Ubuntu repositories as described in the Self-Hosting Guide for Debian/Ubuntu. I also enabled a Secure Domain setup and created some users with prosodyctl register <username> jitsi.my-domain.tld <password>. The TLS certificates which are served to clients from the reverse proxy are proper certificates signed by LetsEncrypt and everything seems to work smoothly.

These are not DNS hosts. These are components and virtualhosts and are internal to the system; there is no need for DNS for those.

Same for the certs: the only valid certificate you need is on the web server that is terminating the SSL connection.

That check command is probably used when you use the XMPP server as a public XMPP server (I have never seen it or used it), whereas here it is used as part of a larger system and those are not needed …
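
An added example, not part of the thread and not Prosody or Jitsi code: a small parser for the `prosodyctl check` output quoted in the question that separates findings on names clients actually connect to from findings on names used only inside the installation. The `public_names` set is an assumption supplied by the operator, and the sample is a shortened, constructed copy of the output above.

```python
import re

# Constructed sample: shortened copy of the `prosodyctl check` output in the question.
SAMPLE = """\
Checking DNS for host jitsi.my-domain.tld...
    Host jitsi.my-domain.tld does not seem to resolve to this server (IPv4/IPv6)
Checking DNS for component conference.jitsi.my-domain.tld...
    Host conference.jitsi.my-domain.tld does not seem to resolve to this server (IPv4/IPv6)
Checking DNS for host localhost...
    Target 'localhost' cannot be accessed from other servers

Checking certificates...
Checking certificate for jitsi.my-domain.tld
  Certificate: /etc/prosody/certs/jitsi.my-domain.tld.crt
Checking certificate for localhost
  Certificate: /etc/prosody/certs/localhost.crt
    Not valid for client connections to localhost.
    Not valid for server-to-server connections to localhost.
Checking certificate for conference.jitsi.my-domain.tld
  Certificate: /etc/prosody/certs/jitsi.my-domain.tld.crt
"""

HEADER = re.compile(r"^Checking (DNS|certificate) for (?:(host|component) )?(\S+?)(?:\.\.\.)?$")

def parse_check(text):
    """Return {name: {"kind", "cert", "dns": [...], "tls": [...]}} from check output."""
    hosts, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:  # a new "Checking DNS/certificate for <name>" block starts
            section, kind, name = m.groups()
            current = hosts.setdefault(name, {"kind": None, "cert": None, "dns": [], "tls": []})
            current["kind"] = kind or current["kind"]
        elif current is not None and raw.startswith(" "):  # indented detail line
            if line.startswith("Certificate:"):
                current["cert"] = line.split(":", 1)[1].strip()
            else:
                current["dns" if section == "DNS" else "tls"].append(line)
    return hosts

def triage(hosts, public_names):
    """Split findings by whether the name is one clients reach (public_names: assumption)."""
    public, internal = {}, {}
    for name, info in hosts.items():
        findings = info["dns"] + info["tls"]
        if findings:
            (public if name in public_names else internal)[name] = findings
    return public, internal
```

Calling `triage(parse_check(SAMPLE), {"jitsi.my-domain.tld"})` leaves only the main domain's finding in the first dictionary; everything reported for `localhost` and the component lands in the second.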