From 0bd717a21e5567269abb7c98a003fa8fd019f020 Mon Sep 17 00:00:00 2001
From: pitchum
Date: Sun, 22 Mar 2020 12:17:08 +0100
Subject: [PATCH] Include XMPP subdomain in certificate when possible.

---
 locales/en.json | 1 +
 src/yunohost/certificate.py | 10 ++++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/locales/en.json b/locales/en.json
index d6784a78d..d2117b7d0 100644
--- a/locales/en.json
+++ b/locales/en.json
@@ -133,6 +133,7 @@
     "certmanager_domain_http_not_working": "It seems the domain {domain:s} cannot be accessed through HTTP. Check that your DNS and NGINX configuration is correct",
     "certmanager_domain_unknown": "Unknown domain '{domain:s}'",
     "certmanager_error_no_A_record": "No DNS 'A' record found for '{domain:s}'. You need to make your domain name point to your machine to be able to install a Let's Encrypt certificate. (If you know what you are doing, use '--no-checks' to turn off those checks.)",
+    "certmanager_warning_subdomain_dns_record": "Subdomain '{subdomain:s}' does not resolve to the same IP address as '{domain:s}'. Some features will not be available until you fix this and regenerate the certificate.",
     "certmanager_hit_rate_limit": "Too many certificates already issued for this exact set of domains {domain:s} recently. Please try again later. See https://letsencrypt.org/docs/rate-limits/ for more details",
     "certmanager_http_check_timeout": "Timed out when server tried to contact itself through HTTP using a public IP address (domain '{domain:s}' with IP '{ip:s}'). You may be experiencing a hairpinning issue, or the firewall/router ahead of your server is misconfigured.",
     "certmanager_no_cert_file": "Could not read the certificate file for the domain {domain:s} (file: {file:s})",
diff --git a/src/yunohost/certificate.py b/src/yunohost/certificate.py
index 9b50749ea..e49db9733 100644
--- a/src/yunohost/certificate.py
+++ b/src/yunohost/certificate.py
@@ -639,8 +639,14 @@ def _prepare_certificate_signing_request(domain, key_file, output_folder):
     # Set the domain
     csr.get_subject().CN = domain
 
-    # Include xmpp-upload subdomain as subject alternate names
-    csr.add_extensions([crypto.X509Extension("subjectAltName", False, "DNS:xmpp-upload." + domain)])
+    # Include xmpp-upload subdomain in subject alternate names
+    subdomain="xmpp-upload." + domain
+    try:
+        _check_domain_is_ready_for_ACME(subdomain)
+        logger.info("Subdmain {} is ready for ACME and will be included in the certificate.".format(subdomain))
+        csr.add_extensions([crypto.X509Extension("subjectAltName", False, "DNS:" + subdomain)])
+    except YunohostError:
+        logger.warning(m18n.n('certmanager_warning_subdomain_dns_record', subdomain=subdomain, domain=domain))
 
     # Set the key
     with open(key_file, 'rt') as f:
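Review bot: The added `logger.info` call misspells its message and, unlike the `logger.warning` a few lines below, bypasses `m18n.n`, so it should read at least `logger.info("Subdomain {} is ready for ACME and will be included in the certificate.".format(subdomain))` or better go through a locale key like the warning does. The `except YunohostError` branch always reports that the subdomain "does not resolve to the same IP address", yet the locale file in this same commit carries separate messages for a missing A record and a failing HTTP check, so `_check_domain_is_ready_for_ACME` can presumably fail for reasons the warning misdescribes; catching with `except YunohostError as e:` and adding `logger.debug(str(e))` would keep the real cause visible to the operator, since the certificate is silently issued without the SAN in that case. The assignment `subdomain="xmpp-upload." + domain` should be spaced per PEP 8, `subdomain = "xmpp-upload." + domain`. The body of `_prepare_certificate_signing_request` continues past the hunk.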