From 4432d28c098d85184bab20ad9f98851b1810b698 Mon Sep 17 00:00:00 2001
From: Gabriel
Date: Thu, 4 Feb 2021 20:21:49 +0100
Subject: [PATCH] [muc subdomain] add to domain's certificate the alt subdomain muc

---
 data/templates/nginx/server.tpl.conf | 2 +-
 src/yunohost/certificate.py | 31 ++++++++++++++++------------
 2 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf
index 8bd689a92..8a57dda55 100644
--- a/data/templates/nginx/server.tpl.conf
+++ b/data/templates/nginx/server.tpl.conf
@@ -6,7 +6,7 @@ map $http_upgrade $connection_upgrade {
 server {
 listen 80;
 listen [::]:80;
- server_name {{ domain }} xmpp-upload.{{ domain }};
+ server_name {{ domain }} xmpp-upload.{{ domain }} muc.{{ domain }};
 access_by_lua_file /usr/share/ssowat/access.lua;
diff --git a/src/yunohost/certificate.py b/src/yunohost/certificate.py
index c48af2c07..f97cb42e5 100644
--- a/src/yunohost/certificate.py
+++ b/src/yunohost/certificate.py
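Review bot: The added `muc.{{ domain }}` in `server_name` covers only the port-80 server visible in this hunk; if the TLS server block for the domain further down the template has its own `server_name`, it needs the same addition, otherwise the new SAN is issued but nginx never serves that certificate for muc. The port-80 entry is presumably what lets the ACME HTTP-01 challenge for muc reach this host, so the regenerated nginx config has to be in place before the certificate is requested or validation of the new SAN fails. This server block continues outside the hunk.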
@@ -659,34 +659,39 @@ def _prepare_certificate_signing_request(domain, key_file, output_folder): csr.get_subject().CN = domain from yunohost.domain import domain_list - - # For "parent" domains, include xmpp-upload subdomain in subject alternate names + # For "parent" domains, include xmpp-upload and muc subdomains in subject + # alternate names if domain in domain_list(exclude_subdomains=True)["domains"]: - subdomain = "xmpp-upload." + domain xmpp_records = ( Diagnoser.get_cached_report( "dnsrecords", item={"domain": domain, "category": "xmpp"} ).get("data") or {} ) - if xmpp_records.get("CNAME:xmpp-upload") == "OK": + sanlist = [] + for sub in ('xmpp-upload', 'muc'): + subdomain = sub + "." + domain + if xmpp_records.get("CNAME:" + sub) == "OK": + sanlist.append(("DNS:" + subdomain)) + else: + logger.warning( + m18n.n( + "certmanager_warning_subdomain_dns_record", + subdomain=subdomain, + domain=domain, + ) + ) + + if sanlist: csr.add_extensions( [ crypto.X509Extension( "subjectAltName".encode("utf8"), False, - ("DNS:" + subdomain).encode("utf8"), + (", ".join(sanlist)).encode("utf-8"), ) ] ) - else: - logger.warning( - m18n.n( - "certmanager_warning_subdomain_dns_record", - subdomain=subdomain, - domain=domain, - ) - ) # Set the key with open(key_file, "rt") as f:
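Review bot: The new loop assumes the cached dnsrecords report carries a `CNAME:muc` entry alongside `CNAME:xmpp-upload`, but this patch changes nothing in the diagnoser or DNS configuration that would produce it; if that key is absent, `xmpp_records.get("CNAME:muc")` is `None`, muc is silently left out of the SAN list and the warning fires on every CSR. Confirm the dnsrecords diagnoser's xmpp category already checks the muc CNAME, or add it in the same change so the new SAN can actually be requested. Because `get_cached_report` is used, a freshly created record is also not seen until the diagnoser reruns, which deserves a comment above the lookup such as `# relies on the cached diagnoser report: a just-added CNAME is not seen until it reruns`. Minor style: the file is black-formatted with double quotes, so `for sub in ("xmpp-upload", "muc"):`, the redundant parentheses in `sanlist.append("DNS:" + subdomain)` and `", ".join(sanlist).encode("utf-8")` can go, and the two `encode` calls now spell the same codec as "utf8" and "utf-8". `_prepare_certificate_signing_request` continues outside the hunk.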