From c42f7172f7a4ada26209cac392c844a2d57c6d01 Mon Sep 17 00:00:00 2001 From: pitchum Date: Wed, 22 Apr 2020 10:34:40 +0200 Subject: [PATCH] Do not include xmpp-upload in certificates of "child" domains Co-Authored-By: Alexandre Aubin --- src/yunohost/certificate.py | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/src/yunohost/certificate.py b/src/yunohost/certificate.py index c6f520b4e..aa137c784 100644 --- a/src/yunohost/certificate.py +++ b/src/yunohost/certificate.py @@ -639,13 +639,15 @@ def _prepare_certificate_signing_request(domain, key_file, output_folder): # Set the domain csr.get_subject().CN = domain - # Include xmpp-upload subdomain in subject alternate names - subdomain="xmpp-upload." + domain - try: - _dns_ip_match_public_ip(get_public_ip(), subdomain) - csr.add_extensions([crypto.X509Extension("subjectAltName", False, "DNS:" + subdomain)]) - except YunohostError: - logger.warning(m18n.n('certmanager_warning_subdomain_dns_record', subdomain=subdomain, domain=domain)) + from yunohost.domain import domain_list + # For "parent" domains, include xmpp-upload subdomain in subject alternate names + if domain in domain_list(exclude_subdomains=True)["domains"]: + subdomain="xmpp-upload." + domain + try: + _dns_ip_match_public_ip(get_public_ip(), subdomain) + csr.add_extensions([crypto.X509Extension("subjectAltName", False, "DNS:" + subdomain)]) + except YunohostError: + logger.warning(m18n.n('certmanager_warning_subdomain_dns_record', subdomain=subdomain, domain=domain)) # Set the key with open(key_file, 'rt') as f: