From c6e8bb5d26bb9bf85ded4902f409204c9d3825bc Mon Sep 17 00:00:00 2001
From: pitchum
Date: Wed, 30 Oct 2019 09:07:58 +0100
Subject: [PATCH] Always expect subdomain xmpp-upload.domain.net.

This subdomain will be part of Letsencrypt certificate so it MUST be defined in DNS zone otherwise certificate renewal will fail.
---
 data/templates/ssl/openssl.cnf | 2 +-
 src/yunohost/certificate.py    | 3 +++
 src/yunohost/domain.py         | 2 ++
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/data/templates/ssl/openssl.cnf b/data/templates/ssl/openssl.cnf
index fa5d19fa3..3ef7d80c3 100644
--- a/data/templates/ssl/openssl.cnf
+++ b/data/templates/ssl/openssl.cnf
@@ -192,7 +192,7 @@ authorityKeyIdentifier=keyid,issuer
 basicConstraints = CA:FALSE
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-subjectAltName=DNS:yunohost.org,DNS:www.yunohost.org,DNS:ns.yunohost.org
+subjectAltName=DNS:yunohost.org,DNS:www.yunohost.org,DNS:ns.yunohost.org,DNS:xmpp-upload.yunohost.org
 [ v3_ca ]
diff --git a/src/yunohost/certificate.py b/src/yunohost/certificate.py
index d141ac8e5..9b50749ea 100644
--- a/src/yunohost/certificate.py
+++ b/src/yunohost/certificate.py
@@ -639,6 +639,9 @@ def _prepare_certificate_signing_request(domain, key_file, output_folder):
     # Set the domain
     csr.get_subject().CN = domain
+    # Include xmpp-upload subdomain as subject alternate names
+    csr.add_extensions([crypto.X509Extension("subjectAltName", False, "DNS:xmpp-upload." + domain)])
+
     # Set the key
     with open(key_file, 'rt') as f:
         key = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read())
diff --git a/src/yunohost/domain.py b/src/yunohost/domain.py
index 8f8a68812..5037e9334 100644
--- a/src/yunohost/domain.py
+++ b/src/yunohost/domain.py
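Review bot: The SAN list for the self-signed template is now maintained in two places — this `subjectAltName=` line and the `subjectAltName` extension added to the CSR in `_prepare_certificate_signing_request` in certificate.py — and nothing ties them together, so the next subdomain added to one will be missed in the other. A short comment above the line would make the coupling explicit: `# keep in sync with the SANs set on the CSR in src/yunohost/certificate.py`. Whether `yunohost.org` here is substituted with the real domain when the self-signed certificate is generated is not visible in this hunk.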
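Review bot: The added subjectAltName extension lists only `DNS:xmpp-upload.<domain>` and not the domain itself, so whether the base name ends up in the issued certificate depends on the CA folding the CN into the SANs; clients following RFC 6125 ignore the CN once a SAN extension is present, and a CA that honours the CSR literally would issue a certificate that does not cover the main domain. The extension should carry both names: `csr.add_extensions([crypto.X509Extension("subjectAltName", False, "DNS:" + domain + ",DNS:xmpp-upload." + domain)])`. Because every name in the CSR must pass validation, the unconditional inclusion also turns a missing `xmpp-upload` record on an existing installation into a failed renewal of the main certificate, as the commit message itself admits; checking that the name resolves (or at least logging a clear warning) before adding it would limit that blast radius. The comment should read "subject alternative name", and if this file is ever run under Python 3 pyOpenSSL expects the extension value as bytes. `_prepare_certificate_signing_request` continues outside the hunk.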
@@ -412,6 +412,7 @@ def _build_dns_conf(domain, ttl=3600):
         {"type": "CNAME", "name": "muc", "value": "@", "ttl": 3600},
         {"type": "CNAME", "name": "pubsub", "value": "@", "ttl": 3600},
         {"type": "CNAME", "name": "vjud", "value": "@", "ttl": 3600}
+        {"type": "CNAME", "name": "xmpp-upload", "value": "@", "ttl": 3600}
     ],
     "mail": [
         {"type": "MX", "name": "@", "value": "10 domain.tld.", "ttl": 3600},
@@ -453,6 +454,7 @@ def _build_dns_conf(domain, ttl=3600):
         ["muc", ttl, "CNAME", "@"],
         ["pubsub", ttl, "CNAME", "@"],
         ["vjud", ttl, "CNAME", "@"],
+        ["xmpp-upload", ttl, "CNAME", "@"],
     ]
     # SPF record
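Review bot: The new `{"type": "CNAME", "name": "xmpp-upload", ...}` entry is placed directly after the `vjud` entry, which has no trailing comma, so the two literals are adjacent. This hunk looks like the docstring example of `_build_dns_conf` (the values are literal `3600`, not `ttl`), in which case the example is no longer valid JSON; if it were executable code it would be a SyntaxError. Add the comma on the previous line: `{"type": "CNAME", "name": "vjud", "value": "@", "ttl": 3600},`. `_build_dns_conf` starts before and continues after this hunk.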
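Review bot: The new `["xmpp-upload", ttl, "CNAME", "@"]` record is the only entry in this list that certificate issuance now depends on, and nothing on the line says so, so a later cleanup could drop it and silently break renewal. A comment would preserve the reasoning from the commit message: `# required: xmpp-upload is a SAN of the Let's Encrypt certificate (see certificate.py); without this record renewal fails`. Whether existing installations get this record pushed to their zone or only see it as a recommendation is not visible from the hunk.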