Manually adding a domain (xmpp-upload) to an existing certificate

Hi there! I need some advice for a slightly advanced XMPP setup.

YunoHost version: 11.2.9.1
Primary Domain: sub.domain.tld
Also present, but may move: domain.tld
Problem: xmpp-upload cert not generated

I have YunoHost set up with the main server on main.domain.tld. XMPP wasn’t enabled so far, but now I’m trying to enable it for the domain domain.tld. To do this, I’ve added SRV and CNAME records pointing to sub.domain.tld instead of to domain.tld as recommended by the admin console.

_xmpp-client._tcp 3600 IN SRV 0 5 5222 sub.domain.tld.
_xmpp-server._tcp 3600 IN SRV 0 5 5269 sub.domain.tld.
muc 3600 IN CNAME sub.domain.tld.
pubsub 3600 IN CNAME sub.domain.tld.
vjud 3600 IN CNAME sub.domain.tld.
xmpp-upload 3600 IN CNAME sub.domain.tld.

So the XMPP domain shows as domain.tld, but in reality it is all hosted on the server at sub.domain.tld.

The problem: Now I can log in to XMPP and send messages without any issues. But when I try to upload files I get an “invalid certificate” error. This is even after renewing certificates and reloading nginx and Metronome. I suspect it’s because xmpp-upload.domain.tld is not included in the certificate. In fact, the log gives a warning that this domain is pointed to sub.domain.tld instead of domain.tld.

Is there a way to manually include the xmpp-upload.domain.tld domain (and others like muc and pubsub) in the domain.tld certificate? If I were using certbot manually I would have done something like:

# one -d per name that must appear in the certificate's SAN list
certbot certonly -d domain.tld -d xmpp-upload.domain.tld -d pubsub.domain.tld ...

but I couldn’t find a way to do that with YunoHost.

Some notes:

  • I had this setup with an older installation, and it was working fine, but I forgot how exactly it was set up. Maybe it’s related to changes in the way YunoHost handles domains, or to do with the fact that I’m only enabling XMPP now, after setup, rather than in the beginning?

  • domain.tld is also hosted on the same server at the moment, but it might move (which is why I didn’t direct the DNS records there to start with). Could this be causing the problem? The thing is I’m planning to continue using domain.tld under YunoHost for email and XMPP even if the HTTP website is hosted elsewhere, so this domain will always be there in the config even if the DNS points elsewhere. That means I can change the SRV records to point to domain.tld for now, but will run into this problem again when I need to switch.

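A quick way to confirm the suspicion in the post is to compare the names a client will validate for the XMPP domain against the SubjectAltName list of the certificate that is actually served. The script below is an added example, not code from the thread or from YunoHost; the SAN strings are constructed to mirror the setup described above, and the helper names (required_xmpp_names, parse_san, missing_names) are mine. It takes the SAN text in the shape printed by `openssl x509 -noout -ext subjectAltName`, applies RFC 6125 style matching (including single-label wildcards), and reports which names are missing. The point it illustrates is that a CNAME such as `xmpp-upload IN CNAME sub.domain.tld.` only changes where the client connects; the client still validates xmpp-upload.domain.tld, so that name must be in the certificate, and a certificate for sub.domain.tld does not help.

```python
"""Check whether a certificate's SubjectAltName list covers the names an
XMPP client will validate for a given XMPP domain.

Added example, not from the forum thread or from YunoHost. The SAN texts
below are constructed to mirror the setup in the post; helper names are mine.
"""

import re
from typing import Iterable

# Service subdomains the post's DNS records define for the XMPP domain.
XMPP_SUBDOMAINS = ("muc", "pubsub", "vjud", "xmpp-upload")


def required_xmpp_names(xmpp_domain: str) -> list[str]:
    """Names a client may validate when using `xmpp_domain` for XMPP.

    A CNAME only changes where the client connects; TLS validation is
    against the name it asked for, so the certificate needs
    xmpp-upload.<xmpp_domain> even when that CNAME points at another host.
    """
    return [xmpp_domain] + [f"{s}.{xmpp_domain}" for s in XMPP_SUBDOMAINS]


def parse_san(openssl_ext_output: str) -> list[str]:
    """Extract DNS names from text shaped like
    `openssl x509 -noout -ext subjectAltName` output."""
    return [m.lower() for m in re.findall(r"DNS:([^,\s]+)", openssl_ext_output)]


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: exact, or a single leading '*' label that
    matches exactly one label. *.domain.tld covers muc.domain.tld but
    neither domain.tld nor a.b.domain.tld; *.tld is never accepted."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    h_labels = hostname.split(".")
    # Require at least two labels under the wildcard (rejects *.tld).
    return len(h_labels) >= 3 and ".".join(h_labels[1:]) == pattern[2:]


def missing_names(san_names: Iterable[str], xmpp_domain: str) -> list[str]:
    """Required names for `xmpp_domain` that no SAN entry covers."""
    sans = list(san_names)
    return [n for n in required_xmpp_names(xmpp_domain)
            if not any(name_matches(s, n) for s in sans)]


# Constructed sample SAN texts for the certificates involved in the post.
CERT_SUB = "X509v3 Subject Alternative Name:\n    DNS:sub.domain.tld\n"
CERT_DOMAIN = ("X509v3 Subject Alternative Name:\n"
               "    DNS:domain.tld, DNS:www.domain.tld\n")
CERT_FIXED = ("X509v3 Subject Alternative Name:\n"
              "    DNS:domain.tld, DNS:muc.domain.tld, DNS:pubsub.domain.tld, "
              "DNS:vjud.domain.tld, DNS:xmpp-upload.domain.tld\n")

if __name__ == "__main__":
    for label, text in (("sub.domain.tld cert", CERT_SUB),
                        ("domain.tld cert", CERT_DOMAIN),
                        ("cert with XMPP names", CERT_FIXED)):
        print(f"{label}: missing {missing_names(parse_san(text), 'domain.tld')}")
```

On a live host the same check is `openssl s_client -connect sub.domain.tld:443 -servername xmpp-upload.domain.tld </dev/null | openssl x509 -noout -ext subjectAltName`, piping that text into parse_san; the `-servername` matters, because nginx picks the certificate by SNI and the upload client sends xmpp-upload.domain.tld, not sub.domain.tld.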