Hi,
I think I have found the PROBLEM for my own domain, not for domain.noho.st
TL;DR
Change issue to issuewild in the CAA record for @ letsencrypt:
@ 3600 IN CAA 128 issuewild "letsencrypt.org"
So now, when renewing the letsencrypt certificate, it does find and verify the xmpp-upload subdomain.
root@ynh:~# yunohost domain cert-renew --no-checks --force domain.tld
Warning: 'yunohost domain cert-renew' is deprecated and will be removed in the future
Warning: 'yunohost domain cert-renew' is deprecated and will be removed in the future
Info: Now attempting renewing of certificate for domain domain.tld !
Info: Parsing account key...
Info: Parsing CSR...
Info: Found domains: xmpp-upload.domain.tld, domain.tld
... and so on
Info: xmpp-upload.domain.tld verified!
Info: Signing certificate...
Info: Certificate signed!
Success! Let's Encrypt certificate renewed for the domain 'domain.tld'
At least it works in one of my domains.
So I would suggest adding issuewild to the letsencrypt CAA record config, OR creating an A record for the xmpp-upload subdomain, I guess (?), would also do the trick.
Question
Please, where is YunoHost's domain DNS config stored (domain.noho.st in my case), so I could change the CAA value, try at least, from issue to issuewild?
and
Could it be that the “*” A record from Extra is missing from the DNS config?
IDK, just guessing.
Thank you.
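An added example, not part of the original post: a small evaluator for how a CA reads the `issue` and `issuewild` CAA properties under RFC 8659, applied to the record from the post. The "before" record with `issue` is constructed from the post's description, and `other-ca.example` is a placeholder CA name.

```python
import shlex

KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # tags this checker understands

def parse_caa(line):
    """Parse one zone-file CAA line into (flags, tag, value)."""
    fields = shlex.split(line)          # shlex strips the quotes around the value
    i = fields.index("CAA")
    return int(fields[i + 1]), fields[i + 2].lower(), fields[i + 3]

def issuer_of(value):
    """Issuer domain of a property value; parameters after ';' are dropped."""
    return value.split(";", 1)[0].strip().lower()

def caa_permits(rrset_lines, ca_domain, wildcard):
    """Return (allowed, reason) for ca_domain issuing under this CAA RRset."""
    records = [parse_caa(line) for line in rrset_lines]
    # Flag bit 128 (critical) on a tag the CA does not understand blocks issuance.
    for flags, tag, _ in records:
        if flags & 128 and tag not in KNOWN_TAGS:
            return False, f"unknown critical tag {tag!r}"
    issue = [issuer_of(v) for _, t, v in records if t == "issue"]
    issuewild = [issuer_of(v) for _, t, v in records if t == "issuewild"]
    if wildcard and issuewild:
        relevant, used = issuewild, "issuewild"   # issuewild overrides issue
    elif issue:
        relevant, used = issue, "issue"           # issue also covers wildcards
    else:
        # issuewild is ignored for non-wildcard names, so nothing restricts here.
        return True, "no applicable property: CAA does not restrict issuance"
    if ca_domain.lower() in relevant:
        return True, f"{used} authorizes {ca_domain}"
    return False, f"{used} does not list {ca_domain}"

# Constructed "before" record, and the record quoted in the post.
BEFORE = ['@ 3600 IN CAA 128 issue "letsencrypt.org"']
AFTER = ['@ 3600 IN CAA 128 issuewild "letsencrypt.org"']

if __name__ == "__main__":
    for name, rrset in (("issue", BEFORE), ("issuewild", AFTER)):
        for ca in ("letsencrypt.org", "other-ca.example"):
            for wild in (False, True):
                ok, why = caa_permits(rrset, ca, wild)
                print(f"{name:9} {ca:17} wildcard={wild!s:5} -> {ok} ({why})")
```

With only the `issuewild` record present, non-wildcard names such as xmpp-upload.domain.tld are not restricted to any CA; keeping an `issue` record alongside it preserves that restriction.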