YunoHost/yunohost
1
0
Fork 0
mirror of https://github.com/YunoHost/yunohost.git synced 2024-09-03 20:06:10 +02:00
Code Issues Projects Releases Packages Wiki Activity

More exception handling, this time for previous acme challenge conf already existing in nginx

Browse source
This commit is contained in:
Alexandre Aubin 2016-11-23 21:36:34 -05:00
parent e66a708520
commit 195c675c59
2 changed files with 27 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
locales/en.json
View file

@ -254,5 +254,6 @@
"certmanager_old_letsencrypt_app_detected" : "\nYunohost detected that the 'letsencrypt' app is installed, which conflits with the new built-in certificate management features in Yunohost. If you wish to use the new built-in features, please run the following commands to migrate your installation :\n\n yunohost app remove letsencrypt\n yunohost domain cert-install\n\nN.B. : this will attempt to re-install certificates for all domains with a Let's Encrypt certificate or self-signed certificate.", "certmanager_old_letsencrypt_app_detected" : "\nYunohost detected that the 'letsencrypt' app is installed, which conflits with the new built-in certificate management features in Yunohost. If you wish to use the new built-in features, please run the following commands to migrate your installation :\n\n yunohost app remove letsencrypt\n yunohost domain cert-install\n\nN.B. : this will attempt to re-install certificates for all domains with a Let's Encrypt certificate or self-signed certificate.",
"certmanager_hit_rate_limit" :"Too many certificates already issued for exact set of domains {domain:s} recently. Please try again later. See https://letsencrypt.org/docs/rate-limits/ for more details.", "certmanager_hit_rate_limit" :"Too many certificates already issued for exact set of domains {domain:s} recently. Please try again later. See https://letsencrypt.org/docs/rate-limits/ for more details.",
"certmanager_cert_signing_failed" : "Signing the new certificate failed.", "certmanager_cert_signing_failed" : "Signing the new certificate failed.",
"certmanager_no_cert_file" : "Unable to read certificate file for domain {domain:s} (file : {file:s})" "certmanager_no_cert_file" : "Unable to read certificate file for domain {domain:s} (file : {file:s})",
"certmanager_conflicting_nginx_file": "Unable to prepare domain for ACME challenge : the nginx configuration file {filepath:s} is conflicting and should be removed first."
} }

31
src/yunohost/certificate.py
View file

@ -32,6 +32,7 @@ import smtplib
import requests import requests
import subprocess import subprocess
import dns.resolver import dns.resolver
import glob
from OpenSSL import crypto from OpenSSL import crypto
from datetime import datetime from datetime import datetime
@ -152,15 +153,9 @@ def certificate_install(auth, domain_list, force=False, no_checks=False, self_si
def _certificate_install_selfsigned(domain_list, force=False): def _certificate_install_selfsigned(domain_list, force=False):
for domain in domain_list: for domain in domain_list:
# Check we ain't trying to overwrite a good cert !
if (not force) :
status = _get_status(domain)
if status["summary"]["code"] in ('good', 'great') :
raise MoulinetteError(errno.EINVAL, m18n.n('certmanager_attempt_to_replace_valid_cert', domain=domain))
# Paths of files and folder we'll need # Paths of files and folder we'll need
date_tag = datetime.now().strftime("%Y%m%d.%H%M%S") date_tag = datetime.now().strftime("%Y%m%d.%H%M%S")
new_cert_folder = "%s/%s-history/%s-selfsigned" % (CERT_FOLDER, domain, date_tag) new_cert_folder = "%s/%s-history/%s-selfsigned" % (CERT_FOLDER, domain, date_tag)
@ -175,6 +170,14 @@ def _certificate_install_selfsigned(domain_list, force=False):
crt_file = os.path.join(new_cert_folder, "crt.pem") crt_file = os.path.join(new_cert_folder, "crt.pem")
ca_file = os.path.join(new_cert_folder, "ca.pem") ca_file = os.path.join(new_cert_folder, "ca.pem")
# Check we ain't trying to overwrite a good cert !
current_cert_file = os.path.join(CERT_FOLDER, domain, "crt.pem")
if (not force) and (os.path.isfile(current_cert_file)):
status = _get_status(domain)
if status["summary"]["code"] in ('good', 'great') :
raise MoulinetteError(errno.EINVAL, m18n.n('certmanager_attempt_to_replace_valid_cert', domain=domain))
# Create output folder for new certificate stuff # Create output folder for new certificate stuff
os.makedirs(new_cert_folder) os.makedirs(new_cert_folder)
@ -421,7 +424,9 @@ Subject: %s
def _configure_for_acme_challenge(auth, domain): def _configure_for_acme_challenge(auth, domain):
nginx_conf_file = "/etc/nginx/conf.d/%s.d/000-acmechallenge.conf" % domain
nginx_conf_folder = "/etc/nginx/conf.d/%s.d" % domain
nginx_conf_file = "%s/000-acmechallenge.conf" % nginx_conf_folder
nginx_configuration = ''' nginx_configuration = '''
location '/.well-known/acme-challenge' location '/.well-known/acme-challenge'
@ -431,6 +436,15 @@ location '/.well-known/acme-challenge'
} }
''' % WEBROOT_FOLDER ''' % WEBROOT_FOLDER
# Check there isn't a conflicting file for the acme-challenge well-known uri
for path in glob.glob('%s/*.conf' % nginx_conf_folder):
if (path == nginx_conf_file) :
continue
with open(path) as f:
contents = f.read()
if ('/.well-known/acme-challenge' in contents) :
raise MoulinetteError(errno.EINVAL, m18n.n('certmanager_conflicting_nginx_file', filepath=path))
# Write the conf # Write the conf
if os.path.exists(nginx_conf_file): if os.path.exists(nginx_conf_file):
logger.info("Nginx configuration file for ACME challenge already exists for domain, skipping.") logger.info("Nginx configuration file for ACME challenge already exists for domain, skipping.")
@ -564,6 +578,7 @@ def _prepare_certificate_signing_request(domain, key_file, output_folder):
def _get_status(domain): def _get_status(domain):
cert_file = os.path.join(CERT_FOLDER, domain, "crt.pem") cert_file = os.path.join(CERT_FOLDER, domain, "crt.pem")
if not os.path.isfile(cert_file): if not os.path.isfile(cert_file):