From b89228426667105eb1bc5164c7dd30fa5ba1f6a9 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sun, 13 Aug 2017 12:59:39 -0400 Subject: [PATCH 1/3] [fix] Remove check that domain is resolved locally --- src/yunohost/certificate.py | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/src/yunohost/certificate.py b/src/yunohost/certificate.py index a6a084d9a..6a5397e99 100644 --- a/src/yunohost/certificate.py +++ b/src/yunohost/certificate.py @@ -819,13 +819,6 @@ def _check_domain_is_ready_for_ACME(domain): raise MoulinetteError(errno.EINVAL, m18n.n( 'certmanager_domain_http_not_working', domain=domain)) - # Check if domain is resolved locally (Might happen despite the previous - # checks because of dns propagation ?... Acme-tiny won't work in that case, - # because it explicitly requests() the domain.) - if not _domain_is_resolved_locally(public_ip, domain): - raise MoulinetteError(errno.EINVAL, m18n.n( - 'certmanager_domain_not_resolved_locally', domain=domain)) - def _dns_ip_match_public_ip(public_ip, domain): try: @@ -854,17 +847,6 @@ def _domain_is_accessible_through_HTTP(ip, domain): return True -def _domain_is_resolved_locally(public_ip, domain): - try: - ip = socket.gethostbyname(domain) - except socket.error as e: - logger.debug("Couldn't get domain '%s' ip because: %s" % (domain, e)) - return False - - logger.debug("Domain '%s' IP address is resolved to %s, expect it to be %s or in the 127.0.0.0/8 address block" % (domain, public_ip, ip)) - return ip.startswith("127.") or ip == public_ip - - def _name_self_CA(): ca_conf = os.path.join(SSL_DIR, "openssl.ca.cnf") From a050b405591ffa1f802671a12cc7847d27320919 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sun, 13 Aug 2017 17:07:20 -0400 Subject: [PATCH 2/3] Removed unusted socket import --- src/yunohost/certificate.py | 1 - 1 file changed, 1 deletion(-) diff --git a/src/yunohost/certificate.py b/src/yunohost/certificate.py index 6a5397e99..a2726e84f 100644 
--- a/src/yunohost/certificate.py +++ b/src/yunohost/certificate.py @@ -31,7 +31,6 @@ import grp import smtplib import requests import subprocess -import socket import dns.resolver import glob From 951589ad07e8c35dd7a9a54e162a044eb885f285 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sun, 13 Aug 2017 17:16:07 -0400 Subject: [PATCH 3/3] Regen dnsmasq conf if it's not up to date :| --- src/yunohost/certificate.py | 47 ++++++++++++++++++++++++++++++++++++- 1 file changed, 46 insertions(+), 1 deletion(-) diff --git a/src/yunohost/certificate.py b/src/yunohost/certificate.py index a2726e84f..b6fb0e275 100644 --- a/src/yunohost/certificate.py +++ b/src/yunohost/certificate.py @@ -47,7 +47,7 @@ import yunohost.domain from moulinette import m18n from yunohost.app import app_ssowatconf -from yunohost.service import _run_service_command +from yunohost.service import _run_service_command, service_regen_conf logger = getActionLogger('yunohost.certmanager') @@ -528,6 +528,9 @@ def _fetch_and_enable_new_certificate(domain, staging=False): _set_permissions(WEBROOT_FOLDER, "root", "www-data", 0650) _set_permissions(TMP_FOLDER, "root", "root", 0640) + # Regen conf for dnsmasq if needed + _regen_dnsmasq_if_needed() + # Prepare certificate signing request logger.info( "Prepare key and certificate signing request (CSR) for %s...", domain) 
@@ -846,6 +849,48 @@ def _domain_is_accessible_through_HTTP(ip, domain): return True +# FIXME / TODO : ideally this should not be needed. There should be a proper +# mechanism to regularly check the value of the public IP and trigger +# corresponding hooks (e.g. dyndns update and dnsmasq regen-conf) +def _regen_dnsmasq_if_needed(): + """ + Update the dnsmasq conf if some IPs are not up to date... + """ + try: + ipv4 = yunohost.domain.get_public_ip() + except: + ipv4 = None + try: + ipv6 = yunohost.domain.get_public_ip(6) + except: + ipv6 = None + + do_regen = False + + # For all domain files in DNSmasq conf... + domainsconf = glob.glob("/etc/dnsmasq.d/*.*") + for domainconf in domainsconf: + + # Look for the IP, it's in the lines with this format : + # address=/the.domain.tld/11.22.33.44 + for line in open(domainconf).readlines(): + if not line.startswith("address"): + continue + ip = line.strip().split("/")[2] + + # Compared found IP to current IPv4 / IPv6 + # IPv6 IPv4 + if (":" in ip and ip != ipv6) or (ip != ipv4): + do_regen = True + break + + if do_regen: + break + + if do_regen: + service_regen_conf(["dnsmasq"]) + + def _name_self_CA(): ca_conf = os.path.join(SSL_DIR, "openssl.ca.cnf")
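Review bot: The staleness test in `_regen_dnsmasq_if_needed` is wrong for IPv6 entries: in `if (":" in ip and ip != ipv6) or (ip != ipv4):` the second clause is always true for an IPv6 string (it can never equal an IPv4 address), so any `address=/.../<v6>` line forces a dnsmasq regen on every certificate request. Select the expected address by family instead, `expected = ipv6 if ":" in ip else ipv4` followed by `if ip != expected:`, keeping the `do_regen = True` / `break` lines. The two bare `except:` clauses around `get_public_ip()` should at least be `except Exception:` so SystemExit and KeyboardInterrupt are not swallowed, and when a lookup fails the resulting `None` makes every line of that family look stale, so skipping that family is probably preferable to regenerating on a transient failure. `open(domainconf).readlines()` never closes the handle; iterate under `with open(domainconf) as f:` instead. Note also that an IOError while reading a conf file, or an error raised by `service_regen_conf`, propagates into `_fetch_and_enable_new_certificate` and aborts the whole certificate request.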