Merge pull request #349 from YunoHost/fix-925-local-domain-resolution

[fix] Local domain resolution in cert-install/renew

src/yunohost/certificate.py

@@ -31,7 +31,6 @@ import grp
 import smtplib
 import requests
 import subprocess
-import socket
 import dns.resolver
 import glob
 
@@ -48,7 +47,7 @@ import yunohost.domain
 
 from moulinette import m18n
 from yunohost.app import app_ssowatconf
-from yunohost.service import _run_service_command
+from yunohost.service import _run_service_command, service_regen_conf
 
 
 logger = getActionLogger('yunohost.certmanager')
@@ -529,6 +528,9 @@ def _fetch_and_enable_new_certificate(domain, staging=False):
     _set_permissions(WEBROOT_FOLDER, "root", "www-data", 0650)
     _set_permissions(TMP_FOLDER, "root", "root", 0640)
 
+    # Regen conf for dnsmasq if needed
+    _regen_dnsmasq_if_needed()
+
     # Prepare certificate signing request
     logger.info(
         "Prepare key and certificate signing request (CSR) for %s...", domain)
@@ -819,13 +821,6 @@ def _check_domain_is_ready_for_ACME(domain):
         raise MoulinetteError(errno.EINVAL, m18n.n(
             'certmanager_domain_http_not_working', domain=domain))
 
-    # Check if domain is resolved locally (Might happen despite the previous
-    # checks because of dns propagation ?... Acme-tiny won't work in that case,
-    # because it explicitly requests() the domain.)
-    if not _domain_is_resolved_locally(public_ip, domain):
-        raise MoulinetteError(errno.EINVAL, m18n.n(
-            'certmanager_domain_not_resolved_locally', domain=domain))
-
 
 def _dns_ip_match_public_ip(public_ip, domain):
     try:
@@ -854,15 +849,46 @@ def _domain_is_accessible_through_HTTP(ip, domain):
     return True
 
 
-def _domain_is_resolved_locally(public_ip, domain):
+# FIXME / TODO : ideally this should not be needed. There should be a proper
+# mechanism to regularly check the value of the public IP and trigger
+# corresponding hooks (e.g. dyndns update and dnsmasq regen-conf)
+def _regen_dnsmasq_if_needed():
+    """
+    Update the dnsmasq conf if some IPs are not up to date...
+    """
     try:
-        ip = socket.gethostbyname(domain)
+        ipv4 = yunohost.domain.get_public_ip()
-    except socket.error as e:
+    except:
-        logger.debug("Couldn't get domain '%s' ip because: %s" % (domain, e))
+        ipv4 = None
-        return False
+    try:
+        ipv6 = yunohost.domain.get_public_ip(6)
+    except:
+        ipv6 = None
 
-    logger.debug("Domain '%s' IP address is resolved to %s, expect it to be %s or in the 127.0.0.0/8 address block" % (domain, public_ip, ip))
+    do_regen = False
-    return ip.startswith("127.") or ip == public_ip
+
+    # For all domain files in DNSmasq conf...
+    domainsconf = glob.glob("/etc/dnsmasq.d/*.*")
+    for domainconf in domainsconf:
+
+        # Look for the IP, it's in the lines with this format :
+        # address=/the.domain.tld/11.22.33.44
+        for line in open(domainconf).readlines():
+            if not line.startswith("address"):
+                continue
+            ip = line.strip().split("/")[2]
+
+            # Compared found IP to current IPv4 / IPv6
+            #             IPv6                   IPv4
+            if (":" in ip and ip != ipv6) or (ip != ipv4):
+                do_regen = True
+                break
+
+        if do_regen:
+            break
+
+    if do_regen:
+        service_regen_conf(["dnsmasq"])
 
 
 def _name_self_CA():