Merge pull request #349 from YunoHost/fix-925-local-domain-resolution

[fix] Local domain resolution in cert-install/renew
2024-09-03 20:06:10 +02:00 · 2017-08-18 03:44:46 +02:00 · 2017-08-18 03:44:46 +02:00 · 20c3c8386d
commit 20c3c8386d
parent 8567164d58 951589ad07
1 changed files with 42 additions and 16 deletions
--- a/src/yunohost/certificate.py
+++ b/src/yunohost/certificate.py
@ -31,7 +31,6 @@ import grp
 import smtplib
 import requests
 import subprocess
-import socket
 import dns.resolver
 import glob

@ -48,7 +47,7 @@ import yunohost.domain

 from moulinette import m18n
 from yunohost.app import app_ssowatconf
-from yunohost.service import _run_service_command
+from yunohost.service import _run_service_command, service_regen_conf


 logger = getActionLogger('yunohost.certmanager')
@ -529,6 +528,9 @@ def _fetch_and_enable_new_certificate(domain, staging=False):
    _set_permissions(WEBROOT_FOLDER, "root", "www-data", 0650)
    _set_permissions(TMP_FOLDER, "root", "root", 0640)

+    # Regen conf for dnsmasq if needed
+    _regen_dnsmasq_if_needed()
+
    # Prepare certificate signing request
    logger.info(
        "Prepare key and certificate signing request (CSR) for %s...", domain)
@ -819,13 +821,6 @@ def _check_domain_is_ready_for_ACME(domain):
        raise MoulinetteError(errno.EINVAL, m18n.n(
            'certmanager_domain_http_not_working', domain=domain))

-    # Check if domain is resolved locally (Might happen despite the previous
-    # checks because of dns propagation ?... Acme-tiny won't work in that case,
-    # because it explicitly requests() the domain.)
-    if not _domain_is_resolved_locally(public_ip, domain):
-        raise MoulinetteError(errno.EINVAL, m18n.n(
-            'certmanager_domain_not_resolved_locally', domain=domain))
-

 def _dns_ip_match_public_ip(public_ip, domain):
    try:
@ -854,15 +849,46 @@ def _domain_is_accessible_through_HTTP(ip, domain):
    return True


-def _domain_is_resolved_locally(public_ip, domain):
+# FIXME / TODO : ideally this should not be needed. There should be a proper
+# mechanism to regularly check the value of the public IP and trigger
+# corresponding hooks (e.g. dyndns update and dnsmasq regen-conf)
+def _regen_dnsmasq_if_needed():
+    """
+    Update the dnsmasq conf if some IPs are not up to date...
+    """
    try:
-        ip = socket.gethostbyname(domain)
-    except socket.error as e:
-        logger.debug("Couldn't get domain '%s' ip because: %s" % (domain, e))
-        return False
+        ipv4 = yunohost.domain.get_public_ip()
+    except:
+        ipv4 = None
+    try:
+        ipv6 = yunohost.domain.get_public_ip(6)
+    except:
+        ipv6 = None

-    logger.debug("Domain '%s' IP address is resolved to %s, expect it to be %s or in the 127.0.0.0/8 address block" % (domain, public_ip, ip))
-    return ip.startswith("127.") or ip == public_ip
+    do_regen = False
+
+    # For all domain files in DNSmasq conf...
+    domainsconf = glob.glob("/etc/dnsmasq.d/*.*")
+    for domainconf in domainsconf:
+
+        # Look for the IP, it's in the lines with this format :
+        # address=/the.domain.tld/11.22.33.44
+        for line in open(domainconf).readlines():
+            if not line.startswith("address"):
+                continue
+            ip = line.strip().split("/")[2]
+
+            # Compared found IP to current IPv4 / IPv6
+            #             IPv6                   IPv4
+            if (":" in ip and ip != ipv6) or (ip != ipv4):
+                do_regen = True
+                break
+
+        if do_regen:
+            break
+
+    if do_regen:
+        service_regen_conf(["dnsmasq"])


 def _name_self_CA():