From 6bfe1c80833423b0530f368fddcc05ccdf304629 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Tue, 8 Nov 2016 20:59:55 -0500 Subject: [PATCH] Check that the DNS A record matches the global IP now using dnspython and FDN's DNS --- locales/en.json | 6 ++---- src/yunohost/certificate.py | 31 +++++++++---------------------- 2 files changed, 11 insertions(+), 26 deletions(-) diff --git a/locales/en.json b/locales/en.json index 1a93b72ff..627c11b52 100644 --- a/locales/en.json +++ b/locales/en.json @@ -245,10 +245,8 @@ "certmanager_attempt_to_renew_nonLE_cert" : "The certificate of domain {domain:s} is not issued by Let's Encrypt. Cannot renew it automatically !", "certmanager_attempt_to_renew_valid_cert" : "The certificate of domain {domain:s} is not about to expire ! Use --force to bypass", "certmanager_domain_http_not_working": "It seems that the domain {domain:s} cannot be accessed through HTTP. Please check your DNS and nginx configuration is okay.", - "certmanager_error_contacting_dns_api" : "Error contacting the DNS API ({api:s}), reason: {reason:s}. Use --no-checks to disable checks.", - "certmanager_error_parsing_dns" : "Error parsing the return value from the DNS API : {value:s}. Please verify your DNS configuration for domain {domain:s}. Use --no-checks to disable checks.", - "certmanager_domain_dns_ip_differs_from_public_ip" : "The DNS 'A' record for domain {domain:s} is different from this server IP. Give some time for the DNS to refresh, or use --no-checks to disable checks.", - "certmanager_no_A_dns_record" : "No DNS record of type A found for {domain:s}. You need to configure the DNS for your domain before installing a certificate !", + "certmanager_error_no_A_record" : "No DNS 'A' record found for {domain:s}. You need to make your domain name point to your machine to be able to install a Let's Encrypt certificate ! (If you know what you are doing, use --no-checks to disable those checks.)", + "certmanager_domain_dns_ip_differs_from_public_ip" : "The DNS 'A' record for domain {domain:s} is different from this server IP. If you recently modified your A record, please wait for it to propagate (some DNS propagation checkers are available online). (If you know what you are doing, use --no-checks to disable those checks.)", "certmanager_cannot_read_cert": "Something wrong happened when trying to open current certificate for domain {domain:s} (file : {file:s}), reason: {reason:s}", "certmanager_cert_install_success" : "Successfully installed Let's Encrypt certificate for domain {domain:s} !", "certmanager_cert_renew_success" : "Successfully renewed Let's Encrypt certificate for domain {domain:s} !", diff --git a/src/yunohost/certificate.py b/src/yunohost/certificate.py index 19758c33d..02ea73af8 100644 --- a/src/yunohost/certificate.py +++ b/src/yunohost/certificate.py @@ -31,6 +31,8 @@ import grp import smtplib import requests +import dns.resolver + from OpenSSL import crypto from datetime import datetime from yunohost.vendor.acme_tiny.acme_tiny import get_crt as sign_certificate @@ -656,29 +658,14 @@ def _check_domain_is_correctly_configured(domain): def _dns_ip_match_public_ip(public_ip, domain): try: - result = requests.get("https://dns-api.org/A/" + domain) - except Exception as exception: - import traceback - traceback.print_exc(file=sys.stdout) - raise MoulinetteError(errno.EINVAL, m18n.n('certmanager_error_contacting_dns_api', api="dns-api.org", reason=exception)) + resolver = dns.resolver.Resolver() + # These are FDN's DNS + resolver.nameservers = [ "80.67.169.12", "80.67.169.40" ] + answers = resolver.query(domain, "A") + except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN) : + raise MoulinetteError(errno.EINVAL, m18n.n('certmanager_error_no_A_record', domain=domain)) - try: - dns_ip = result.json() - except Exception as exception: - raise MoulinetteError(errno.EINVAL, m18n.n('certmanager_error_parsing_dns', domain=domain, value=result.text)) - - if len(dns_ip) == 0: - raise MoulinetteError(errno.EINVAL, m18n.n('certmanager_error_parsing_dns', domain=domain, value=result.text)) - - dns_ip = dns_ip[0] - - if dns_ip.get("error") == "NXDOMAIN": - raise MoulinetteError(errno.EINVAL, m18n.n('certmanager_no_A_dns_record', domain=domain)) - - if "value" not in dns_ip: - raise MoulinetteError(errno.EINVAL, m18n.n('certmanager_error_parsing_dns', domain=domain, value=result.text)) - - dns_ip = dns_ip["value"] + dns_ip = answers[0] return dns_ip == public_ip