From 2916824b4c925ee7b80aa18856f39093743c122c Mon Sep 17 00:00:00 2001 From: axolotle Date: Tue, 27 Aug 2024 16:39:05 +0200 Subject: [PATCH 1/2] certificate: check if domain dns records as a wildcard --- src/certificate.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/certificate.py b/src/certificate.py index 0fc840532..ce37f01d8 100644 --- a/src/certificate.py +++ b/src/certificate.py @@ -98,6 +98,15 @@ def certificate_status(domains, full=False): else: status["ACME_eligible"] = False + # Check if a wildcard is setup for the ipv4/ipv6 A/AAAA records + dns_extra = Diagnoser.get_cached_report( + "dnsrecords", item={"domain": domain, "category": "extra"} + ).get("data", {}) + dns_extra_A = { k: v for k, v in dns_extra.items() if k.startswith("A") } + status["ready_for_letsencrypt_cert"] = all( + [value == "OK" for value in dns_extra_A.values()] + ) + del status["domain"] certificates[domain] = status From edfebfbd2eb650e8f7db2ea4c7aaf15056fc646d Mon Sep 17 00:00:00 2001 From: axolotle Date: Tue, 27 Aug 2024 16:46:02 +0200 Subject: [PATCH 2/2] domain: add `install_letsencrypt_cert` option to domain_add --- share/actionsmap.yml | 5 ++++- src/domain.py | 27 ++++++++++++++++++++++++--- 2 files changed, 28 insertions(+), 4 deletions(-) diff --git a/share/actionsmap.yml b/share/actionsmap.yml index 69049cb5f..252623a3a 100755 --- a/share/actionsmap.yml +++ b/share/actionsmap.yml @@ -495,7 +495,10 @@ domain: help: If adding a DynDNS domain, subscribe to the DynDNS service with a password, used to later delete the domain extra: pattern: *pattern_password - + --install-letsencrypt-cert: + help: If adding a subdomain of an already added domain, try to install a Let's Encrypt certificate + action: store_true + ### domain_remove() remove: action_help: Delete domains diff --git a/src/domain.py b/src/domain.py index d80f5468e..ccd04a14e 100644 --- a/src/domain.py +++ b/src/domain.py 
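Review bot: `all([...])` over an empty `dns_extra_A` is True, so a domain whose cached `dnsrecords` report is missing or has no A/AAAA entries under `extra` gets `ready_for_letsencrypt_cert = True` although nothing was verified, and the second patch then attempts Let's Encrypt issuance on that basis. Make the empty case explicit: `status["ready_for_letsencrypt_cert"] = bool(dns_extra_A) and all(v == "OK" for v in dns_extra_A.values())`. The `k.startswith("A")` filter also assumes the `extra` report only ever carries A/AAAA (wildcard) records — the diagnoser's key names are not visible here, so I would record that assumption next to the filter, e.g. `# assumes the 'extra' dnsrecords report only holds the wildcard A/AAAA entries — verify against the diagnoser`. `certificate_status` starts before this hunk, and whether `Diagnoser` is imported in certificate.py cannot be seen from it.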
@@ -245,7 +245,11 @@ def _get_parent_domain_of(domain, return_self=False, topest=False):
 @is_unit_operation(exclude=["dyndns_recovery_password"])
 def domain_add(
- operation_logger, domain, dyndns_recovery_password=None, ignore_dyndns=False
+ operation_logger,
+ domain,
+ dyndns_recovery_password=None,
+ ignore_dyndns=False,
+ install_letsencrypt_cert=False,
 ):
 """
 Create a custom domain
@@ -255,12 +259,17 @@ def domain_add(
 dyndns -- Subscribe to DynDNS
 dyndns_recovery_password -- Password used to later unsubscribe from DynDNS
 ignore_dyndns -- If we want to just add the DynDNS domain to the list, without subscribing
+ install_letsencrypt_cert -- If adding a subdomain of an already added domain, try to install a Let's Encrypt certificate
 """
 from yunohost.hook import hook_callback
 from yunohost.app import app_ssowatconf
 from yunohost.utils.ldap import _get_ldap_interface
 from yunohost.utils.password import assert_password_is_strong_enough
- from yunohost.certificate import _certificate_install_selfsigned
+ from yunohost.certificate import (
+ _certificate_install_selfsigned,
+ _certificate_install_letsencrypt,
+ certificate_status,
+ )
 from yunohost.utils.dns import is_yunohost_dyndns_domain

 if dyndns_recovery_password:
@@ -302,7 +311,19 @@ def domain_add(
 domain=domain, recovery_password=dyndns_recovery_password
 )

- _certificate_install_selfsigned([domain], True)
+ parent_domain = _get_parent_domain_of(domain) # FIXME: topest?
+ can_install_letsencrypt = (
+ parent_domain
+ and certificate_status(parent_domain, full=True)["ready_for_letsencrypt_cert"]
+ )
+
+ # FIXME: warn and fallback to selfsigned if `install_letsencrypt_cert` and not `can_install_letsencrypt`?
+
+ if install_letsencrypt_cert and can_install_letsencrypt:
+ # FIXME try and fallback to selfsigned?
+ _certificate_install_letsencrypt([domain])
+ else:
+ _certificate_install_selfsigned([domain], True)

 try:
 attr_dict = {
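Review bot: The new docstring line for `install_letsencrypt_cert` only says the certificate is attempted, while the code added later in this same function silently installs a self-signed certificate whenever the parent's DNS records are not reported ready — that fallback is the part a caller needs to know. I would extend it to `install_letsencrypt_cert -- If adding a subdomain of an already added domain whose wildcard A/AAAA records are OK, try to install a Let's Encrypt certificate; a self-signed one is installed otherwise`, and mirror the sentence in the `--install-letsencrypt-cert` help text of actionsmap.yml. domain_add starts before this hunk and continues after it.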
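Review bot: `certificate_status(parent_domain, full=True)` now runs for every subdomain added, even with `install_letsencrypt_cert` at its default, and if `_certificate_install_letsencrypt` raises (failed ACME challenge, rate limit, network) the exception escapes `domain_add` after the DynDNS subscription but before the LDAP `attr_dict` below is written, leaving a half-added domain — the two FIXMEs acknowledge both gaps. Gate the status lookup behind `install_letsencrypt_cert`, warn when the request cannot be honoured, and catch issuance failures so the self-signed fallback always runs, as sketched below (the warning calls assume the module-level logger this file presumably uses elsewhere; it is not visible in the hunk). Also confirm that `certificate_status` called with a single domain string returns that domain's status dict rather than `{domain: status}` — patch 1 fills `certificates[domain] = status`, and the `["ready_for_letsencrypt_cert"]` subscript would raise KeyError on the keyed form. domain_add starts before this hunk and continues after it.
```python
    parent_domain = _get_parent_domain_of(domain)  # FIXME: topest?
    letsencrypt_installed = False
    if install_letsencrypt_cert:
        # Diagnoser-backed lookup: only pay for it when LE was actually requested
        can_install_letsencrypt = (
            parent_domain
            and certificate_status(parent_domain, full=True)["ready_for_letsencrypt_cert"]
        )
        if not can_install_letsencrypt:
            logger.warning(f"Cannot install a Let's Encrypt certificate for {domain}: parent domain A/AAAA records are not ready, falling back to self-signed")
        else:
            try:
                _certificate_install_letsencrypt([domain])
                letsencrypt_installed = True
            except Exception as e:
                # Issuance failure must not abort domain_add: the domain is not in LDAP yet
                logger.warning(f"Let's Encrypt issuance failed for {domain}, falling back to self-signed: {e}")
    if not letsencrypt_installed:
        _certificate_install_selfsigned([domain], True)
    # … unchanged: LDAP attr_dict creation …
```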