From 3a7b93d8aac481f41f3dcea3b4e0b6409b0fc0c9 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Sun, 5 Apr 2020 18:12:24 +0200
Subject: [PATCH] Get rid of domain-specific acme-challenge snippet, use a single snippet including in every conf
---
 data/hooks/conf_regen/15-nginx | 15 ++++++
 .../nginx/plain/acme-challenge.conf.inc | 5 ++
 data/templates/nginx/server.tpl.conf | 2 +
 locales/en.json | 1 -
 src/yunohost/certificate.py | 47 -------------------
 5 files changed, 22 insertions(+), 48 deletions(-)
 create mode 100644 data/templates/nginx/plain/acme-challenge.conf.inc
diff --git a/data/hooks/conf_regen/15-nginx b/data/hooks/conf_regen/15-nginx
index 11e5f596c..90d99ff5e 100755
--- a/data/hooks/conf_regen/15-nginx
+++ b/data/hooks/conf_regen/15-nginx
@@ -110,6 +110,21 @@ do_post_regen() {
 mkdir -p "/etc/nginx/conf.d/${domain}.d"
 done
+ # Get rid of legacy lets encrypt snippets
+ for domain in $domain_list; do
+ # If the legacy letsencrypt / acme-challenge domain-specific snippet is still there
+ if [ -e /etc/nginx/conf.d/${domain}.d/000-acmechallenge.conf ]
+ then
+ # And if we're effectively including the new domain-independant snippet now
+ if grep -q "include /etc/nginx/conf.d/acme-challenge.conf.inc;" /etc/nginx/conf.d/${domain}.conf
+ then
+ # Delete the old domain-specific snippet
+ rm /etc/nginx/conf.d/${domain}.d/000-acmechallenge.conf
+ fi
+ fi
+ done
+
+ # Reload nginx configuration
 pgrep nginx && service nginx reload
 }
diff --git a/data/templates/nginx/plain/acme-challenge.conf.inc b/data/templates/nginx/plain/acme-challenge.conf.inc
new file mode 100644
index 000000000..aae3e0eb3
--- /dev/null
+++ b/data/templates/nginx/plain/acme-challenge.conf.inc
@@ -0,0 +1,5 @@
+location ^~ '/.well-known/acme-challenge/'
+{
+ default_type "text/plain";
+ alias /tmp/acme-challenge-public/;
+}
diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf
index 6316960c4..485079883 100644
--- a/data/templates/nginx/server.tpl.conf
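Review bot: The `grep -q` in the new cleanup loop only proves that `${domain}.conf` references `/etc/nginx/conf.d/acme-challenge.conf.inc`, not that this file has actually been installed, so the legacy `000-acmechallenge.conf` can be removed while the replacement is still absent and the following `service nginx reload` would then likely fail on an unresolvable include; prefixing the test with `[ -e /etc/nginx/conf.d/acme-challenge.conf.inc ] &&` (and using `grep -qF`, since the pattern is a literal rather than a regex) closes that gap. The `${domain}` expansions in the `[ -e … ]` test and the `rm` should be double-quoted like the `mkdir -p` line just above them. Because the hook now deletes the per-domain snippet, `_check_acme_challenge_configuration` in src/yunohost/certificate.py — untouched by this patch, with its first lines visible as context in the last hunk still resolving the domain's `.d` folder — is worth re-checking so it no longer expects that file to exist. The enclosing `do_post_regen()` starts before the hunk.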
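Review bot: `alias /tmp/acme-challenge-public/;` hard-codes the webroot that the deleted Python snippet took from `WEBROOT_FOLDER` (see the last hunk in src/yunohost/certificate.py), so the path now lives in two places that can silently drift; either render it from that constant or add `# must match WEBROOT_FOLDER in src/yunohost/certificate.py` above the `alias` line. Serving the HTTP-01 webroot from a directory under the world-writable `/tmp` also means whoever creates that directory first decides what nginx serves under `/.well-known/acme-challenge/` for every domain; this may be pre-existing if `WEBROOT_FOLDER` is the same path, but baking it into a static snippet is a good moment to move it to a root-owned location or at least have the regen hook create it with root ownership before nginx reloads.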
+++ b/data/templates/nginx/server.tpl.conf
@@ -10,6 +10,8 @@ server {
 access_by_lua_file /usr/share/ssowat/access.lua;
+ include /etc/nginx/conf.d/acme-challenge.conf.inc;
+
 include /etc/nginx/conf.d/{{ domain }}.d/*.conf;
 location /yunohost/admin {
diff --git a/locales/en.json b/locales/en.json
index 567b6a460..f6aa35f67 100644
--- a/locales/en.json
+++ b/locales/en.json
@@ -120,7 +120,6 @@
 "certmanager_cert_renew_success": "Let's Encrypt certificate renewed for the domain '{domain:s}'",
 "certmanager_cert_signing_failed": "Could not sign the new certificate",
 "certmanager_certificate_fetching_or_enabling_failed": "Trying to use the new certificate for {domain:s} did not work…",
- "certmanager_conflicting_nginx_file": "Could not prepare domain for ACME challenge: the NGINX configuration file {filepath:s} is conflicting and should be removed first",
 "certmanager_couldnt_fetch_intermediate_cert": "Timed out when trying to fetch intermediate certificate from Let's Encrypt. Certificate installation/renewal aborted—please try again later.",
 "certmanager_domain_cert_not_selfsigned": "The certificate for domain {domain:s} is not self-signed. Are you sure you want to replace it? (Use '--force' to do so.)",
 "certmanager_domain_dns_ip_differs_from_public_ip": "The DNS 'A' record for the domain '{domain:s}' is different from this server's IP. If you recently modified your A record, please wait for it to propagate (some DNS propagation checkers are available online). (If you know what you are doing, use '--no-checks' to turn off those checks.)",
diff --git a/src/yunohost/certificate.py b/src/yunohost/certificate.py
index 5fae59060..fd792ccae 100644
--- a/src/yunohost/certificate.py
+++ b/src/yunohost/certificate.py
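Review bot: The new `include /etc/nginx/conf.d/acme-challenge.conf.inc;` line is also the exact string that the cleanup loop in data/hooks/conf_regen/15-nginx greps for before deleting the legacy per-domain snippet, so any later change to its spacing or path silently disables that cleanup; a comment such as `# keep in sync with the grep in data/hooks/conf_regen/15-nginx` would document the coupling. The included file is a template under data/templates/nginx/plain/, and nothing in this diff shows it being copied to /etc/nginx/conf.d/ — presumably the regen hook already installs that directory, but it is worth confirming since every server block now depends on it. The enclosing `server {` block continues outside the hunk.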
@@ -285,7 +285,6 @@ def _certificate_install_letsencrypt(domain_list, force=False, no_checks=False,
 operation_logger.start()
- _configure_for_acme_challenge(domain)
 _fetch_and_enable_new_certificate(domain, staging, no_checks=no_checks)
 _install_cron(no_checks=no_checks)
@@ -468,52 +467,6 @@ Subject: %s
 smtp.quit()
-def _configure_for_acme_challenge(domain):
-
- nginx_conf_folder = "/etc/nginx/conf.d/%s.d" % domain
- nginx_conf_file = "%s/000-acmechallenge.conf" % nginx_conf_folder
-
- nginx_configuration = '''
-location ^~ '/.well-known/acme-challenge/'
-{
- default_type "text/plain";
- alias %s;
-}
- ''' % WEBROOT_FOLDER
-
- # Check there isn't a conflicting file for the acme-challenge well-known
- # uri
- for path in glob.glob('%s/*.conf' % nginx_conf_folder):
-
- if path == nginx_conf_file:
- continue
-
- with open(path) as f:
- contents = f.read()
-
- if '/.well-known/acme-challenge' in contents:
- raise YunohostError('certmanager_conflicting_nginx_file', filepath=path)
-
- # Write the conf
- if os.path.exists(nginx_conf_file):
- logger.debug(
- "Nginx configuration file for ACME challenge already exists for domain, skipping.")
- return
-
- logger.debug(
- "Adding Nginx configuration file for Acme challenge for domain %s.", domain)
-
- with open(nginx_conf_file, "w") as f:
- f.write(nginx_configuration)
-
- # Assume nginx conf is okay, and reload it
- # (FIXME : maybe add a check that it is, using nginx -t, haven't found
- # any clean function already implemented in yunohost to do this though)
- _run_service_command("reload", "nginx")
-
- app_ssowatconf()
-
-
 def _check_acme_challenge_configuration(domain):
 # Check nginx conf file exists
 nginx_conf_folder = "/etc/nginx/conf.d/%s.d" % domain