Merge pull request #917 from YunoHost/fix-acme-challenge-snippet

Get rid of domain-specific acme-challenge snippet, use a single snippet included in every conf

data/hooks/conf_regen/15-nginx

@@ -111,6 +111,21 @@ do_post_regen() {
     mkdir -p "/etc/nginx/conf.d/${domain}.d"
   done
 
+  # Get rid of legacy lets encrypt snippets
+  for domain in $domain_list; do
+      # If the legacy letsencrypt / acme-challenge domain-specific snippet is still there
+      if [ -e /etc/nginx/conf.d/${domain}.d/000-acmechallenge.conf ]
+      then
+          # And if we're effectively including the new domain-independant snippet now
+          if grep -q "include /etc/nginx/conf.d/acme-challenge.conf.inc;" /etc/nginx/conf.d/${domain}.conf
+          then
+              # Delete the old domain-specific snippet
+              rm /etc/nginx/conf.d/${domain}.d/000-acmechallenge.conf
+          fi
+      fi
+  done
+
+
   # Reload nginx configuration
   pgrep nginx && service nginx reload
 }

data/templates/nginx/plain/acme-challenge.conf.inc

@@ -0,0 +1,5 @@
+location ^~ '/.well-known/acme-challenge/'
+{
+        default_type "text/plain";
+        alias /tmp/acme-challenge-public/;
+}

data/templates/nginx/server.tpl.conf

@@ -10,6 +10,8 @@ server {
 
     access_by_lua_file /usr/share/ssowat/access.lua;
 
+    include /etc/nginx/conf.d/acme-challenge.conf.inc;
+
     include /etc/nginx/conf.d/{{ domain }}.d/*.conf;
 
     location /yunohost/admin {

locales/en.json

@@ -120,7 +120,6 @@
     "certmanager_cert_renew_success": "Let's Encrypt certificate renewed for the domain '{domain:s}'",
     "certmanager_cert_signing_failed": "Could not sign the new certificate",
     "certmanager_certificate_fetching_or_enabling_failed": "Trying to use the new certificate for {domain:s} did not work…",
-    "certmanager_conflicting_nginx_file": "Could not prepare domain for ACME challenge: the NGINX configuration file {filepath:s} is conflicting and should be removed first",
     "certmanager_couldnt_fetch_intermediate_cert": "Timed out when trying to fetch intermediate certificate from Let's Encrypt. Certificate installation/renewal aborted—please try again later.",
     "certmanager_domain_cert_not_selfsigned": "The certificate for domain {domain:s} is not self-signed. Are you sure you want to replace it? (Use '--force' to do so.)",
     "certmanager_domain_dns_ip_differs_from_public_ip": "The DNS 'A' record for the domain '{domain:s}' is different from this server's IP. If you recently modified your A record, please wait for it to propagate (some DNS propagation checkers are available online). (If you know what you are doing, use '--no-checks' to turn off those checks.)",

src/yunohost/certificate.py

@@ -285,7 +285,6 @@ def _certificate_install_letsencrypt(domain_list, force=False, no_checks=False,
 
             operation_logger.start()
 
-            _configure_for_acme_challenge(domain)
             _fetch_and_enable_new_certificate(domain, staging, no_checks=no_checks)
             _install_cron(no_checks=no_checks)
 
@@ -468,52 +467,6 @@ Subject: %s
     smtp.quit()
 
 
-def _configure_for_acme_challenge(domain):
-
-    nginx_conf_folder = "/etc/nginx/conf.d/%s.d" % domain
-    nginx_conf_file = "%s/000-acmechallenge.conf" % nginx_conf_folder
-
-    nginx_configuration = '''
-location ^~ '/.well-known/acme-challenge/'
-{
-        default_type "text/plain";
-        alias %s;
-}
-    ''' % WEBROOT_FOLDER
-
-    # Check there isn't a conflicting file for the acme-challenge well-known
-    # uri
-    for path in glob.glob('%s/*.conf' % nginx_conf_folder):
-
-        if path == nginx_conf_file:
-            continue
-
-        with open(path) as f:
-            contents = f.read()
-
-        if '/.well-known/acme-challenge' in contents:
-            raise YunohostError('certmanager_conflicting_nginx_file', filepath=path)
-
-    # Write the conf
-    if os.path.exists(nginx_conf_file):
-        logger.debug(
-            "Nginx configuration file for ACME challenge already exists for domain, skipping.")
-        return
-
-    logger.debug(
-        "Adding Nginx configuration file for Acme challenge for domain %s.", domain)
-
-    with open(nginx_conf_file, "w") as f:
-        f.write(nginx_configuration)
-
-    # Assume nginx conf is okay, and reload it
-    # (FIXME : maybe add a check that it is, using nginx -t, haven't found
-    # any clean function already implemented in yunohost to do this though)
-    _run_service_command("reload", "nginx")
-
-    app_ssowatconf()
-
-
 def _check_acme_challenge_configuration(domain):
     # Check nginx conf file exists
     nginx_conf_folder = "/etc/nginx/conf.d/%s.d" % domain