Merge pull request #917 from YunoHost/fix-acme-challenge-snippet

Get rid of domain-specific acme-challenge snippet, use a single snippet included in every conf
2024-09-03 20:06:10 +02:00 · 2020-04-09 21:07:50 +02:00 · 2020-04-09 21:07:50 +02:00 · 887304919e
commit 887304919e
parent a9af94b960 3a7b93d8aa
5 changed files with 22 additions and 48 deletions
--- a/data/hooks/conf_regen/15-nginx
+++ b/data/hooks/conf_regen/15-nginx
@ -111,6 +111,21 @@ do_post_regen() {
    mkdir -p "/etc/nginx/conf.d/${domain}.d"
  done

+  # Get rid of legacy lets encrypt snippets
+  for domain in $domain_list; do
+      # If the legacy letsencrypt / acme-challenge domain-specific snippet is still there
+      if [ -e /etc/nginx/conf.d/${domain}.d/000-acmechallenge.conf ]
+      then
+          # And if we're effectively including the new domain-independant snippet now
+          if grep -q "include /etc/nginx/conf.d/acme-challenge.conf.inc;" /etc/nginx/conf.d/${domain}.conf
+          then
+              # Delete the old domain-specific snippet
+              rm /etc/nginx/conf.d/${domain}.d/000-acmechallenge.conf
+          fi
+      fi
+  done
+
+
  # Reload nginx configuration
  pgrep nginx && service nginx reload
 }
--- a/data/templates/nginx/plain/acme-challenge.conf.inc
+++ b/data/templates/nginx/plain/acme-challenge.conf.inc
@ -0,0 +1,5 @@
+location ^~ '/.well-known/acme-challenge/'
+{
+        default_type "text/plain";
+        alias /tmp/acme-challenge-public/;
+}
--- a/data/templates/nginx/server.tpl.conf
+++ b/data/templates/nginx/server.tpl.conf
@ -10,6 +10,8 @@ server {

    access_by_lua_file /usr/share/ssowat/access.lua;

+    include /etc/nginx/conf.d/acme-challenge.conf.inc;
+
    include /etc/nginx/conf.d/{{ domain }}.d/*.conf;

    location /yunohost/admin {
--- a/locales/en.json
+++ b/locales/en.json
@ -120,7 +120,6 @@
    "certmanager_cert_renew_success": "Let's Encrypt certificate renewed for the domain '{domain:s}'",
    "certmanager_cert_signing_failed": "Could not sign the new certificate",
    "certmanager_certificate_fetching_or_enabling_failed": "Trying to use the new certificate for {domain:s} did not work…",
-    "certmanager_conflicting_nginx_file": "Could not prepare domain for ACME challenge: the NGINX configuration file {filepath:s} is conflicting and should be removed first",
    "certmanager_couldnt_fetch_intermediate_cert": "Timed out when trying to fetch intermediate certificate from Let's Encrypt. Certificate installation/renewal aborted—please try again later.",
    "certmanager_domain_cert_not_selfsigned": "The certificate for domain {domain:s} is not self-signed. Are you sure you want to replace it? (Use '--force' to do so.)",
    "certmanager_domain_dns_ip_differs_from_public_ip": "The DNS 'A' record for the domain '{domain:s}' is different from this server's IP. If you recently modified your A record, please wait for it to propagate (some DNS propagation checkers are available online). (If you know what you are doing, use '--no-checks' to turn off those checks.)",
--- a/src/yunohost/certificate.py
+++ b/src/yunohost/certificate.py
@ -285,7 +285,6 @@ def _certificate_install_letsencrypt(domain_list, force=False, no_checks=False,

            operation_logger.start()

-            _configure_for_acme_challenge(domain)
            _fetch_and_enable_new_certificate(domain, staging, no_checks=no_checks)
            _install_cron(no_checks=no_checks)

@ -468,52 +467,6 @@ Subject: %s
    smtp.quit()


-def _configure_for_acme_challenge(domain):
-
-    nginx_conf_folder = "/etc/nginx/conf.d/%s.d" % domain
-    nginx_conf_file = "%s/000-acmechallenge.conf" % nginx_conf_folder
-
-    nginx_configuration = '''
-location ^~ '/.well-known/acme-challenge/'
-{
-        default_type "text/plain";
-        alias %s;
-}
-    ''' % WEBROOT_FOLDER
-
-    # Check there isn't a conflicting file for the acme-challenge well-known
-    # uri
-    for path in glob.glob('%s/*.conf' % nginx_conf_folder):
-
-        if path == nginx_conf_file:
-            continue
-
-        with open(path) as f:
-            contents = f.read()
-
-        if '/.well-known/acme-challenge' in contents:
-            raise YunohostError('certmanager_conflicting_nginx_file', filepath=path)
-
-    # Write the conf
-    if os.path.exists(nginx_conf_file):
-        logger.debug(
-            "Nginx configuration file for ACME challenge already exists for domain, skipping.")
-        return
-
-    logger.debug(
-        "Adding Nginx configuration file for Acme challenge for domain %s.", domain)
-
-    with open(nginx_conf_file, "w") as f:
-        f.write(nginx_configuration)
-
-    # Assume nginx conf is okay, and reload it
-    # (FIXME : maybe add a check that it is, using nginx -t, haven't found
-    # any clean function already implemented in yunohost to do this though)
-    _run_service_command("reload", "nginx")
-
-    app_ssowatconf()
-
-
 def _check_acme_challenge_configuration(domain):
    # Check nginx conf file exists
    nginx_conf_folder = "/etc/nginx/conf.d/%s.d" % domain