Merge pull request #225 from YunoHost/fix-651-check-domain-resolved-locally

[fix] Adding check that domain is resolved locally for cert management
2024-09-03 20:06:10 +02:00 · 2017-01-08 05:32:45 +01:00 · 2017-01-08 05:32:45 +01:00 · a9675b01f7
commit a9675b01f7
parent d279f0c5ad d665984789
2 changed files with 20 additions and 0 deletions
--- a/locales/en.json
+++ b/locales/en.json
@ -253,6 +253,7 @@
    "certmanager_domain_http_not_working": "It seems that the domain {domain:s} cannot be accessed through HTTP. Please check your DNS and nginx configuration is okay",
    "certmanager_error_no_A_record": "No DNS 'A' record found for {domain:s}. You need to make your domain name point to your machine to be able to install a Let's Encrypt certificate! (If you know what you are doing, use --no-checks to disable those checks.)",
    "certmanager_domain_dns_ip_differs_from_public_ip": "The DNS 'A' record for domain {domain:s} is different from this server IP. If you recently modified your A record, please wait for it to propagate (some DNS propagation checkers are available online). (If you know what you are doing, use --no-checks to disable those checks.)",
+    "certmanager_domain_not_resolved_locally": "The domain {domain:s} cannot be resolved from inside your Yunohost server. This might happen if you recently modified your DNS record. If so, please wait a few hours for it to propagate. If the issue persists, consider adding {domain:s} to /etc/hosts. (If you know what you are doing, use --no-checks to disable those checks.)",
    "certmanager_cannot_read_cert": "Something wrong happened when trying to open current certificate for domain {domain:s} (file: {file:s}), reason: {reason:s}",
    "certmanager_cert_install_success_selfsigned": "Successfully installed a self-signed certificate for domain {domain:s}!",
    "certmanager_cert_install_success": "Successfully installed Let's Encrypt certificate for domain {domain:s}!",
--- a/src/yunohost/certificate.py
+++ b/src/yunohost/certificate.py
@ -31,6 +31,7 @@ import grp
 import smtplib
 import requests
 import subprocess
+import socket
 import dns.resolver
 import glob

@ -812,6 +813,13 @@ def _check_domain_is_ready_for_ACME(domain):
        raise MoulinetteError(errno.EINVAL, m18n.n(
            'certmanager_domain_http_not_working', domain=domain))

+    # Check if domain is resolved locally (Might happen despite the previous
+    # checks because of dns propagation ?... Acme-tiny won't work in that case,
+    # because it explicitly requests() the domain.)
+    if not _domain_is_resolved_locally(public_ip, domain):
+        raise MoulinetteError(errno.EINVAL, m18n.n(
+            'certmanager_domain_not_resolved_locally', domain=domain))
+

 def _dns_ip_match_public_ip(public_ip, domain):
    try:
@ -836,6 +844,17 @@ def _domain_is_accessible_through_HTTP(ip, domain):
    return True


+def _domain_is_resolved_locally(public_ip, domain):
+    try:
+        ip = socket.gethostbyname(domain)
+    except socket.error as e:
+        logger.debug("Couldn't get domain '%s' ip because: %s" % (domain, e))
+        return False
+
+    logger.debug("Domain '%s' ip is %s, except it to be 127.0.0.1 or %s" % (domain, public_ip))
+    return ip in ["127.0.0.1", public_ip]
+
+
 def _name_self_CA():
    ca_conf = os.path.join(SSL_DIR, "openssl.ca.cnf")