nginx: use /var/www/.well-known folder for ynh diagnosis and acme challenge, because /tmp/ could be manipulated by user to serve maliciously crafted files

conf/nginx/plain/acme-challenge.conf.inc

@@ -1,6 +1,6 @@
 location ^~ '/.well-known/acme-challenge/'
 {
         default_type "text/plain";
-        alias /tmp/acme-challenge-public/;
+        alias /var/www/.well-known/acme-challenge-public/;
         gzip off;
 }

conf/nginx/server.tpl.conf

@@ -13,7 +13,7 @@ server {
     include /etc/nginx/conf.d/acme-challenge.conf.inc;
 
     location ^~ '/.well-known/ynh-diagnosis/' {
-        alias /tmp/.well-known/ynh-diagnosis/;
+        alias /var/www/.well-known/ynh-diagnosis/;
     }
 
     {% if mail_enabled == "True" %}

src/certificate.py

@@ -41,8 +41,8 @@ from yunohost.log import OperationLogger
 logger = getActionLogger("yunohost.certmanager")
 
 CERT_FOLDER = "/etc/yunohost/certs/"
-TMP_FOLDER = "/tmp/acme-challenge-private/"
+TMP_FOLDER = "/var/www/.well-known/acme-challenge-private/"
-WEBROOT_FOLDER = "/tmp/acme-challenge-public/"
+WEBROOT_FOLDER = "/var/www/.well-known/acme-challenge-public/"
 
 SELF_CA_FILE = "/etc/ssl/certs/ca-yunohost_crt.pem"
 ACCOUNT_KEY_FILE = "/etc/yunohost/letsencrypt_account.pem"

src/diagnosers/21-web.py

@@ -60,9 +60,9 @@ class MyDiagnoser(Diagnoser):
                 domains_to_check.append(domain)
 
         self.nonce = "".join(random.choice("0123456789abcedf") for i in range(16))
-        rm("/tmp/.well-known/ynh-diagnosis/", recursive=True, force=True)
+        rm("/var/www/.well-known/ynh-diagnosis/", recursive=True, force=True)
-        mkdir("/tmp/.well-known/ynh-diagnosis/", parents=True)
+        mkdir("/var/www/.well-known/ynh-diagnosis/", parents=True)
-        os.system("touch /tmp/.well-known/ynh-diagnosis/%s" % self.nonce)
+        os.system("touch /var/www/.well-known/ynh-diagnosis/%s" % self.nonce)
 
         if not domains_to_check:
             return