Added options to set the listen address for standalone mode (#4694)

Fixes #255.
certbot · Jun 1, 2017 · 6f98987 · 6f98987
1 parent c9ff9e3
commit 6f98987
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 6 deletions.
diff --git a/certbot/cli.py b/certbot/cli.py
@@ -990,10 +990,18 @@ def prepare_and_parse_args(plugins, args, detect_defaults=False):  # pylint: dis
         ["testing", "standalone", "apache", "nginx"], "--tls-sni-01-port", type=int,
         default=flag_default("tls_sni_01_port"),
         help=config_help("tls_sni_01_port"))
+    helpful.add(
+        ["testing", "standalone"], "--tls-sni-01-address",
+        default=flag_default("tls_sni_01_address"),
+        help=config_help("tls_sni_01_address"))
     helpful.add(
         ["testing", "standalone", "manual"], "--http-01-port", type=int,
         dest="http01_port",
         default=flag_default("http01_port"), help=config_help("http01_port"))
+    helpful.add(
+        ["testing", "standalone"], "--http-01-address",
+        dest="http01_address",
+        default=flag_default("http01_address"), help=config_help("http01_address"))
     helpful.add(
         "testing", "--break-my-certs", action="store_true",
         help="Be willing to replace or renew valid certificates with invalid "

diff --git a/certbot/constants.py b/certbot/constants.py
@@ -28,7 +28,9 @@
     logs_dir="/var/log/letsencrypt",
     no_verify_ssl=False,
     http01_port=challenges.HTTP01Response.PORT,
+    http01_address="",
     tls_sni_01_port=challenges.TLSSNI01Response.PORT,
+    tls_sni_01_address="",
 
     auth_cert_path="./cert.pem",
     auth_chain_path="./chain.pem",

diff --git a/certbot/interfaces.py b/certbot/interfaces.py
@@ -229,12 +229,17 @@ class IConfig(zope.interface.Interface):
         "Port used during tls-sni-01 challenge. "
         "This only affects the port Certbot listens on. "
         "A conforming ACME server will still attempt to connect on port 443.")
+    tls_sni_01_address = zope.interface.Attribute(
+        "The address the server listens to during tls-sni-01 challenge.")
 
     http01_port = zope.interface.Attribute(
         "Port used in the http-01 challenge. "
         "This only affects the port Certbot listens on. "
         "A conforming ACME server will still attempt to connect on port 80.")
 
+    http01_address = zope.interface.Attribute(
+        "The address the server listens to during http-01 challenge.")
+
     pref_challs = zope.interface.Attribute(
         "Sorted user specified preferred challenges"
         "type strings with the most preferred challenge listed first")
@@ -251,7 +256,6 @@ class IConfig(zope.interface.Interface):
         "user; only needed if your config is somewhere unsafe like /tmp/."
         "This is a boolean")
 
-
 class IInstaller(IPlugin):
     """Generic Certbot Installer Interface.
 

diff --git a/certbot/plugins/standalone.py b/certbot/plugins/standalone.py
@@ -40,7 +40,7 @@ def __init__(self, certs, http_01_resources):
         self.certs = certs
         self.http_01_resources = http_01_resources
 
-    def run(self, port, challenge_type):
+    def run(self, port, challenge_type, listenaddr=""):
         """Run ACME server on specified ``port``.
 
         This method is idempotent, i.e. all calls with the same pair of
@@ -49,6 +49,7 @@ def run(self, port, challenge_type):
         :param int port: Port to run the server on.
         :param challenge_type: Subclass of `acme.challenges.Challenge`,
             either `acme.challenge.HTTP01` or `acme.challenges.TLSSNI01`.
+        :param str listenaddr: (optional) The address to listen on. Defaults to all addrs.
 
         :returns: Server instance.
         :rtype: ACMEServerMixin
@@ -58,7 +59,7 @@ def run(self, port, challenge_type):
         if port in self._instances:
             return self._instances[port].server
 
-        address = ("", port)
+        address = (listenaddr, port)
         try:
             if challenge_type is challenges.TLSSNI01:
                 server = acme_standalone.TLSSNI01Server(address, self.certs)
@@ -242,7 +243,9 @@ def _perform_single(self, achall):
         return response
 
     def _perform_http_01(self, achall):
-        server = self.servers.run(self.config.http01_port, challenges.HTTP01)
+        port = self.config.http01_port
+        addr = self.config.http01_address
+        server = self.servers.run(port, challenges.HTTP01, listenaddr=addr)
         response, validation = achall.response_and_validation()
         resource = acme_standalone.HTTP01RequestHandler.HTTP01Resource(
             chall=achall.chall, response=response, validation=validation)
@@ -251,7 +254,8 @@ def _perform_http_01(self, achall):
 
     def _perform_tls_sni_01(self, achall):
         port = self.config.tls_sni_01_port
-        server = self.servers.run(port, challenges.TLSSNI01)
+        addr = self.config.tls_sni_01_address
+        server = self.servers.run(port, challenges.TLSSNI01, listenaddr=addr)
         response, (cert, _) = achall.response_and_validation(cert_key=self.key)
         self.certs[response.z_domain] = (self.key, cert)
         return server, response

diff --git a/certbot/renewal.py b/certbot/renewal.py
@@ -30,7 +30,8 @@
 STR_CONFIG_ITEMS = ["config_dir", "logs_dir", "work_dir", "user_agent",
                     "server", "account", "authenticator", "installer",
                     "standalone_supported_challenges", "renew_hook",
-                    "pre_hook", "post_hook"]
+                    "pre_hook", "post_hook", "tls_sni_01_address",
+                    "http01_address"]
 INT_CONFIG_ITEMS = ["rsa_key_size", "tls_sni_01_port", "http01_port"]
 BOOL_CONFIG_ITEMS = ["must_staple", "allow_subset_of_names"]