Apache plugin wildcard support for ACMEv2 #5608
Conversation
joohoi
changed the title
| @@ -1377,7 +1478,18 @@ def enhance(self, domain, enhancement, options=None): | |||
| raise errors.PluginError( | |||
| "Unsupported enhancement: {0}".format(enhancement)) | |||
| try: | |||
| func(self.choose_vhost(domain), options) | |||
| if self.wildcard_domain(domain): | |||
There was a problem hiding this comment.
can we refactor this so there's less inside the try block?
| for vhost in deploy_vhosts: | ||
| self._deploy_cert(vhost, cert_path, key_path, | ||
| chain_path, fullchain_path) | ||
| if domain not in self.wildcard_vhosts.keys(): |
There was a problem hiding this comment.
don't think you need .keys() here
There was a problem hiding this comment.
also, why not do this inside choose_vhosts_wildcard?
| return fnmatch.fnmatch(name, domain) | ||
|
|
||
|
|
||
| def choose_vhosts_wildcard(self, domain, create_ssl=True): |
There was a problem hiding this comment.
this can probably be internal
| filtered_vhosts[name] = vhost | ||
| elif name not in filtered_vhosts.keys(): | ||
| # Add if not in list previously | ||
| filtered_vhosts[name] = vhost |
There was a problem hiding this comment.
what happens if there aren't any? do we want to create a new one?
There was a problem hiding this comment.
Yeah, we do create one when appending the vhosts to the final list in the method.
| vhost = self.choose_vhost(domain) | ||
| self._deploy_cert(vhost, cert_path, key_path, chain_path, fullchain_path) | ||
|
|
||
| def vhosts_for_wildcard(self, domain): |
| func(self.choose_vhost(domain), options) | ||
| if self.wildcard_domain(domain): | ||
| # Handle virtualhosts configured for a wildcard domain | ||
| if domain in self.wildcard_vhosts.keys(): |
There was a problem hiding this comment.
can this if (if domain in self.wildcard_vhosts:) go inside choose_vhosts_wildcard?
There was a problem hiding this comment.
oh yeah, if both this and the other thing go into the function, that cleans everything else up a bunch!
these are my thoughts as I do the nginx one, it may be clearer to look at the PR I put up for that (#5619)
|
What happens if apache is authenticator and it's given a wildcard domain? |
| @@ -152,6 +153,9 @@ def __init__(self, *args, **kwargs): | |||
| self.assoc = dict() | |||
| # Outstanding challenges | |||
| self._chall_out = set() | |||
| # List of vhosts configured per wildcard domain on this run. | |||
| # used by deploy_cert() and enhance() | |||
| self.wildcard_vhosts = dict() | |||
We had a short discussion about this yesterday, but Certbot should raise an exception when Apache plugin is connecting to ACME server that doesn't allow wildcard challenges over HTTP or TLS-SNI challenges. All the review comments should now be addressed, and this is ready for the next round. |
There was a problem hiding this comment.
This is great @joohoi.
Other than the minor inline comments, when testing this I created a bunch of vhosts but forgot to enable them and when I ran Certbot, it obtained the cert but Apache deploy_cert and enhance just quietly did nothing (because there were no matching vhosts). Took me a few to figure out what was going on.
Any reason not to do what we currently do for single vhosts? If there's no matching vhosts (either because one doesn't exist or the user doesn't select one), we error out telling them to create a vhost. This seems preferable to me.
certbot/tests/display/ops_test.py
Outdated
| @@ -300,7 +300,7 @@ def test_get_valid_domains(self): | |||
| from certbot.display.ops import get_valid_domains | |||
| all_valid = ["example.com", "second.example.com", | |||
| "also.example.com", "under_score.example.com", | |||
| "justtld", "*.wildcard.com"] | |||
| "justtld"] | |||
There was a problem hiding this comment.
Whoops. I think this was caused by me also making changes to this file in another PR, but we shouldn't remove the wildcard from the list of valid domains here.
There was a problem hiding this comment.
You are right. This was removed at the early phase of the development, and is now brought back.
| for vhost in vhosts: | ||
| self._deploy_cert(vhost, cert_path, key_path, chain_path, fullchain_path) | ||
|
|
||
| def choose_vhosts(self, domain, cached=False, create_if_no_ssl=True): |
There was a problem hiding this comment.
I don't care too much, but do we need the cached parameter? Do we ever expect there to be a case where both of the following are true:
- We have cached vhosts for a domain.
- We don't want to use them.
If this doesn't seem likely, maybe we can simplify things slightly and remove this parameter.
There was a problem hiding this comment.
This is correct, we shouldn't hit such scenario. This parameter is now removed.
| if not vhost.ssl and create_ssl: | ||
| return_vhosts.append(self.make_vhost_ssl(vhost)) | ||
| else: | ||
| return_vhosts.append(vhost) |
There was a problem hiding this comment.
Assuming the only use case for calling this function with create_ssl=False is for enhance, I get not wanting create an SSL copy in this case, but I'm not sure we should ever be returning HTTP vhosts from this function. Which of our enhancements make sense when you don't have an SSL vhost for a domain?
Instead, maybe if create_ssl is False, we should remove HTTP vhosts from dialog_input before asking for user input.
There was a problem hiding this comment.
This is a more sophisticated way to handle it, I changed the behavior accordingly. This also helps to reduce the static from the dialog in the first place.
| not in scope: domain = *.wild.card, name = 1.2.wild.card | ||
| """ | ||
| if len(name.split(".")) == len(domain.split(".")): | ||
| return fnmatch.fnmatch(name, domain) |
There was a problem hiding this comment.
This works for wildcards in ServerAlias directives too right? Very nice.
There was a problem hiding this comment.
Yeah, vhost.get_names() (which is basically what's fed to this method) returns all the names associated to the VirtualHost, both ServerNames and ServerAlias. Furthermore, I don't think wildcard names are allowed in the ServerName in the first place.
| if not vhosts: | ||
| return list() | ||
| tags_list = [vhost.display_repr() for vhost in vhosts] | ||
| while True: |
There was a problem hiding this comment.
The same can be said about the old select_vhosts function down below, but why do we need this loop? To me, it looks like it will only ever execute once.
There was a problem hiding this comment.
I presumed there being an undefined reason behind this, as select_vhost() function has the same behavior. It's been around since original implementation by James, introduced in 99fcb4f and now looking at the original commit, it looks like it was in place for a help selection that has since been removed. I cleaned this up from the select_vhost() too.
certbot-apache/certbot_apache/obj.py
Outdated
| "File: {filename}\n" | ||
| "Addresses: {addrs}\n" | ||
| "Names: {names}\n" | ||
| "HTTPS: {https}\n\n".format( |
There was a problem hiding this comment.
nit: The trailing empty line on the last entry looks a little awkward to me:
-------------------------------------------------------------------------------
1: File: /etc/apache2/sites-enabled/bmatch.conf
Addresses: *:80
Names: geqgeqoc.example.org
HTTPS: No
2: File: /etc/apache2/sites-enabled/amatch.conf
Addresses: *:80
Names: a.example.org
HTTPS: No
3: File: /etc/apache2/sites-enabled/wildcard.conf
Addresses: *:80
Names: abc.def.example.org, *.example.org
HTTPS: No
-------------------------------------------------------------------------------
Unless you prefer it that way, can we remove it?
The way I'd personally do this is not to include the 2nd newline in this function and have the function calling display_repr iterate over each representation adding a newline to the beginning/end of each one except for the first/last one.
There was a problem hiding this comment.
It looks a lot cleaner without the extra newline, I agree. Even though handling that requires a few more lines in the code. This is now implemented.
|
Looks good except I don't think my comment at #5608 (review) got addressed. To expand a little more on why I think it's important, Certbot will currently exit with a zero status and no warnings if there's no matching vhosts so it's not clear it didn't do what the user asked. While we may want to change the behavior around deploy/enhance if we fail for a domain in the future (what's being proposed is we continue execution so we work for subsequent domains), I don't think we should make any of those changes here as it requires some UI changes to make sure the domains we failed on is 100% clear and not hidden in the scrollback in the user's terminal. Currently if we fail on one, we exit with an error and rollback changes to all which is while arguably less useful, I think make things pretty clear to the user: your request to deploy/enhance the cert failed. |
Functional example for wildcard certificate support in Apache plugin.
In
deploy_cert()andenhance(), the user will be presented with a dialog to choose from the VirtualHosts that can be covered by the wildcard domain name. The (multiple) selection result will then be handled in a similar way that we previously handled a single VirtualHost that was returned by the_find_best_vhost().Additionally the selected VirtualHosts are added to a dictionary that maps selections to a wildcard domain to be reused in the later
enhance()call and not forcing the user to select the same VirtualHosts again.The code here should be almost completely compatible with Nginx plugin as well, so when we get this merged, we can bring the changes over to Nginx plugin also.