compare IPv6 addresses correctly with normalization (#1052)

This commit is contained in:
Jonathan Chun 2017-01-15 10:41:12 -05:00 committed by Joshua Tauberer
parent 41601a592f
commit 584cfe42c4
2 changed files with 13 additions and 7 deletions

View file

@ -4,7 +4,6 @@
import os, os.path, re, shutil import os, os.path, re, shutil
from utils import shell, safe_domain_name, sort_domains from utils import shell, safe_domain_name, sort_domains
import idna import idna
# SELECTING SSL CERTIFICATES FOR USE IN WEB # SELECTING SSL CERTIFICATES FOR USE IN WEB
@ -214,6 +213,7 @@ def get_certificates_to_provision(env, show_extended_problems=True, force_domain
# Filter out domains that we can't provision a certificate for. # Filter out domains that we can't provision a certificate for.
def can_provision_for_domain(domain): def can_provision_for_domain(domain):
from status_checks import normalize_ip
# Let's Encrypt doesn't yet support IDNA domains. # Let's Encrypt doesn't yet support IDNA domains.
# We store domains in IDNA (ASCII). To see if this domain is IDNA, # We store domains in IDNA (ASCII). To see if this domain is IDNA,
# we'll see if its IDNA-decoded form is different. # we'll see if its IDNA-decoded form is different.
@ -252,7 +252,7 @@ def get_certificates_to_provision(env, show_extended_problems=True, force_domain
return s return s
# END HOTFIX # END HOTFIX
if len(response) != 1 or rdata__str__(response[0]) != value: if len(response) != 1 or normalize_ip(rdata__str__(response[0])) != normalize_ip(value):
problems[domain] = "Domain control validation cannot be performed for this domain because DNS points the domain to another machine (%s %s)." % (rtype, ", ".join(rdata__str__(r) for r in response)) problems[domain] = "Domain control validation cannot be performed for this domain because DNS points the domain to another machine (%s %s)." % (rtype, ", ".join(rdata__str__(r) for r in response))
return False return False

16
management/status_checks.py Executable file → Normal file
View file

@ -393,7 +393,7 @@ def check_primary_hostname_dns(domain, env, output, dns_domains, dns_zonefiles):
# Check that PRIMARY_HOSTNAME resolves to PUBLIC_IP[V6] in public DNS. # Check that PRIMARY_HOSTNAME resolves to PUBLIC_IP[V6] in public DNS.
ipv6 = query_dns(domain, "AAAA") if env.get("PUBLIC_IPV6") else None ipv6 = query_dns(domain, "AAAA") if env.get("PUBLIC_IPV6") else None
if ip == env['PUBLIC_IP'] and ipv6 in (None, env['PUBLIC_IPV6']): if ip == env['PUBLIC_IP'] and normalize_ip(ipv6) in (None, normalize_ip(env['PUBLIC_IPV6'])):
output.print_ok("Domain resolves to box's IP address. [%s%s]" % (env['PRIMARY_HOSTNAME'], my_ips)) output.print_ok("Domain resolves to box's IP address. [%s%s]" % (env['PRIMARY_HOSTNAME'], my_ips))
else: else:
output.print_error("""This domain must resolve to your box's IP address (%s) in public DNS but it currently resolves output.print_error("""This domain must resolve to your box's IP address (%s) in public DNS but it currently resolves
@ -700,10 +700,11 @@ def query_dns(qname, rtype, nxdomain='[Not Set]', at=None):
# BEGIN HOTFIX # BEGIN HOTFIX
response_new = [] response_new = []
for r in response: for r in response:
if isinstance(r.to_text(), bytes): s = r.to_text()
response_new.append(r.to_text().decode('utf-8')) if isinstance(s, bytes):
else: s = s.decode('utf-8')
response_new.append(r) response_new.append(s)
response = response_new response = response_new
# END HOTFIX # END HOTFIX
@ -890,6 +891,11 @@ def run_and_output_changes(env, pool):
with open(cache_fn, "w") as f: with open(cache_fn, "w") as f:
json.dump(cur.buf, f, indent=True) json.dump(cur.buf, f, indent=True)
def normalize_ip(ip):
# Use ipaddress module to normalize the IPv6 notation and ensure we are matching IPv6 addresses written in different representations according to rfc5952.
import ipaddress
return str(ipaddress.ip_address(ip))
class FileOutput: class FileOutput:
def __init__(self, buf, width): def __init__(self, buf, width):
self.buf = buf self.buf = buf