diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 97a32113..dd2176ca 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -66,6 +66,9 @@ http {
 listen [::]:80{% if PROXY_PROTOCOL_80 %} proxy_protocol{% endif %};
 {% endif %}
 {% if TLS_FLAVOR in ['letsencrypt', 'mail-letsencrypt'] %}
+ location ^~ /.well-known/acme-challenge/testing {
+ return 204;
+ }
 location ^~ /.well-known/acme-challenge/ {
 proxy_pass http://127.0.0.1:8008;
 }
@@ -159,6 +162,9 @@ http {
 }
 {% if TLS_FLAVOR in ['letsencrypt', 'mail-letsencrypt'] %}
+ location ^~ /.well-known/acme-challenge/testing {
+ return 204;
+ }
 location ^~ /.well-known/acme-challenge/ {
 proxy_pass http://127.0.0.1:8008;
 }
diff --git a/core/nginx/letsencrypt.py b/core/nginx/letsencrypt.py
index a8abbee7..8428cd66 100755
--- a/core/nginx/letsencrypt.py
+++ b/core/nginx/letsencrypt.py
@@ -6,8 +6,6 @@ import requests
 import sys
 import subprocess
 import time
-from threading import Thread
-from http.server import HTTPServer, SimpleHTTPRequestHandler
 log.basicConfig(stream=sys.stderr, level="WARNING")
 hostnames = ','.join(set(host.strip() for host in os.environ['HOSTNAMES'].split(',')))
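Review bot: `location ^~ /.well-known/acme-challenge/testing` is a prefix match, so any challenge whose token happens to start with `testing` (or a request for `/testing-anything`) is answered with an empty 204 by nginx instead of being proxied to certbot on 127.0.0.1:8008. The probe in letsencrypt.py requests exactly `/.well-known/acme-challenge/testing`, so the exact-match form is the precise one: `location = /.well-known/acme-challenge/testing { return 204; }`. An exact-match location also wins over the `^~` prefix block below regardless of ordering. The identical three lines added to the second server block in this file would want the same change.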
@@ -45,33 +43,20 @@ command2 = [
 # Wait for nginx to start
 time.sleep(5)
-class MyRequestHandler(SimpleHTTPRequestHandler):
- def do_GET(self):
- if self.path == '/.well-known/acme-challenge/testing':
- self.send_response(204)
- else:
- self.send_response(404)
- self.send_header('Content-Type', 'text/plain')
- self.end_headers()
-
-def serve_one_request():
- with HTTPServer(("127.0.0.1", 8008), MyRequestHandler) as server:
- server.handle_request()
-
 # Run certbot every day
 while True:
 while True:
 hostname = os.environ['HOSTNAMES'].split(',')[0]
 target = f'http://{hostname}/.well-known/acme-challenge/testing'
- thread = Thread(target=serve_one_request)
- thread.start()
- r = requests.get(target)
- if r.status_code != 204:
- log.critical(f"Can't reach {target}!, please ensure it's fixed or change the TLS_FLAVOR.")
- time.sleep(5)
- else:
- break
- thread.join()
+ try:
+ r = requests.get(target)
+ if r.status_code != 204:
+ log.critical(f"Can't reach {target}!, please ensure it's fixed or change the TLS_FLAVOR.")
+ time.sleep(5)
+ else:
+ break
+ except Exception as e:
+ log.error(f"Exception while fetching {target}!", exc_info = e)
 subprocess.call(command)
 subprocess.call(command2)
diff --git a/towncrier/newsfragments/3402.bugfix b/towncrier/newsfragments/3402.bugfix
new file mode 100644
index 00000000..21ddd2ee
--- /dev/null
+++ b/towncrier/newsfragments/3402.bugfix
@@ -0,0 +1 @@
+Fix a potential problem with SO_REUSEADDR that may prevent admin from starting up
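Review bot: The new `except Exception as e:` branch logs and then falls straight back into the inner `while True:` with no delay — unlike the non-204 branch, which sleeps 5 seconds — so a refused connection or DNS failure for `hostname` becomes a tight loop that hammers the host and floods the log. Add the same back-off after the log call, `time.sleep(5)`, so both failure paths retry at the same rate. `requests.get(target)` also carries no `timeout=`; a host that accepts the TCP connection but never answers blocks the renewal loop indefinitely, and `requests.get(target, timeout=10)` would make the exception path reachable in that case. The outer `while True:` loop continues past the end of this hunk.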