From 3dfe23836ce5616664b2d208dd6f3dd724a5e11e Mon Sep 17 00:00:00 2001 From: Paul Mansfield Date: Mon, 29 Nov 2021 13:48:39 +0000 Subject: [PATCH 01/19] Add two new headers to proxy.conf Fixes #1609. Adding both X-Forwarded-Host and X-Forwarded-Port, this is vital for some services behind a proxy (used to allow creation of absolute links in html). I've had to include at least the Host version in the past for jenkins and nexus. Been running locally for 24 hours, does not appear to break any of my 15+ services currently running behind NPM would allow people to host those services without the need for advanced configuration --- docker/rootfs/etc/nginx/conf.d/include/proxy.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docker/rootfs/etc/nginx/conf.d/include/proxy.conf b/docker/rootfs/etc/nginx/conf.d/include/proxy.conf index fcaaf0038..e2cb451ef 100644 --- a/docker/rootfs/etc/nginx/conf.d/include/proxy.conf +++ b/docker/rootfs/etc/nginx/conf.d/include/proxy.conf @@ -2,6 +2,8 @@ add_header X-Served-By $host; proxy_set_header Host $host; proxy_set_header X-Forwarded-Scheme $scheme; proxy_set_header X-Forwarded-Proto $scheme; +proxy_set_header X-Forwarded-Host $host; +proxy_set_header X-Forwarded-Port $port; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Real-IP $remote_addr; proxy_pass $forward_scheme://$server:$port$request_uri; From bb422d4454c6890cf3e43f13e0796c60e8d4742e Mon Sep 17 00:00:00 2001 From: Tobias Kneidl Date: Wed, 22 Dec 2021 00:24:05 +0100 Subject: [PATCH 02/19] Update default.conf --- backend/templates/default.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/backend/templates/default.conf b/backend/templates/default.conf index 5196f2854..ec68530ca 100644 --- a/backend/templates/default.conf +++ b/backend/templates/default.conf @@ -7,9 +7,9 @@ server { listen 80 default; {% if ipv6 -%} - listen [::]:80; + listen [::]:80 default; {% else -%} - #listen [::]:80; + #listen [::]:80 default; {% endif %} server_name default-host.localhost; access_log /data/logs/default-host_access.log combined; From ac23c666599e24a6376a2117f14436f2fb86396d Mon Sep 17 00:00:00 2001 From: chaptergy Date: Thu, 23 Dec 2021 12:23:30 +0100 Subject: [PATCH 03/19] Fixes custom certificate upload modal --- frontend/js/app/nginx/certificates/form.js | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/frontend/js/app/nginx/certificates/form.js b/frontend/js/app/nginx/certificates/form.js index 56b31cf2a..a56c3f8e0 100644 --- a/frontend/js/app/nginx/certificates/form.js +++ b/frontend/js/app/nginx/certificates/form.js @@ -278,9 +278,11 @@ module.exports = Mn.View.extend({ this.ui.credentials_file_content.hide(); this.ui.loader_content.hide(); this.ui.le_error_info.hide(); - const domainNames = this.ui.domain_names[0].value.split(','); - if (!domainNames || domainNames.length === 0 || (domainNames.length === 1 && domainNames[0] === "")) { - this.ui.test_domains_button.prop('disabled', true); + if (this.ui.domain_names[0]) { + const domainNames = this.ui.domain_names[0].value.split(','); + if (!domainNames || domainNames.length === 0 || (domainNames.length === 1 && domainNames[0] === "")) { + this.ui.test_domains_button.prop('disabled', true); + } } }, From 5aae8cd0e3ab034309506c382270feadf8b21348 Mon Sep 17 00:00:00 2001 From: Jocelyn Le Sage Date: Sun, 26 Dec 2021 20:56:42 -0500 Subject: [PATCH 04/19] Fixed the access log path to match the HTTP one. This also fixes its handling by logrotate. --- docker/rootfs/etc/nginx/conf.d/default.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/rootfs/etc/nginx/conf.d/default.conf b/docker/rootfs/etc/nginx/conf.d/default.conf index 81d6ae488..37d316db5 100644 --- a/docker/rootfs/etc/nginx/conf.d/default.conf +++ b/docker/rootfs/etc/nginx/conf.d/default.conf @@ -30,7 +30,7 @@ server { set $port "443"; server_name localhost; - access_log /data/logs/fallback-access.log standard; + access_log /data/logs/fallback_access.log standard; error_log /dev/null crit; ssl_certificate /data/nginx/dummycert.pem; ssl_certificate_key /data/nginx/dummykey.pem; From 849bdcda7b8d5996c8751f158c3c2c38845e4428 Mon Sep 17 00:00:00 2001 From: Jocelyn Le Sage Date: Sun, 26 Dec 2021 21:49:55 -0500 Subject: [PATCH 05/19] Fixed generation of resolvers.conf. This fixes scenarios where `resolv.conf` generated by dhcpcd has a nameserver with `%interface` appended to its IPv6 address. For example, a line like this must be properly handled: nameserver fe80::7747:4aff:fe9a:8cb1%br0 --- docker/rootfs/etc/services.d/nginx/run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/rootfs/etc/services.d/nginx/run b/docker/rootfs/etc/services.d/nginx/run index fe6ea44b3..508b7d733 100755 --- a/docker/rootfs/etc/services.d/nginx/run +++ b/docker/rootfs/etc/services.d/nginx/run @@ -24,7 +24,7 @@ chown root /tmp/nginx # Dynamically generate resolvers file, if resolver is IPv6, enclose in `[]` # thanks @tfmm -echo resolver "$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf);" > /etc/nginx/conf.d/include/resolvers.conf +echo resolver "$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf);" > /etc/nginx/conf.d/include/resolvers.conf # Generate dummy self-signed certificate. if [ ! -f /data/nginx/dummycert.pem ] || [ ! -f /data/nginx/dummykey.pem ] From b78c7e1c53dc30bc9963b836dd0b8bc2f5676618 Mon Sep 17 00:00:00 2001 From: chaptergy Date: Sat, 20 Nov 2021 14:03:51 +0100 Subject: [PATCH 06/19] Fixes dnspod credentials template --- global/certbot-dns-plugins.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/global/certbot-dns-plugins.js b/global/certbot-dns-plugins.js index 398291352..c8be6c6ff 100644 --- a/global/certbot-dns-plugins.js +++ b/global/certbot-dns-plugins.js @@ -186,8 +186,8 @@ dns_dnsmadeeasy_secret_key = c9b5625f-9834-4ff8-baba-4ed5f32cae55`, package_name: 'certbot-dns-dnspod', version_requirement: '~=0.1.0', dependencies: '', - credentials: `dns_dnspod_email = "DNSPOD-API-REQUIRES-A-VALID-EMAIL" -dns_dnspod_api_token = "DNSPOD-API-TOKEN"`, + credentials: `dns_dnspod_api_id = 12345 +dns_dnspod_api_token = 1234567890abcdef1234567890abcdef`, full_plugin_name: 'dns-dnspod', }, //####################################################// From 2ac1026e4b2d4edf1f39dee3fb3bfed8585bfed1 Mon Sep 17 00:00:00 2001 From: Jamie Curnow Date: Wed, 22 Dec 2021 11:05:57 +1000 Subject: [PATCH 07/19] Hack for python binary in newer node images --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 3161a254f..a0f21e109 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -68,7 +68,7 @@ pipeline { -v "$(pwd)/global:/app/global" \\ -w /app \\ node:latest \\ - sh -c "yarn install && yarn eslint . && rm -rf node_modules" + sh -c "ln -s /usr/bin/python3 /usr/bin/python && yarn install && yarn eslint . && rm -rf node_modules" ''' echo 'Docker Build ...' From 5d106c40640224a176712cbba882146dbdc4680b Mon Sep 17 00:00:00 2001 From: Jamie Curnow Date: Wed, 22 Dec 2021 11:51:32 +1000 Subject: [PATCH 08/19] Bump version --- .version | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.version b/.version index d9d360128..b7b616779 100644 --- a/.version +++ b/.version @@ -1 +1 @@ -2.9.12 +2.9.13 diff --git a/README.md b/README.md index f8c07241d..7d03016a4 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@



- + From ab80fe13e9968f6adbdc1783f71d08098a9f926d Mon Sep 17 00:00:00 2001 From: chaptergy Date: Thu, 23 Dec 2021 12:23:30 +0100 Subject: [PATCH 09/19] Fixes custom certificate upload modal --- frontend/js/app/nginx/certificates/form.js | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/frontend/js/app/nginx/certificates/form.js b/frontend/js/app/nginx/certificates/form.js index 56b31cf2a..a56c3f8e0 100644 --- a/frontend/js/app/nginx/certificates/form.js +++ b/frontend/js/app/nginx/certificates/form.js @@ -278,9 +278,11 @@ module.exports = Mn.View.extend({ this.ui.credentials_file_content.hide(); this.ui.loader_content.hide(); this.ui.le_error_info.hide(); - const domainNames = this.ui.domain_names[0].value.split(','); - if (!domainNames || domainNames.length === 0 || (domainNames.length === 1 && domainNames[0] === "")) { - this.ui.test_domains_button.prop('disabled', true); + if (this.ui.domain_names[0]) { + const domainNames = this.ui.domain_names[0].value.split(','); + if (!domainNames || domainNames.length === 0 || (domainNames.length === 1 && domainNames[0] === "")) { + this.ui.test_domains_button.prop('disabled', true); + } } }, From 7800938fd2ffa9e7faa1c4d286d0f7fb0d3516ba Mon Sep 17 00:00:00 2001 From: Tobias Kneidl Date: Wed, 22 Dec 2021 00:24:05 +0100 Subject: [PATCH 10/19] Update default.conf --- backend/templates/default.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/backend/templates/default.conf b/backend/templates/default.conf index 5196f2854..ec68530ca 100644 --- a/backend/templates/default.conf +++ b/backend/templates/default.conf @@ -7,9 +7,9 @@ server { listen 80 default; {% if ipv6 -%} - listen [::]:80; + listen [::]:80 default; {% else -%} - #listen [::]:80; + #listen [::]:80 default; {% endif %} server_name default-host.localhost; access_log /data/logs/default-host_access.log combined; From 747de511d463e8dab13e2637597bcaf083a9f1ca Mon Sep 17 00:00:00 2001 From: chaptergy Date: Wed, 29 Dec 2021 09:54:59 +0100 Subject: [PATCH 11/19] Sets certbot official dns plugin version requirement to match certbot version --- global/certbot-dns-plugins.js | 126 +++++++++++++++++----------------- 1 file changed, 63 insertions(+), 63 deletions(-) diff --git a/global/certbot-dns-plugins.js b/global/certbot-dns-plugins.js index 398291352..1a32cbe4b 100644 --- a/global/certbot-dns-plugins.js +++ b/global/certbot-dns-plugins.js @@ -67,11 +67,11 @@ dns_azure_zone2 = example.org:/subscriptions/99800903-fb14-4992-9aff-12eaf274462 }, //####################################################// cloudflare: { - display_name: 'Cloudflare', - package_name: 'certbot-dns-cloudflare', - // version_requirement: '', // Official plugin, no version requirement - dependencies: 'cloudflare', - credentials: `# Cloudflare API token + display_name: 'Cloudflare', + package_name: 'certbot-dns-cloudflare', + version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version + dependencies: 'cloudflare', + credentials: `# Cloudflare API token dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567`, full_plugin_name: 'dns-cloudflare', }, @@ -93,11 +93,11 @@ dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567`, }, //####################################################// cloudxns: { - display_name: 'CloudXNS', - package_name: 'certbot-dns-cloudxns', - // version_requirement: '', // Official plugin, no version requirement - dependencies: '', - credentials: `dns_cloudxns_api_key = 1234567890abcdef1234567890abcdef + display_name: 'CloudXNS', + package_name: 'certbot-dns-cloudxns', + version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version + dependencies: '', + credentials: `dns_cloudxns_api_key = 1234567890abcdef1234567890abcdef dns_cloudxns_secret_key = 1122334455667788`, full_plugin_name: 'dns-cloudxns', }, @@ -143,12 +143,12 @@ dns_desec_endpoint = https://desec.io/api/v1/`, }, //####################################################// digitalocean: { - display_name: 'DigitalOcean', - package_name: 'certbot-dns-digitalocean', - // version_requirement: '', // Official plugin, no version requirement - dependencies: '', - credentials: 'dns_digitalocean_token = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff', - full_plugin_name: 'dns-digitalocean', + display_name: 'DigitalOcean', + package_name: 'certbot-dns-digitalocean', + version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version + dependencies: '', + credentials: 'dns_digitalocean_token = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff', + full_plugin_name: 'dns-digitalocean', }, //####################################################// directadmin: { @@ -163,20 +163,20 @@ directadmin_password = aSuperStrongPassword`, }, //####################################################// dnsimple: { - display_name: 'DNSimple', - package_name: 'certbot-dns-dnsimple', - // version_requirement: '', // Official plugin, no version requirement - dependencies: '', - credentials: 'dns_dnsimple_token = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw', - full_plugin_name: 'dns-dnsimple', + display_name: 'DNSimple', + package_name: 'certbot-dns-dnsimple', + version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version + dependencies: '', + credentials: 'dns_dnsimple_token = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw', + full_plugin_name: 'dns-dnsimple', }, //####################################################// dnsmadeeasy: { - display_name: 'DNS Made Easy', - package_name: 'certbot-dns-dnsmadeeasy', - // version_requirement: '', // Official plugin, no version requirement - dependencies: '', - credentials: `dns_dnsmadeeasy_api_key = 1c1a3c91-4770-4ce7-96f4-54c0eb0e457a + display_name: 'DNS Made Easy', + package_name: 'certbot-dns-dnsmadeeasy', + version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version + dependencies: '', + credentials: `dns_dnsmadeeasy_api_key = 1c1a3c91-4770-4ce7-96f4-54c0eb0e457a dns_dnsmadeeasy_secret_key = c9b5625f-9834-4ff8-baba-4ed5f32cae55`, full_plugin_name: 'dns-dnsmadeeasy', }, @@ -235,11 +235,11 @@ dns_godaddy_key = abcdef0123456789abcdef01234567abcdef0123`, }, //####################################################// google: { - display_name: 'Google', - package_name: 'certbot-dns-google', - // version_requirement: '', // Official plugin, no version requirement - dependencies: '', - credentials: `{ + display_name: 'Google', + package_name: 'certbot-dns-google', + version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version + dependencies: '', + credentials: `{ "type": "service_account", ... }`, @@ -319,11 +319,11 @@ dns_joker_domain = `, }, //####################################################// linode: { - display_name: 'Linode', - package_name: 'certbot-dns-linode', - // version_requirement: '', // Official plugin, no version requirement - dependencies: '', - credentials: `dns_linode_key = 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ64 + display_name: 'Linode', + package_name: 'certbot-dns-linode', + version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version + dependencies: '', + credentials: `dns_linode_key = 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ64 dns_linode_version = [|3|4]`, full_plugin_name: 'dns-linode', }, @@ -339,11 +339,11 @@ dns_loopia_password = abcdef0123456789abcdef01234567abcdef0123`, }, //####################################################// luadns: { - display_name: 'LuaDNS', - package_name: 'certbot-dns-luadns', - // version_requirement: '', // Official plugin, no version requirement - dependencies: '', - credentials: `dns_luadns_email = user@example.com + display_name: 'LuaDNS', + package_name: 'certbot-dns-luadns', + version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version + dependencies: '', + credentials: `dns_luadns_email = user@example.com dns_luadns_token = 0123456789abcdef0123456789abcdef`, full_plugin_name: 'dns-luadns', }, @@ -369,12 +369,12 @@ dns_netcup_api_password = abcdef0123456789abcdef01234567abcdef0123`, }, //####################################################// nsone: { - display_name: 'NS1', - package_name: 'certbot-dns-nsone', - // version_requirement: '', // Official plugin, no version requirement - dependencies: '', - credentials: 'dns_nsone_api_key = MDAwMDAwMDAwMDAwMDAw', - full_plugin_name: 'dns-nsone', + display_name: 'NS1', + package_name: 'certbot-dns-nsone', + version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version + dependencies: '', + credentials: 'dns_nsone_api_key = MDAwMDAwMDAwMDAwMDAw', + full_plugin_name: 'dns-nsone', }, //####################################################// oci: { @@ -392,11 +392,11 @@ key_file = ~/.oci/oci_api_key.pem`, }, //####################################################// ovh: { - display_name: 'OVH', - package_name: 'certbot-dns-ovh', - // version_requirement: '', // Official plugin, no version requirement - dependencies: '', - credentials: `dns_ovh_endpoint = ovh-eu + display_name: 'OVH', + package_name: 'certbot-dns-ovh', + version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version + dependencies: '', + credentials: `dns_ovh_endpoint = ovh-eu dns_ovh_application_key = MDAwMDAwMDAwMDAw dns_ovh_application_secret = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw dns_ovh_consumer_key = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw`, @@ -434,11 +434,11 @@ certbot_regru:dns_password=password`, }, //####################################################// rfc2136: { - display_name: 'RFC 2136', - package_name: 'certbot-dns-rfc2136', - // version_requirement: '', // Official plugin, no version requirement - dependencies: '', - credentials: `# Target DNS server + display_name: 'RFC 2136', + package_name: 'certbot-dns-rfc2136', + version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version + dependencies: '', + credentials: `# Target DNS server dns_rfc2136_server = 192.0.2.1 # Target DNS port dns_rfc2136_port = 53 @@ -452,11 +452,11 @@ dns_rfc2136_algorithm = HMAC-SHA512`, }, //####################################################// route53: { - display_name: 'Route 53 (Amazon)', - package_name: 'certbot-dns-route53', - // version_requirement: '', // Official plugin, no version requirement - dependencies: '', - credentials: `[default] + display_name: 'Route 53 (Amazon)', + package_name: 'certbot-dns-route53', + version_requirement: '==$(certbot --version | grep -Eo \'[0-9](\\.[0-9]+)+\')', // official plugin, use certbot version + dependencies: '', + credentials: `[default] aws_access_key_id=AKIAIOSFODNN7EXAMPLE aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`, full_plugin_name: 'dns-route53', From 5a8028a72d55324e7fc2b6eb9a9c72cb51fb3813 Mon Sep 17 00:00:00 2001 From: chaptergy Date: Wed, 29 Dec 2021 11:35:59 +0100 Subject: [PATCH 12/19] Adds FAQ entry for acl plus login --- docs/faq/README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/faq/README.md b/docs/faq/README.md index 1703e7055..cf739ead1 100644 --- a/docs/faq/README.md +++ b/docs/faq/README.md @@ -21,3 +21,6 @@ Your best bet is to ask the [Reddit community for support](https://www.reddit.co Gitter is best left for anyone contributing to the project to ask for help about internals, code reviews etc. +## When adding username and password access control to a proxy host, I can no longer login into the app. + +Having an Access Control List (ACL) with username and password requires the browser to always send this username and password in the `Authorization` header on each request. If your proxied app also requires authentication (like Nginx Proxy Manager itself), most likely the app will also use the `Authorization` header to transmit this information, as this is the standardized header meant for this kind of information. However having multiples of the same headers is not allowed in the [internet standard](https://www.rfc-editor.org/rfc/rfc7230#section-3.2.2) and almost all apps do not support multiple values in the `Authorization` header. Hence one of the two logins will be broken. This can only be fixed by either removing one of the logins or by changing the app to use other non-standard headers for authorization. \ No newline at end of file From 9dd56441833c9de6e419cf74fff77820ae0f5f03 Mon Sep 17 00:00:00 2001 From: chaptergy Date: Wed, 29 Dec 2021 16:30:49 +0100 Subject: [PATCH 13/19] Correctly escape backslashes in dns plugin credentials --- backend/internal/certificate.js | 6 ++++-- backend/setup.js | 4 +++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/backend/internal/certificate.js b/backend/internal/certificate.js index 55f55d080..ece3a3c8b 100644 --- a/backend/internal/certificate.js +++ b/backend/internal/certificate.js @@ -870,8 +870,10 @@ const internalCertificate = { logger.info(`Requesting Let'sEncrypt certificates via ${dns_plugin.display_name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`); const credentialsLocation = '/etc/letsencrypt/credentials/credentials-' + certificate.id; - const credentialsCmd = 'mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo \'' + certificate.meta.dns_provider_credentials.replace('\'', '\\\'') + '\' > \'' + credentialsLocation + '\' && chmod 600 \'' + credentialsLocation + '\''; - const prepareCmd = 'pip install ' + dns_plugin.package_name + (dns_plugin.version_requirement || '') + ' ' + dns_plugin.dependencies; + // Escape single quotes and backslashes + const escapedCredentials = certificate.meta.dns_provider_credentials.replaceAll('\'', '\\\'').replaceAll('\\', '\\\\'); + const credentialsCmd = 'mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo \'' + escapedCredentials + '\' > \'' + credentialsLocation + '\' && chmod 600 \'' + credentialsLocation + '\''; + const prepareCmd = 'pip install ' + dns_plugin.package_name + (dns_plugin.version_requirement || '') + ' ' + dns_plugin.dependencies; // Whether the plugin has a ---credentials argument const hasConfigArg = certificate.meta.dns_provider !== 'route53'; diff --git a/backend/setup.js b/backend/setup.js index 41436c8f4..47fd1e7b0 100644 --- a/backend/setup.js +++ b/backend/setup.js @@ -181,7 +181,9 @@ const setupCertbotPlugins = () => { // Make sure credentials file exists const credentials_loc = '/etc/letsencrypt/credentials/credentials-' + certificate.id; - const credentials_cmd = '[ -f \'' + credentials_loc + '\' ] || { mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo \'' + certificate.meta.dns_provider_credentials.replace('\'', '\\\'') + '\' > \'' + credentials_loc + '\' && chmod 600 \'' + credentials_loc + '\'; }'; + // Escape single quotes and backslashes + const escapedCredentials = certificate.meta.dns_provider_credentials.replaceAll('\'', '\\\'').replaceAll('\\', '\\\\'); + const credentials_cmd = '[ -f \'' + credentials_loc + '\' ] || { mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo \'' + escapedCredentials + '\' > \'' + credentials_loc + '\' && chmod 600 \'' + credentials_loc + '\'; }'; promises.push(utils.exec(credentials_cmd)); } }); From 7e67f337667027f88e0c3c4cf7703fbe2acfb338 Mon Sep 17 00:00:00 2001 From: Larify Date: Thu, 30 Dec 2021 11:50:21 +0800 Subject: [PATCH 14/19] fetch cloudflare ipv4/ipv6 fail #1405 --- backend/internal/ip_ranges.js | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/backend/internal/ip_ranges.js b/backend/internal/ip_ranges.js index edf5c3a01..40e63ea40 100644 --- a/backend/internal/ip_ranges.js +++ b/backend/internal/ip_ranges.js @@ -9,6 +9,9 @@ const CLOUDFRONT_URL = 'https://ip-ranges.amazonaws.com/ip-ranges.json'; const CLOUDFARE_V4_URL = 'https://www.cloudflare.com/ips-v4'; const CLOUDFARE_V6_URL = 'https://www.cloudflare.com/ips-v6'; +const regIpV4 = /^(\d+\.?){4}\/\d+/; +const regIpV6 = /^(([\da-fA-F]+)?:)+\/\d+/; + const internalIpRanges = { interval_timeout: 1000 * 60 * 60 * 6, // 6 hours @@ -74,14 +77,14 @@ const internalIpRanges = { return internalIpRanges.fetchUrl(CLOUDFARE_V4_URL); }) .then((cloudfare_data) => { - let items = cloudfare_data.split('\n'); + let items = cloudfare_data.split('\n').filter((line) => regIpV4.test(line)); ip_ranges = [... ip_ranges, ... items]; }) .then(() => { return internalIpRanges.fetchUrl(CLOUDFARE_V6_URL); }) .then((cloudfare_data) => { - let items = cloudfare_data.split('\n'); + let items = cloudfare_data.split('\n').filter((line) => regIpV6.test(line)); ip_ranges = [... ip_ranges, ... items]; }) .then(() => { From c803ec7e26101804ecd4d23a0a318c0648fd6ad7 Mon Sep 17 00:00:00 2001 From: chaptergy Date: Thu, 30 Dec 2021 13:21:21 +0100 Subject: [PATCH 15/19] Adds delay after reloading nginx before requesting ssl certificate using http challenge --- backend/internal/certificate.js | 1 + 1 file changed, 1 insertion(+) diff --git a/backend/internal/certificate.js b/backend/internal/certificate.js index 55f55d080..0c24c5ce5 100644 --- a/backend/internal/certificate.js +++ b/backend/internal/certificate.js @@ -171,6 +171,7 @@ const internalCertificate = { // 3. Generate the LE config return internalNginx.generateLetsEncryptRequestConfig(certificate) .then(internalNginx.reload) + .then(async() => await new Promise((r) => setTimeout(r, 5000))) .then(() => { // 4. Request cert return internalCertificate.requestLetsEncryptSsl(certificate); From 4e17fb476ba5676a9ffeb236115c998899c1702d Mon Sep 17 00:00:00 2001 From: chaptergy Date: Sat, 1 Jan 2022 17:57:17 +0100 Subject: [PATCH 16/19] Adds tencent cloud as dns challenge provider --- global/certbot-dns-plugins.js | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/global/certbot-dns-plugins.js b/global/certbot-dns-plugins.js index 398291352..eb9562bb9 100644 --- a/global/certbot-dns-plugins.js +++ b/global/certbot-dns-plugins.js @@ -472,6 +472,16 @@ dns_transip_key_file = /etc/letsencrypt/transip-rsa.key`, full_plugin_name: 'dns-transip', }, //####################################################// + tencentcloud: { + display_name: 'Tencent Cloud', + package_name: 'certbot-dns-tencentcloud', + version_requirement: '~=2.0.0', + dependencies: '', + credentials: `dns_tencentcloud_secret_id = TENCENT_CLOUD_SECRET_ID +dns_tencentcloud_secret_key = TENCENT_CLOUD_SECRET_KEY`, + full_plugin_name: 'dns-tencentcloud', + }, + //####################################################// vultr: { display_name: 'Vultr', package_name: 'certbot-dns-vultr', From e81cc45405f88131b49d6b88c567c7785e2c8fb4 Mon Sep 17 00:00:00 2001 From: chaptergy Date: Sun, 2 Jan 2022 11:49:18 +0100 Subject: [PATCH 17/19] Updates dnspod challenge credentials --- global/certbot-dns-plugins.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/global/certbot-dns-plugins.js b/global/certbot-dns-plugins.js index c8be6c6ff..cd7f0387f 100644 --- a/global/certbot-dns-plugins.js +++ b/global/certbot-dns-plugins.js @@ -186,8 +186,8 @@ dns_dnsmadeeasy_secret_key = c9b5625f-9834-4ff8-baba-4ed5f32cae55`, package_name: 'certbot-dns-dnspod', version_requirement: '~=0.1.0', dependencies: '', - credentials: `dns_dnspod_api_id = 12345 -dns_dnspod_api_token = 1234567890abcdef1234567890abcdef`, + credentials: `dns_dnspod_email = "email@example.com" +dns_dnspod_api_token = "id,key"`, full_plugin_name: 'dns-dnspod', }, //####################################################// From 1ec95096d5b8953818c720582ab2e589575cc718 Mon Sep 17 00:00:00 2001 From: Jamie Curnow Date: Sun, 2 Jan 2022 21:24:16 +1000 Subject: [PATCH 18/19] Ensure backend build is pulling node:latest first --- Jenkinsfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Jenkinsfile b/Jenkinsfile index a0f21e109..860c88d0e 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -62,6 +62,7 @@ pipeline { stage('Backend') { steps { echo 'Checking Syntax ...' + sh 'docker pull node:latest' // See: https://github.com/yarnpkg/yarn/issues/3254 sh '''docker run --rm \\ -v "$(pwd)/backend:/app" \\ From 973a10a9d1d97b96d094a57cbba13c213d0975c2 Mon Sep 17 00:00:00 2001 From: Jamie Curnow Date: Sun, 2 Jan 2022 21:33:16 +1000 Subject: [PATCH 19/19] Bump version --- .version | 2 +- README.md | 34 +++++++++++++++++++++++++++------- 2 files changed, 28 insertions(+), 8 deletions(-) diff --git a/.version b/.version index b7b616779..2e12e4762 100644 --- a/.version +++ b/.version @@ -1 +1 @@ -2.9.13 +2.9.14 diff --git a/README.md b/README.md index 7d03016a4..64c7c7ab6 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@



- + @@ -110,9 +110,9 @@ Special thanks to the following contributors: + + + + +
- - -
Sebastian Valle + + +
chaptergy 		@@ -242,9 +242,9 @@ Special thanks to the following contributors:
- - -
chaptergy + + +
Sebastian Valle 		@@ -491,6 +491,26 @@ Special thanks to the following contributors:
bergi9 		+ + +
luoweihua7 + + 		+ + +
Tobias Kneidl + +
+ + +
Pius Walter + +