From 59c982b46d0e15b24045de5fb6a1b3977ba03cee Mon Sep 17 00:00:00 2001
From: Victor LABORIE
Date: Tue, 17 Jan 2017 14:54:31 +0100
Subject: [PATCH] evoacme : fix nginx challenge, check domain in make-csr
---
 evoacme/README.md | 23 ++++++++++++-----------
 evoacme/files/make-csr.sh | 24 ++++++++++++++++++++----
 evoacme/templates/nginx.conf.j2 | 1 +
 3 files changed, 33 insertions(+), 15 deletions(-)
diff --git a/evoacme/README.md b/evoacme/README.md
index 871b6e70..ac712ece 100644
--- a/evoacme/README.md
+++ b/evoacme/README.md
@@ -1,4 +1,4 @@
-# Evoacme 1.3
+# Evoacme 1.4
 EvoAcme is an [Ansible](https://www.ansible.com/) role and a [Certbot](https://certbot.eff.org) wrapper for generate [Let's Encrypt](https://letsencrypt.org/) certificates.
@@ -8,43 +8,44 @@ It is a project hosted at [Evolix's forge](https://forge.evolix.org/projects/ans
 1 - Create a playbook with evoacme role
-```
+~~~
 ---
 - hosts: hostname
 become: yes
 roles:
 - role: evoacme
-```
+~~~
 2 - Install evoacme prerequisite with ansible
-```
+~~~
 ansible-playbook playbook.yml -Kl hostname
-```
+~~~
 3 - Include letsencrypt.conf in your webserver
 For Apache, you just need to ensure that you don't overwrite "/.well-known/acme-challenge" Alias with a Redirect or Rewrite directive.
 For Nginx, you must include letsencrypt.conf in all wanted vhost :
-```
+
+~~~
 include /etc/nginx/letsencrypt.conf;
 nginx -t
 service nginx reload
-```
+~~~
 4 - Create a CSR for a vhost with make-csr
-```
+~~~
 # vhostname is vhostfile without .conf ext
 make-csr vhostname
-```
+~~~
 8 - Generate the certificate with evoacme
-```
+~~~
 evoacme vhostname
-```
+~~~
 # License
diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh
index 6174bd44..b15bb307 100755
--- a/evoacme/files/make-csr.sh
+++ b/evoacme/files/make-csr.sh
@@ -34,14 +34,30 @@ if [ -f /etc/apache2/sites-enabled/${vhost}.conf ]; then
 domains=`grep -oE "^( )*[^#]+" /etc/apache2/sites-enabled/${vhost}.conf|grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq`
 fi
-echo "Domain(s) for $vhost :"
+valid_domains=''
+srv_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+")
+
+echo "Valid Domain(s) for $vhost :"
 for domain in $domains
 do
-    # TODO : vérifier si domaine pointe sur localhost
-    echo "- $domain"
-    nb=$(( nb + 1 ))
+    real_ip=$(dig +short $domain|grep -oE "([0-9]+\.){3}[0-9]+")
+    for ip in "$srv_ip"; do
+        if [ "$ip" == "$real_ip" ]; then
+            valid_domains="$valid_domains $domain"
+            nb=$(( nb + 1 ))
+            echo "- $domain"
+        fi
+    done
 done
+if [ $nb -eq 0 ]; then
+    nb=`echo $domains|wc -l`
+    echo "No valid domains : $domains" >&2
+    exit 1
+else
+    domains=$valid_domains
+fi
+
 mkdir -p /etc/ssl/requests -m 755
 chown root: /etc/ssl/requests
diff --git a/evoacme/templates/nginx.conf.j2 b/evoacme/templates/nginx.conf.j2
index c3a13a3b..116941de 100644
--- a/evoacme/templates/nginx.conf.j2
+++ b/evoacme/templates/nginx.conf.j2
@@ -1,4 +1,5 @@
 location /.well-known/acme-challenge {
 alias {{ evoacme_acme_dir }}/.well-known/acme-challenge;
 try_files $uri =404;
+ allow all;
 }
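Review bot: `for ip in "$srv_ip"; do` runs exactly once over the whole newline-separated address list that the `ip a` pipeline produced, so on a host with more than one address `[ "$ip" == "$real_ip" ]` can never be true and every domain is rejected; the same equality also fails for a name with several A records, because `dig +short` then returns several lines. Drop the quotes and test membership instead, e.g. `for ip in $srv_ip; do` and `if printf '%s\n' "$real_ip" | grep -qxF -- "$ip"; then`, and add `break` after `echo "- $domain"` so a domain matching two local addresses is not counted and appended to `valid_domains` twice. The assignment of `nb` from `wc -l` right before `exit 1` is dead code and can go. Whether `nb` is initialised to 0 before this hunk is not visible here; `[ $nb -eq 0 ]` errors out if it is unset, and `==` inside `[ ]` is a bash extension where `=` is the portable form.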
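Review bot: `allow all;` only lifts `allow`/`deny` rules inherited from the enclosing `server` block; if a vhost protects itself with `auth_basic`, the challenge request still gets a 401 and validation fails. Adding `auth_basic off;` next to it covers that case, and a short comment such as `# HTTP-01 validation must be reachable unauthenticated from the ACME CA; override inherited access rules` records why the override is there. The `try_files $uri =404;` above keeps this location limited to files that exist under the alias directory, so the wider access does not expose anything beyond the challenge tokens.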