set proper permissions on ACME well-known dir/files

arkOScloud · Oct 14, 2016 · f1695e7 · f1695e7
1 parent 19bd7a3
commit f1695e7
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/arkos/certificates.py b/arkos/certificates.py
@@ -21,7 +21,7 @@
 
 from arkos import config, signals, storage, websites, applications, logger
 from arkos.messages import Notification, NotificationThread
-from arkos.system import groups
+from arkos.system import users, groups
 from arkos.utilities import errors, shell
 
 
@@ -538,12 +538,15 @@ def _request_acme_certificate(domain, webroot, nthread):
             continue
         except leclient.NeedToTakeAction as e:
             if not has_written_files:
+                uid = users.get_system("http").uid
                 if not os.path.exists(webroot):
                     os.makedirs(webroot)
+                os.chown(webroot, uid)
                 for x in e.actions:
                     fn = os.path.join(webroot, x.file_name)
                     with open(fn, 'w') as f:
                         f.write(x.contents)
+                    os.chown(fn, uid)
                 has_written_files = True
                 continue
             else:
@@ -555,7 +558,7 @@ def _request_acme_certificate(domain, webroot, nthread):
         except leclient.WaitABit as e:
             while e.until_when > datetime.datetime.now():
                 until = e.until_when - datetime.datetime.now()
-                until_secs = int(round(until.total_seconds()))
+                until_secs = int(round(until.total_seconds())) + 1
                 if until_secs > 300:
                     raise errors.InvalidConfigError(
                         "Requesting a certificate failed - LE rate limiting "

diff --git a/arkos/websites.py b/arkos/websites.py
@@ -342,6 +342,7 @@ def ssl_enable(self):
     def add_acme_challenge(self):
         challenge_path = os.path.join(self.path, ".well-known/acme-challenge/")
         confpath = os.path.join("/etc/nginx/sites-available/", self.id)
+        uid = users.get_system("http").uid
         block = nginx.loadf(confpath)
         server = block.server
         locations = server.filter("Location", "/.well-known/acme-challenge/")
@@ -356,6 +357,9 @@ def add_acme_challenge(self):
         nginx.dumpf(block, confpath)
         if not os.path.exists(challenge_path):
             os.makedirs(challenge_path)
+        os.chown(self.path, uid)
+        os.chown(os.path.join(self.path, ".well_known"), uid)
+        os.chown(challenge_path, uid)
         nginx_reload()
         return challenge_path
 
@@ -1048,11 +1052,15 @@ def create_acme_dummy(domain):
     )
     origin = os.path.join("/etc/nginx/sites-available", "acme-"+domain)
     target = os.path.join("/etc/nginx/sites-enabled", "acme-"+domain)
+    uid = users.get_system("http").uid
     nginx.dumpf(conf, origin)
     if not os.path.exists(target):
         os.symlink(origin, target)
     if not os.path.exists(challenge_dir):
         os.makedirs(challenge_dir)
+    os.chown(site_dir, uid)
+    os.chown(os.path.join(site_dir, ".well_known"), uid)
+    os.chown(challenge_dir, uid)
     tracked_services.register(
         "acme", domain, domain + "(ACME Validation)", "globe", [('tcp', 80)],
         2