Requested changes

2026-05-28 04:34:11 -04:00 · 2017-10-31 16:28:52 +02:00 · 2017-10-31 16:28:52 +02:00 · 8b59032614
commit 8b59032614
parent c0a7600deb
3 changed files with 24 additions and 5 deletions
--- a/certbot-nginx/certbot_nginx/configurator.py
+++ b/certbot-nginx/certbot_nginx/configurator.py
@ -513,6 +513,8 @@ class NginxConfigurator(common.Installer):

        """
        ipv6info = self.ipv6_info(self.config.tls_sni_01_port)
+        ipv6_block = ['']
+        ipv4_block = ['']

        # If the vhost was implicitly listening on the default Nginx port,
        # have it continue to do so.
@ -520,22 +522,28 @@ class NginxConfigurator(common.Installer):
            listen_block = [['\n    ', 'listen', ' ', self.DEFAULT_LISTEN_PORT]]
            self.parser.add_server_directives(vhost, listen_block, replace=False)

-        ipv6_block = ['']
        if vhost.ipv6_enabled():
            ipv6_block = ['\n    ',
-                            'listen',
-                            ' ',
-                            '[::]:{0} ssl'.format(self.config.tls_sni_01_port)]
+                          'listen',
+                          ' ',
+                          '[::]:{0} ssl'.format(self.config.tls_sni_01_port)]
            if not ipv6info[1]:
                # ipv6only=on is absent in global config
                ipv6_block.append(' ')
                ipv6_block.append('ipv6only=on')

+        if vhost.ipv4_enabled():
+            ipv4_block = ['\n    ',
+                          'listen',
+                          ' ',
+                          '{0} ssl'.format(self.config.tls_sni_01_port)]
+
+
        snakeoil_cert, snakeoil_key = self._get_snakeoil_paths()

        ssl_block = ([
            ipv6_block,
-            ['\n    ', 'listen', ' ', '{0} ssl'.format(self.config.tls_sni_01_port)],
+            ipv4_block,
            ['\n    ', 'ssl_certificate', ' ', snakeoil_cert],
            ['\n    ', 'ssl_certificate_key', ' ', snakeoil_key],
            ['\n    ', 'include', ' ', self.mod_ssl_conf],
--- a/certbot-nginx/certbot_nginx/obj.py
+++ b/certbot-nginx/certbot_nginx/obj.py
@ -217,6 +217,13 @@ class VirtualHost(object):  # pylint: disable=too-few-public-methods
            if a.ipv6:
                return True

+    def ipv4_enabled(self):
+        """Return true if one or more of the listen directives in vhost are IPv4
+        only"""
+        for a in self.addrs:
+            if not a.ipv6:
+                return True
+
 def _find_directive(directives, directive_name):
    """Find a directive of type directive_name in directives
    """
--- a/certbot-nginx/certbot_nginx/tls_sni_01.py
+++ b/certbot-nginx/certbot_nginx/tls_sni_01.py
@ -69,6 +69,10 @@ class NginxTlsSni01(common.TLSSNI01):
                        ipv6_addr = ipv6_addr + " ipv6only=on"
                    addresses.append([obj.Addr.fromstring(default_addr),
                                      obj.Addr.fromstring(ipv6_addr)])
+                    logger.info(("Using default addresses %s and %s for " +
+                                 "TLSSNI01 authentication."),
+                                default_addr,
+                                ipv6_addr)
                else:
                    addresses.append([obj.Addr.fromstring(default_addr)])
                    logger.info("Using default address %s for TLSSNI01 authentication.",