Don't allow user supplied mod_ssl conf destination (fixes #451).

letsencrypt_apache/configurator.py

@@ -87,8 +87,6 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator):
     def add_parser_arguments(cls, add):
         add("server-root", default=constants.CLI_DEFAULTS["server_root"],
             help="Apache server root directory.")
-        add("mod-ssl-conf", default=constants.CLI_DEFAULTS["mod_ssl_conf"],
-            help="Contains standard Apache SSL directives.")
         add("ctl", default=constants.CLI_DEFAULTS["ctl"],
             help="Path to the 'apache2ctl' binary, used for 'configtest' and "
                  "retrieving Apache2 version number.")
@@ -126,10 +124,14 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator):
         self.vhosts = None
         self._enhance_func = {"redirect": self._enable_redirect}
 
+    @property
+    def mod_ssl_conf(self):
+        return os.path.join(self.config.config_dir, constants.MOD_SSL_CONF_DEST)
+
     def prepare(self):
         """Prepare the authenticator/installer."""
         self.parser = parser.ApacheParser(
-            self.aug, self.conf('server-root'), self.conf('mod-ssl-conf'))
+            self.aug, self.conf('server-root'), self.mod_ssl_conf)
         # Check for errors in parsing files with Augeas
         self.check_parsing_errors("httpd.aug")
 
@@ -147,7 +149,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator):
         #     on initialization
         self._prepare_server_https()
 
-        temp_install(self.conf('mod-ssl-conf'))
+        temp_install(self.mod_ssl_conf)
 
     def deploy_cert(self, domain, cert_path, key_path, chain_path=None):
         """Deploys certificate to specified virtual host.
@@ -1171,4 +1173,4 @@ def temp_install(options_ssl):
 
     # Check to make sure options-ssl.conf is installed
     if not os.path.isfile(options_ssl):
-        shutil.copyfile(constants.MOD_SSL_CONF, options_ssl)
+        shutil.copyfile(constants.MOD_SSL_CONF_SRC, options_ssl)

letsencrypt_apache/constants.py

@@ -4,7 +4,6 @@ import pkg_resources
 
 CLI_DEFAULTS = dict(
     server_root="/etc/apache2",
-    mod_ssl_conf="/etc/letsencrypt/options-ssl.conf",
     ctl="apache2ctl",
     enmod="a2enmod",
     init_script="/etc/init.d/apache2",
@@ -12,8 +11,10 @@ CLI_DEFAULTS = dict(
 )
 """CLI defaults."""
 
+MOD_SSL_CONF_DEST = "options-ssl-apache.conf"
+"""Name of the mod_ssl config file as saved in `IConfig.config_dir`."""
 
-MOD_SSL_CONF = pkg_resources.resource_filename(
+MOD_SSL_CONF_SRC = pkg_resources.resource_filename(
     "letsencrypt_apache", "options-ssl.conf")
 """Path to the Apache mod_ssl config file found in the Let's Encrypt
 distribution."""

letsencrypt_apache/tests/util.py

@@ -74,7 +74,6 @@ def get_apache_configurator(
         config = configurator.ApacheConfigurator(
             config=mock.MagicMock(
                 apache_server_root=config_path,
-                apache_mod_ssl_conf=ssl_options,
                 apache_le_vhost_ext=constants.CLI_DEFAULTS["le_vhost_ext"],
                 config_dir=config_dir,
                 work_dir=work_dir),

letsencrypt_nginx/configurator.py

@@ -56,8 +56,6 @@ class NginxConfigurator(common.Plugin):
     def add_parser_arguments(cls, add):
         add("server-root", default=constants.CLI_DEFAULTS["server_root"],
             help="Nginx server root directory.")
-        add("mod-ssl-conf", default=constants.CLI_DEFAULTS["mod_ssl_conf"],
-            help="Contains standard nginx SSL directives.")
         add("ctl", default=constants.CLI_DEFAULTS["ctl"], help="Path to the "
             "'nginx' binary, used for 'configtest' and retrieving nginx "
             "version number.")
@@ -91,18 +89,21 @@ class NginxConfigurator(common.Plugin):
         self.reverter = reverter.Reverter(self.config)
         self.reverter.recovery_routine()
 
+    @property
+    def mod_ssl_conf(self):
+        return os.path.join(self.config.config_dir, constants.MOD_SSL_CONF_DEST)
+
     # This is called in determine_authenticator and determine_installer
     def prepare(self):
         """Prepare the authenticator/installer."""
         self.parser = parser.NginxParser(
-            self.conf('server-root'),
-            self.conf('mod-ssl-conf'))
+            self.conf('server-root'), self.mod_ssl_conf)
 
         # Set Version
         if self.version is None:
             self.version = self.get_version()
 
-        temp_install(self.conf('mod-ssl-conf'))
+        temp_install(self.mod_ssl_conf)
 
     # Entry point in main.py for installing cert
     def deploy_cert(self, domain, cert_path, key_path, chain_path=None):
@@ -592,4 +593,4 @@ def temp_install(options_ssl):
 
     # Check to make sure options-ssl.conf is installed
     if not os.path.isfile(options_ssl):
-        shutil.copyfile(constants.MOD_SSL_CONF, options_ssl)
+        shutil.copyfile(constants.MOD_SSL_CONF_SRC, options_ssl)

letsencrypt_nginx/constants.py

@@ -4,13 +4,15 @@ import pkg_resources
 
 CLI_DEFAULTS = dict(
     server_root="/etc/nginx",
-    mod_ssl_conf="/etc/letsencrypt/options-ssl-nginx.conf",
     ctl="nginx",
 )
 """CLI defaults."""
 
 
-MOD_SSL_CONF = pkg_resources.resource_filename(
+MOD_SSL_CONF_DEST = "options-ssl-nginx.conf"
+"""Name of the mod_ssl config file as saved in `IConfig.config_dir`."""
+
+MOD_SSL_CONF_SRC = pkg_resources.resource_filename(
     "letsencrypt_nginx", "options-ssl.conf")
-"""Path to the Nginx mod_ssl config file found in the Let's Encrypt
+"""Path to the nginx mod_ssl config file found in the Let's Encrypt
 distribution."""

letsencrypt_nginx/tests/util.py

@@ -44,9 +44,8 @@ def get_nginx_configurator(
     backups = os.path.join(work_dir, "backups")
 
     config = configurator.NginxConfigurator(
-        config=mock.MagicMock(
-            nginx_server_root=config_path, nginx_mod_ssl_conf=ssl_options,
-            config_dir=config_dir, work_dir=work_dir),
+        config=mock.MagicMock(nginx_server_root=config_path,
+                              config_dir=config_dir, work_dir=work_dir),
         name="nginx",
         version=version)
     config.prepare()