Don't auto request certificate for localhost and IP-like domains
authorEvgeny Khramtsov <ekhramtsov@process-one.net>
Fri, 20 Sep 2019 10:03:25 +0000 (13:03 +0300)
committerEvgeny Khramtsov <ekhramtsov@process-one.net>
Fri, 20 Sep 2019 10:03:25 +0000 (13:03 +0300)
src/ejabberd_acme.erl

index bedf7b792af1e11d936eb929efb0ffbe1188b330..b9e7ce10e32d6ace7ded2dc0959610e1b9f10b9d 100644 (file)
@@ -565,7 +565,8 @@ request_on_start() ->
                _ ->
                    case lists:filter(
                           fun(Host) ->
-                                  not have_cert_for_domain(Host)
+                                  not (have_cert_for_domain(Host)
+                                       orelse is_ip_or_localhost(Host))
                           end, all_domains()) of
                        [] -> false;
                        Hosts ->
@@ -591,6 +592,15 @@ well_known() ->
 have_cert_for_domain(Host) ->
     ejabberd_pkix:get_certfile_no_default(Host) /= error.
 
+-spec is_ip_or_localhost(binary()) -> boolean().
+is_ip_or_localhost(Host) ->
+    Parts = binary:split(Host, <<".">>),
+    TLD = binary_to_list(lists:last(Parts)),
+    case inet:parse_address(TLD) of
+       {ok, _} -> true;
+       _ -> TLD == "localhost"
+    end.
+
 -spec have_acme_listener() -> boolean().
 have_acme_listener() ->
     lists:any(
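Review bot: In `is_ip_or_localhost/1`, `binary:split(Host, <<".">>)` is called without `[global]`, so it splits at the first dot only and `TLD` holds everything after the first label, not the last label. A name such as `a.b.localhost` therefore yields `"b.localhost"` and is not skipped, and a dotted IPv4 host is recognised only because `inet:parse_address/1` also accepts shortened IPv4 forms of the remainder. Parsing the whole host and splitting globally for the label check states the intent directly: `case inet:parse_address(binary_to_list(Host)) of` with the fallback clause `_ -> lists:last(binary:split(Host, <<".">>, [global])) == <<"localhost">>`. The function is complete within the hunk, and a one-line comment above it saying why these names are excluded from automatic requests (presumably because the ACME CA cannot validate them) would help the next reader.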