don't try to get certs for IDNA domains and report all reasons for not fetching a certificate

fixes #646

management/ssl_certificates.py

@@ -5,6 +5,8 @@ import os, os.path, re, shutil
 
 from utils import shell, safe_domain_name, sort_domains
 
+import idna
+
 # SELECTING SSL CERTIFICATES FOR USE IN WEB
 
 def get_ssl_certificates(env):
@@ -155,7 +157,7 @@ def get_domain_ssl_files(domain, ssl_certificates, env, allow_missing_cert=False
 # PROVISIONING CERTIFICATES FROM LETSENCRYPT
 
 def get_certificates_to_provision(env):
-	# Get a list of domain names that we should now provision certificates
+	# Get a set of domain names that we should now provision certificates
 	# for. Provision if a domain name has no valid certificate or if any
 	# certificate is expiring in 14 days. If provisioning anything, also
 	# provision certificates expiring within 30 days. The period between
@@ -171,11 +173,13 @@ def get_certificates_to_provision(env):
 	certs = get_ssl_certificates(env)
 	domains = set()
 	domains_if_any = set()
+	problems = { }
 	for domain in get_web_domains(env):
 		try:
 			cert = get_domain_ssl_files(domain, certs, env, allow_missing_cert=True)
-		except FileNotFoundError:
+		except FileNotFoundError as e:
 			# system certificate is not present
+			problems[domain] = "Error: " + str(e)
 			continue
 		if cert is None:
 			# No valid certificate available.
@@ -192,37 +196,49 @@ def get_certificates_to_provision(env):
 			elif cert.not_valid_after-now < datetime.timedelta(days=30):
 				domains_if_any.add(domain)
 
-	# Filter out domains that don't have correct DNS, because then the CA
+			# It's valid.
-	# won't be able to do DNS validation.
+			problems[domain] = "The certificate is valid for at least another 30 days --- no need to replace."
-	def is_domain_dns_correct(domain):
+
-		# Must make qname absolute to prevent a fall-back lookup with a
+	# Filter out domains that we can't provision a certificate for.
-		# search domain appended.
+	def can_provision_for_domain(domain):
-		import dns.resolver
+		# Let's Encrypt doesn't yet support IDNA domains.
-		try:
+		# We store domains in IDNA (ASCII). To see if this domain is IDNA,
-			response = dns.resolver.query(domain + ".", "A")
+		# we'll see if its IDNA-decoded form is different.
-		except:
+		if idna.decode(domain.encode("ascii")) != domain:
+			problems[domain] = "Let's Encrypt does not yet support provisioning certificates for internationalized domains."
 			return False
-		return len(response) == 1 and str(response[0]) == env["PUBLIC_IP"]
+
-	domains = set(d for d in domains if is_domain_dns_correct(d))
+		# Does the domain resolve to this machine in public DNS? If not,
-	domains_if_any = set(d for d in domains_if_any if is_domain_dns_correct(d))
+		# we can't do domain control validation. For IPv6 is configured,
+		# make sure both IPv4 and IPv6 are correct because we don't know
+		# how Let's Encrypt will connect.
+		import dns.resolver
+		for rtype, value in [("A", env["PUBLIC_IP"]), ("AAAA", env.get("PUBLIC_IPV6"))]:
+			if not value: continue # IPv6 is not configured
+			try:
+				# Must make the qname absolute to prevent a fall-back lookup with a
+				# search domain appended, by adding a period to the end.
+				response = dns.resolver.query(domain + ".", rtype)
+			except (dns.resolver.NoNameservers, dns.resolver.NXDOMAIN, dns.resolver.NoAnswer) as e:
+				problems[domain] = "DNS isn't configured properly for this domain: DNS resolution failed (%s: %s)." % (rtype, str(e) or repr(e)) # NoAnswer's str is empty
+				return False
+			except Exception as e:
+				problems[domain] = "DNS isn't configured properly for this domain: DNS lookup had an error: %s." % str(e)
+				return False
+			if len(response) != 1 or str(response[0]) != value:
+				problems[domain] = "Domain control validation cannot be performed for this domain because DNS points the domain to another machine (%s %s)." % (rtype, ", ".join(str(r) for r in response))
+				return False
+
+		return True
+
+	domains = set(filter(can_provision_for_domain, domains))
 
 	# If there are any domains we definitely will provision for, add in
 	# additional domains to do at this time.
 	if len(domains) > 0:
-		domains |= domains_if_any
+		domains |= set(filter(can_provision_for_domain, domains_if_any))
 
-	# Sort, just to keep related domain names together in the next step.
+	return (domains, problems)
-	domains = sort_domains(domains, env)
-
-	# Break into groups of up to 100 certificates at a time, which is Let's Encrypt's
-	# limit for a single certificate.
-	cert_domains = []
-	while len(domains) > 0:
-		cert_domains.append( domains[0:100] )
-		domains = domains[100:]
-
-	# Return a list of lists of domain names.
-	return cert_domains
 
 def provision_certificates(env, agree_to_tos_url=None, logger=None):
 	import requests.exceptions
@@ -230,14 +246,25 @@ def provision_certificates(env, agree_to_tos_url=None, logger=None):
 
 	from free_tls_certificates import client
 
-	# What domains to provision certificates for? This is a list of
+	# What domains should we provision certificates for? And what
-	# lists of domains.
+	# errors prevent provisioning for other domains.
-	certs = get_certificates_to_provision(env)
+	domains, problems = get_certificates_to_provision(env)
-	if len(certs) == 0:
+
+	# Exit fast if there is nothing to do.
+	if len(domains) == 0:
 		return {
 			"requests": [],
+			"problems": problems,
 		}
 
+	# Break into groups of up to 100 certificates at a time, which is Let's Encrypt's
+	# limit for a single certificate. We'll sort to put related domains together.
+	domains = sort_domains(domains, env)
+	certs = []
+	while len(domains) > 0:
+		certs.append( domains[0:100] )
+		domains = domains[100:]
+
 	# Prepare to provision.
 
 	# Where should we put our Let's Encrypt account info and state cache.
@@ -352,7 +379,8 @@ def provision_certificates(env, agree_to_tos_url=None, logger=None):
 
 	# Return what happened with each certificate request.
 	return {
-		"requests": ret
+		"requests": ret,
+		"problems": problems,
 	}
 
 def provision_certificates_cmdline():
@@ -377,7 +405,14 @@ def provision_certificates_cmdline():
 		if not status["requests"]:
 			# No domains need certificates.
 			if "--headless" not in sys.argv or "-v" in sys.argv:
-				print("No domains hosted on this box need a certificate at this time.")
+				if len(status["problems"]) == 0:
+					print("No domains hosted on this box need a new TLS certificate at this time.")
+				elif len(status["problems"]) > 0:
+					print("No TLS certificates could be provisoned at this time:")
+					print()
+					for domain in sort_domains(status["problems"], env):
+						print("%s: %s" % (domain, status["problems"][domain]))
+
 			sys.exit(0)
 
 		# What happened?
@@ -459,6 +494,12 @@ Do you agree to the agreement? Type Y or N and press <ENTER>: """
 		# we're done for now.
 		break
 
+	# And finally show the domains with problems.
+	if len(status["problems"]) > 0:
+		print("TLS certificates could not be provisoned for:")
+		for domain in sort_domains(status["problems"], env):
+			print("%s: %s" % (domain, status["problems"][domain]))
+
 # INSTALLING A NEW CERTIFICATE FROM THE CONTROL PANEL
 
 def create_csr(domain, ssl_key, country_code, env):