/usr/lib/python3/dist-packages/certbot/_internal/plugins/standalone.py

Module docstring:
    Standalone Authenticator.

class ServerManager
    Standalone servers manager.

    Manager for `ACMEServer` and `ACMETLSServer` instances.

    `certs` and `http_01_resources` correspond to
    `acme.crypto_util.SSLSocket.certs` and
    `acme.crypto_util.SSLSocket.http_01_resources` respectively. All
    created servers share the same certificates and resources, so if
    you're running both TLS and non-TLS instances, HTTP01 handlers
    will serve the same URLs!

    ServerManager.run (arguments: port, challenge_type, listenaddr)
        Run ACME server on specified ``port``.

        This method is idempotent, i.e. all calls with the same pair of
        ``(port, challenge_type)`` will reuse the same server.

        :param int port: Port to run the server on.
        :param challenge_type: Subclass of `acme.challenges.Challenge`,
            currently only `acme.challenge.HTTP01`.
        :param str listenaddr: (optional) The address to listen on. Defaults to all addrs.

        :returns: DualNetworkedServers instance.
        :rtype: ACMEServerMixin

    ServerManager.stop (argument: port)
        Stop ACME server running on the specified ``port``.

        :param int port:

        Debug log message: "Stopping server at %s:%d..."

    ServerManager.running
        Return all running instances.

        Once the server is stopped using `stop`, it will not be
        returned.

        :returns: Mapping from ``port`` to ``servers``.
        :rtype: tuple

class Authenticator
    Standalone Authenticator.

    This authenticator creates its own ephemeral TCP listener on the
    necessary port in order to respond to incoming http-01
    challenges from the certificate authority. Therefore, it does not
    rely on any existing server program.

    description:
        Runs an HTTP server locally which serves the necessary validation
        files under the /.well-known/acme-challenge/ request path. Suitable
        if there is no HTTP server already running. HTTP challenge only
        (wildcards not supported).

    Methods: __init__, add_parser_arguments, more_info, prepare,
    get_chall_pref, perform, _try_perform_single, _perform_single,
    _perform_http_01, cleanup, auth_hint

    Authenticator.more_info (returned text)
        This authenticator creates its own ephemeral TCP listener on the
        necessary port in order to respond to incoming http-01 challenges
        from the certificate authority. Therefore, it does not rely on any
        existing server program.

    Authenticator.auth_hint (returned text, built around neat_addr)
        The Certificate Authority failed to download the challenge files
        from the temporary standalone webserver started by Certbot on
        [neat_addr]. Ensure that the listed domains point to this machine
        and that it can accept inbound connections from the internet.

function _handle_perform_error (argument: error)
    Message for errno.EACCES (raised as PluginError):
        Could not bind TCP port {0} because you don't have the appropriate
        permissions (for example, you aren't running this program as root).

    Message for errno.EADDRINUSE (shown as a yes/no prompt with the
    choices "Retry" and "Cancel", default False):
        Could not bind TCP port {0} because it is already in use by another
        process on this system (such as a web server). Please stop the
        program in question and then try again.