authorEvgeny Khramtsov <ekhramtsov@process-one.net>2019-09-20 13:03:25 +0300
committerEvgeny Khramtsov <ekhramtsov@process-one.net>2019-09-20 13:03:25 +0300
commit4cdb4c2090ce2547a2e7920ae2d049644507936a (patch)
treeeb3a54d88d4b353693236b56998d1d4624d5283f /src/ejabberd_acme.erl
parentAdd listener for ACME challenge in example config (diff)
Don't auto request certificate for localhost and IP-like domains
Diffstat (limited to 'src/ejabberd_acme.erl')
-rw-r--r--src/ejabberd_acme.erl12
1 files changed, 11 insertions, 1 deletions
diff --git a/src/ejabberd_acme.erl b/src/ejabberd_acme.erl
index bedf7b792..b9e7ce10e 100644
--- a/src/ejabberd_acme.erl
+++ b/src/ejabberd_acme.erl
@@ -565,7 +565,8 @@ request_on_start() ->
_ ->
case lists:filter(
fun(Host) ->
- not have_cert_for_domain(Host)
+ not (have_cert_for_domain(Host)
+ orelse is_ip_or_localhost(Host))
end, all_domains()) of
[] -> false;
Hosts ->
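Review bot: Hosts excluded by `is_ip_or_localhost(Host)` in this filter are dropped without any trace, so an operator whose configured domains are all IP-like or localhost gets no certificate request and no hint why. The rest of request_on_start/0 lies outside the hunk, so it may already report this; if it does not, a debug-level log listing the skipped hosts would make the behaviour visible. A short comment above the fun, such as `%% never auto-request for IP-like or localhost domains`, would also record the intent next to the double negation.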
@@ -591,6 +592,15 @@ well_known() ->
have_cert_for_domain(Host) ->
ejabberd_pkix:get_certfile_no_default(Host) /= error.
+-spec is_ip_or_localhost(binary()) -> boolean().
+is_ip_or_localhost(Host) ->
+ Parts = binary:split(Host, <<".">>),
+ TLD = binary_to_list(lists:last(Parts)),
+ case inet:parse_address(TLD) of
+ {ok, _} -> true;
+ _ -> TLD == "localhost"
+ end.
+
-spec have_acme_listener() -> boolean().
have_acme_listener() ->
lists:any(
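Review bot: `binary:split(Host, <<".">>)` in is_ip_or_localhost/1 splits only at the first dot, so `TLD` holds everything after the first label rather than the last label. A host such as `a.b.localhost` yields `"b.localhost"`, fails both checks and would still be auto-requested; dotted IPv4 hosts appear to pass only because the non-strict `inet:parse_address/1` accepts the shortened remainder. Consider testing the whole host with `inet:parse_address(binary_to_list(Host))` first and taking the last label from `binary:split(Host, <<".">>, [global])` for the localhost comparison. A trailing-dot name (`localhost.`) leaves an empty last label and is not matched either, so it is worth confirming that hosts are normalised before this point.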