bind-acme: guard against letsencrypt clients without internal LAN
The acme_zone reactor's first ACL branch iterates nodes that have letsencrypt/domains and reads their network/internal/ipv4. Until now that crashed for any node with letsencrypt but no internal LAN — the node had to either fake a network/internal/ipv4 or skip TLS. Add a `metadata.get(..., None)` guard to filter such nodes out of this branch. The wireguard branch below already covers them (any node with the wireguard bundle gets its wireguard/my_ip into the ACL), so ACME DNS-01 reachability still works for cross-Internet nodes that join the fleet via wireguard. Surfaced by ovh.left4me: dedicated server with no Hetzner/internal network, reachable from the bind-acme node only via wireguard.
This commit is contained in:
parent
43f0c57438
commit
3bffd7b8f5
1 changed files with 1 additions and 0 deletions
|
|
@ -33,6 +33,7 @@ def acme_zone(metadata):
|
|||
str(ip_interface(other_node.metadata.get('network/internal/ipv4')).ip)
|
||||
for other_node in repo.nodes
|
||||
if other_node.metadata.get('letsencrypt/domains', {})
|
||||
and other_node.metadata.get('network/internal/ipv4', None)
|
||||
},
|
||||
*{
|
||||
str(ip_interface(other_node.metadata.get('wireguard/my_ip')).ip)
|
||||
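Review bot: the `, None` default on the added `and other_node.metadata.get('network/internal/ipv4', None)` is redundant, since `dict.get` already returns `None` for a missing key, and it reads inconsistently next to the `letsencrypt/domains` check two lines up, which uses `{}` as its default; `and other_node.metadata.get('network/internal/ipv4')` is enough. More important, the guard fails silently: a node that has `letsencrypt/domains` but neither `network/internal/ipv4` nor a wireguard address now simply drops out of this comprehension instead of crashing, so its DNS-01 updates would be refused by the ACL with nothing in the build output pointing at this line. The filter of the `wireguard/my_ip` comprehension that the commit message relies on is outside the hunk, so that coverage cannot be confirmed here; a warning or an explicit check for the "letsencrypt but no reachable address at all" case would make the failure visible.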