From 46b714cd42d0a9ba33bdac0bd91d888dc99dda6f Mon Sep 17 00:00:00 2001
From: koyae
Date: Fri, 13 Mar 2020 14:11:57 -0600
Subject: [PATCH] added listen-port option for temp python server
Since port 80 is a privileged port, regular applications cannot bind to it (that is, listen to / read traffic from it) by default under Linux. Rather than granting special rights to allow this, some servers simply route traffic on to other ports (such as 8080) after initially being received on port 80. This change allows the listening port used in the non-file-based mode to be configured as needed.
---
 README.md | 2 ++
 sign_csr.py | 19 ++++++++++++++-----
 2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index de0a111..186e5d0 100644
--- a/README.md
+++ b/README.md
@@ -139,6 +139,8 @@ optional arguments:
 -e EMAIL, --email EMAIL
 contact email, default is webmaster@
 -f, --file-based if set, a file-based response is used
+ -n PORT_NUMBER, --port-number PORT_NUMBER
+ port-number to listen for challenges on
 user@hostname:~$ ```
diff --git a/sign_csr.py b/sign_csr.py
index f200df9..9086ce6 100644
--- a/sign_csr.py
+++ b/sign_csr.py
@@ -7,7 +7,7 @@ from urllib2 import urlopen # Python 2
-def sign_csr(pubkey, csr, email=None, file_based=False):
+def sign_csr(pubkey, csr, email=None, file_based=False, port_number=80):
 """Use the ACME protocol to get an ssl certificate signed by a certificate authority.
@@ -19,6 +19,13 @@ def sign_csr(pubkey, csr, email=None, file_based=False):
 hosting should be file-based rather than providing a simple python HTTP server.
+ :param int port_number: The port-number to which traffic recieved
+ on default port 80 is subsequently routed
+ for processing e.g. 8080. Not relevant if
+ file-based approach is being used.
+ (defaults to 80, indicating no extra
+ routing to other ports occurs after
+ packets are received on port 80)
 :returns: Signed Certificate (PEM format)
 :rtype: string
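Review bot: The new `port_number` parameter on the `sign_csr` signature is accepted without any validation, yet the function body (which continues outside this hunk) interpolates it verbatim into the `sudo python -c "…"` command it prints for the user in the `@@ -322` hunk. The CLI path guarantees an int via argparse, but `sign_csr` is a module-level function that other code can import, so a caller passing a string or an out-of-range number gets a command whose port field is whatever was passed and that only fails once the user runs it. A guard at the top of the function makes the contract explicit: `port_number = int(port_number)` followed by `if not 0 < port_number < 65536: raise ValueError("port_number must be in 1..65535")`.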
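Review bot: The added `:param int port_number:` text in the docstring hunk describes the value as the port to which traffic "on default port 80 is subsequently routed", but the code in the `@@ -322` hunk simply binds the temporary server to that port and performs no routing itself; any 80-to-port forwarding is the operator's job and must already be in place for the validation request, which arrives on port 80, to reach the server. As written a reader may expect the script to set up the redirect. Also "recieved" is misspelled on the first added line. Suggested wording for the whole field: `:param int port_number: Port the temporary HTTP server listens on (default 80). If it is not 80, the host or network must already forward port-80 traffic to it. Ignored when file_based is set.`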
@@ -322,10 +329,10 @@ def _b64(b):
 sudo python -c "import BaseHTTPServer; \\
 h = BaseHTTPServer.BaseHTTPRequestHandler; \\
 h.do_GET = lambda r: r.send_response(200) or r.end_headers() or r.wfile.write('{2}'); \\
- s = BaseHTTPServer.HTTPServer(('0.0.0.0', 80), h); \\
+ s = BaseHTTPServer.HTTPServer(('0.0.0.0', {3}), h); \\
 s.serve_forever()"
-""".format(n + 4, i['domain'], responses[n]['data']))
+""".format(n + 4, i['domain'], responses[n]['data'], port_number))
 stdout = sys.stdout
 sys.stdout = sys.stderr
@@ -443,10 +450,12 @@ def _b64(b):
 """)
 parser.add_argument("-p", "--public-key", required=True, help="path to your account public key")
 parser.add_argument("-e", "--email", default=None, help="contact email, default is webmaster@")
- parser.add_argument("-f", "--file-based", action='store_true', help="if set, a file-based response is used")
+ group = parser.add_mutually_exclusive_group()
+ group.add_argument("-f", "--file-based", action='store_true', help="if set, a file-based response is used")
+ group.add_argument("-n", "--port-number", default=80, type=int, help="port-number to listen for challenges on")
 parser.add_argument("csr_path", help="path to your certificate signing request")
 args = parser.parse_args()
- signed_crt = sign_csr(args.public_key, args.csr_path, email=args.email, file_based=args.file_based)
+ signed_crt = sign_csr(args.public_key, args.csr_path, email=args.email, file_based=args.file_based, port_number=args.port_number)
 sys.stdout.write(signed_crt)
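Review bot: The printed instruction in this hunk still begins with `sudo python -c` even when `{3}` is an unprivileged port, which runs the throwaway BaseHTTPServer as root for no reason and undercuts the commit's own motivation of not granting extra rights to bind port 80. Since the port is now a parameter, the `sudo ` prefix can be made conditional with a fifth format argument: change the context line to `{4}python -c "import BaseHTTPServer; \\` and the format call to `""".format(n + 4, i['domain'], responses[n]['data'], port_number, 'sudo ' if port_number < 1024 else ''))`. Note that `{3}` is substituted unquoted into a shell command the user will copy, so the value reaching this point should be a checked int rather than whatever the caller supplied (the CLI enforces `type=int`, a library caller does not). The triple-quoted string and the `sign_csr` body both start before this hunk; the `def _b64(b)` in the `@@` line is git's context heuristic, not the enclosing function.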
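Review bot: The new `-n/--port-number` option in the argparse hunk uses `type=int` with no range check, so `0`, a negative number or a value above 65535 is accepted and the problem only surfaces when the user runs the printed server command; a post-parse check after `args = parser.parse_args()` such as `if not 1 <= args.port_number <= 65535: parser.error("--port-number must be between 1 and 65535")` reports it at the CLI boundary instead. Putting `-f` and `-n` in a mutually exclusive group is a good call, since the port is meaningless in file-based mode. One wording point: the help string says the port is where the script listens "for challenges", while the new docstring (hunk at `@@ -19`) talks about traffic being routed from port 80; the two should describe the same thing, and the help text's "listen on" is the accurate one.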