acertmgr/acertmgr.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# Automated Certificate Manager using ACME
# Copyright (c) Markus Hauschild & David Klaftenegger, 2016.
# Copyright (c) Rudolf Mayerhofer, 2019.
# available under the ISC license, see LICENSE

import io
import grp
import importlib
import os
import pwd
import shutil
import stat
import subprocess
import tempfile

import configuration
import tools


# @brief check whether existing target file is still valid or source crt has been updated
# @param target string containing the path to the target file
# @param file string containing the path to the certificate file
# @return True if target file is at least as new as the certificate, False otherwise
def target_is_current(target, file):
    if not os.path.isfile(target):
        return False
    target_date = os.path.getmtime(target)
    crt_date = os.path.getmtime(file)
    return target_date >= crt_date


# @brief create a authority for the given configuration
# @param settings the authority configuration options
def create_authority(settings):
    if "api" in settings:
        api = settings["api"]
    else:
        api = "v1"

    acc_file = settings['account_key']
    if not os.path.isfile(acc_file):
        print("Account key not found at '{0}'. Creating RSA key.".format(acc_file))
        tools.new_rsa_key(acc_file)
    acc_key = tools.read_key(acc_file)

    authority_module = importlib.import_module("authority.{0}".format(api))
    authority_class = getattr(authority_module, "ACMEAuthority")
    return authority_class(settings.get('authority'), acc_key)


# @brief create a challenge handler for the given configuration
# @param settings the domain's configuration options
def create_challenge_handler(settings):
    if "mode" in settings:
        mode = settings["mode"]
    else:
        mode = "standalone"

    handler_module = importlib.import_module("modes.{0}".format(mode))
    handler_class = getattr(handler_module, "ChallengeHandler")
    return handler_class(settings)


# @brief fetch new certificate from letsencrypt
# @param settings the domain's configuration options
def cert_get(settings):
    print("Getting certificate for '%s'." % settings['domains'])

    key_file = settings['key_file']
    key_length = settings['key_length']
    if not os.path.isfile(key_file):
        print("SSL key not found at '{0}'. Creating {1} bit RSA key.".format(key_file, key_length))
        tools.new_rsa_key(key_file, key_length)

    acme = create_authority(settings)

    filename = settings['id']
    _, csr_file = tempfile.mkstemp(".csr", "%s." % filename)
    _, crt_file = tempfile.mkstemp(".crt", "%s." % filename)

    # find challenge handlers for this certificate
    challenge_handlers = dict()
    for domain in config['domainlist']:
        # Create the challenge handler
        challenge_handlers[domain] = create_challenge_handler(settings['handlers'][domain])

    try:
        key = tools.read_key(key_file)
        cr = tools.new_cert_request(config['domainlist'], key)
        print("Reading account key...")
        acme.register_account()
        crt = acme.get_crt_from_csr(cr, config['domainlist'], challenge_handlers)
        with io.open(crt_file, "w") as crt_fd:
            crt_fd.write(tools.convert_cert_to_pem(crt))

        #  if resulting certificate is valid: store in final location
        if tools.is_cert_valid(crt_file, 60):
            crt_final = settings['cert_file']
            shutil.copy2(crt_file, crt_final)
            os.chmod(crt_final, stat.S_IREAD)
            # download current ca file for the new certificate if no static ca is configured
            if "static_ca" in settings and not config['static_ca']:
                tools.download_issuer_ca(crt_final, settings['ca_file'])

    finally:
        os.remove(csr_file)
        os.remove(crt_file)


# @brief put new certificate in place
# @param settings the domain's configuration options
# @return the action to be executed after the certificate update
def cert_put(settings):
    # TODO error handling
    ca_file = settings['ca_file']
    crt_user = settings['user']
    crt_group = settings['group']
    crt_perm = settings['perm']
    crt_path = settings['path']
    crt_format = settings['format'].split(",")
    crt_format = [str.strip(x) for x in crt_format]
    crt_action = settings['action']

    key_file = settings['key_file']
    crt_final = settings['cert_file']

    with io.open(crt_path, "w+") as crt_fd:
        for fmt in crt_format:
            if fmt == "crt":
                src_fd = io.open(crt_final, "r")
                crt_fd.write(src_fd.read())
                src_fd.close()
            if fmt == "key":
                src_fd = io.open(key_file, "r")
                crt_fd.write(src_fd.read())
                src_fd.close()
            if fmt == "ca":
                if not os.path.isfile(ca_file):
                    raise FileNotFoundError("The CA certificate file (%s) is missing!" % ca_file)
                src_fd = io.open(ca_file, "r")
                crt_fd.write(src_fd.read())
                src_fd.close()
            else:
                # TODO error handling
                pass

    # set owner and permissions
    uid = pwd.getpwnam(crt_user).pw_uid
    gid = grp.getgrnam(crt_group).gr_gid
    try:
        os.chown(crt_path, uid, gid)
    except OSError:
        print('Warning: Could not set certificate file ownership!')
    try:
        os.chmod(crt_path, int(crt_perm, 8))
    except OSError:
        print('Warning: Could not set certificate file permissions!')

    return crt_action


if __name__ == "__main__":
    # load config
    configs = configuration.load()

    # post-update actions (run only once)
    actions = set()

    # check certificate validity and obtain/renew certificates if needed
    for config in configs:
        cert_file = config['cert_file']
        ttl_days = int(config.get('ttl_days', configuration.ACME_DEFAULT_TTL))
        if not tools.is_cert_valid(cert_file, ttl_days):
            cert_get(config)
            for cfg in config['actions']:
                if not target_is_current(cfg['path'], cert_file):
                    actions.add(cert_put(cfg))

    # run post-update actions
    for action in actions:
        if action is not None:
            subprocess.call(action.split())
Use whichever python is available The code is not specific to python2, so any python should do 2016-02-13 00:56:47 +01:00			`#!/usr/bin/env python`
Initial commit 2016-01-10 15:00:43 +01:00			`# -- coding: utf-8 --`

			`# Automated Certificate Manager using ACME`
Change copyright information 2016-04-04 01:17:58 +02:00			`# Copyright (c) Markus Hauschild & David Klaftenegger, 2016.`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`# Copyright (c) Rudolf Mayerhofer, 2019.`
Change copyright information 2016-04-04 01:17:58 +02:00			`# available under the ISC license, see LICENSE`
Initial commit 2016-01-10 15:00:43 +01:00
Fix python3 compatibility 2019-01-21 16:18:47 +01:00			`import io`
Implement cert_put and use live API 2016-01-21 16:43:49 +01:00			`import grp`
modes: Use classes to easily allow different types of challenge handling 2019-01-08 08:19:50 +01:00			`import importlib`
Initial commit 2016-01-10 15:00:43 +01:00			`import os`
Implement cert_put and use live API 2016-01-21 16:43:49 +01:00			`import pwd`
Implement check&copy in cert_get 2016-01-12 17:43:41 +01:00			`import shutil`
Adjust permissions of certificates For the internal store of certificates in the configuration directory, a permission of user read only is absolutely sufficient Signed-off-by: Ralf Ramsauer <ralf@ramses-pyramidenbau.de> 2016-04-10 02:45:29 +02:00			`import stat`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`import subprocess`
Improve error handling and tempfile creation 2016-01-12 17:41:48 +01:00			`import tempfile`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`import configuration`
modes: Use classes to easily allow different types of challenge handling 2019-01-08 08:19:50 +01:00			`import tools`
Initial commit 2016-01-10 15:00:43 +01:00
Improve error handling and tempfile creation 2016-01-12 17:41:48 +01:00
replace target files based on timestamp instead of relying on the cached certificate file being updated. This allows multiple configuration files for the same domain. To avoid replacing existing entries, the format is changed from a dictionary to a list, and setting domains in acme.conf is no longer supported. 2016-02-28 14:44:10 +01:00			`# @brief check whether existing target file is still valid or source crt has been updated`
			`# @param target string containing the path to the target file`
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`# @param file string containing the path to the certificate file`
replace target files based on timestamp instead of relying on the cached certificate file being updated. This allows multiple configuration files for the same domain. To avoid replacing existing entries, the format is changed from a dictionary to a list, and setting domains in acme.conf is no longer supported. 2016-02-28 14:44:10 +01:00			`# @return True if target file is at least as new as the certificate, False otherwise`
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`def target_is_current(target, file):`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`if not os.path.isfile(target):`
			`return False`
			`target_date = os.path.getmtime(target)`
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`crt_date = os.path.getmtime(file)`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`return target_date >= crt_date`
Initial commit 2016-01-10 15:00:43 +01:00

authority: Refactor into classes to allow implementation of other api 2019-01-14 19:36:01 +01:00			`# @brief create a authority for the given configuration`
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`# @param settings the authority configuration options`
			`def create_authority(settings):`
			`if "api" in settings:`
			`api = settings["api"]`
authority: Refactor into classes to allow implementation of other api 2019-01-14 19:36:01 +01:00			`else:`
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`api = "v1"`
authority: Refactor into classes to allow implementation of other api 2019-01-14 19:36:01 +01:00
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`acc_file = settings['account_key']`
authority: Refactor into classes to allow implementation of other api 2019-01-14 19:36:01 +01:00			`if not os.path.isfile(acc_file):`
			`print("Account key not found at '{0}'. Creating RSA key.".format(acc_file))`
			`tools.new_rsa_key(acc_file)`
			`acc_key = tools.read_key(acc_file)`

configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`authority_module = importlib.import_module("authority.{0}".format(api))`
authority: Refactor into classes to allow implementation of other api 2019-01-14 19:36:01 +01:00			`authority_class = getattr(authority_module, "ACMEAuthority")`
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`return authority_class(settings.get('authority'), acc_key)`
authority: Refactor into classes to allow implementation of other api 2019-01-14 19:36:01 +01:00

modes: Use classes to easily allow different types of challenge handling 2019-01-08 08:19:50 +01:00			`# @brief create a challenge handler for the given configuration`
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`# @param settings the domain's configuration options`
			`def create_challenge_handler(settings):`
			`if "mode" in settings:`
			`mode = settings["mode"]`
modes: Use classes to easily allow different types of challenge handling 2019-01-08 08:19:50 +01:00			`else:`
			`mode = "standalone"`

			`handler_module = importlib.import_module("modes.{0}".format(mode))`
			`handler_class = getattr(handler_module, "ChallengeHandler")`
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`return handler_class(settings)`
modes: Use classes to easily allow different types of challenge handling 2019-01-08 08:19:50 +01:00

Add minor functionality and code comments 2016-01-10 15:43:11 +01:00			`# @brief fetch new certificate from letsencrypt`
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`# @param settings the domain's configuration options`
			`def cert_get(settings):`
			`print("Getting certificate for '%s'." % settings['domains'])`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`key_file = settings['key_file']`
			`key_length = settings['key_length']`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`if not os.path.isfile(key_file):`
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`print("SSL key not found at '{0}'. Creating {1} bit RSA key.".format(key_file, key_length))`
			`tools.new_rsa_key(key_file, key_length)`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`acme = create_authority(settings)`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`filename = settings['id']`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`_, csr_file = tempfile.mkstemp(".csr", "%s." % filename)`
			`_, crt_file = tempfile.mkstemp(".crt", "%s." % filename)`

modes: Use classes to easily allow different types of challenge handling 2019-01-08 08:19:50 +01:00			`# find challenge handlers for this certificate`
			`challenge_handlers = dict()`
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`for domain in config['domainlist']:`
modes: Use classes to easily allow different types of challenge handling 2019-01-08 08:19:50 +01:00			`# Create the challenge handler`
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`challenge_handlers[domain] = create_challenge_handler(settings['handlers'][domain])`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00
			`try:`
			`key = tools.read_key(key_file)`
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`cr = tools.new_cert_request(config['domainlist'], key)`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`print("Reading account key...")`
authority: Refactor into classes to allow implementation of other api 2019-01-14 19:36:01 +01:00			`acme.register_account()`
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`crt = acme.get_crt_from_csr(cr, config['domainlist'], challenge_handlers)`
Fix python3 compatibility 2019-01-21 16:18:47 +01:00			`with io.open(crt_file, "w") as crt_fd:`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`crt_fd.write(tools.convert_cert_to_pem(crt))`

			`# if resulting certificate is valid: store in final location`
			`if tools.is_cert_valid(crt_file, 60):`
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`crt_final = settings['cert_file']`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`shutil.copy2(crt_file, crt_final)`
			`os.chmod(crt_final, stat.S_IREAD)`
Automatically download CA from AIA-data in certificate (fixes github.com/moepman/acertmgr/issues/12) 2019-01-21 15:35:17 +01:00			`# download current ca file for the new certificate if no static ca is configured`
			`if "static_ca" in settings and not config['static_ca']:`
			`tools.download_issuer_ca(crt_final, settings['ca_file'])`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00
			`finally:`
			`os.remove(csr_file)`
			`os.remove(crt_file)`
Adds some different small improvements Add a check that the server key is present Add a check for temporaty file conflicts Use python3-compatible functions Skip more things when there is nothing to be done Add a few more comments/TODOs 2016-01-10 18:07:00 +01:00
Split cert_get into cert_get and cert_put 2016-01-10 17:29:26 +01:00
Improve error handling and tempfile creation 2016-01-12 17:41:48 +01:00			`# @brief put new certificate in place`
Split cert_get into cert_get and cert_put 2016-01-10 17:29:26 +01:00			`# @param settings the domain's configuration options`
Rename notify to action and execute them only once. 2016-02-21 11:18:32 +01:00			`# @return the action to be executed after the certificate update`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`def cert_put(settings):`
			`# TODO error handling`
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`ca_file = settings['ca_file']`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`crt_user = settings['user']`
			`crt_group = settings['group']`
			`crt_perm = settings['perm']`
			`crt_path = settings['path']`
			`crt_format = settings['format'].split(",")`
			`crt_format = [str.strip(x) for x in crt_format]`
			`crt_action = settings['action']`

configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`key_file = settings['key_file']`
			`crt_final = settings['cert_file']`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00
Fix python3 compatibility 2019-01-21 16:18:47 +01:00			`with io.open(crt_path, "w+") as crt_fd:`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`for fmt in crt_format:`
			`if fmt == "crt":`
Fix python3 compatibility 2019-01-21 16:18:47 +01:00			`src_fd = io.open(crt_final, "r")`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`crt_fd.write(src_fd.read())`
			`src_fd.close()`
			`if fmt == "key":`
Fix python3 compatibility 2019-01-21 16:18:47 +01:00			`src_fd = io.open(key_file, "r")`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`crt_fd.write(src_fd.read())`
			`src_fd.close()`
			`if fmt == "ca":`
			`if not os.path.isfile(ca_file):`
			`raise FileNotFoundError("The CA certificate file (%s) is missing!" % ca_file)`
Fix python3 compatibility 2019-01-21 16:18:47 +01:00			`src_fd = io.open(ca_file, "r")`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`crt_fd.write(src_fd.read())`
			`src_fd.close()`
			`else:`
			`# TODO error handling`
			`pass`

			`# set owner and permissions`
			`uid = pwd.getpwnam(crt_user).pw_uid`
			`gid = grp.getgrnam(crt_group).gr_gid`
			`try:`
			`os.chown(crt_path, uid, gid)`
			`except OSError:`
			`print('Warning: Could not set certificate file ownership!')`
			`try:`
			`os.chmod(crt_path, int(crt_perm, 8))`
			`except OSError:`
			`print('Warning: Could not set certificate file permissions!')`

			`return crt_action`
Initial commit 2016-01-10 15:00:43 +01:00

			`if __name__ == "__main__":`
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`# load config`
			`configs = configuration.load()`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00
			`# post-update actions (run only once)`
			`actions = set()`

			`# check certificate validity and obtain/renew certificates if needed`
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`for config in configs:`
			`cert_file = config['cert_file']`
			`ttl_days = int(config.get('ttl_days', configuration.ACME_DEFAULT_TTL))`
			`if not tools.is_cert_valid(cert_file, ttl_days):`
			`cert_get(config)`
			`for cfg in config['actions']:`
			`if not target_is_current(cfg['path'], cert_file):`
			`actions.add(cert_put(cfg))`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00
			`# run post-update actions`
			`for action in actions:`
			`if action is not None:`
			`subprocess.call(action.split())`