2016-02-13 00:56:47 +01:00
|
|
|
#!/usr/bin/env python
|
2016-01-10 15:00:43 +01:00
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
|
|
|
# Automated Certificate Manager using ACME
|
2016-04-04 01:17:58 +02:00
|
|
|
# Copyright (c) Markus Hauschild & David Klaftenegger, 2016.
|
2019-01-08 08:12:20 +01:00
|
|
|
# Copyright (c) Rudolf Mayerhofer, 2019.
|
2016-04-04 01:17:58 +02:00
|
|
|
# available under the ISC license, see LICENSE
|
2016-01-10 15:00:43 +01:00
|
|
|
|
2016-01-21 16:43:49 +01:00
|
|
|
import grp
|
2019-01-08 08:19:50 +01:00
|
|
|
import importlib
|
2019-02-18 20:45:28 +01:00
|
|
|
import io
|
2016-01-10 15:00:43 +01:00
|
|
|
import os
|
2016-01-21 16:43:49 +01:00
|
|
|
import pwd
|
2016-04-10 02:45:29 +02:00
|
|
|
import stat
|
2019-01-08 08:12:20 +01:00
|
|
|
import subprocess
|
|
|
|
|
2019-02-20 11:49:30 +01:00
|
|
|
from acertmgr import configuration, tools
|
2016-01-10 15:00:43 +01:00
|
|
|
|
2016-01-12 17:41:48 +01:00
|
|
|
|
2019-01-14 19:36:01 +01:00
|
|
|
# @brief create a authority for the given configuration
|
2019-01-22 09:05:41 +01:00
|
|
|
# @param settings the authority configuration options
|
|
|
|
def create_authority(settings):
|
|
|
|
acc_file = settings['account_key']
|
2019-03-24 17:15:30 +01:00
|
|
|
if os.path.isfile(acc_file):
|
|
|
|
print("Reading account key from {}".format(acc_file))
|
|
|
|
acc_key = tools.read_pem_file(acc_file, key=True)
|
|
|
|
else:
|
|
|
|
print("Account key not found at '{0}'. Creating key.".format(acc_file))
|
|
|
|
acc_key = tools.new_account_key(acc_file)
|
2019-01-14 19:36:01 +01:00
|
|
|
|
2019-02-20 11:57:15 +01:00
|
|
|
authority_module = importlib.import_module("acertmgr.authority.{0}".format(settings["api"]))
|
2019-01-14 19:36:01 +01:00
|
|
|
authority_class = getattr(authority_module, "ACMEAuthority")
|
2019-02-23 17:52:07 +01:00
|
|
|
return authority_class(settings, acc_key)
|
2019-01-14 19:36:01 +01:00
|
|
|
|
|
|
|
|
2019-01-08 08:19:50 +01:00
|
|
|
# @brief create a challenge handler for the given configuration
|
2019-01-22 09:05:41 +01:00
|
|
|
# @param settings the domain's configuration options
|
|
|
|
def create_challenge_handler(settings):
|
|
|
|
if "mode" in settings:
|
|
|
|
mode = settings["mode"]
|
2019-01-08 08:19:50 +01:00
|
|
|
else:
|
|
|
|
mode = "standalone"
|
|
|
|
|
2019-02-20 11:49:30 +01:00
|
|
|
handler_module = importlib.import_module("acertmgr.modes.{0}".format(mode))
|
2019-01-08 08:19:50 +01:00
|
|
|
handler_class = getattr(handler_module, "ChallengeHandler")
|
2019-01-22 09:05:41 +01:00
|
|
|
return handler_class(settings)
|
2019-01-08 08:19:50 +01:00
|
|
|
|
|
|
|
|
2016-01-10 15:43:11 +01:00
|
|
|
# @brief fetch new certificate from letsencrypt
|
2019-01-22 09:05:41 +01:00
|
|
|
# @param settings the domain's configuration options
|
|
|
|
def cert_get(settings):
|
|
|
|
print("Getting certificate for '%s'." % settings['domains'])
|
2019-01-08 08:12:20 +01:00
|
|
|
|
2019-01-22 09:05:41 +01:00
|
|
|
acme = create_authority(settings)
|
2019-03-24 17:15:30 +01:00
|
|
|
acme.register_account()
|
2019-01-08 08:12:20 +01:00
|
|
|
|
2019-03-24 17:15:30 +01:00
|
|
|
# create challenge handlers for this certificate
|
2019-01-08 08:19:50 +01:00
|
|
|
challenge_handlers = dict()
|
2019-02-18 20:43:13 +01:00
|
|
|
for domain in settings['domainlist']:
|
2019-01-08 08:19:50 +01:00
|
|
|
# Create the challenge handler
|
2019-01-22 09:05:41 +01:00
|
|
|
challenge_handlers[domain] = create_challenge_handler(settings['handlers'][domain])
|
2019-01-08 08:12:20 +01:00
|
|
|
|
2019-03-24 17:15:30 +01:00
|
|
|
# create ssl key
|
|
|
|
key_file = settings['key_file']
|
|
|
|
key_length = settings['key_length']
|
|
|
|
if os.path.isfile(key_file):
|
|
|
|
key = tools.read_pem_file(key_file, key=True)
|
|
|
|
else:
|
|
|
|
print("SSL key not found at '{0}'. Creating {1} bit key.".format(key_file, key_length))
|
|
|
|
key = tools.new_ssl_key(key_file, key_length)
|
|
|
|
|
|
|
|
# create ssl csr
|
|
|
|
cr = tools.new_cert_request(settings['domainlist'], key)
|
|
|
|
|
|
|
|
# request cert with csr
|
|
|
|
crt, ca = acme.get_crt_from_csr(cr, settings['domainlist'], challenge_handlers)
|
|
|
|
|
|
|
|
# if resulting certificate is valid: store in final location
|
|
|
|
if tools.is_cert_valid(crt, settings['ttl_days']):
|
|
|
|
tools.write_pem_file(crt, settings['cert_file'], stat.S_IREAD)
|
|
|
|
if "static_ca" in settings and not settings['static_ca'] and ca is not None:
|
|
|
|
tools.write_pem_file(ca, settings['ca_file'])
|
2016-01-10 18:07:00 +01:00
|
|
|
|
2016-01-10 17:29:26 +01:00
|
|
|
|
2016-01-12 17:41:48 +01:00
|
|
|
# @brief put new certificate in place
|
2016-01-10 17:29:26 +01:00
|
|
|
# @param settings the domain's configuration options
|
2016-02-21 11:18:32 +01:00
|
|
|
# @return the action to be executed after the certificate update
|
2019-01-08 08:12:20 +01:00
|
|
|
def cert_put(settings):
|
|
|
|
# TODO error handling
|
2019-01-22 09:05:41 +01:00
|
|
|
ca_file = settings['ca_file']
|
2019-01-08 08:12:20 +01:00
|
|
|
crt_user = settings['user']
|
|
|
|
crt_group = settings['group']
|
|
|
|
crt_perm = settings['perm']
|
|
|
|
crt_path = settings['path']
|
|
|
|
crt_format = settings['format'].split(",")
|
|
|
|
crt_format = [str.strip(x) for x in crt_format]
|
|
|
|
crt_action = settings['action']
|
|
|
|
|
2019-01-22 09:05:41 +01:00
|
|
|
key_file = settings['key_file']
|
|
|
|
crt_final = settings['cert_file']
|
2019-01-08 08:12:20 +01:00
|
|
|
|
2019-01-21 16:18:47 +01:00
|
|
|
with io.open(crt_path, "w+") as crt_fd:
|
2019-01-08 08:12:20 +01:00
|
|
|
for fmt in crt_format:
|
|
|
|
if fmt == "crt":
|
2019-01-21 16:18:47 +01:00
|
|
|
src_fd = io.open(crt_final, "r")
|
2019-01-08 08:12:20 +01:00
|
|
|
crt_fd.write(src_fd.read())
|
|
|
|
src_fd.close()
|
|
|
|
if fmt == "key":
|
2019-01-21 16:18:47 +01:00
|
|
|
src_fd = io.open(key_file, "r")
|
2019-01-08 08:12:20 +01:00
|
|
|
crt_fd.write(src_fd.read())
|
|
|
|
src_fd.close()
|
|
|
|
if fmt == "ca":
|
|
|
|
if not os.path.isfile(ca_file):
|
|
|
|
raise FileNotFoundError("The CA certificate file (%s) is missing!" % ca_file)
|
2019-01-21 16:18:47 +01:00
|
|
|
src_fd = io.open(ca_file, "r")
|
2019-01-08 08:12:20 +01:00
|
|
|
crt_fd.write(src_fd.read())
|
|
|
|
src_fd.close()
|
|
|
|
else:
|
|
|
|
# TODO error handling
|
|
|
|
pass
|
|
|
|
|
|
|
|
# set owner and permissions
|
|
|
|
uid = pwd.getpwnam(crt_user).pw_uid
|
|
|
|
gid = grp.getgrnam(crt_group).gr_gid
|
|
|
|
try:
|
|
|
|
os.chown(crt_path, uid, gid)
|
|
|
|
except OSError:
|
|
|
|
print('Warning: Could not set certificate file ownership!')
|
|
|
|
try:
|
|
|
|
os.chmod(crt_path, int(crt_perm, 8))
|
|
|
|
except OSError:
|
|
|
|
print('Warning: Could not set certificate file permissions!')
|
|
|
|
|
|
|
|
return crt_action
|
2016-01-10 15:00:43 +01:00
|
|
|
|
|
|
|
|
2019-02-20 11:49:30 +01:00
|
|
|
def main():
|
2019-01-22 09:05:41 +01:00
|
|
|
# load config
|
|
|
|
configs = configuration.load()
|
2019-01-08 08:12:20 +01:00
|
|
|
|
|
|
|
# post-update actions (run only once)
|
|
|
|
actions = set()
|
|
|
|
|
|
|
|
# check certificate validity and obtain/renew certificates if needed
|
2019-01-22 09:05:41 +01:00
|
|
|
for config in configs:
|
|
|
|
cert_file = config['cert_file']
|
2019-03-24 17:15:30 +01:00
|
|
|
if not os.path.isfile(cert_file) or not tools.is_cert_valid(cert_file, config['ttl_days']):
|
2019-01-22 09:05:41 +01:00
|
|
|
cert_get(config)
|
2019-03-24 17:12:36 +01:00
|
|
|
for cfg in config['actions']:
|
|
|
|
if not tools.target_is_current(cfg['path'], cert_file):
|
|
|
|
print("Updating '{}' due to newer certificate".format(cfg['path']))
|
|
|
|
actions.add(cert_put(cfg))
|
2019-01-08 08:12:20 +01:00
|
|
|
|
|
|
|
# run post-update actions
|
|
|
|
for action in actions:
|
|
|
|
if action is not None:
|
2019-03-24 17:12:36 +01:00
|
|
|
print("Running '{}' to trigger update for changes".format(action))
|
2019-01-08 08:12:20 +01:00
|
|
|
subprocess.call(action.split())
|