acertmgr/acertmgr.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# Automated Certificate Manager using ACME
# Copyright (c) Markus Hauschild & David Klaftenegger, 2016.
# Copyright (c) Rudolf Mayerhofer, 2019.
# available under the ISC license, see LICENSE

import acme
import tools
import grp
import hashlib
import os
import pwd
import shutil
import stat
import subprocess
import tempfile

import yaml

import acertmgr_web

ACME_DIR = "/etc/acme"
ACME_CONF = os.path.join(ACME_DIR, "acme.conf")
ACME_CONFD = os.path.join(ACME_DIR, "domains.d")

ACME_DEFAULT_SERVER_KEY = os.path.join(ACME_DIR, "server.key")
ACME_DEFAULT_ACCOUNT_KEY = os.path.join(ACME_DIR, "account.key")


class FileNotFoundError(OSError):
    pass


# @brief check whether existing target file is still valid or source crt has been updated
# @param target string containing the path to the target file
# @param crt_file string containing the path to the certificate file
# @return True if target file is at least as new as the certificate, False otherwise
def target_is_current(target, crt_file):
    if not os.path.isfile(target):
        return False
    target_date = os.path.getmtime(target)
    crt_date = os.path.getmtime(crt_file)
    return target_date >= crt_date


# @brief fetch new certificate from letsencrypt
# @param domain string containing the domain name
# @param settings the domain's configuration options
def cert_get(domains, settings):
    print("Getting certificate for %s." % domains)

    key_file = settings['server_key']
    if not os.path.isfile(key_file):
        raise FileNotFoundError("The server key file (%s) is missing!" % key_file)

    acc_file = settings['account_key']
    if not os.path.isfile(acc_file):
        raise FileNotFoundError("The account key file (%s) is missing!" % acc_file)

    filename = hashlib.md5(domains).hexdigest()
    _, csr_file = tempfile.mkstemp(".csr", "%s." % filename)
    _, crt_file = tempfile.mkstemp(".crt", "%s." % filename)

    challenge_dir = settings.get("webdir", "/var/www/acme-challenge/")
    if not os.path.isdir(challenge_dir):
        raise FileNotFoundError("Challenge directory (%s) does not exist!" % challenge_dir)

    current_dir = '.'
    server = None
    if settings['mode'] == 'standalone':
        port = settings.get('port', 80)

        current_dir = os.getcwd()
        os.chdir(challenge_dir)
        server = acertmgr_web.ACMEHTTPServer(port)
        server.start()
    try:
        key = tools.read_key(key_file)
        cr = tools.new_cert_request(domains.split(), key)
        print("Reading account key...")
        acc_key = tools.read_key(acc_file)
        acme.register_account(acc_key, settings['authority'])
        crt = acme.get_crt_from_csr(acc_key, cr, domains.split(), challenge_dir, settings['authority'])
        with open(crt_file, "w") as crt_fd:
            crt_fd.write(tools.convert_cert_to_pem(crt))

        #  if resulting certificate is valid: store in final location
        if tools.is_cert_valid(crt_file, 60):
            crt_final = os.path.join(ACME_DIR, ("%s.crt" % domains.split(" ")[0]))
            shutil.copy2(crt_file, crt_final)
            os.chmod(crt_final, stat.S_IREAD)

    finally:
        if settings['mode'] == 'standalone':
            server.stop()
            os.chdir(current_dir)
        os.remove(csr_file)
        os.remove(crt_file)


# @brief put new certificate in place
# @param settings the domain's configuration options
# @return the action to be executed after the certificate update
def cert_put(settings):
    # TODO error handling
    ca_file = settings.get("cafile", "")
    crt_user = settings['user']
    crt_group = settings['group']
    crt_perm = settings['perm']
    crt_path = settings['path']
    crt_format = settings['format'].split(",")
    crt_format = [str.strip(x) for x in crt_format]
    crt_action = settings['action']

    key_file = settings['server_key']
    crt_final = os.path.join(ACME_DIR, (hashlib.md5(domains).hexdigest() + ".crt"))

    with open(crt_path, "w+") as crt_fd:
        for fmt in crt_format:
            if fmt == "crt":
                src_fd = open(crt_final, "r")
                crt_fd.write(src_fd.read())
                src_fd.close()
            if fmt == "key":
                src_fd = open(key_file, "r")
                crt_fd.write(src_fd.read())
                src_fd.close()
            if fmt == "ca":
                if not os.path.isfile(ca_file):
                    raise FileNotFoundError("The CA certificate file (%s) is missing!" % ca_file)
                src_fd = open(ca_file, "r")
                crt_fd.write(src_fd.read())
                src_fd.close()
            else:
                # TODO error handling
                pass

    # set owner and permissions
    uid = pwd.getpwnam(crt_user).pw_uid
    gid = grp.getgrnam(crt_group).gr_gid
    try:
        os.chown(crt_path, uid, gid)
    except OSError:
        print('Warning: Could not set certificate file ownership!')
    try:
        os.chmod(crt_path, int(crt_perm, 8))
    except OSError:
        print('Warning: Could not set certificate file permissions!')

    return crt_action


# @brief augment configuration with defaults
# @param domainconfig the domain configuration
# @param defaults the default configuration
# @return the augmented configuration
def complete_config(domainconfig, globalconfig):
    defaults = globalconfig['defaults']
    domainconfig['server_key'] = globalconfig['server_key']
    for name, value in defaults.items():
        if name not in domainconfig:
            domainconfig[name] = value
    if 'action' not in domainconfig:
        domainconfig['action'] = None
    return domainconfig


if __name__ == "__main__":
    # load global configuration
    config = {}
    if os.path.isfile(ACME_CONF):
        with open(ACME_CONF) as config_fd:
            config = yaml.load(config_fd)
    if 'defaults' not in config:
        config['defaults'] = {}
    if 'server_key' not in config:
        config['server_key'] = ACME_DEFAULT_SERVER_KEY
    if 'account_key' not in config:
        config['account_key'] = ACME_DEFAULT_ACCOUNT_KEY

    config['domains'] = []
    # load domain configuration
    for config_file in os.listdir(ACME_CONFD):
        if config_file.endswith(".conf"):
            with open(os.path.join(ACME_CONFD, config_file)) as config_fd:
                for entry in yaml.load(config_fd).items():
                    config['domains'].append(entry)

    # post-update actions (run only once)
    actions = set()

    # check certificate validity and obtain/renew certificates if needed
    for domains, domaincfgs in config['domains']:
        # skip domains without any output files
        if domaincfgs is None:
            continue
        crt_file = os.path.join(ACME_DIR, (hashlib.md5(domains).hexdigest() + ".crt"))
        ttl_days = int(config.get('ttl_days', 15))
        if not tools.is_cert_valid(crt_file, ttl_days):
            cert_get(domains, config)
        for domaincfg in domaincfgs:
            cfg = complete_config(domaincfg, config)
            if not target_is_current(cfg['path'], crt_file):
                actions.add(cert_put(cfg))

    # run post-update actions
    for action in actions:
        if action is not None:
            subprocess.call(action.split())
Use whichever python is available The code is not specific to python2, so any python should do 2016-02-13 00:56:47 +01:00			`#!/usr/bin/env python`
Initial commit 2016-01-10 15:00:43 +01:00			`# -- coding: utf-8 --`

			`# Automated Certificate Manager using ACME`
Change copyright information 2016-04-04 01:17:58 +02:00			`# Copyright (c) Markus Hauschild & David Klaftenegger, 2016.`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`# Copyright (c) Rudolf Mayerhofer, 2019.`
Change copyright information 2016-04-04 01:17:58 +02:00			`# available under the ISC license, see LICENSE`
Initial commit 2016-01-10 15:00:43 +01:00
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`import acme`
			`import tools`
Implement cert_put and use live API 2016-01-21 16:43:49 +01:00			`import grp`
Change certificate cache filename to unique hash md5 is used because cryptographic strength is irrelevant. This simply allows storing multiple certificates that have the same domain name as the first domain in the certificate. 2017-08-08 19:03:59 +02:00			`import hashlib`
Initial commit 2016-01-10 15:00:43 +01:00			`import os`
Implement cert_put and use live API 2016-01-21 16:43:49 +01:00			`import pwd`
Implement check&copy in cert_get 2016-01-12 17:43:41 +01:00			`import shutil`
Adjust permissions of certificates For the internal store of certificates in the configuration directory, a permission of user read only is absolutely sufficient Signed-off-by: Ralf Ramsauer <ralf@ramses-pyramidenbau.de> 2016-04-10 02:45:29 +02:00			`import stat`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`import subprocess`
Improve error handling and tempfile creation 2016-01-12 17:41:48 +01:00			`import tempfile`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00
Initial commit 2016-01-10 15:00:43 +01:00			`import yaml`

Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`import acertmgr_web`
Initial commit 2016-01-10 15:00:43 +01:00
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`ACME_DIR = "/etc/acme"`
			`ACME_CONF = os.path.join(ACME_DIR, "acme.conf")`
			`ACME_CONFD = os.path.join(ACME_DIR, "domains.d")`
Initial commit 2016-01-10 15:00:43 +01:00
Make key location dynamic Besides the fact that this removes redundant code, hard coded location of file is generally no good idea Also adapt README.md and provide a default location for key files. Signed-off-by: Ralf Ramsauer <ralf@ramses-pyramidenbau.de> 2016-04-10 01:10:33 +02:00			`ACME_DEFAULT_SERVER_KEY = os.path.join(ACME_DIR, "server.key")`
			`ACME_DEFAULT_ACCOUNT_KEY = os.path.join(ACME_DIR, "account.key")`
Fixes exception types 2016-01-11 21:31:11 +01:00
Improve error handling and tempfile creation 2016-01-12 17:41:48 +01:00
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`class FileNotFoundError(OSError):`
			`pass`
Improve error handling and tempfile creation 2016-01-12 17:41:48 +01:00
Fixes exception types 2016-01-11 21:31:11 +01:00
replace target files based on timestamp instead of relying on the cached certificate file being updated. This allows multiple configuration files for the same domain. To avoid replacing existing entries, the format is changed from a dictionary to a list, and setting domains in acme.conf is no longer supported. 2016-02-28 14:44:10 +01:00			`# @brief check whether existing target file is still valid or source crt has been updated`
			`# @param target string containing the path to the target file`
			`# @param crt_file string containing the path to the certificate file`
			`# @return True if target file is at least as new as the certificate, False otherwise`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`def target_is_current(target, crt_file):`
			`if not os.path.isfile(target):`
			`return False`
			`target_date = os.path.getmtime(target)`
			`crt_date = os.path.getmtime(crt_file)`
			`return target_date >= crt_date`
Initial commit 2016-01-10 15:00:43 +01:00

Add minor functionality and code comments 2016-01-10 15:43:11 +01:00			`# @brief fetch new certificate from letsencrypt`
			`# @param domain string containing the domain name`
			`# @param settings the domain's configuration options`
correctly handle multiple domain names 2016-04-04 01:18:19 +02:00			`def cert_get(domains, settings):`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`print("Getting certificate for %s." % domains)`

			`key_file = settings['server_key']`
			`if not os.path.isfile(key_file):`
			`raise FileNotFoundError("The server key file (%s) is missing!" % key_file)`

			`acc_file = settings['account_key']`
			`if not os.path.isfile(acc_file):`
			`raise FileNotFoundError("The account key file (%s) is missing!" % acc_file)`

			`filename = hashlib.md5(domains).hexdigest()`
			`_, csr_file = tempfile.mkstemp(".csr", "%s." % filename)`
			`_, crt_file = tempfile.mkstemp(".crt", "%s." % filename)`

			`challenge_dir = settings.get("webdir", "/var/www/acme-challenge/")`
			`if not os.path.isdir(challenge_dir):`
			`raise FileNotFoundError("Challenge directory (%s) does not exist!" % challenge_dir)`

			`current_dir = '.'`
			`server = None`
			`if settings['mode'] == 'standalone':`
			`port = settings.get('port', 80)`

			`current_dir = os.getcwd()`
			`os.chdir(challenge_dir)`
			`server = acertmgr_web.ACMEHTTPServer(port)`
			`server.start()`
			`try:`
			`key = tools.read_key(key_file)`
			`cr = tools.new_cert_request(domains.split(), key)`
			`print("Reading account key...")`
			`acc_key = tools.read_key(acc_file)`
			`acme.register_account(acc_key, settings['authority'])`
			`crt = acme.get_crt_from_csr(acc_key, cr, domains.split(), challenge_dir, settings['authority'])`
			`with open(crt_file, "w") as crt_fd:`
			`crt_fd.write(tools.convert_cert_to_pem(crt))`

			`# if resulting certificate is valid: store in final location`
			`if tools.is_cert_valid(crt_file, 60):`
			`crt_final = os.path.join(ACME_DIR, ("%s.crt" % domains.split(" ")[0]))`
			`shutil.copy2(crt_file, crt_final)`
			`os.chmod(crt_final, stat.S_IREAD)`

			`finally:`
			`if settings['mode'] == 'standalone':`
			`server.stop()`
			`os.chdir(current_dir)`
			`os.remove(csr_file)`
			`os.remove(crt_file)`
Adds some different small improvements Add a check that the server key is present Add a check for temporaty file conflicts Use python3-compatible functions Skip more things when there is nothing to be done Add a few more comments/TODOs 2016-01-10 18:07:00 +01:00
Split cert_get into cert_get and cert_put 2016-01-10 17:29:26 +01:00
Improve error handling and tempfile creation 2016-01-12 17:41:48 +01:00			`# @brief put new certificate in place`
Split cert_get into cert_get and cert_put 2016-01-10 17:29:26 +01:00			`# @param settings the domain's configuration options`
Rename notify to action and execute them only once. 2016-02-21 11:18:32 +01:00			`# @return the action to be executed after the certificate update`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`def cert_put(settings):`
			`# TODO error handling`
			`ca_file = settings.get("cafile", "")`
			`crt_user = settings['user']`
			`crt_group = settings['group']`
			`crt_perm = settings['perm']`
			`crt_path = settings['path']`
			`crt_format = settings['format'].split(",")`
			`crt_format = [str.strip(x) for x in crt_format]`
			`crt_action = settings['action']`

			`key_file = settings['server_key']`
			`crt_final = os.path.join(ACME_DIR, (hashlib.md5(domains).hexdigest() + ".crt"))`

			`with open(crt_path, "w+") as crt_fd:`
			`for fmt in crt_format:`
			`if fmt == "crt":`
			`src_fd = open(crt_final, "r")`
			`crt_fd.write(src_fd.read())`
			`src_fd.close()`
			`if fmt == "key":`
			`src_fd = open(key_file, "r")`
			`crt_fd.write(src_fd.read())`
			`src_fd.close()`
			`if fmt == "ca":`
			`if not os.path.isfile(ca_file):`
			`raise FileNotFoundError("The CA certificate file (%s) is missing!" % ca_file)`
			`src_fd = open(ca_file, "r")`
			`crt_fd.write(src_fd.read())`
			`src_fd.close()`
			`else:`
			`# TODO error handling`
			`pass`

			`# set owner and permissions`
			`uid = pwd.getpwnam(crt_user).pw_uid`
			`gid = grp.getgrnam(crt_group).gr_gid`
			`try:`
			`os.chown(crt_path, uid, gid)`
			`except OSError:`
			`print('Warning: Could not set certificate file ownership!')`
			`try:`
			`os.chmod(crt_path, int(crt_perm, 8))`
			`except OSError:`
			`print('Warning: Could not set certificate file permissions!')`

			`return crt_action`
Initial commit 2016-01-10 15:00:43 +01:00

Add minor functionality and code comments 2016-01-10 15:43:11 +01:00			`# @brief augment configuration with defaults`
			`# @param domainconfig the domain configuration`
			`# @param defaults the default configuration`
			`# @return the augmented configuration`
Make key location dynamic Besides the fact that this removes redundant code, hard coded location of file is generally no good idea Also adapt README.md and provide a default location for key files. Signed-off-by: Ralf Ramsauer <ralf@ramses-pyramidenbau.de> 2016-04-10 01:10:33 +02:00			`def complete_config(domainconfig, globalconfig):`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`defaults = globalconfig['defaults']`
			`domainconfig['server_key'] = globalconfig['server_key']`
			`for name, value in defaults.items():`
			`if name not in domainconfig:`
			`domainconfig[name] = value`
			`if 'action' not in domainconfig:`
			`domainconfig['action'] = None`
			`return domainconfig`
Add minor functionality and code comments 2016-01-10 15:43:11 +01:00

Initial commit 2016-01-10 15:00:43 +01:00			`if __name__ == "__main__":`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`# load global configuration`
			`config = {}`
			`if os.path.isfile(ACME_CONF):`
			`with open(ACME_CONF) as config_fd:`
			`config = yaml.load(config_fd)`
			`if 'defaults' not in config:`
			`config['defaults'] = {}`
			`if 'server_key' not in config:`
			`config['server_key'] = ACME_DEFAULT_SERVER_KEY`
			`if 'account_key' not in config:`
			`config['account_key'] = ACME_DEFAULT_ACCOUNT_KEY`

			`config['domains'] = []`
			`# load domain configuration`
			`for config_file in os.listdir(ACME_CONFD):`
			`if config_file.endswith(".conf"):`
			`with open(os.path.join(ACME_CONFD, config_file)) as config_fd:`
			`for entry in yaml.load(config_fd).items():`
			`config['domains'].append(entry)`

			`# post-update actions (run only once)`
			`actions = set()`

			`# check certificate validity and obtain/renew certificates if needed`
			`for domains, domaincfgs in config['domains']:`
			`# skip domains without any output files`
			`if domaincfgs is None:`
			`continue`
			`crt_file = os.path.join(ACME_DIR, (hashlib.md5(domains).hexdigest() + ".crt"))`
			`ttl_days = int(config.get('ttl_days', 15))`
			`if not tools.is_cert_valid(crt_file, ttl_days):`
			`cert_get(domains, config)`
			`for domaincfg in domaincfgs:`
			`cfg = complete_config(domaincfg, config)`
			`if not target_is_current(cfg['path'], crt_file):`
			`actions.add(cert_put(cfg))`

			`# run post-update actions`
			`for action in actions:`
			`if action is not None:`
			`subprocess.call(action.split())`