2019-01-22 09:05:41 +01:00
|
|
|
#!/usr/bin/env python
|
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
|
|
|
# config - acertmgr config parser
|
|
|
|
# Copyright (c) Markus Hauschild & David Klaftenegger, 2016.
|
|
|
|
# Copyright (c) Rudolf Mayerhofer, 2019.
|
|
|
|
# available under the ISC license, see LICENSE
|
|
|
|
|
2019-02-20 11:57:15 +01:00
|
|
|
import argparse
|
2019-01-22 09:05:41 +01:00
|
|
|
import copy
|
2019-02-20 11:57:15 +01:00
|
|
|
import hashlib
|
2019-03-07 13:51:08 +01:00
|
|
|
import io
|
2019-03-21 13:03:09 +01:00
|
|
|
import json
|
2019-03-24 17:15:30 +01:00
|
|
|
import os
|
2019-03-27 16:34:29 +01:00
|
|
|
|
2019-05-13 21:16:52 +02:00
|
|
|
from acertmgr.tools import idna_convert
|
2019-01-22 09:05:41 +01:00
|
|
|
|
2019-02-20 11:57:15 +01:00
|
|
|
# Configuration defaults to use if not specified otherwise
|
|
|
|
DEFAULT_CONF_DIR = "/etc/acertmgr"
|
2019-10-25 18:11:11 +02:00
|
|
|
DEFAULT_CONF_FILENAME = "acertmgr.conf"
|
2019-03-18 13:13:22 +01:00
|
|
|
DEFAULT_TTL = 30 # days
|
2020-03-04 13:47:32 +01:00
|
|
|
DEFAULT_VALIDATE_OCSP = "sha1" # mandated by RFC5019
|
2019-03-19 02:13:29 +01:00
|
|
|
DEFAULT_API = "v2"
|
|
|
|
DEFAULT_AUTHORITY = "https://acme-v02.api.letsencrypt.org"
|
2019-01-22 09:05:41 +01:00
|
|
|
|
|
|
|
|
|
|
|
# @brief augment configuration with defaults
|
|
|
|
# @param domainconfig the domain configuration
|
|
|
|
# @param defaults the default configuration
|
|
|
|
# @return the augmented configuration
|
|
|
|
def complete_action_config(domainconfig, config):
|
|
|
|
defaults = config['defaults']
|
|
|
|
domainconfig['ca_file'] = config['ca_file']
|
|
|
|
domainconfig['cert_file'] = config['cert_file']
|
|
|
|
domainconfig['key_file'] = config['key_file']
|
|
|
|
for name, value in defaults.items():
|
|
|
|
if name not in domainconfig:
|
|
|
|
domainconfig[name] = value
|
|
|
|
if 'action' not in domainconfig:
|
|
|
|
domainconfig['action'] = None
|
|
|
|
return domainconfig
|
|
|
|
|
|
|
|
|
2019-03-07 13:51:08 +01:00
|
|
|
# @brief update config[name] with value from localconfig>globalconfig>default
|
|
|
|
def update_config_value(config, name, localconfig, globalconfig, default):
|
2019-03-28 12:31:31 +01:00
|
|
|
values = [x[name] for x in localconfig if name in x]
|
2019-03-07 13:51:08 +01:00
|
|
|
if len(values) > 0:
|
2019-03-28 12:31:31 +01:00
|
|
|
config[name] = values[0]
|
2019-03-07 13:51:08 +01:00
|
|
|
else:
|
|
|
|
config[name] = globalconfig.get(name, default)
|
|
|
|
|
|
|
|
|
2019-04-03 12:34:25 +02:00
|
|
|
# @brief parse authority from config
|
|
|
|
def parse_authority(localconfig, globalconfig, runtimeconfig):
|
|
|
|
authority = {}
|
|
|
|
# - API version
|
|
|
|
update_config_value(authority, 'api', localconfig, globalconfig, DEFAULT_API)
|
|
|
|
|
|
|
|
# - Certificate authority
|
|
|
|
update_config_value(authority, 'authority', localconfig, globalconfig, DEFAULT_AUTHORITY)
|
|
|
|
|
|
|
|
# - Certificate authority ToS agreement
|
|
|
|
update_config_value(authority, 'authority_tos_agreement', localconfig, globalconfig,
|
|
|
|
runtimeconfig['authority_tos_agreement'])
|
|
|
|
|
|
|
|
# - Certificate authority contact email addresses
|
|
|
|
update_config_value(authority, 'authority_contact_email', localconfig, globalconfig, None)
|
|
|
|
|
|
|
|
# - Account key path
|
|
|
|
update_config_value(authority, 'account_key', localconfig, globalconfig,
|
|
|
|
os.path.join(runtimeconfig['work_dir'], "account.key"))
|
2019-04-19 15:16:06 +02:00
|
|
|
|
|
|
|
# - Account key algorithm (if key has to be (re-)generated)
|
|
|
|
update_config_value(authority, 'account_key_algorithm', localconfig, globalconfig, None)
|
|
|
|
|
|
|
|
# - Account key length (if key has to be (re-)generated, converted to int)
|
|
|
|
update_config_value(authority, 'account_key_length', localconfig, globalconfig, None)
|
|
|
|
authority['account_key_length'] = int(authority['account_key_length']) if authority['account_key_length'] else None
|
|
|
|
|
2019-04-03 12:34:25 +02:00
|
|
|
return authority
|
|
|
|
|
|
|
|
|
2019-01-22 09:05:41 +01:00
|
|
|
# @brief load the configuration from a file
|
2019-03-27 15:17:17 +01:00
|
|
|
def parse_config_entry(entry, globalconfig, runtimeconfig):
|
2019-01-22 09:05:41 +01:00
|
|
|
config = dict()
|
|
|
|
|
|
|
|
# Basic domain information
|
2019-03-28 13:59:44 +01:00
|
|
|
domains, localconfig = entry
|
|
|
|
config['domainlist'] = domains.split(' ')
|
|
|
|
config['id'] = hashlib.md5(domains.encode('utf-8')).hexdigest()
|
2019-01-22 09:05:41 +01:00
|
|
|
|
2019-03-27 16:34:29 +01:00
|
|
|
# Convert unicode to IDNA domains
|
2021-06-21 22:18:31 +02:00
|
|
|
config['domainlist_idna_mapped'] = {}
|
|
|
|
for idx in range(0, len(config['domainlist'])):
|
|
|
|
if any(ord(c) >= 128 for c in config['domainlist'][idx]):
|
|
|
|
domain_human = config['domainlist'][idx]
|
|
|
|
domain_idna = idna_convert(domain_human)
|
|
|
|
if domain_idna != domain_human:
|
|
|
|
config['domainlist'][idx] = domain_idna # Update domain with idna counterpart
|
|
|
|
config['domainlist_idna_mapped'][domain_idna] = domain_human # Store original domain for reference
|
2019-03-21 13:03:09 +01:00
|
|
|
|
2019-02-20 11:57:15 +01:00
|
|
|
# Action config defaults
|
2019-01-22 09:05:41 +01:00
|
|
|
config['defaults'] = globalconfig.get('defaults', {})
|
|
|
|
|
2019-03-28 09:06:21 +01:00
|
|
|
# Authority related config options
|
2019-04-03 12:34:25 +02:00
|
|
|
config['authority'] = parse_authority(localconfig, globalconfig, runtimeconfig)
|
2019-01-22 09:05:41 +01:00
|
|
|
|
|
|
|
# Certificate directory
|
2019-03-27 15:17:17 +01:00
|
|
|
update_config_value(config, 'cert_dir', localconfig, globalconfig, runtimeconfig['work_dir'])
|
2019-02-20 11:57:15 +01:00
|
|
|
|
|
|
|
# TTL days
|
2019-03-24 17:50:31 +01:00
|
|
|
update_config_value(config, 'ttl_days', localconfig, globalconfig, DEFAULT_TTL)
|
2019-03-24 17:15:30 +01:00
|
|
|
config['ttl_days'] = int(config['ttl_days'])
|
2019-03-07 13:51:08 +01:00
|
|
|
|
2020-03-04 13:47:32 +01:00
|
|
|
# Validate OCSP on certificate verification
|
|
|
|
update_config_value(config, 'validate_ocsp', localconfig, globalconfig, DEFAULT_VALIDATE_OCSP)
|
|
|
|
|
2019-03-28 00:34:53 +01:00
|
|
|
# Revoke old certificate with reason superseded after renewal
|
|
|
|
update_config_value(config, 'cert_revoke_superseded', localconfig, globalconfig, "false")
|
|
|
|
|
2019-03-29 08:37:50 +01:00
|
|
|
# Whether to include request for OCSP must-staple in the certificate
|
|
|
|
update_config_value(config, 'cert_must_staple', localconfig, globalconfig, "false")
|
|
|
|
|
2019-03-24 17:22:04 +01:00
|
|
|
# Use a static cert request
|
2019-03-24 17:50:31 +01:00
|
|
|
update_config_value(config, 'csr_static', localconfig, globalconfig, "false")
|
2019-03-24 17:22:04 +01:00
|
|
|
|
2023-03-28 21:38:14 +02:00
|
|
|
# SSL key algorithm (if key has to be (re-)generated)
|
|
|
|
update_config_value(config, 'key_algorithm', localconfig, globalconfig, None)
|
|
|
|
# Update config id if we have a key algorithm set to allow for
|
|
|
|
# multiple certs with different algorithms for the same set of domains
|
|
|
|
if config.get('key_algorithm', None):
|
|
|
|
config['id'] += "_" + config['key_algorithm']
|
|
|
|
|
|
|
|
# SSL key length (if key has to be (re-)generated, converted to int)
|
|
|
|
update_config_value(config, 'key_length', localconfig, globalconfig, None)
|
|
|
|
config['key_length'] = int(config['key_length']) if config['key_length'] else None
|
|
|
|
|
2019-03-24 17:22:04 +01:00
|
|
|
# SSL cert request location
|
2019-03-24 17:50:31 +01:00
|
|
|
update_config_value(config, 'csr_file', localconfig, globalconfig,
|
2019-03-24 17:22:04 +01:00
|
|
|
os.path.join(config['cert_dir'], "{}.csr".format(config['id'])))
|
|
|
|
|
2019-03-07 13:51:08 +01:00
|
|
|
# SSL cert location (with compatibility to older versions)
|
2019-03-24 17:50:31 +01:00
|
|
|
update_config_value(config, 'cert_file', localconfig, globalconfig,
|
2019-05-13 21:16:52 +02:00
|
|
|
os.path.join(config['cert_dir'], "{}.crt".format(config['id'])))
|
2019-03-07 13:51:08 +01:00
|
|
|
|
|
|
|
# SSL key location (with compatibility to older versions)
|
2019-03-24 17:50:31 +01:00
|
|
|
update_config_value(config, 'key_file', localconfig, globalconfig,
|
2019-05-13 21:16:52 +02:00
|
|
|
os.path.join(config['cert_dir'], "{}.key".format(config['id'])))
|
2019-03-07 13:51:08 +01:00
|
|
|
|
2019-03-28 12:33:59 +01:00
|
|
|
# SSL CA location / use static
|
|
|
|
update_config_value(config, 'ca_file', localconfig, globalconfig,
|
2019-05-13 21:16:52 +02:00
|
|
|
os.path.join(config['cert_dir'], "{}.ca".format(config['id'])))
|
2019-03-28 12:33:59 +01:00
|
|
|
update_config_value(config, 'ca_static', localconfig, globalconfig, "false")
|
2019-01-22 09:05:41 +01:00
|
|
|
|
|
|
|
# Domain action configuration
|
|
|
|
config['actions'] = list()
|
2019-03-24 17:50:31 +01:00
|
|
|
for actioncfg in [x for x in localconfig if 'path' in x]:
|
2019-01-22 09:05:41 +01:00
|
|
|
config['actions'].append(complete_action_config(actioncfg, config))
|
|
|
|
|
|
|
|
# Domain challenge handler configuration
|
|
|
|
config['handlers'] = dict()
|
2019-03-24 17:50:31 +01:00
|
|
|
handlerconfigs = [x for x in localconfig if 'mode' in x]
|
2019-03-31 22:50:16 +02:00
|
|
|
_domaintranslation_dict = {x: y for x, y in config.get('domaintranslation', [])}
|
2019-01-22 09:05:41 +01:00
|
|
|
for domain in config['domainlist']:
|
|
|
|
# Use global config as base handler config
|
|
|
|
cfg = copy.deepcopy(globalconfig)
|
|
|
|
|
|
|
|
# Determine generic domain handler config values
|
|
|
|
genericfgs = [x for x in handlerconfigs if 'domain' not in x]
|
|
|
|
if len(genericfgs) > 0:
|
|
|
|
cfg.update(genericfgs[0])
|
|
|
|
|
2019-03-21 13:03:09 +01:00
|
|
|
# Update handler config with more specific values (use original names for translated unicode domains)
|
2021-06-21 22:18:31 +02:00
|
|
|
specificcfgs = [x for x in handlerconfigs if
|
|
|
|
'domain' in x and x['domain'] == config['domainlist_idna_mapped'].get(domain, domain)]
|
2019-01-22 09:05:41 +01:00
|
|
|
if len(specificcfgs) > 0:
|
|
|
|
cfg.update(specificcfgs[0])
|
|
|
|
|
|
|
|
config['handlers'][domain] = cfg
|
|
|
|
|
|
|
|
return config
|
|
|
|
|
|
|
|
|
|
|
|
# @brief load the configuration from a file
|
|
|
|
def load():
|
2019-03-27 15:17:17 +01:00
|
|
|
runtimeconfig = dict()
|
2019-02-20 11:57:15 +01:00
|
|
|
parser = argparse.ArgumentParser(description="acertmgr - Automated Certificate Manager using ACME/Let's Encrypt")
|
|
|
|
parser.add_argument("-c", "--config-file", nargs="?",
|
2019-10-25 18:11:11 +02:00
|
|
|
help="global configuration file (default='$config_dir/{}')".format(DEFAULT_CONF_FILENAME))
|
2019-02-20 11:57:15 +01:00
|
|
|
parser.add_argument("-d", "--config-dir", nargs="?",
|
|
|
|
help="domain configuration directory (default='{}')".format(DEFAULT_CONF_DIR))
|
|
|
|
parser.add_argument("-w", "--work-dir", nargs="?",
|
2019-10-25 18:11:11 +02:00
|
|
|
help="persistent work data directory (default='$config_dir')")
|
2019-03-20 10:34:59 +01:00
|
|
|
parser.add_argument("--authority-tos-agreement", "--tos-agreement", "--tos", nargs="?",
|
|
|
|
help="Agree to the authorities Terms of Service (value required depends on authority)")
|
2019-03-27 15:31:15 +01:00
|
|
|
parser.add_argument("--force-renew", "--renew-now", nargs="?",
|
|
|
|
help="Renew all domain configurations matching the given value immediately")
|
2019-03-27 21:00:21 +01:00
|
|
|
parser.add_argument("--revoke", nargs="?",
|
|
|
|
help="Revoke a certificate file issued with the currently configured account key.")
|
|
|
|
parser.add_argument("--revoke-reason", nargs="?", type=int,
|
|
|
|
help="Provide a revoke reason, see https://tools.ietf.org/html/rfc5280#section-5.3.1")
|
2019-02-20 11:57:15 +01:00
|
|
|
args = parser.parse_args()
|
|
|
|
|
|
|
|
# Determine domain configuration directory
|
|
|
|
if args.config_dir:
|
|
|
|
domain_config_dir = args.config_dir
|
|
|
|
else:
|
|
|
|
domain_config_dir = DEFAULT_CONF_DIR
|
|
|
|
|
2019-10-25 18:11:11 +02:00
|
|
|
# Determine global configuration file
|
|
|
|
if args.config_file:
|
|
|
|
global_config_file = args.config_file
|
|
|
|
else:
|
|
|
|
global_config_file = os.path.join(domain_config_dir, DEFAULT_CONF_FILENAME)
|
|
|
|
|
2019-03-27 15:17:17 +01:00
|
|
|
# Runtime configuration: Get from command-line options
|
|
|
|
# - work_dir
|
2019-02-20 11:57:15 +01:00
|
|
|
if args.work_dir:
|
2019-03-27 15:17:17 +01:00
|
|
|
runtimeconfig['work_dir'] = args.work_dir
|
2019-02-20 11:57:15 +01:00
|
|
|
else:
|
2019-03-27 15:17:17 +01:00
|
|
|
runtimeconfig['work_dir'] = domain_config_dir
|
|
|
|
# create work_dir if it does not exist yet
|
|
|
|
if not os.path.isdir(runtimeconfig['work_dir']):
|
|
|
|
os.mkdir(runtimeconfig['work_dir'], int("0700", 8))
|
2019-02-20 11:57:15 +01:00
|
|
|
|
2019-03-27 15:17:17 +01:00
|
|
|
# - authority_tos_agreement
|
2019-03-20 10:34:59 +01:00
|
|
|
if args.authority_tos_agreement:
|
2019-03-27 15:17:17 +01:00
|
|
|
runtimeconfig['authority_tos_agreement'] = args.authority_tos_agreement
|
2019-03-20 10:34:59 +01:00
|
|
|
else:
|
2019-03-27 15:17:17 +01:00
|
|
|
runtimeconfig['authority_tos_agreement'] = None
|
2019-03-20 10:34:59 +01:00
|
|
|
|
2019-03-27 15:31:15 +01:00
|
|
|
# - force-rewew
|
|
|
|
if args.force_renew:
|
|
|
|
domaintranslation = idna_convert(args.force_renew.split(' '))
|
|
|
|
if len(domaintranslation) > 0:
|
2019-03-31 22:50:16 +02:00
|
|
|
runtimeconfig['force_renew'] = [x for x, _ in domaintranslation]
|
2019-03-27 15:31:15 +01:00
|
|
|
else:
|
2019-03-28 13:59:44 +01:00
|
|
|
runtimeconfig['force_renew'] = args.force_renew.split(' ')
|
2019-03-27 15:31:15 +01:00
|
|
|
|
2019-03-27 21:00:21 +01:00
|
|
|
# - revoke
|
|
|
|
if args.revoke:
|
|
|
|
runtimeconfig['mode'] = 'revoke'
|
|
|
|
runtimeconfig['revoke'] = args.revoke
|
|
|
|
runtimeconfig['revoke_reason'] = args.revoke_reason
|
|
|
|
|
2019-03-27 15:17:17 +01:00
|
|
|
# Global configuration: Load from file
|
2019-02-20 11:57:15 +01:00
|
|
|
globalconfig = dict()
|
|
|
|
if os.path.isfile(global_config_file):
|
|
|
|
with io.open(global_config_file) as config_fd:
|
2019-01-22 09:05:41 +01:00
|
|
|
try:
|
|
|
|
globalconfig = json.load(config_fd)
|
|
|
|
except ValueError:
|
|
|
|
import yaml
|
|
|
|
config_fd.seek(0)
|
2019-02-22 10:31:28 +01:00
|
|
|
globalconfig = yaml.safe_load(config_fd)
|
2019-01-22 09:05:41 +01:00
|
|
|
|
2019-03-27 15:17:17 +01:00
|
|
|
# Domain configuration(s): Load from file(s)
|
|
|
|
domainconfigs = list()
|
2019-02-20 11:57:15 +01:00
|
|
|
if os.path.isdir(domain_config_dir):
|
|
|
|
for domain_config_file in os.listdir(domain_config_dir):
|
2019-03-19 02:07:17 +01:00
|
|
|
domain_config_file = os.path.join(domain_config_dir, domain_config_file)
|
2019-02-20 11:57:15 +01:00
|
|
|
# check file extension and skip if global config file
|
2019-03-19 02:07:17 +01:00
|
|
|
if domain_config_file.endswith(".conf") and \
|
|
|
|
os.path.abspath(domain_config_file) != os.path.abspath(global_config_file):
|
|
|
|
with io.open(domain_config_file) as config_fd:
|
2019-02-20 11:57:15 +01:00
|
|
|
try:
|
|
|
|
for entry in json.load(config_fd).items():
|
2019-03-27 15:17:17 +01:00
|
|
|
domainconfigs.append(parse_config_entry(entry, globalconfig, runtimeconfig))
|
2019-02-20 11:57:15 +01:00
|
|
|
except ValueError:
|
|
|
|
import yaml
|
|
|
|
config_fd.seek(0)
|
2019-02-22 10:31:28 +01:00
|
|
|
for entry in yaml.safe_load(config_fd).items():
|
2019-03-27 15:17:17 +01:00
|
|
|
domainconfigs.append(parse_config_entry(entry, globalconfig, runtimeconfig))
|
2019-01-22 09:05:41 +01:00
|
|
|
|
2019-04-03 12:34:25 +02:00
|
|
|
# Define a fallback authority from global configuration / defaults
|
|
|
|
runtimeconfig['fallback_authority'] = parse_authority([], globalconfig, runtimeconfig)
|
|
|
|
|
2019-03-27 15:17:17 +01:00
|
|
|
return runtimeconfig, domainconfigs
|