acertmgr/acertmgr.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# Automated Certificate Manager using ACME
# Copyright (c) Markus Hauschild, 2016.


import acme_tiny
import datetime
import dateutil.parser
import dateutil.relativedelta
import os
import re
import subprocess
import yaml


ACME_DIR="/etc/acme/"
ACME_CONF=ACME_DIR + "acme.conf"
ACME_CONFD=ACME_DIR + "domains.d/"
LE_CA="https://acme-staging.api.letsencrypt.org"


class InvalidCertificateError(Exception):
	pass


# @brief check whether existing certificate is still valid or expiring soon
# @param crt_file string containing the path to the certificate file
# @param ttl_days the minimum amount of days for which the certificate must be valid
# @return True if certificate is still valid for at least ttl_days, False otherwise
def cert_isValid(crt_file, ttl_days):
	if not os.path.isfile(crt_file):
		return False
	else:
		# check validity using OpenSSL
		vc = subprocess.check_output(['openssl', 'x509', '-in', crt_file, '-noout', '-dates'])

		m = re.search("notBefore=(.+)", vc)
		if m:
			valid_from = dateutil.parser.parse(m.group(1), ignoretz=True)
		else:
			raise InvalidCertificateError("No notBefore date found")

		m = re.search("notAfter=(.+)", vc)
		if m:
			valid_to = dateutil.parser.parse(m.group(1), ignoretz=True)
		else:
			raise InvalidCertificateError("No notAfter date found")

		now = datetime.datetime.now()
		if valid_from > now:
			raise InvalidCertificateError("Certificate seems to be from the future")

		expiry_limit = now + dateutil.relativedelta.relativedelta(days=+ttl_days)
		if valid_to < expiry_limit:
			return False

		return True


# @brief fetch new certificate from letsencrypt
# @param domain string containing the domain name
# @param settings the domain's configuration options
def cert_get(domain, settings):
	print("Getting certificate for %s." % domain)

	key_file = ACME_DIR + "server.key"
	if not os.path.isfile(key_file):
		raise FileNotFoundError("The server key file (%s) is missing!" % key_file)

	acc_file = ACME_DIR + "account.key"
	if not os.path.isfile(acc_file):
		raise FileNotFoundError("The account key file (%s) is missing!" % acc_file)

	csr_file = "/tmp/%s.csr" % domain
	crt_file = "/tmp/%s.crt" % domain
	if os.path.lexists(csr_file) or os.path.lexists(crt_file):
		raise FileExistsError("A temporary file already exists!")

	challenge_dir = settings.get("webdir", "/var/www/acme-challenge/")
	if not os.path.isdir(challenge_dir):
		raise FileNotFoundError("Challenge directory (%s) does not exist!" % challenge_dir)

	try:
		cr = subprocess.check_output(['openssl', 'req', '-new', '-sha256', '-key', key_file, '-out', csr_file, '-subj', '/CN=%s' % domain])

		# get certificate
		crt = acme_tiny.get_crt(acc_file, csr_file, challenge_dir, CA = LE_CA)
		with open(crt_file, "w") as crt_fd:
			crt_fd.write(crt)
	except Exception:
		os.remove(csr_file)
		raise

	# TODO check if resulting certificate is valid

	os.remove(csr_file)

	# TODO store resulting certificate at final location


# @brief put new certificate in plcae
# @param domain string containing the domain name
# @param settings the domain's configuration options
def cert_put(domain, settings):
	# TODO copy cert w/ correct permissions
	# TODO restart/reload service
	pass


# @brief augment configuration with defaults
# @param domainconfig the domain configuration
# @param defaults the default configuration
# @return the augmented configuration
def complete_config(domainconfig, defaults):
	for name, value in defaults.items():
		if name not in domainconfig:
			domainconfig[name] = value
	return domainconfig


if __name__ == "__main__":
	# load global configuration
	if os.path.isfile(ACME_CONF):
		with open(ACME_CONF) as config_fd:
			config = yaml.load(config_fd)
	if not config:
		config = {}
	if 'domains' not in config:
		config['domains'] = {}
	if 'defaults' not in config:
		config['defaults'] = {}

	# load domain configuration
	for config_file in os.listdir(ACME_CONFD):
		if config_file.endswith(".conf"):
			with open(ACME_CONFD + config_file) as config_fd:
				config['domains'].update(yaml.load(config_fd))
	#print(str(config))

	# check certificate validity and obtain/renew certificates if needed
	for domain, domaincfgs in config['domains'].items():
		# skip domains without any output files
		if domaincfgs is None:
			continue
		crt_file = ACME_DIR + "%s.crt" % domain
		ttl_days = int(config.get('ttl_days', 15))
		if not cert_isValid(crt_file, ttl_days):
			cert_get(domain, config)
			for domaincfg in domaincfgs:
				cfg = complete_config(domaincfg, config['defaults'])
				cert_put(domain, cfg)
Initial commit 2016-01-10 15:00:43 +01:00			`#!/usr/bin/env python`
			`# -- coding: utf-8 --`

			`# Automated Certificate Manager using ACME`
			`# Copyright (c) Markus Hauschild, 2016.`


Acutally invoke acme_tiny (using the staging API) 2016-01-11 20:51:23 +01:00			`import acme_tiny`
Initial commit 2016-01-10 15:00:43 +01:00			`import datetime`
			`import dateutil.parser`
			`import dateutil.relativedelta`
			`import os`
			`import re`
			`import subprocess`
			`import yaml`


			`ACME_DIR="/etc/acme/"`
			`ACME_CONF=ACME_DIR + "acme.conf"`
			`ACME_CONFD=ACME_DIR + "domains.d/"`
Acutally invoke acme_tiny (using the staging API) 2016-01-11 20:51:23 +01:00			`LE_CA="https://acme-staging.api.letsencrypt.org"`
Initial commit 2016-01-10 15:00:43 +01:00
Fixes exception types 2016-01-11 21:31:11 +01:00
			`class InvalidCertificateError(Exception):`
			`pass`


Add minor functionality and code comments 2016-01-10 15:43:11 +01:00			`# @brief check whether existing certificate is still valid or expiring soon`
Refactor cert_isValid, minor improvements 2016-01-10 16:40:22 +01:00			`# @param crt_file string containing the path to the certificate file`
			`# @param ttl_days the minimum amount of days for which the certificate must be valid`
			`# @return True if certificate is still valid for at least ttl_days, False otherwise`
			`def cert_isValid(crt_file, ttl_days):`
Initial commit 2016-01-10 15:00:43 +01:00			`if not os.path.isfile(crt_file):`
			`return False`
			`else:`
			`# check validity using OpenSSL`
			`vc = subprocess.check_output(['openssl', 'x509', '-in', crt_file, '-noout', '-dates'])`

			`m = re.search("notBefore=(.+)", vc)`
			`if m:`
			`valid_from = dateutil.parser.parse(m.group(1), ignoretz=True)`
			`else:`
Fixes exception types 2016-01-11 21:31:11 +01:00			`raise InvalidCertificateError("No notBefore date found")`
Initial commit 2016-01-10 15:00:43 +01:00
			`m = re.search("notAfter=(.+)", vc)`
			`if m:`
			`valid_to = dateutil.parser.parse(m.group(1), ignoretz=True)`
			`else:`
Fixes exception types 2016-01-11 21:31:11 +01:00			`raise InvalidCertificateError("No notAfter date found")`
Initial commit 2016-01-10 15:00:43 +01:00
Add minor functionality and code comments 2016-01-10 15:43:11 +01:00			`now = datetime.datetime.now()`
			`if valid_from > now:`
Fixes exception types 2016-01-11 21:31:11 +01:00			`raise InvalidCertificateError("Certificate seems to be from the future")`
Initial commit 2016-01-10 15:00:43 +01:00
Refactor cert_isValid, minor improvements 2016-01-10 16:40:22 +01:00			`expiry_limit = now + dateutil.relativedelta.relativedelta(days=+ttl_days)`
Add minor functionality and code comments 2016-01-10 15:43:11 +01:00			`if valid_to < expiry_limit:`
Initial commit 2016-01-10 15:00:43 +01:00			`return False`

			`return True`


Add minor functionality and code comments 2016-01-10 15:43:11 +01:00			`# @brief fetch new certificate from letsencrypt`
			`# @param domain string containing the domain name`
			`# @param settings the domain's configuration options`
Initial commit 2016-01-10 15:00:43 +01:00			`def cert_get(domain, settings):`
More checks (e.g. for acme_tiny) 2016-01-11 20:15:31 +01:00			`print("Getting certificate for %s." % domain)`

Initial commit 2016-01-10 15:00:43 +01:00			`key_file = ACME_DIR + "server.key"`
Improve checks for required files 2016-01-11 20:56:08 +01:00			`if not os.path.isfile(key_file):`
Fixes exception types 2016-01-11 21:31:11 +01:00			`raise FileNotFoundError("The server key file (%s) is missing!" % key_file)`
More checks (e.g. for acme_tiny) 2016-01-11 20:15:31 +01:00
			`acc_file = ACME_DIR + "account.key"`
Improve checks for required files 2016-01-11 20:56:08 +01:00			`if not os.path.isfile(acc_file):`
Fixes exception types 2016-01-11 21:31:11 +01:00			`raise FileNotFoundError("The account key file (%s) is missing!" % acc_file)`
Adds some different small improvements Add a check that the server key is present Add a check for temporaty file conflicts Use python3-compatible functions Skip more things when there is nothing to be done Add a few more comments/TODOs 2016-01-10 18:07:00 +01:00
Initial commit 2016-01-10 15:00:43 +01:00			`csr_file = "/tmp/%s.csr" % domain`
Acutally invoke acme_tiny (using the staging API) 2016-01-11 20:51:23 +01:00			`crt_file = "/tmp/%s.crt" % domain`
			`if os.path.lexists(csr_file) or os.path.lexists(crt_file):`
Fixes exception types 2016-01-11 21:31:11 +01:00			`raise FileExistsError("A temporary file already exists!")`
Initial commit 2016-01-10 15:00:43 +01:00
Use challenge dir from configuration 2016-01-12 17:33:20 +01:00			`challenge_dir = settings.get("webdir", "/var/www/acme-challenge/")`
			`if not os.path.isdir(challenge_dir):`
			`raise FileNotFoundError("Challenge directory (%s) does not exist!" % challenge_dir)`
Initial commit 2016-01-10 15:00:43 +01:00
Add checks for errors during certificate creation 2016-01-11 21:38:09 +01:00			`try:`
			`cr = subprocess.check_output(['openssl', 'req', '-new', '-sha256', '-key', key_file, '-out', csr_file, '-subj', '/CN=%s' % domain])`

			`# get certificate`
Use challenge dir from configuration 2016-01-12 17:33:20 +01:00			`crt = acme_tiny.get_crt(acc_file, csr_file, challenge_dir, CA = LE_CA)`
Add checks for errors during certificate creation 2016-01-11 21:38:09 +01:00			`with open(crt_file, "w") as crt_fd:`
			`crt_fd.write(crt)`
			`except Exception:`
			`os.remove(csr_file)`
			`raise`
Acutally invoke acme_tiny (using the staging API) 2016-01-11 20:51:23 +01:00
Initial commit 2016-01-10 15:00:43 +01:00			`# TODO check if resulting certificate is valid`
Refactor cert_isValid, minor improvements 2016-01-10 16:40:22 +01:00
			`os.remove(csr_file)`

Adds some different small improvements Add a check that the server key is present Add a check for temporaty file conflicts Use python3-compatible functions Skip more things when there is nothing to be done Add a few more comments/TODOs 2016-01-10 18:07:00 +01:00			`# TODO store resulting certificate at final location`

Split cert_get into cert_get and cert_put 2016-01-10 17:29:26 +01:00
			`# @brief put new certificate in plcae`
			`# @param domain string containing the domain name`
			`# @param settings the domain's configuration options`
			`def cert_put(domain, settings):`
Initial commit 2016-01-10 15:00:43 +01:00			`# TODO copy cert w/ correct permissions`
Split cert_get into cert_get and cert_put 2016-01-10 17:29:26 +01:00			`# TODO restart/reload service`
			`pass`
Initial commit 2016-01-10 15:00:43 +01:00

Add minor functionality and code comments 2016-01-10 15:43:11 +01:00			`# @brief augment configuration with defaults`
			`# @param domainconfig the domain configuration`
			`# @param defaults the default configuration`
			`# @return the augmented configuration`
			`def complete_config(domainconfig, defaults):`
Adds some different small improvements Add a check that the server key is present Add a check for temporaty file conflicts Use python3-compatible functions Skip more things when there is nothing to be done Add a few more comments/TODOs 2016-01-10 18:07:00 +01:00			`for name, value in defaults.items():`
Add minor functionality and code comments 2016-01-10 15:43:11 +01:00			`if name not in domainconfig:`
			`domainconfig[name] = value`
			`return domainconfig`


Initial commit 2016-01-10 15:00:43 +01:00			`if __name__ == "__main__":`
Minor code and documentation improvements 2016-01-10 15:48:16 +01:00			`# load global configuration`
			`if os.path.isfile(ACME_CONF):`
			`with open(ACME_CONF) as config_fd:`
			`config = yaml.load(config_fd)`
			`if not config:`
			`config = {}`
			`if 'domains' not in config:`
			`config['domains'] = {}`
Add minor functionality and code comments 2016-01-10 15:43:11 +01:00			`if 'defaults' not in config:`
			`config['defaults'] = {}`
Minor code and documentation improvements 2016-01-10 15:48:16 +01:00
			`# load domain configuration`
Initial commit 2016-01-10 15:00:43 +01:00			`for config_file in os.listdir(ACME_CONFD):`
			`if config_file.endswith(".conf"):`
			`with open(ACME_CONFD + config_file) as config_fd:`
			`config['domains'].update(yaml.load(config_fd))`
Handle empty domain config 2016-01-10 17:36:20 +01:00			`#print(str(config))`
Initial commit 2016-01-10 15:00:43 +01:00
Minor code and documentation improvements 2016-01-10 15:48:16 +01:00			`# check certificate validity and obtain/renew certificates if needed`
Adds some different small improvements Add a check that the server key is present Add a check for temporaty file conflicts Use python3-compatible functions Skip more things when there is nothing to be done Add a few more comments/TODOs 2016-01-10 18:07:00 +01:00			`for domain, domaincfgs in config['domains'].items():`
			`# skip domains without any output files`
			`if domaincfgs is None:`
			`continue`
Refactor cert_isValid, minor improvements 2016-01-10 16:40:22 +01:00			`crt_file = ACME_DIR + "%s.crt" % domain`
			`ttl_days = int(config.get('ttl_days', 15))`
			`if not cert_isValid(crt_file, ttl_days):`
Adds some different small improvements Add a check that the server key is present Add a check for temporaty file conflicts Use python3-compatible functions Skip more things when there is nothing to be done Add a few more comments/TODOs 2016-01-10 18:07:00 +01:00			`cert_get(domain, config)`
			`for domaincfg in domaincfgs:`
			`cfg = complete_config(domaincfg, config['defaults'])`
			`cert_put(domain, cfg)`