2016-01-10 15:00:43 +01:00
|
|
|
#!/usr/bin/env python
|
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
|
|
|
# Automated Certificate Manager using ACME
|
|
|
|
# Copyright (c) Markus Hauschild, 2016.
|
|
|
|
|
|
|
|
|
2016-01-11 20:51:23 +01:00
|
|
|
import acme_tiny
|
2016-01-10 15:00:43 +01:00
|
|
|
import datetime
|
|
|
|
import dateutil.parser
|
|
|
|
import dateutil.relativedelta
|
|
|
|
import os
|
|
|
|
import re
|
|
|
|
import subprocess
|
|
|
|
import yaml
|
|
|
|
|
|
|
|
|
|
|
|
ACME_DIR="/etc/acme/"
|
|
|
|
ACME_CONF=ACME_DIR + "acme.conf"
|
|
|
|
ACME_CONFD=ACME_DIR + "domains.d/"
|
2016-01-11 20:51:23 +01:00
|
|
|
CHALLENGE_DIR="/var/www/acme/"
|
|
|
|
LE_CA="https://acme-staging.api.letsencrypt.org"
|
2016-01-10 15:00:43 +01:00
|
|
|
|
2016-01-11 21:31:11 +01:00
|
|
|
|
|
|
|
class InvalidCertificateError(Exception):
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
2016-01-10 15:43:11 +01:00
|
|
|
# @brief check whether existing certificate is still valid or expiring soon
|
2016-01-10 16:40:22 +01:00
|
|
|
# @param crt_file string containing the path to the certificate file
|
|
|
|
# @param ttl_days the minimum amount of days for which the certificate must be valid
|
|
|
|
# @return True if certificate is still valid for at least ttl_days, False otherwise
|
|
|
|
def cert_isValid(crt_file, ttl_days):
|
2016-01-10 15:00:43 +01:00
|
|
|
if not os.path.isfile(crt_file):
|
|
|
|
return False
|
|
|
|
else:
|
|
|
|
# check validity using OpenSSL
|
|
|
|
vc = subprocess.check_output(['openssl', 'x509', '-in', crt_file, '-noout', '-dates'])
|
|
|
|
|
|
|
|
m = re.search("notBefore=(.+)", vc)
|
|
|
|
if m:
|
|
|
|
valid_from = dateutil.parser.parse(m.group(1), ignoretz=True)
|
|
|
|
else:
|
2016-01-11 21:31:11 +01:00
|
|
|
raise InvalidCertificateError("No notBefore date found")
|
2016-01-10 15:00:43 +01:00
|
|
|
|
|
|
|
m = re.search("notAfter=(.+)", vc)
|
|
|
|
if m:
|
|
|
|
valid_to = dateutil.parser.parse(m.group(1), ignoretz=True)
|
|
|
|
else:
|
2016-01-11 21:31:11 +01:00
|
|
|
raise InvalidCertificateError("No notAfter date found")
|
2016-01-10 15:00:43 +01:00
|
|
|
|
2016-01-10 15:43:11 +01:00
|
|
|
now = datetime.datetime.now()
|
|
|
|
if valid_from > now:
|
2016-01-11 21:31:11 +01:00
|
|
|
raise InvalidCertificateError("Certificate seems to be from the future")
|
2016-01-10 15:00:43 +01:00
|
|
|
|
2016-01-10 16:40:22 +01:00
|
|
|
expiry_limit = now + dateutil.relativedelta.relativedelta(days=+ttl_days)
|
2016-01-10 15:43:11 +01:00
|
|
|
if valid_to < expiry_limit:
|
2016-01-10 15:00:43 +01:00
|
|
|
return False
|
|
|
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
2016-01-10 15:43:11 +01:00
|
|
|
# @brief fetch new certificate from letsencrypt
|
|
|
|
# @param domain string containing the domain name
|
|
|
|
# @param settings the domain's configuration options
|
2016-01-10 15:00:43 +01:00
|
|
|
def cert_get(domain, settings):
|
2016-01-11 20:15:31 +01:00
|
|
|
print("Getting certificate for %s." % domain)
|
|
|
|
|
2016-01-10 15:00:43 +01:00
|
|
|
key_file = ACME_DIR + "server.key"
|
2016-01-11 20:56:08 +01:00
|
|
|
if not os.path.isfile(key_file):
|
2016-01-11 21:31:11 +01:00
|
|
|
raise FileNotFoundError("The server key file (%s) is missing!" % key_file)
|
2016-01-11 20:15:31 +01:00
|
|
|
|
|
|
|
acc_file = ACME_DIR + "account.key"
|
2016-01-11 20:56:08 +01:00
|
|
|
if not os.path.isfile(acc_file):
|
2016-01-11 21:31:11 +01:00
|
|
|
raise FileNotFoundError("The account key file (%s) is missing!" % acc_file)
|
2016-01-10 18:07:00 +01:00
|
|
|
|
2016-01-10 15:00:43 +01:00
|
|
|
csr_file = "/tmp/%s.csr" % domain
|
2016-01-11 20:51:23 +01:00
|
|
|
crt_file = "/tmp/%s.crt" % domain
|
|
|
|
if os.path.lexists(csr_file) or os.path.lexists(crt_file):
|
2016-01-11 21:31:11 +01:00
|
|
|
raise FileExistsError("A temporary file already exists!")
|
2016-01-10 15:00:43 +01:00
|
|
|
|
|
|
|
|
2016-01-11 20:15:31 +01:00
|
|
|
cr = subprocess.check_output(['openssl', 'req', '-new', '-sha256', '-key', key_file, '-out', csr_file, '-subj', '/CN=%s' % domain])
|
2016-01-10 18:07:00 +01:00
|
|
|
|
2016-01-11 20:51:23 +01:00
|
|
|
# get certificate
|
|
|
|
crt = acme_tiny.get_crt(acc_file, csr_file, CHALLENGE_DIR, CA = LE_CA)
|
|
|
|
with open(crt_file, "w") as crt_fd:
|
|
|
|
crt_fd.write(crt)
|
|
|
|
|
2016-01-10 15:00:43 +01:00
|
|
|
# TODO check if resulting certificate is valid
|
2016-01-10 16:40:22 +01:00
|
|
|
|
|
|
|
os.remove(csr_file)
|
|
|
|
|
2016-01-10 18:07:00 +01:00
|
|
|
# TODO store resulting certificate at final location
|
|
|
|
|
2016-01-10 17:29:26 +01:00
|
|
|
|
|
|
|
# @brief put new certificate in plcae
|
|
|
|
# @param domain string containing the domain name
|
|
|
|
# @param settings the domain's configuration options
|
|
|
|
def cert_put(domain, settings):
|
2016-01-10 15:00:43 +01:00
|
|
|
# TODO copy cert w/ correct permissions
|
2016-01-10 17:29:26 +01:00
|
|
|
# TODO restart/reload service
|
|
|
|
pass
|
2016-01-10 15:00:43 +01:00
|
|
|
|
|
|
|
|
2016-01-10 15:43:11 +01:00
|
|
|
# @brief augment configuration with defaults
|
|
|
|
# @param domainconfig the domain configuration
|
|
|
|
# @param defaults the default configuration
|
|
|
|
# @return the augmented configuration
|
|
|
|
def complete_config(domainconfig, defaults):
|
2016-01-10 18:07:00 +01:00
|
|
|
for name, value in defaults.items():
|
2016-01-10 15:43:11 +01:00
|
|
|
if name not in domainconfig:
|
|
|
|
domainconfig[name] = value
|
|
|
|
return domainconfig
|
|
|
|
|
|
|
|
|
2016-01-10 15:00:43 +01:00
|
|
|
if __name__ == "__main__":
|
2016-01-10 15:48:16 +01:00
|
|
|
# load global configuration
|
|
|
|
if os.path.isfile(ACME_CONF):
|
|
|
|
with open(ACME_CONF) as config_fd:
|
|
|
|
config = yaml.load(config_fd)
|
|
|
|
if not config:
|
|
|
|
config = {}
|
|
|
|
if 'domains' not in config:
|
|
|
|
config['domains'] = {}
|
2016-01-10 15:43:11 +01:00
|
|
|
if 'defaults' not in config:
|
|
|
|
config['defaults'] = {}
|
2016-01-10 15:48:16 +01:00
|
|
|
|
|
|
|
# load domain configuration
|
2016-01-10 15:00:43 +01:00
|
|
|
for config_file in os.listdir(ACME_CONFD):
|
|
|
|
if config_file.endswith(".conf"):
|
|
|
|
with open(ACME_CONFD + config_file) as config_fd:
|
|
|
|
config['domains'].update(yaml.load(config_fd))
|
2016-01-10 17:36:20 +01:00
|
|
|
#print(str(config))
|
2016-01-10 15:00:43 +01:00
|
|
|
|
2016-01-10 15:48:16 +01:00
|
|
|
# check certificate validity and obtain/renew certificates if needed
|
2016-01-10 18:07:00 +01:00
|
|
|
for domain, domaincfgs in config['domains'].items():
|
|
|
|
# skip domains without any output files
|
|
|
|
if domaincfgs is None:
|
|
|
|
continue
|
2016-01-10 16:40:22 +01:00
|
|
|
crt_file = ACME_DIR + "%s.crt" % domain
|
|
|
|
ttl_days = int(config.get('ttl_days', 15))
|
|
|
|
if not cert_isValid(crt_file, ttl_days):
|
2016-01-10 18:07:00 +01:00
|
|
|
cert_get(domain, config)
|
|
|
|
for domaincfg in domaincfgs:
|
|
|
|
cfg = complete_config(domaincfg, config['defaults'])
|
|
|
|
cert_put(domain, cfg)
|