acertmgr/acertmgr.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# Automated Certificate Manager using ACME
# Copyright (c) Markus Hauschild, 2016.


import acme_tiny
import datetime
import dateutil.parser
import dateutil.relativedelta
import grp
import os
import pwd
import re
import shutil
import subprocess
import tempfile
import threading
import yaml

try:
	from SimpleHTTPServer import SimpleHTTPRequestHandler
except ImportError:
	from http.server import SimpleHTTPRequestHandler

try:
	from SocketServer import TCPServer as HTTPServer
except ImportError:
	from http.server import HTTPServer

ACME_DIR="/etc/acme/"
ACME_CONF=ACME_DIR + "acme.conf"
ACME_CONFD=ACME_DIR + "domains.d/"


class FileNotFoundError(OSError):
	pass


class InvalidCertificateError(Exception):
	pass

# @brief custom request handler for ACME challenges
# @note current working directory is temporarily changed by the script before
#       the webserver starts, which allows using SimpleHTTPRequestHandler
class ACMERequestHandler(SimpleHTTPRequestHandler):
	# @brief remove directories from GET URL
	# @details the current working directory contains the challenge files,
	#          there is no need for creating subdirectories for the path
	#          that ACME expects.
	#          Additionally, this allows redirecting the ACME path to this
	#          webserver without having to know which subdirectory is
	#          redirected, which simplifies integration with existing
	#          webservers.
	def translate_path(self, path):
		spath = path.split('/')
		assert(spath[0] == '')
		spath = spath[1:]
		if spath[0] == '.well-known':
			spath = spath[1:]
		if spath[0] == 'acme-challenge':
			spath = spath[1:]
		assert(len(spath) == 1)
		spath.insert(0, '')
		path = '/'.join(spath)
		return SimpleHTTPRequestHandler.translate_path(self, path)

# @brief start the standalone webserver
# @param server the HTTPServer object
# @note this function is used to be passed to threading.Thread
def start_standalone(server):
	server.serve_forever()

# @brief check whether existing target file is still valid or source crt has been updated
# @param target string containing the path to the target file
# @param crt_file string containing the path to the certificate file
# @return True if target file is at least as new as the certificate, False otherwise
def target_isCurrent(target, crt_file):
	target_date = os.path.getmtime(target)
	crt_date = os.path.getmtime(crt_file)
	return target_date >= crt_date

# @brief check whether existing certificate is still valid or expiring soon
# @param crt_file string containing the path to the certificate file
# @param ttl_days the minimum amount of days for which the certificate must be valid
# @return True if certificate is still valid for at least ttl_days, False otherwise
def cert_isValid(crt_file, ttl_days):
	if not os.path.isfile(crt_file):
		return False
	else:
		# check validity using OpenSSL
		vc = subprocess.check_output(['openssl', 'x509', '-in', crt_file, '-noout', '-dates'])

		m = re.search(b"notBefore=(.+)", vc)
		if m:
			valid_from = dateutil.parser.parse(m.group(1), ignoretz=True)
		else:
			raise InvalidCertificateError("No notBefore date found")

		m = re.search(b"notAfter=(.+)", vc)
		if m:
			valid_to = dateutil.parser.parse(m.group(1), ignoretz=True)
		else:
			raise InvalidCertificateError("No notAfter date found")

		now = datetime.datetime.now()
		if valid_from > now:
			raise InvalidCertificateError("Certificate seems to be from the future")

		expiry_limit = now + dateutil.relativedelta.relativedelta(days=+ttl_days)
		if valid_to < expiry_limit:
			return False

		return True


# @brief fetch new certificate from letsencrypt
# @param domain string containing the domain name
# @param settings the domain's configuration options
def cert_get(domain, settings):
	print("Getting certificate for %s." % domain)

	key_file = ACME_DIR + "server.key"
	if not os.path.isfile(key_file):
		raise FileNotFoundError("The server key file (%s) is missing!" % key_file)

	acc_file = ACME_DIR + "account.key"
	if not os.path.isfile(acc_file):
		raise FileNotFoundError("The account key file (%s) is missing!" % acc_file)

	_, csr_file = tempfile.mkstemp(".csr", "%s." % domain)
	_, crt_file = tempfile.mkstemp(".crt", "%s." % domain)

	challenge_dir = settings.get("webdir", "/var/www/acme-challenge/")
	if not os.path.isdir(challenge_dir):
		raise FileNotFoundError("Challenge directory (%s) does not exist!" % challenge_dir)

	if settings['mode'] == 'standalone':
		port = settings.get('port', 80)

		current_dir = os.getcwd()
		os.chdir(challenge_dir)
		HTTPServer.allow_reuse_address = True
		server = HTTPServer(("", port), ACMERequestHandler)
		server_thread = threading.Thread(target=start_standalone, args=(server, ))
		server_thread.start()

	try:
		allnames = domain.split(' ')
		if len(allnames) == 1:
			cr = subprocess.check_output(['openssl', 'req', '-new', '-sha256', '-key', key_file, '-out', csr_file, '-subj', '/CN=%s' % domain])
		else:
			cnt = 0
			altnames = []
			for alias in allnames[1:]
				cnt = cnt + 1
				altnames.append('DNS.%d=%s' % cnt, alias)
			subject = '/CN=%s subjectAltName=%s' % allnames[0], ','.join(altnames)
			cr = subprocess.check_output(['openssl', 'req', '-new', '-sha256', '-key', key_file, '-out', csr_file, '-reqexts', 'SAN', '-subj', subject])

		# get certificate
		crt = acme_tiny.get_crt(acc_file, csr_file, challenge_dir)
		with open(crt_file, "w") as crt_fd:
			crt_fd.write(crt)

		#  if resulting certificate is valid: store in final location
		if cert_isValid(crt_file, 60):
			crt_final = ACME_DIR + "%s.crt" % domain
			shutil.copy2(crt_file, crt_final)

	finally:
		if settings['mode'] == 'standalone':
			os.chdir(current_dir)
			server.shutdown()
			server_thread.join()
		os.remove(csr_file)
		os.remove(crt_file)


# @brief put new certificate in place
# @param domain string containing the domain name
# @param settings the domain's configuration options
# @return the action to be executed after the certificate update
def cert_put(domain, settings):
	# TODO error handling
	ca_file = settings.get("cafile", "")
	crt_user = settings['user']
	crt_group = settings['group']
	crt_perm = settings['perm']
	crt_path = settings['path']
	crt_format = settings['format'].split(",")
	crt_action = settings['action']

	key_file = ACME_DIR + "server.key"
	crt_final = ACME_DIR + "%s.crt" % domain

	with open(crt_path, "w+") as crt_fd:
		for fmt in crt_format:
			if fmt == "crt":
				src_fd = open(crt_final, "r")
				crt_fd.write(src_fd.read())
				src_fd.close()
			if fmt == "key":
				src_fd = open(key_file, "r")
				crt_fd.write(src_fd.read())
				src_fd.close()
			if fmt == "ca":
				if not os.path.isfile(ca_file):
					raise FileNotFoundError("The server key file (%s) is missing!" % ca_file)
				src_fd = open(ca_file, "r")
				crt_fd.write(src_fd.read())
				src_fd.close()
			else:
				# TODO error handling
				pass

	# set owner and permissions
	uid = pwd.getpwnam(crt_user).pw_uid
	gid = grp.getgrnam(crt_group).gr_gid
	try:
		os.chown(crt_path, uid, gid)
	except OSError:
		print('Warning: Could not set certificate file ownership!')
	try:
		os.chmod(crt_path, int(crt_perm, 8))
	except OSError:
		print('Warning: Could not set certificate file permissions!')

	return crt_action


# @brief augment configuration with defaults
# @param domainconfig the domain configuration
# @param defaults the default configuration
# @return the augmented configuration
def complete_config(domainconfig, defaults):
	if defaults:
		for name, value in defaults.items():
			if name not in domainconfig:
				domainconfig[name] = value
	return domainconfig


if __name__ == "__main__":
	# load global configuration
	if os.path.isfile(ACME_CONF):
		with open(ACME_CONF) as config_fd:
			config = yaml.load(config_fd)
	if not config:
		config = {}
	if 'defaults' not in config:
		config['defaults'] = {}

	config['domains'] = []
	# load domain configuration
	for config_file in os.listdir(ACME_CONFD):
		if config_file.endswith(".conf"):
			with open(ACME_CONFD + config_file) as config_fd:
				for entry in yaml.load(config_fd).items():
					config['domains'].append(entry)

	# post-update actions (run only once)
	actions = set()

	# check certificate validity and obtain/renew certificates if needed
	for domain, domaincfgs in config['domains']:
		# skip domains without any output files
		if domaincfgs is None:
			continue
		crt_file = ACME_DIR + "%s.crt" % domain
		ttl_days = int(config.get('ttl_days', 15))
		if not cert_isValid(crt_file, ttl_days):
			cert_get(domain, config)
		for domaincfg in domaincfgs:
			cfg = complete_config(domaincfg, config['defaults'])
			if not target_isCurrent(cfg['path'], crt_file):
				actions.add(cert_put(domain, cfg))

		# run post-update actions
		for action in actions:
			subprocess.call(action.split())
Use whichever python is available The code is not specific to python2, so any python should do 2016-02-13 00:56:47 +01:00			`#!/usr/bin/env python`
Initial commit 2016-01-10 15:00:43 +01:00			`# -- coding: utf-8 --`

			`# Automated Certificate Manager using ACME`
			`# Copyright (c) Markus Hauschild, 2016.`


Acutally invoke acme_tiny (using the staging API) 2016-01-11 20:51:23 +01:00			`import acme_tiny`
Initial commit 2016-01-10 15:00:43 +01:00			`import datetime`
			`import dateutil.parser`
			`import dateutil.relativedelta`
Implement cert_put and use live API 2016-01-21 16:43:49 +01:00			`import grp`
Initial commit 2016-01-10 15:00:43 +01:00			`import os`
Implement cert_put and use live API 2016-01-21 16:43:49 +01:00			`import pwd`
Initial commit 2016-01-10 15:00:43 +01:00			`import re`
Implement check&copy in cert_get 2016-01-12 17:43:41 +01:00			`import shutil`
Initial commit 2016-01-10 15:00:43 +01:00			`import subprocess`
Improve error handling and tempfile creation 2016-01-12 17:41:48 +01:00			`import tempfile`
standalone webserver mode This patch adds the ability to start a simple webserver that is sufficient to solve the ACME challenge. 2016-02-13 00:48:38 +01:00			`import threading`
Initial commit 2016-01-10 15:00:43 +01:00			`import yaml`

standalone webserver mode This patch adds the ability to start a simple webserver that is sufficient to solve the ACME challenge. 2016-02-13 00:48:38 +01:00			`try:`
			`from SimpleHTTPServer import SimpleHTTPRequestHandler`
			`except ImportError:`
			`from http.server import SimpleHTTPRequestHandler`

			`try:`
			`from SocketServer import TCPServer as HTTPServer`
			`except ImportError:`
			`from http.server import HTTPServer`
Initial commit 2016-01-10 15:00:43 +01:00
			`ACME_DIR="/etc/acme/"`
			`ACME_CONF=ACME_DIR + "acme.conf"`
			`ACME_CONFD=ACME_DIR + "domains.d/"`

Fixes exception types 2016-01-11 21:31:11 +01:00
Improve error handling and tempfile creation 2016-01-12 17:41:48 +01:00			`class FileNotFoundError(OSError):`
indentation error fixes one instance of space-indentation instead of tab-indentation 2016-02-13 01:02:34 +01:00			`pass`
Improve error handling and tempfile creation 2016-01-12 17:41:48 +01:00

Fixes exception types 2016-01-11 21:31:11 +01:00			`class InvalidCertificateError(Exception):`
			`pass`

standalone webserver mode This patch adds the ability to start a simple webserver that is sufficient to solve the ACME challenge. 2016-02-13 00:48:38 +01:00			`# @brief custom request handler for ACME challenges`
			`# @note current working directory is temporarily changed by the script before`
			`# the webserver starts, which allows using SimpleHTTPRequestHandler`
			`class ACMERequestHandler(SimpleHTTPRequestHandler):`
			`# @brief remove directories from GET URL`
			`# @details the current working directory contains the challenge files,`
			`# there is no need for creating subdirectories for the path`
			`# that ACME expects.`
			`# Additionally, this allows redirecting the ACME path to this`
			`# webserver without having to know which subdirectory is`
			`# redirected, which simplifies integration with existing`
			`# webservers.`
			`def translate_path(self, path):`
			`spath = path.split('/')`
			`assert(spath[0] == '')`
			`spath = spath[1:]`
			`if spath[0] == '.well-known':`
			`spath = spath[1:]`
			`if spath[0] == 'acme-challenge':`
			`spath = spath[1:]`
			`assert(len(spath) == 1)`
			`spath.insert(0, '')`
			`path = '/'.join(spath)`
			`return SimpleHTTPRequestHandler.translate_path(self, path)`

			`# @brief start the standalone webserver`
			`# @param server the HTTPServer object`
			`# @note this function is used to be passed to threading.Thread`
			`def start_standalone(server):`
			`server.serve_forever()`
Fixes exception types 2016-01-11 21:31:11 +01:00
replace target files based on timestamp instead of relying on the cached certificate file being updated. This allows multiple configuration files for the same domain. To avoid replacing existing entries, the format is changed from a dictionary to a list, and setting domains in acme.conf is no longer supported. 2016-02-28 14:44:10 +01:00			`# @brief check whether existing target file is still valid or source crt has been updated`
			`# @param target string containing the path to the target file`
			`# @param crt_file string containing the path to the certificate file`
			`# @return True if target file is at least as new as the certificate, False otherwise`
			`def target_isCurrent(target, crt_file):`
			`target_date = os.path.getmtime(target)`
			`crt_date = os.path.getmtime(crt_file)`
			`return target_date >= crt_date`

Add minor functionality and code comments 2016-01-10 15:43:11 +01:00			`# @brief check whether existing certificate is still valid or expiring soon`
Refactor cert_isValid, minor improvements 2016-01-10 16:40:22 +01:00			`# @param crt_file string containing the path to the certificate file`
			`# @param ttl_days the minimum amount of days for which the certificate must be valid`
			`# @return True if certificate is still valid for at least ttl_days, False otherwise`
			`def cert_isValid(crt_file, ttl_days):`
Initial commit 2016-01-10 15:00:43 +01:00			`if not os.path.isfile(crt_file):`
			`return False`
			`else:`
			`# check validity using OpenSSL`
			`vc = subprocess.check_output(['openssl', 'x509', '-in', crt_file, '-noout', '-dates'])`

Implement cert_put and use live API 2016-01-21 16:43:49 +01:00			`m = re.search(b"notBefore=(.+)", vc)`
Initial commit 2016-01-10 15:00:43 +01:00			`if m:`
			`valid_from = dateutil.parser.parse(m.group(1), ignoretz=True)`
			`else:`
Fixes exception types 2016-01-11 21:31:11 +01:00			`raise InvalidCertificateError("No notBefore date found")`
Initial commit 2016-01-10 15:00:43 +01:00
Implement cert_put and use live API 2016-01-21 16:43:49 +01:00			`m = re.search(b"notAfter=(.+)", vc)`
Initial commit 2016-01-10 15:00:43 +01:00			`if m:`
			`valid_to = dateutil.parser.parse(m.group(1), ignoretz=True)`
			`else:`
Fixes exception types 2016-01-11 21:31:11 +01:00			`raise InvalidCertificateError("No notAfter date found")`
Initial commit 2016-01-10 15:00:43 +01:00
Add minor functionality and code comments 2016-01-10 15:43:11 +01:00			`now = datetime.datetime.now()`
			`if valid_from > now:`
Fixes exception types 2016-01-11 21:31:11 +01:00			`raise InvalidCertificateError("Certificate seems to be from the future")`
Initial commit 2016-01-10 15:00:43 +01:00
Refactor cert_isValid, minor improvements 2016-01-10 16:40:22 +01:00			`expiry_limit = now + dateutil.relativedelta.relativedelta(days=+ttl_days)`
Add minor functionality and code comments 2016-01-10 15:43:11 +01:00			`if valid_to < expiry_limit:`
Initial commit 2016-01-10 15:00:43 +01:00			`return False`

			`return True`


Add minor functionality and code comments 2016-01-10 15:43:11 +01:00			`# @brief fetch new certificate from letsencrypt`
			`# @param domain string containing the domain name`
			`# @param settings the domain's configuration options`
Initial commit 2016-01-10 15:00:43 +01:00			`def cert_get(domain, settings):`
More checks (e.g. for acme_tiny) 2016-01-11 20:15:31 +01:00			`print("Getting certificate for %s." % domain)`

Initial commit 2016-01-10 15:00:43 +01:00			`key_file = ACME_DIR + "server.key"`
Improve checks for required files 2016-01-11 20:56:08 +01:00			`if not os.path.isfile(key_file):`
Fixes exception types 2016-01-11 21:31:11 +01:00			`raise FileNotFoundError("The server key file (%s) is missing!" % key_file)`
More checks (e.g. for acme_tiny) 2016-01-11 20:15:31 +01:00
			`acc_file = ACME_DIR + "account.key"`
Improve checks for required files 2016-01-11 20:56:08 +01:00			`if not os.path.isfile(acc_file):`
Fixes exception types 2016-01-11 21:31:11 +01:00			`raise FileNotFoundError("The account key file (%s) is missing!" % acc_file)`
Adds some different small improvements Add a check that the server key is present Add a check for temporaty file conflicts Use python3-compatible functions Skip more things when there is nothing to be done Add a few more comments/TODOs 2016-01-10 18:07:00 +01:00
Improve error handling and tempfile creation 2016-01-12 17:41:48 +01:00			`_, csr_file = tempfile.mkstemp(".csr", "%s." % domain)`
			`_, crt_file = tempfile.mkstemp(".crt", "%s." % domain)`
Initial commit 2016-01-10 15:00:43 +01:00
Use challenge dir from configuration 2016-01-12 17:33:20 +01:00			`challenge_dir = settings.get("webdir", "/var/www/acme-challenge/")`
			`if not os.path.isdir(challenge_dir):`
			`raise FileNotFoundError("Challenge directory (%s) does not exist!" % challenge_dir)`
Initial commit 2016-01-10 15:00:43 +01:00
standalone webserver mode This patch adds the ability to start a simple webserver that is sufficient to solve the ACME challenge. 2016-02-13 00:48:38 +01:00			`if settings['mode'] == 'standalone':`
			`port = settings.get('port', 80)`

			`current_dir = os.getcwd()`
			`os.chdir(challenge_dir)`
			`HTTPServer.allow_reuse_address = True`
			`server = HTTPServer(("", port), ACMERequestHandler)`
			`server_thread = threading.Thread(target=start_standalone, args=(server, ))`
			`server_thread.start()`

Add checks for errors during certificate creation 2016-01-11 21:38:09 +01:00			`try:`
Adds support for SubjectAltName in CSR generation To use this feature, add multiple domain names in the configuration, separated by spaces 2016-02-28 16:21:56 +01:00			`allnames = domain.split(' ')`
			`if len(allnames) == 1:`
			`cr = subprocess.check_output(['openssl', 'req', '-new', '-sha256', '-key', key_file, '-out', csr_file, '-subj', '/CN=%s' % domain])`
			`else:`
			`cnt = 0`
			`altnames = []`
			`for alias in allnames[1:]`
			`cnt = cnt + 1`
			`altnames.append('DNS.%d=%s' % cnt, alias)`
			`subject = '/CN=%s subjectAltName=%s' % allnames[0], ','.join(altnames)`
			`cr = subprocess.check_output(['openssl', 'req', '-new', '-sha256', '-key', key_file, '-out', csr_file, '-reqexts', 'SAN', '-subj', subject])`
Add checks for errors during certificate creation 2016-01-11 21:38:09 +01:00
			`# get certificate`
Implement cert_put and use live API 2016-01-21 16:43:49 +01:00			`crt = acme_tiny.get_crt(acc_file, csr_file, challenge_dir)`
Add checks for errors during certificate creation 2016-01-11 21:38:09 +01:00			`with open(crt_file, "w") as crt_fd:`
			`crt_fd.write(crt)`
Acutally invoke acme_tiny (using the staging API) 2016-01-11 20:51:23 +01:00
Implement check&copy in cert_get 2016-01-12 17:43:41 +01:00			`# if resulting certificate is valid: store in final location`
			`if cert_isValid(crt_file, 60):`
			`crt_final = ACME_DIR + "%s.crt" % domain`
			`shutil.copy2(crt_file, crt_final)`
Refactor cert_isValid, minor improvements 2016-01-10 16:40:22 +01:00
Improve error handling and tempfile creation 2016-01-12 17:41:48 +01:00			`finally:`
standalone webserver mode This patch adds the ability to start a simple webserver that is sufficient to solve the ACME challenge. 2016-02-13 00:48:38 +01:00			`if settings['mode'] == 'standalone':`
			`os.chdir(current_dir)`
			`server.shutdown()`
			`server_thread.join()`
Improve error handling and tempfile creation 2016-01-12 17:41:48 +01:00			`os.remove(csr_file)`
			`os.remove(crt_file)`
Adds some different small improvements Add a check that the server key is present Add a check for temporaty file conflicts Use python3-compatible functions Skip more things when there is nothing to be done Add a few more comments/TODOs 2016-01-10 18:07:00 +01:00
Split cert_get into cert_get and cert_put 2016-01-10 17:29:26 +01:00
Improve error handling and tempfile creation 2016-01-12 17:41:48 +01:00			`# @brief put new certificate in place`
Split cert_get into cert_get and cert_put 2016-01-10 17:29:26 +01:00			`# @param domain string containing the domain name`
			`# @param settings the domain's configuration options`
Rename notify to action and execute them only once. 2016-02-21 11:18:32 +01:00			`# @return the action to be executed after the certificate update`
Split cert_get into cert_get and cert_put 2016-01-10 17:29:26 +01:00			`def cert_put(domain, settings):`
More fine grained TODOs for cert_put 2016-01-16 18:58:12 +01:00			`# TODO error handling`
New format: ca to be able to create cert-chains. 2016-02-21 15:27:46 +01:00			`ca_file = settings.get("cafile", "")`
More fine grained TODOs for cert_put 2016-01-16 18:58:12 +01:00			`crt_user = settings['user']`
			`crt_group = settings['group']`
			`crt_perm = settings['perm']`
			`crt_path = settings['path']`
Implement cert_put and use live API 2016-01-21 16:43:49 +01:00			`crt_format = settings['format'].split(",")`
Rename notify to action and execute them only once. 2016-02-21 11:18:32 +01:00			`crt_action = settings['action']`
More fine grained TODOs for cert_put 2016-01-16 18:58:12 +01:00
Implement cert_put and use live API 2016-01-21 16:43:49 +01:00			`key_file = ACME_DIR + "server.key"`
More fine grained TODOs for cert_put 2016-01-16 18:58:12 +01:00			`crt_final = ACME_DIR + "%s.crt" % domain`

Implement cert_put and use live API 2016-01-21 16:43:49 +01:00			`with open(crt_path, "w+") as crt_fd:`
			`for fmt in crt_format:`
			`if fmt == "crt":`
			`src_fd = open(crt_final, "r")`
			`crt_fd.write(src_fd.read())`
			`src_fd.close()`
			`if fmt == "key":`
			`src_fd = open(key_file, "r")`
			`crt_fd.write(src_fd.read())`
			`src_fd.close()`
New format: ca to be able to create cert-chains. 2016-02-21 15:27:46 +01:00			`if fmt == "ca":`
			`if not os.path.isfile(ca_file):`
			`raise FileNotFoundError("The server key file (%s) is missing!" % ca_file)`
			`src_fd = open(ca_file, "r")`
			`crt_fd.write(src_fd.read())`
			`src_fd.close()`
Implement cert_put and use live API 2016-01-21 16:43:49 +01:00			`else:`
Fix accidentally removed TODO. 2016-02-21 12:44:24 +01:00			`# TODO error handling`
Implement cert_put and use live API 2016-01-21 16:43:49 +01:00			`pass`

			`# set owner and permissions`
			`uid = pwd.getpwnam(crt_user).pw_uid`
			`gid = grp.getgrnam(crt_group).gr_gid`
Check result of file metadata changes Changing ownership and permissions is not supported on all filesystems. This patch prints a warning whenever it fails to set these properties, but continues without a fatal error. 2016-02-13 00:57:28 +01:00			`try:`
			`os.chown(crt_path, uid, gid)`
			`except OSError:`
			`print('Warning: Could not set certificate file ownership!')`
			`try:`
			`os.chmod(crt_path, int(crt_perm, 8))`
			`except OSError:`
			`print('Warning: Could not set certificate file permissions!')`
Implement cert_put and use live API 2016-01-21 16:43:49 +01:00
Rename notify to action and execute them only once. 2016-02-21 11:18:32 +01:00			`return crt_action`
Initial commit 2016-01-10 15:00:43 +01:00

Add minor functionality and code comments 2016-01-10 15:43:11 +01:00			`# @brief augment configuration with defaults`
			`# @param domainconfig the domain configuration`
			`# @param defaults the default configuration`
			`# @return the augmented configuration`
			`def complete_config(domainconfig, defaults):`
Fix error if default values are empty. 2016-02-23 17:53:50 +01:00			`if defaults:`
			`for name, value in defaults.items():`
			`if name not in domainconfig:`
			`domainconfig[name] = value`
Add minor functionality and code comments 2016-01-10 15:43:11 +01:00			`return domainconfig`


Initial commit 2016-01-10 15:00:43 +01:00			`if __name__ == "__main__":`
Minor code and documentation improvements 2016-01-10 15:48:16 +01:00			`# load global configuration`
			`if os.path.isfile(ACME_CONF):`
			`with open(ACME_CONF) as config_fd:`
			`config = yaml.load(config_fd)`
			`if not config:`
			`config = {}`
Add minor functionality and code comments 2016-01-10 15:43:11 +01:00			`if 'defaults' not in config:`
			`config['defaults'] = {}`
Minor code and documentation improvements 2016-01-10 15:48:16 +01:00
replace target files based on timestamp instead of relying on the cached certificate file being updated. This allows multiple configuration files for the same domain. To avoid replacing existing entries, the format is changed from a dictionary to a list, and setting domains in acme.conf is no longer supported. 2016-02-28 14:44:10 +01:00			`config['domains'] = []`
Minor code and documentation improvements 2016-01-10 15:48:16 +01:00			`# load domain configuration`
Initial commit 2016-01-10 15:00:43 +01:00			`for config_file in os.listdir(ACME_CONFD):`
			`if config_file.endswith(".conf"):`
			`with open(ACME_CONFD + config_file) as config_fd:`
replace target files based on timestamp instead of relying on the cached certificate file being updated. This allows multiple configuration files for the same domain. To avoid replacing existing entries, the format is changed from a dictionary to a list, and setting domains in acme.conf is no longer supported. 2016-02-28 14:44:10 +01:00			`for entry in yaml.load(config_fd).items():`
			`config['domains'].append(entry)`
Rename notify to action and execute them only once. 2016-02-21 11:18:32 +01:00
			`# post-update actions (run only once)`
			`actions = set()`
Initial commit 2016-01-10 15:00:43 +01:00
Minor code and documentation improvements 2016-01-10 15:48:16 +01:00			`# check certificate validity and obtain/renew certificates if needed`
replace target files based on timestamp instead of relying on the cached certificate file being updated. This allows multiple configuration files for the same domain. To avoid replacing existing entries, the format is changed from a dictionary to a list, and setting domains in acme.conf is no longer supported. 2016-02-28 14:44:10 +01:00			`for domain, domaincfgs in config['domains']:`
Adds some different small improvements Add a check that the server key is present Add a check for temporaty file conflicts Use python3-compatible functions Skip more things when there is nothing to be done Add a few more comments/TODOs 2016-01-10 18:07:00 +01:00			`# skip domains without any output files`
			`if domaincfgs is None:`
			`continue`
Refactor cert_isValid, minor improvements 2016-01-10 16:40:22 +01:00			`crt_file = ACME_DIR + "%s.crt" % domain`
			`ttl_days = int(config.get('ttl_days', 15))`
			`if not cert_isValid(crt_file, ttl_days):`
Adds some different small improvements Add a check that the server key is present Add a check for temporaty file conflicts Use python3-compatible functions Skip more things when there is nothing to be done Add a few more comments/TODOs 2016-01-10 18:07:00 +01:00			`cert_get(domain, config)`
replace target files based on timestamp instead of relying on the cached certificate file being updated. This allows multiple configuration files for the same domain. To avoid replacing existing entries, the format is changed from a dictionary to a list, and setting domains in acme.conf is no longer supported. 2016-02-28 14:44:10 +01:00			`for domaincfg in domaincfgs:`
			`cfg = complete_config(domaincfg, config['defaults'])`
			`if not target_isCurrent(cfg['path'], crt_file):`
Actually add actions to the set. 2016-02-28 22:52:12 +01:00			`actions.add(cert_put(domain, cfg))`
Rename notify to action and execute them only once. 2016-02-21 11:18:32 +01:00
			`# run post-update actions`
			`for action in actions:`
			`subprocess.call(action.split())`