From fa3fc196f3d4bc520cc704f18f38a2c9afa0b55f Mon Sep 17 00:00:00 2001
From: Kishi85
Date: Thu, 28 Mar 2019 12:33:59 +0100
Subject: [PATCH] configuration: unify how ca_file and ca_static are determined ensure legacy compatibility (also include defaults case) and update README.md
---
 README.md | 5 +++--
 acertmgr/__init__.py | 3 ++-
 acertmgr/configuration.py | 18 +++++++-----------
 3 files changed, 12 insertions(+), 14 deletions(-)
diff --git a/README.md b/README.md
index 00cf26c..63aad2d 100644
--- a/README.md
+++ b/README.md
@@ -62,7 +62,7 @@ By default the directory (work_dir) containing the working data (csr,certificate
 | --force-renew | **c** | (or --renew-now) Immediately renew all certificates containing the given domain(s) | |
 | --revoke | **c** | Revoke the certificate at the given path | |
 | --revoke-reason | **c** | Provide a reason code for the revocation (see https://tools.ietf.org/html/rfc5280#section-5.3.1 for valid values) | |
-| domain (san-domain...): | **d** | (domainconfig section start) Domains to use in the cert request, will be MD5 hashed as cert_id | |
+| domain (san-domain...): | **d** | (domainconfig section start) Domains to use in the cert request. This value will be MD5-hashed as cert_id. | |
 | api | d,**g** | Determines the API version used | v2 |
 | authority | d,**g** | URL to the certificate authorities API | https://acme-v02.api.letsencrypt.org |
 | authority_tos_agreement | d,**g**,c | Indicates agreement to the ToS of the certificate authority (--authority-tos-agreement on command line) | |
@@ -73,6 +73,7 @@ By default the directory (work_dir) containing the working data (csr,certificate
 | key_length | d,**g** | Key-length for newly generated private keys | 4096 |
 | csr_static | **d**,g | Whether to re-use a static CSR or generate a new dynamic CSR | false |
 | csr_file | **d**,g | Path to store (and load) the certificate CSR file | {cert_dir}/{cert_id}.csr |
+| ca_static | **d**,g | Whether to re-use a static CA or download a CA file | false |
 | ca_file | **d**,g | Path to store (and load) the certificate authority file | {cert_dir}/{cert_id}.ca |
 | cert_file | **d** | Path to store (and load) the certificate file | {cert_dir}/{cert_id}.crt |
 | cert_revoke_superseded | **d**,g | Revoke the previous certificate with reason "superseded" after successful deployment | false |
@@ -84,7 +85,7 @@ By default the directory (work_dir) containing the working data (csr,certificate
 | port | **d**,g | [standalone] Serve the challenge using a HTTP server on this port | 80 |
 | dns_ttl | **d**,g | [dns.*] Write TXT records with this TTL (also determines the update wait time at twice this value | 60 |
 | dns_updatedomain | **d**,g | [dns.*] Write the TXT records to this domain (you have to create the necessary CNAME on the real challenge domain manually) | |
-| nsupdate_server | **d**,g | [dns.nsupdate] DNS Server to delegate the update to | |
+| nsupdate_server | **d**,g | [dns.nsupdate] DNS Server to delegate the update to | {determine from zone SOA} |
 | nsupdate_keyfile | **d**,g | [dns.nsupdate] Bind-formatted TSIG key file to use for updates (may be used instead of nsupdate_key*) | |
 | nsupdate_keyname | **d**,g | [dns.nsupdate] TSIG key name to use for updates | |
 | nsupdate_keyvalue | **d**,g | [dns.nsupdate] TSIG key value to use for updates | |
diff --git a/acertmgr/__init__.py b/acertmgr/__init__.py
index a233420..81dcb22 100755
--- a/acertmgr/__init__.py
+++ b/acertmgr/__init__.py
@@ -59,7 +59,8 @@ def cert_get(settings):
 if tools.is_cert_valid(crt, settings['ttl_days']):
 print("Certificate '{}' renewed and valid until {}".format(crt, crt.not_valid_after))
 tools.write_pem_file(crt, settings['cert_file'], stat.S_IREAD)
- if "static_ca" in settings and not settings['static_ca'] and ca is not None:
+ if (not str(settings.get('ca_static')).lower() == 'true' or not os.path.exists(settings['ca_file'])) \
+ and ca is not None:
 tools.write_pem_file(ca, settings['ca_file'])
diff --git a/acertmgr/configuration.py b/acertmgr/configuration.py
index eb1b8c9..910cc7a 100644
--- a/acertmgr/configuration.py
+++ b/acertmgr/configuration.py
@@ -154,18 +154,14 @@ def parse_config_entry(entry, globalconfig, runtimeconfig):
 update_config_value(config, 'key_length', localconfig, globalconfig, DEFAULT_KEY_LENGTH)
 config['key_length'] = int(config['key_length'])
- # SSL CA location
- ca_files = [x for x in entry if 'ca_file' in x]
- if len(ca_files) > 0:
- config['static_ca'] = True
- config['ca_file'] = ca_files[0]
- elif 'server_ca' in globalconfig:
+ # SSL CA location / use static
+ update_config_value(config, 'ca_file', localconfig, globalconfig,
+ globalconfig.get('server_ca', config['defaults'].get('server_ca',
+ os.path.join(config['cert_dir'], "{}.ca".format(config['id'])))))
+ update_config_value(config, 'ca_static', localconfig, globalconfig, "false")
+ if 'server_ca' in globalconfig or 'server_ca' in config['defaults']:
+ config['ca_static'] = "true"
 print("WARNING: Legacy configuration directive 'server_ca' used. Support will be removed in 1.0")
- config['static_ca'] = True
- config['ca_file'] = globalconfig['server_ca']
- else:
- config['static_ca'] = False
- config['ca_file'] = os.path.join(config['cert_dir'], "{}.ca".format(config['id']))
 # Domain action configuration
 config['actions'] = list()
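Review bot: The new condition on the two `+` lines writes the downloaded chain into `settings['ca_file']` whenever that path does not exist yet, even with `ca_static` set to `"true"`, so a path the operator declared static is silently populated from the network on the first run and then trusted as static from then on; the README row this commit adds ("re-use a static CA or download a CA file") does not say that. If that bootstrap is intended, document it next to the check, e.g. `# a missing static CA is filled once from the downloaded chain`, and print something when it happens; otherwise drop the `os.path.exists` branch. The comparison also reads more clearly as `str(settings.get('ca_static')).lower() != 'true'`, and only the literal `true` enables static mode — a YAML boolean survives via `str()`, but `yes`/`1` silently mean "download and overwrite", which the README row should state unless the config parser (not visible here) normalizes these. `cert_get` starts before this hunk.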
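Review bot: The legacy block at the end of the hunk forces `config['ca_static'] = "true"` whenever `server_ca` appears in the global config or in `defaults`, overriding a `ca_static: false` an operator set explicitly for one domain, and the removed lines' rule that a per-domain `ca_file` implies a static CA is gone: such a domain now resolves `ca_static` to the `"false"` default and the downloaded chain gets written over whatever file that `ca_file` path names, which the commit message's "ensure legacy compatibility" does not cover. Assuming `update_config_value` consults `localconfig`, then `globalconfig`, then the default, the override should only fill the gap: `if 'ca_static' not in localconfig and 'ca_static' not in globalconfig:` / `config['ca_static'] = "true"` inside the existing `server_ca` check, with the warning left unconditional. Either way the migration rule belongs in the comment, e.g. `# legacy: server_ca implies a static CA unless ca_static is set explicitly`. `parse_config_entry` starts before and continues after this hunk.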