mirror of
https://github.com/moepman/acertmgr.git
synced 2024-09-20 23:54:47 +02:00
316ecdba2e
Authorities (e.g. Let's Encrypt) usually have Terms of Serivce (ToS) that have to be agreed to. Up until this point we automatically indicated agreement to those ToS and sent the necessary value. This commit changes the behaviour to be in line with recommendations from Let's Encrypt that the user themselves have to indicate their agreement by no longer automatically doing so (except for cases of legacy configuration files to provide compatibility). The user can now indicate ToS agreement by either setting the associated configuration variable (authority_tos_agreement) to the required value and/or providing the required value via a command-line parameter (--authority-tos-agreement=<value>/--tos-agreement=<value>/--tos=<value>)
225 lines
8.7 KiB
Python
225 lines
8.7 KiB
Python
#!/usr/bin/env python
|
|
# -*- coding: utf-8 -*-
|
|
|
|
# config - acertmgr config parser
|
|
# Copyright (c) Markus Hauschild & David Klaftenegger, 2016.
|
|
# Copyright (c) Rudolf Mayerhofer, 2019.
|
|
# available under the ISC license, see LICENSE
|
|
|
|
import argparse
|
|
import copy
|
|
import hashlib
|
|
import io
|
|
import os
|
|
|
|
# Backward compatiblity for older versions/installations of acertmgr
|
|
LEGACY_WORK_DIR = "/etc/acme"
|
|
LEGACY_CONF_FILE = os.path.join(LEGACY_WORK_DIR, "acme.conf")
|
|
LEGACY_CONF_DIR = os.path.join(LEGACY_WORK_DIR, "domains.d")
|
|
|
|
# Configuration defaults to use if not specified otherwise
|
|
DEFAULT_CONF_FILE = "/etc/acertmgr/acertmgr.conf"
|
|
DEFAULT_CONF_DIR = "/etc/acertmgr"
|
|
DEFAULT_KEY_LENGTH = 4096 # bits
|
|
DEFAULT_TTL = 30 # days
|
|
DEFAULT_API = "v2"
|
|
DEFAULT_AUTHORITY = "https://acme-v02.api.letsencrypt.org"
|
|
LEGACY_AUTHORITY_TOS_AGREEMENT = "true"
|
|
|
|
|
|
# @brief augment configuration with defaults
|
|
# @param domainconfig the domain configuration
|
|
# @param defaults the default configuration
|
|
# @return the augmented configuration
|
|
def complete_action_config(domainconfig, config):
|
|
defaults = config['defaults']
|
|
domainconfig['ca_file'] = config['ca_file']
|
|
domainconfig['cert_file'] = config['cert_file']
|
|
domainconfig['key_file'] = config['key_file']
|
|
for name, value in defaults.items():
|
|
if name not in domainconfig:
|
|
domainconfig[name] = value
|
|
if 'action' not in domainconfig:
|
|
domainconfig['action'] = None
|
|
return domainconfig
|
|
|
|
|
|
# @brief update config[name] with value from localconfig>globalconfig>default
|
|
def update_config_value(config, name, localconfig, globalconfig, default):
|
|
values = [x for x in localconfig if name in x]
|
|
if len(values) > 0:
|
|
config[name] = values[0]
|
|
else:
|
|
config[name] = globalconfig.get(name, default)
|
|
|
|
|
|
# @brief load the configuration from a file
|
|
def parse_config_entry(entry, globalconfig, work_dir, authority_tos_agreement):
|
|
config = dict()
|
|
|
|
# Basic domain information
|
|
config['domains'], data = entry
|
|
config['domainlist'] = config['domains'].split(' ')
|
|
config['id'] = hashlib.md5(config['domains'].encode('utf-8')).hexdigest()
|
|
|
|
# Action config defaults
|
|
config['defaults'] = globalconfig.get('defaults', {})
|
|
|
|
# API version
|
|
update_config_value(config, 'api', entry, globalconfig, DEFAULT_API)
|
|
|
|
# Certificate authority
|
|
update_config_value(config, 'authority', entry, globalconfig, DEFAULT_AUTHORITY)
|
|
|
|
# Certificate authority ToS agreement
|
|
update_config_value(config, 'authority_tos_agreement', entry, globalconfig, authority_tos_agreement)
|
|
|
|
# Certificate authority contact email addresses
|
|
update_config_value(config, 'authority_contact_email', entry, globalconfig, None)
|
|
|
|
# Account key
|
|
update_config_value(config, 'account_key', entry, globalconfig, os.path.join(work_dir, "account.key"))
|
|
|
|
# Certificate directory
|
|
update_config_value(config, 'cert_dir', entry, globalconfig, work_dir)
|
|
|
|
# TTL days
|
|
update_config_value(config, 'ttl_days', entry, globalconfig, DEFAULT_TTL)
|
|
|
|
# SSL cert location (with compatibility to older versions)
|
|
update_config_value(config, 'cert_file', entry, globalconfig,
|
|
globalconfig.get('server_cert',
|
|
os.path.join(config['cert_dir'], "{}.crt".format(config['id']))))
|
|
|
|
# SSL key location (with compatibility to older versions)
|
|
update_config_value(config, 'key_file', entry, globalconfig,
|
|
globalconfig.get('server_key',
|
|
os.path.join(config['cert_dir'], "{}.key".format(config['id']))))
|
|
|
|
# SSL key length (if key has to be (re-)generated, converted to int)
|
|
update_config_value(config, 'key_length', entry, globalconfig, DEFAULT_KEY_LENGTH)
|
|
config['key_length'] = int(config['key_length'])
|
|
|
|
# SSL CA location
|
|
ca_files = [x for x in entry if 'ca_file' in x]
|
|
if len(ca_files) > 0:
|
|
config['static_ca'] = True
|
|
config['ca_file'] = ca_files[0]
|
|
elif 'server_ca' in globalconfig:
|
|
config['static_ca'] = True
|
|
config['ca_file'] = globalconfig['server_ca']
|
|
else:
|
|
config['static_ca'] = False
|
|
config['ca_file'] = os.path.join(config['cert_dir'], "{}.ca".format(config['id']))
|
|
|
|
# Domain action configuration
|
|
config['actions'] = list()
|
|
for actioncfg in [x for x in data if 'path' in x]:
|
|
config['actions'].append(complete_action_config(actioncfg, config))
|
|
|
|
# Domain challenge handler configuration
|
|
config['handlers'] = dict()
|
|
handlerconfigs = [x for x in data if 'mode' in x]
|
|
for domain in config['domainlist']:
|
|
# Use global config as base handler config
|
|
cfg = copy.deepcopy(globalconfig)
|
|
|
|
# Determine generic domain handler config values
|
|
genericfgs = [x for x in handlerconfigs if 'domain' not in x]
|
|
if len(genericfgs) > 0:
|
|
cfg.update(genericfgs[0])
|
|
|
|
# Update handler config with more specific values
|
|
specificcfgs = [x for x in handlerconfigs if ('domain' in x and x['domain'] == domain)]
|
|
if len(specificcfgs) > 0:
|
|
cfg.update(specificcfgs[0])
|
|
|
|
config['handlers'][domain] = cfg
|
|
|
|
return config
|
|
|
|
|
|
# @brief load the configuration from a file
|
|
def load():
|
|
parser = argparse.ArgumentParser(description="acertmgr - Automated Certificate Manager using ACME/Let's Encrypt")
|
|
parser.add_argument("-c", "--config-file", nargs="?",
|
|
help="global configuration file (default='{}')".format(DEFAULT_CONF_FILE))
|
|
parser.add_argument("-d", "--config-dir", nargs="?",
|
|
help="domain configuration directory (default='{}')".format(DEFAULT_CONF_DIR))
|
|
parser.add_argument("-w", "--work-dir", nargs="?",
|
|
help="persistent work data directory (default=config_dir)")
|
|
parser.add_argument("--authority-tos-agreement", "--tos-agreement", "--tos", nargs="?",
|
|
help="Agree to the authorities Terms of Service (value required depends on authority)")
|
|
args = parser.parse_args()
|
|
|
|
# Determine global configuration file
|
|
if args.config_file:
|
|
global_config_file = args.config_file
|
|
elif os.path.isfile(LEGACY_CONF_FILE):
|
|
global_config_file = LEGACY_CONF_FILE
|
|
else:
|
|
global_config_file = DEFAULT_CONF_FILE
|
|
|
|
# Determine domain configuration directory
|
|
if args.config_dir:
|
|
domain_config_dir = args.config_dir
|
|
elif os.path.isdir(LEGACY_CONF_DIR):
|
|
domain_config_dir = LEGACY_CONF_DIR
|
|
else:
|
|
domain_config_dir = DEFAULT_CONF_DIR
|
|
|
|
# Determine work directory...
|
|
if args.work_dir:
|
|
work_dir = args.work_dir
|
|
elif os.path.isdir(LEGACY_WORK_DIR) and domain_config_dir == LEGACY_CONF_DIR:
|
|
work_dir = LEGACY_WORK_DIR
|
|
else:
|
|
# .. or use the domain configuration directory otherwise
|
|
work_dir = domain_config_dir
|
|
|
|
# Determine authority agreement
|
|
if args.authority_tos_agreement:
|
|
authority_tos_agreement = args.authority_tos_agreement
|
|
elif global_config_file == LEGACY_CONF_FILE:
|
|
# Old global config file assumes ToS are agreed
|
|
authority_tos_agreement = LEGACY_AUTHORITY_TOS_AGREEMENT
|
|
else:
|
|
authority_tos_agreement = None
|
|
|
|
# load global configuration
|
|
globalconfig = dict()
|
|
if os.path.isfile(global_config_file):
|
|
with io.open(global_config_file) as config_fd:
|
|
try:
|
|
import json
|
|
globalconfig = json.load(config_fd)
|
|
except ValueError:
|
|
import yaml
|
|
config_fd.seek(0)
|
|
globalconfig = yaml.safe_load(config_fd)
|
|
|
|
# create work directory if it does not exist
|
|
if not os.path.isdir(work_dir):
|
|
os.mkdir(work_dir, int("0700", 8))
|
|
|
|
# load domain configuration
|
|
config = list()
|
|
if os.path.isdir(domain_config_dir):
|
|
for domain_config_file in os.listdir(domain_config_dir):
|
|
domain_config_file = os.path.join(domain_config_dir, domain_config_file)
|
|
# check file extension and skip if global config file
|
|
if domain_config_file.endswith(".conf") and \
|
|
os.path.abspath(domain_config_file) != os.path.abspath(global_config_file):
|
|
with io.open(domain_config_file) as config_fd:
|
|
try:
|
|
import json
|
|
for entry in json.load(config_fd).items():
|
|
config.append(parse_config_entry(entry, globalconfig, work_dir, authority_tos_agreement))
|
|
except ValueError:
|
|
import yaml
|
|
config_fd.seek(0)
|
|
for entry in yaml.safe_load(config_fd).items():
|
|
config.append(parse_config_entry(entry, globalconfig, work_dir, authority_tos_agreement))
|
|
|
|
return config
|