wo/core/acme.py

import csv
import os

import requests

from wo.core.fileutils import WOFileUtils
from wo.core.git import WOGit
from wo.core.logging import Log
from wo.core.shellexec import WOShellExec, CommandExecutionError
from wo.core.variables import WOVar


class WOAcme:
    """Acme.sh utilities for WordOps"""

    wo_acme_exec = ("/etc/letsencrypt/acme.sh --config-home "
                    "'/etc/letsencrypt/config'")

    def export_cert(self):
        """Export acme.sh csv certificate list"""
        if not WOShellExec.cmd_exec(
                self, "{0} ".format(WOAcme.wo_acme_exec) +
                "--list --listraw > /var/lib/wo/cert.csv"):
            Log.error(self, "Unable to export certs list")
        WOFileUtils.chmod(self, '/var/lib/wo/cert.csv', 0o600)

    def setupletsencrypt(self, acme_domains, acmedata):
        """Issue SSL certificates with acme.sh"""
        all_domains = '\' -d \''.join(acme_domains)
        wo_acme_dns = acmedata['acme_dns']
        keylenght = acmedata['keylength']
        if acmedata['dns'] is True:
            acme_mode = "--dns {0}".format(wo_acme_dns)
            validation_mode = "DNS mode with {0}".format(wo_acme_dns)
            if acmedata['dnsalias'] is True:
                acme_mode = acme_mode + \
                    " --challenge-alias {0}".format(acmedata['acme_alias'])
        else:
            acme_mode = "-w /var/www/html"
            validation_mode = "Webroot challenge"
            Log.debug(self, "Validation : Webroot mode")
            if not os.path.isdir('/var/www/html/.well-known/acme-challenge'):
                WOFileUtils.mkdir(
                    self, '/var/www/html/.well-known/acme-challenge')
            WOFileUtils.chown(
                self, '/var/www/html/.well-known', 'www-data', 'www-data',
                recursive=True)
            WOFileUtils.chmod(self, '/var/www/html/.well-known', 0o750,
                              recursive=True)

        Log.info(self, "Validation mode : {0}".format(validation_mode))
        Log.wait(self, "Issuing SSL cert with acme.sh")
        if not WOShellExec.cmd_exec(
                self, "{0} ".format(WOAcme.wo_acme_exec) +
                "--issue -d '{0}' {1} -k {2} -f"
                .format(all_domains, acme_mode, keylenght)):
            Log.failed(self, "Issuing SSL cert with acme.sh")
            if acmedata['dns'] is True:
                Log.error(
                    self, "Please make sure your properly "
                    "set your DNS API credentials for acme.sh")
                return False
            else:
                Log.error(
                    self, "Your domain is properly configured "
                    "but acme.sh was unable to issue certificate.\n"
                    "You can find more informations in "
                    "/var/log/wo/wordops.log")
                return False
        else:
            Log.valide(self, "Issuing SSL cert with acme.sh")
            return True

    def deploycert(self, wo_domain_name):
        """Deploy Let's Encrypt certificates with acme.sh"""
        if not os.path.isfile('/etc/letsencrypt/renewal/{0}_ecc/fullchain.cer'
                              .format(wo_domain_name)):
            Log.error(self, 'Certificate not found. Deployment canceled')

        Log.debug(self, "Cert deployment for domain: {0}"
                  .format(wo_domain_name))

        try:
            Log.wait(self, "Deploying SSL cert")
            if WOShellExec.cmd_exec(
                self, "mkdir -p {0}/{1} && {2} --install-cert -d {1} --ecc "
                "--cert-file {0}/{1}/cert.pem --key-file {0}/{1}/key.pem "
                "--fullchain-file {0}/{1}/fullchain.pem "
                "--ca-file {0}/{1}/ca.pem --reloadcmd \"nginx -t && "
                "service nginx restart\" "
                .format(WOVar.wo_ssl_live,
                        wo_domain_name, WOAcme.wo_acme_exec)):
                Log.valide(self, "Deploying SSL cert")
            else:
                Log.failed(self, "Deploying SSL cert")
                Log.error(self, "Unable to deploy certificate")

            if os.path.isdir('/var/www/{0}/conf/nginx'
                             .format(wo_domain_name)):

                sslconf = open("/var/www/{0}/conf/nginx/ssl.conf"
                               .format(wo_domain_name),
                               encoding='utf-8', mode='w')
                sslconf.write(
                    "listen 443 ssl http2;\n"
                    "listen [::]:443 ssl http2;\n"
                    "ssl_certificate     {0}/{1}/fullchain.pem;\n"
                    "ssl_certificate_key     {0}/{1}/key.pem;\n"
                    "ssl_trusted_certificate {0}/{1}/ca.pem;\n"
                    "ssl_stapling_verify on;\n"
                    .format(WOVar.wo_ssl_live, wo_domain_name))
                sslconf.close()

            if not WOFileUtils.grep(self, '/var/www/22222/conf/nginx/ssl.conf',
                                    '/etc/letsencrypt'):
                Log.info(self, "Securing WordOps backend with current cert")
                sslconf = open("/var/www/22222/conf/nginx/ssl.conf",
                               encoding='utf-8', mode='w')
                sslconf.write("ssl_certificate     {0}/{1}/fullchain.pem;\n"
                              "ssl_certificate_key     {0}/{1}/key.pem;\n"
                              "ssl_trusted_certificate {0}/{1}/ca.pem;\n"
                              "ssl_stapling_verify on;\n"
                              .format(WOVar.wo_ssl_live, wo_domain_name))
                sslconf.close()

            WOGit.add(self, ["/etc/letsencrypt"],
                      msg="Adding letsencrypt folder")

        except IOError as e:
            Log.debug(self, str(e))
            Log.debug(self, "Error occured while generating "
                      "ssl.conf")
        return 0

    def renew(self, domain):
        """Renew letsencrypt certificate with acme.sh"""
        try:
            WOShellExec.cmd_exec(
                self, "{0} ".format(WOAcme.wo_acme_exec) +
                "--renew -d {0} --ecc --force".format(domain))
        except CommandExecutionError as e:
            Log.debug(self, str(e))
            Log.error(self, 'Unable to renew certificate')
        return True

    def check_dns(self, acme_domains):
        """Check if a list of domains point to the server IP"""
        server_ip = requests.get('http://v4.wordops.eu/').text
        for domain in acme_domains:
            domain_ip = requests.get('http://v4.wordops.eu/dns/{0}/'
                                     .format(domain)).text
            if(not domain_ip == server_ip):
                Log.warn(
                    self, "{0}".format(domain) +
                    " point to the IP {0}".format(domain_ip) +
                    " but your server IP is {0}.".format(server_ip) +
                    "\nUse the flag --force to bypass this check.")
                Log.error(
                    self, "You have to set the "
                    "proper DNS record for your domain", False)
                return False
        Log.debug(self, "DNS record are properly set")
        return True

    def cert_check(self, wo_domain_name):
        """Check certificate existance with acme.sh and return Boolean"""
        WOAcme.export_cert(self)
        # define new csv dialect
        csv.register_dialect('acmeconf', delimiter='|')
        # open file
        certfile = open('/var/lib/wo/cert.csv', mode='r', encoding='utf-8')
        reader = csv.reader(certfile, 'acmeconf')
        for row in reader:
            # check if domain exist
            if wo_domain_name == row[0]:
                # check if cert expiration exist
                if not row[3] == '':
                    return True
        certfile.close()
        return False

    def removeconf(self, domain):
        sslconf = ("/var/www/{0}/conf/nginx/ssl.conf"
                   .format(domain))
        sslforce = ("/etc/nginx/conf.d/force-ssl-{0}.conf"
                    .format(domain))
        acmedir = [
            '{0}'.format(sslforce), '{0}'.format(sslconf),
            '{0}/{1}_ecc'.format(WOVar.wo_ssl_archive, domain),
            '{0}.disabled'.format(sslconf), '{0}.disabled'
            .format(sslforce), '{0}/{1}'
            .format(WOVar.wo_ssl_live, domain),
            '/etc/letsencrypt/shared/{0}.conf'.format(domain)]
        wo_domain = domain
        if WOAcme.cert_check(self, wo_domain):
            Log.info(self, "Removing Acme configuration")
            Log.debug(self, "Removing Acme configuration")
            try:
                WOShellExec.cmd_exec(
                    self, "{0} ".format(WOAcme.wo_acme_exec) +
                    "--remove -d {0} --ecc".format(domain))
            except CommandExecutionError as e:
                Log.debug(self, "{0}".format(e))
                Log.error(self, "Cert removal failed")
            # remove all files and directories
            for dir in acmedir:
                if os.path.exists('{0}'.format(dir)):
                    WOFileUtils.rm(self, '{0}'.format(dir))
            # find all broken symlinks
            WOFileUtils.findBrokenSymlink(self, "/var/www")
        else:
            if os.path.islink("{0}".format(sslconf)):
                WOFileUtils.remove_symlink(self, "{0}".format(sslconf))
                WOFileUtils.rm(self, '{0}'.format(sslforce))

        if WOFileUtils.grepcheck(self, '/var/www/22222/conf/nginx/ssl.conf',
                                 '{0}'.format(domain)):
            Log.info(
                self, "Setting back default certificate for WordOps backend")
            with open("/var/www/22222/conf/nginx/"
                      "ssl.conf", "w") as ssl_conf_file:
                ssl_conf_file.write("ssl_certificate "
                                    "/var/www/22222/cert/22222.crt;\n"
                                    "ssl_certificate_key "
                                    "/var/www/22222/cert/22222.key;\n")
Improve acme 2019-10-01 15:22:03 +02:00			`import csv`
Refactor acme.sh integration 2019-09-22 19:30:39 +02:00			`import os`

			`import requests`

			`from wo.core.fileutils import WOFileUtils`
			`from wo.core.git import WOGit`
			`from wo.core.logging import Log`
Move removeconf into acme 2019-10-28 10:35:26 +01:00			`from wo.core.shellexec import WOShellExec, CommandExecutionError`
Refactor acme.sh and WOVariables 2019-10-02 13:13:32 +02:00			`from wo.core.variables import WOVar`
Refactor acme.sh integration 2019-09-22 19:30:39 +02:00

Fix WOAcme 2019-10-01 17:29:29 +02:00			`class WOAcme:`
Refactor acme.sh integration 2019-09-22 19:30:39 +02:00			`"""Acme.sh utilities for WordOps"""`

Improve acme 2019-10-01 15:22:03 +02:00			`wo_acme_exec = ("/etc/letsencrypt/acme.sh --config-home "`
			`"'/etc/letsencrypt/config'")`

			`def export_cert(self):`
			`"""Export acme.sh csv certificate list"""`
			`if not WOShellExec.cmd_exec(`
Fix WOAcme 2019-10-01 17:29:29 +02:00			`self, "{0} ".format(WOAcme.wo_acme_exec) +`
Improve acme 2019-10-01 15:22:03 +02:00			`"--list --listraw > /var/lib/wo/cert.csv"):`
			`Log.error(self, "Unable to export certs list")`
Several improvements * Run `mysql_upgrade` during MySQL upgrade with `wo stack upgrade` to perform migration if needed * WordOps now check if a repository already exist before trying to adding it again. * install script refactored 2019-10-25 23:58:08 +02:00			`WOFileUtils.chmod(self, '/var/lib/wo/cert.csv', 0o600)`
Improve acme 2019-10-01 15:22:03 +02:00
Fix incorrect variable 2019-09-23 01:02:44 +02:00			`def setupletsencrypt(self, acme_domains, acmedata):`
Fix some errors with pylint 2019-09-30 12:38:28 +02:00			`"""Issue SSL certificates with acme.sh"""`
Fix incorrect variable 2019-09-23 01:02:44 +02:00			`all_domains = '\' -d \''.join(acme_domains)`
Refactor acme.sh integration 2019-09-22 19:30:39 +02:00			`wo_acme_dns = acmedata['acme_dns']`
Fix keylength 2019-09-30 15:05:07 +02:00			`keylenght = acmedata['keylength']`
Refactor acme.sh integration 2019-09-22 19:30:39 +02:00			`if acmedata['dns'] is True:`
			`acme_mode = "--dns {0}".format(wo_acme_dns)`
			`validation_mode = "DNS mode with {0}".format(wo_acme_dns)`
Add DNS alias mode 2019-09-24 02:36:46 +02:00			`if acmedata['dnsalias'] is True:`
			`acme_mode = acme_mode + \`
			`" --challenge-alias {0}".format(acmedata['acme_alias'])`
Refactor acme.sh integration 2019-09-22 19:30:39 +02:00			`else:`
			`acme_mode = "-w /var/www/html"`
			`validation_mode = "Webroot challenge"`
			`Log.debug(self, "Validation : Webroot mode")`
Several improvements * Run `mysql_upgrade` during MySQL upgrade with `wo stack upgrade` to perform migration if needed * WordOps now check if a repository already exist before trying to adding it again. * install script refactored 2019-10-25 23:58:08 +02:00			`if not os.path.isdir('/var/www/html/.well-known/acme-challenge'):`
			`WOFileUtils.mkdir(`
			`self, '/var/www/html/.well-known/acme-challenge')`
			`WOFileUtils.chown(`
			`self, '/var/www/html/.well-known', 'www-data', 'www-data',`
			`recursive=True)`
			`WOFileUtils.chmod(self, '/var/www/html/.well-known', 0o750,`
			`recursive=True)`
Refactor acme.sh integration 2019-09-22 19:30:39 +02:00
			`Log.info(self, "Validation mode : {0}".format(validation_mode))`
			`Log.wait(self, "Issuing SSL cert with acme.sh")`
Refactor acme validation 2019-09-23 01:16:52 +02:00			`if not WOShellExec.cmd_exec(`
Fix WOAcme 2019-10-01 17:29:29 +02:00			`self, "{0} ".format(WOAcme.wo_acme_exec) +`
Refactor acme.sh integration 2019-09-22 19:30:39 +02:00			`"--issue -d '{0}' {1} -k {2} -f"`
Refactor acme validation 2019-09-23 01:16:52 +02:00			`.format(all_domains, acme_mode, keylenght)):`
Refactor acme.sh integration 2019-09-22 19:30:39 +02:00			`Log.failed(self, "Issuing SSL cert with acme.sh")`
			`if acmedata['dns'] is True:`
Several fixes * don't deploy ssl certificate if acme.sh failed * install script issues * GPG keys error with old EasyEngine Nginx repository 2019-10-18 10:49:06 +02:00			`Log.error(`
Refactor acme.sh integration 2019-09-22 19:30:39 +02:00			`self, "Please make sure your properly "`
			`"set your DNS API credentials for acme.sh")`
Several fixes * don't deploy ssl certificate if acme.sh failed * install script issues * GPG keys error with old EasyEngine Nginx repository 2019-10-18 10:49:06 +02:00			`return False`
Refactor acme.sh integration 2019-09-22 19:30:39 +02:00			`else:`
Improve acme and check dns before issuing cert 2019-09-24 01:59:49 +02:00			`Log.error(`
			`self, "Your domain is properly configured "`
			`"but acme.sh was unable to issue certificate.\n"`
			`"You can find more informations in "`
Several fixes * don't deploy ssl certificate if acme.sh failed * install script issues * GPG keys error with old EasyEngine Nginx repository 2019-10-18 10:49:06 +02:00			`"/var/log/wo/wordops.log")`
			`return False`
Fix acme return true 2019-09-23 01:14:59 +02:00			`else:`
			`Log.valide(self, "Issuing SSL cert with acme.sh")`
			`return True`
Refactor acme.sh integration 2019-09-22 19:30:39 +02:00
			`def deploycert(self, wo_domain_name):`
Improve acme process and error log 2019-10-26 19:28:56 +02:00			`"""Deploy Let's Encrypt certificates with acme.sh"""`
Fix cert deployment 2019-09-23 01:00:58 +02:00			`if not os.path.isfile('/etc/letsencrypt/renewal/{0}_ecc/fullchain.cer'`
Refactor acme.sh integration 2019-09-22 19:30:39 +02:00			`.format(wo_domain_name)):`
			`Log.error(self, 'Certificate not found. Deployment canceled')`

			`Log.debug(self, "Cert deployment for domain: {0}"`
			`.format(wo_domain_name))`

			`try:`
			`Log.wait(self, "Deploying SSL cert")`
			`if WOShellExec.cmd_exec(`
			`self, "mkdir -p {0}/{1} && {2} --install-cert -d {1} --ecc "`
			`"--cert-file {0}/{1}/cert.pem --key-file {0}/{1}/key.pem "`
			`"--fullchain-file {0}/{1}/fullchain.pem "`
			`"--ca-file {0}/{1}/ca.pem --reloadcmd \"nginx -t && "`
			`"service nginx restart\" "`
Refactor acme.sh and WOVariables 2019-10-02 13:13:32 +02:00			`.format(WOVar.wo_ssl_live,`
Fix WOAcme 2019-10-01 17:29:29 +02:00			`wo_domain_name, WOAcme.wo_acme_exec)):`
Refactor acme.sh integration 2019-09-22 19:30:39 +02:00			`Log.valide(self, "Deploying SSL cert")`
			`else:`
			`Log.failed(self, "Deploying SSL cert")`
			`Log.error(self, "Unable to deploy certificate")`

			`if os.path.isdir('/var/www/{0}/conf/nginx'`
			`.format(wo_domain_name)):`

			`sslconf = open("/var/www/{0}/conf/nginx/ssl.conf"`
			`.format(wo_domain_name),`
			`encoding='utf-8', mode='w')`
			`sslconf.write(`
			`"listen 443 ssl http2;\n"`
			`"listen [::]:443 ssl http2;\n"`
			`"ssl_certificate {0}/{1}/fullchain.pem;\n"`
			`"ssl_certificate_key {0}/{1}/key.pem;\n"`
			`"ssl_trusted_certificate {0}/{1}/ca.pem;\n"`
			`"ssl_stapling_verify on;\n"`
Refactor acme.sh and WOVariables 2019-10-02 13:13:32 +02:00			`.format(WOVar.wo_ssl_live, wo_domain_name))`
Refactor acme.sh integration 2019-09-22 19:30:39 +02:00			`sslconf.close()`

			`if not WOFileUtils.grep(self, '/var/www/22222/conf/nginx/ssl.conf',`
			`'/etc/letsencrypt'):`
Fix some errors with pylint 2019-09-30 12:38:28 +02:00			`Log.info(self, "Securing WordOps backend with current cert")`
Refactor acme.sh integration 2019-09-22 19:30:39 +02:00			`sslconf = open("/var/www/22222/conf/nginx/ssl.conf",`
			`encoding='utf-8', mode='w')`
			`sslconf.write("ssl_certificate {0}/{1}/fullchain.pem;\n"`
			`"ssl_certificate_key {0}/{1}/key.pem;\n"`
			`"ssl_trusted_certificate {0}/{1}/ca.pem;\n"`
			`"ssl_stapling_verify on;\n"`
Refactor acme.sh and WOVariables 2019-10-02 13:13:32 +02:00			`.format(WOVar.wo_ssl_live, wo_domain_name))`
Refactor acme.sh integration 2019-09-22 19:30:39 +02:00			`sslconf.close()`

			`WOGit.add(self, ["/etc/letsencrypt"],`
			`msg="Adding letsencrypt folder")`

			`except IOError as e:`
			`Log.debug(self, str(e))`
			`Log.debug(self, "Error occured while generating "`
			`"ssl.conf")`
Simplify several functions 2019-10-01 04:08:54 +02:00			`return 0`
Improve acme and check dns before issuing cert 2019-09-24 01:59:49 +02:00
Refactor `-le=renew` 2019-10-29 18:47:52 +01:00			`def renew(self, domain):`
			`"""Renew letsencrypt certificate with acme.sh"""`
			`try:`
			`WOShellExec.cmd_exec(`
			`self, "{0} ".format(WOAcme.wo_acme_exec) +`
			`"--renew -d {0} --ecc --force".format(domain))`
			`except CommandExecutionError as e:`
			`Log.debug(self, str(e))`
			`Log.error(self, 'Unable to renew certificate')`
			`return True`

Improve acme and check dns before issuing cert 2019-09-24 01:59:49 +02:00			`def check_dns(self, acme_domains):`
			`"""Check if a list of domains point to the server IP"""`
			`server_ip = requests.get('http://v4.wordops.eu/').text`
			`for domain in acme_domains:`
			`domain_ip = requests.get('http://v4.wordops.eu/dns/{0}/'`
			`.format(domain)).text`
			`if(not domain_ip == server_ip):`
			`Log.warn(`
Improve acme process and error log 2019-10-26 19:28:56 +02:00			`self, "{0}".format(domain) +`
			`" point to the IP {0}".format(domain_ip) +`
			`" but your server IP is {0}.".format(server_ip) +`
			`"\nUse the flag --force to bypass this check.")`
Improve acme and check dns before issuing cert 2019-09-24 01:59:49 +02:00			`Log.error(`
Improve acme process and error log 2019-10-26 19:28:56 +02:00			`self, "You have to set the "`
			`"proper DNS record for your domain", False)`
Improve acme and check dns before issuing cert 2019-09-24 01:59:49 +02:00			`return False`
Fix small issues detected by codacy 2019-10-28 09:22:04 +01:00			`Log.debug(self, "DNS record are properly set")`
			`return True`
Improve acme 2019-10-01 15:22:03 +02:00
			`def cert_check(self, wo_domain_name):`
			`"""Check certificate existance with acme.sh and return Boolean"""`
Fix WOAcme 2019-10-01 17:29:29 +02:00			`WOAcme.export_cert(self)`
Improve acme 2019-10-01 15:22:03 +02:00			`# define new csv dialect`
			`csv.register_dialect('acmeconf', delimiter='\|')`
			`# open file`
			`certfile = open('/var/lib/wo/cert.csv', mode='r', encoding='utf-8')`
			`reader = csv.reader(certfile, 'acmeconf')`
			`for row in reader:`
			`# check if domain exist`
Fix acme certificate on domain 2019-11-05 16:11:43 +01:00			`if wo_domain_name == row[0]:`
Improve acme 2019-10-01 15:22:03 +02:00			`# check if cert expiration exist`
			`if not row[3] == '':`
Improve acme process and error log 2019-10-26 19:28:56 +02:00			`return True`
Improve acme 2019-10-01 15:22:03 +02:00			`certfile.close()`
Improve acme process and error log 2019-10-26 19:28:56 +02:00			`return False`
Move removeconf into acme 2019-10-28 10:35:26 +01:00
			`def removeconf(self, domain):`
			`sslconf = ("/var/www/{0}/conf/nginx/ssl.conf"`
			`.format(domain))`
			`sslforce = ("/etc/nginx/conf.d/force-ssl-{0}.conf"`
			`.format(domain))`
Simplify acme 2019-10-28 11:15:53 +01:00			`acmedir = [`
			`'{0}'.format(sslforce), '{0}'.format(sslconf),`
			`'{0}/{1}_ecc'.format(WOVar.wo_ssl_archive, domain),`
			`'{0}.disabled'.format(sslconf), '{0}.disabled'`
			`.format(sslforce), '{0}/{1}'`
			`.format(WOVar.wo_ssl_live, domain),`
			`'/etc/letsencrypt/shared/{0}.conf'.format(domain)]`
Move removeconf into acme 2019-10-28 10:35:26 +01:00			`wo_domain = domain`
			`if WOAcme.cert_check(self, wo_domain):`
			`Log.info(self, "Removing Acme configuration")`
			`Log.debug(self, "Removing Acme configuration")`
			`try:`
			`WOShellExec.cmd_exec(`
			`self, "{0} ".format(WOAcme.wo_acme_exec) +`
			`"--remove -d {0} --ecc".format(domain))`
			`except CommandExecutionError as e:`
			`Log.debug(self, "{0}".format(e))`
			`Log.error(self, "Cert removal failed")`
Simplify acme 2019-10-28 11:15:53 +01:00			`# remove all files and directories`
			`for dir in acmedir:`
			`if os.path.exists('{0}'.format(dir)):`
			`WOFileUtils.rm(self, '{0}'.format(dir))`
Move removeconf into acme 2019-10-28 10:35:26 +01:00			`# find all broken symlinks`
			`WOFileUtils.findBrokenSymlink(self, "/var/www")`
			`else:`
			`if os.path.islink("{0}".format(sslconf)):`
			`WOFileUtils.remove_symlink(self, "{0}".format(sslconf))`
			`WOFileUtils.rm(self, '{0}'.format(sslforce))`

			`if WOFileUtils.grepcheck(self, '/var/www/22222/conf/nginx/ssl.conf',`
			`'{0}'.format(domain)):`
			`Log.info(`
			`self, "Setting back default certificate for WordOps backend")`
			`with open("/var/www/22222/conf/nginx/"`
			`"ssl.conf", "w") as ssl_conf_file:`
			`ssl_conf_file.write("ssl_certificate "`
			`"/var/www/22222/cert/22222.crt;\n"`
			`"ssl_certificate_key "`
			`"/var/www/22222/cert/22222.key;\n")`