implementing wildcard SSL certs
This commit is contained in:
VirtuBox
@@ -333,6 +333,11 @@ class WOSiteCreateController(CementBaseController):
|
||||
action='store' or 'store_const',
|
||||
choices=('on', 'subdomain', 'wildcard'),
|
||||
const='on', nargs='?')),
|
||||
(['--dns'],
|
||||
dict(help="choose dns provider api for letsencrypt",
|
||||
action='store' or 'store_const',
|
||||
choices=('cf', 'do'),
|
||||
const='cf', nargs='?')),
|
||||
(['--hsts'],
|
||||
dict(help="enable HSTS for site secured with letsencrypt",
|
||||
action='store_true')),
|
||||
@@ -726,43 +731,18 @@ class WOSiteCreateController(CementBaseController):
|
||||
Log.error(self, "Check the log for details: "
|
||||
"`tail /var/log/wo/wordops.log` and please try again")
|
||||
|
||||
if self.app.pargs.letsencrypt == "on":
|
||||
if self.app.pargs.letsencrypt:
|
||||
data['letsencrypt'] = True
|
||||
letsencrypt = True
|
||||
|
||||
if data['letsencrypt'] is True:
|
||||
setupLetsEncrypt(self, wo_domain)
|
||||
if self.app.pargs.letsencrypt == "on":
|
||||
setupLetsEncrypt(self, wo_domain)
|
||||
elif self.app.pargs.letsencrypt == "subodmain":
|
||||
setupLetsEncryptSubdomain(self, wo_domain)
|
||||
elif self.app.pargs.letsencrypt == "wildcard":
|
||||
setupLetsEncryptWildcard(self, wo_domain)
|
||||
|
||||
httpsRedirect(self, wo_domain)
|
||||
|
||||
if self.app.pargs.hsts:
|
||||
setupHsts(self, wo_domain)
|
||||
|
||||
if not WOService.reload_service(self, 'nginx'):
|
||||
Log.error(self, "service nginx reload failed. "
|
||||
"check issues with `nginx -t` command")
|
||||
|
||||
Log.info(self, "Congratulations! Successfully Configured "
|
||||
"SSl for Site "
|
||||
" https://{0}".format(wo_domain))
|
||||
|
||||
# Add nginx conf folder into GIT
|
||||
WOGit.add(self, ["{0}/conf/nginx".format(wo_site_webroot)],
|
||||
msg="Adding letsencrypts config of site: {0}"
|
||||
.format(wo_domain))
|
||||
updateSiteInfo(self, wo_domain, ssl=letsencrypt)
|
||||
|
||||
elif data['letsencrypt'] is False:
|
||||
Log.info(self, "Not using Let\'s encrypt for Site "
|
||||
" http://{0}".format(wo_domain))
|
||||
|
||||
if self.app.pargs.letsencrypt == "subdomain":
|
||||
data['letsencrypt'] = True
|
||||
letsencrypt = True
|
||||
|
||||
if data['letsencrypt'] is True:
|
||||
setupLetsEncryptSubdomain(self, wo_domain)
|
||||
httpsRedirect(self, wo_domain)
|
||||
|
||||
if self.app.pargs.hsts:
|
||||
setupHsts(self, wo_domain)
|
||||
|
||||
|
||||
@@ -1433,6 +1433,92 @@ def setupLetsEncryptSubdomain(self, wo_domain_name):
|
||||
"you are running Let\'s Encrypt Client "
|
||||
"\n to allow it to verify the site automatically.")
|
||||
|
||||
# setup letsencrypt for domain + www.domain
|
||||
|
||||
|
||||
def setupLetsEncryptWildcard(self, wo_domain_name):
|
||||
|
||||
if os.path.isfile("/etc/letsencrypt/renewal/{0}_ecc/{0}.conf"
|
||||
.format(wo_domain_name)):
|
||||
if os.path.isfile("/etc/letsencrypt/"
|
||||
"renewal/{0}_ecc/"
|
||||
"fullchain.cer".format(wo_domain_name)):
|
||||
Log.debug(self, "Let's Encrypt certificate "
|
||||
"found for the domain: {0}"
|
||||
.format(wo_domain_name))
|
||||
ssl = archivedCertificateHandle(self, wo_domain_name)
|
||||
else:
|
||||
Log.info(self, "Issuing SSL cert with acme.sh")
|
||||
ssl = WOShellExec.cmd_exec(self, "/etc/letsencrypt/acme.sh "
|
||||
"--config-home "
|
||||
"'/etc/letsencrypt/config' "
|
||||
"--issue "
|
||||
"-d {0} -d *.{0} --dns dns_cf "
|
||||
"-k ec-384 -f"
|
||||
.format(wo_domain_name))
|
||||
else:
|
||||
Log.info(self, "Issuing SSL cert with acme.sh")
|
||||
ssl = WOShellExec.cmd_exec(self, "/etc/letsencrypt/acme.sh "
|
||||
"--config-home "
|
||||
"'/etc/letsencrypt/config' "
|
||||
"--issue "
|
||||
"-d {0} -d *.{0} --dns dns_cf "
|
||||
"-k ec-384 -f"
|
||||
.format(wo_domain_name))
|
||||
|
||||
if ssl:
|
||||
|
||||
try:
|
||||
Log.info(self, "Deploying SSL cert with acme.sh")
|
||||
Log.debug(self, "Cert deployment for domain: {0}"
|
||||
.format(wo_domain_name))
|
||||
sslsetup = WOShellExec.cmd_exec(self, "mkdir -p {0}/{1} && "
|
||||
"/etc/letsencrypt/acme.sh "
|
||||
"--config-home "
|
||||
"'/etc/letsencrypt/config' "
|
||||
"--install-cert -d {1} --ecc "
|
||||
"--cert-file {0}/{1}/cert.pem "
|
||||
"--key-file {0}/{1}/key.pem "
|
||||
"--fullchain-file "
|
||||
"{0}/{1}/fullchain.pem "
|
||||
"--ca-file {0}/{1}/ca.pem "
|
||||
"--reloadcmd "
|
||||
"\"nginx -t && "
|
||||
"service nginx restart\" "
|
||||
.format(WOVariables.wo_ssl_live,
|
||||
wo_domain_name))
|
||||
Log.info(
|
||||
self, "Adding /var/www/{0}/conf/nginx/ssl.conf"
|
||||
.format(wo_domain_name))
|
||||
|
||||
sslconf = open("/var/www/{0}/conf/nginx/ssl.conf"
|
||||
.format(wo_domain_name),
|
||||
encoding='utf-8', mode='w')
|
||||
sslconf.write("listen 443 ssl http2;\n"
|
||||
"listen [::]:443 ssl http2;\n"
|
||||
"ssl_certificate {0}/{1}/fullchain.pem;\n"
|
||||
"ssl_certificate_key {0}/{1}/key.pem;\n"
|
||||
"ssl_trusted_certificate {0}/{1}/ca.pem;\n"
|
||||
"ssl_stapling_verify on;\n"
|
||||
.format(WOVariables.wo_ssl_live, wo_domain_name))
|
||||
sslconf.close()
|
||||
updateSiteInfo(self, wo_domain_name, ssl=True)
|
||||
|
||||
WOGit.add(self, ["/etc/letsencrypt"],
|
||||
msg="Adding letsencrypt folder")
|
||||
|
||||
except IOError as e:
|
||||
Log.debug(self, str(e))
|
||||
Log.debug(self, "Error occured while generating "
|
||||
"ssl.conf")
|
||||
else:
|
||||
Log.error(self, "Unable to install certificate", False)
|
||||
Log.error(self, "Please make sure that your site is pointed to \n"
|
||||
"same server on which "
|
||||
"you are running Let\'s Encrypt Client "
|
||||
"\n to allow it to verify the site automatically.")
|
||||
|
||||
|
||||
# letsencrypt cert renewal
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user