From 819557fa5315cac96509efab202f57009ea357e7 Mon Sep 17 00:00:00 2001
From: VirtuBox
Date: Sat, 13 Jul 2019 19:56:01 +0200
Subject: [PATCH] implementing wildcard SSL certs

---
 wo/cli/plugins/site.py | 46 +++++------------
 wo/cli/plugins/site_functions.py | 86 ++++++++++++++++++++++++++++++++
 2 files changed, 99 insertions(+), 33 deletions(-)

diff --git a/wo/cli/plugins/site.py b/wo/cli/plugins/site.py
index 7f1597c..54818c6 100644
--- a/wo/cli/plugins/site.py
+++ b/wo/cli/plugins/site.py
@@ -333,6 +333,11 @@ class WOSiteCreateController(CementBaseController):
 action='store' or 'store_const',
 choices=('on', 'subdomain', 'wildcard'),
 const='on', nargs='?')),
+ (['--dns'],
+ dict(help="choose dns provider api for letsencrypt",
+ action='store' or 'store_const',
+ choices=('cf', 'do'),
+ const='cf', nargs='?')),
 (['--hsts'],
 dict(help="enable HSTS for site secured with letsencrypt",
 action='store_true')),
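Review bot: The new `--dns` option is parsed but nothing in this patch reads `self.app.pargs.dns` — the `setupLetsEncryptWildcard` added in site_functions.py hard-codes `--dns dns_cf`, so `--letsencrypt=wildcard --dns=do` still issues through the Cloudflare hook and can only fail for a zone hosted elsewhere. The chosen provider should be threaded through, e.g. `setupLetsEncryptWildcard(self, wo_domain, self.app.pargs.dns)` in the create controller, with the acme.sh hook name derived from it there. Separately, `action='store' or 'store_const'` is copied from the `--letsencrypt` option above it and simply evaluates to `'store'`; plain `action='store'` says the same thing without the misleading `or`.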
@@ -726,43 +731,18 @@ class WOSiteCreateController(CementBaseController):
 Log.error(self, "Check the log for details: " "`tail /var/log/wo/wordops.log` and please try again")
- if self.app.pargs.letsencrypt == "on":
+ if self.app.pargs.letsencrypt:
 data['letsencrypt'] = True
 letsencrypt = True
- if data['letsencrypt'] is True:
- setupLetsEncrypt(self, wo_domain)
+ if self.app.pargs.letsencrypt == "on":
+ setupLetsEncrypt(self, wo_domain)
+ elif self.app.pargs.letsencrypt == "subodmain":
+ setupLetsEncryptSubdomain(self, wo_domain)
+ elif self.app.pargs.letsencrypt == "wildcard":
+ setupLetsEncryptWildcard(self, wo_domain)
+ httpsRedirect(self, wo_domain)
-
- if self.app.pargs.hsts:
- setupHsts(self, wo_domain)
-
- if not WOService.reload_service(self, 'nginx'):
- Log.error(self, "service nginx reload failed. "
- "check issues with `nginx -t` command")
-
- Log.info(self, "Congratulations! Successfully Configured "
- "SSl for Site "
- " https://{0}".format(wo_domain))
-
- # Add nginx conf folder into GIT
- WOGit.add(self, ["{0}/conf/nginx".format(wo_site_webroot)],
- msg="Adding letsencrypts config of site: {0}"
- .format(wo_domain))
- updateSiteInfo(self, wo_domain, ssl=letsencrypt)
-
- elif data['letsencrypt'] is False:
- Log.info(self, "Not using Let\'s encrypt for Site "
- " http://{0}".format(wo_domain))
-
- if self.app.pargs.letsencrypt == "subdomain":
- data['letsencrypt'] = True
- letsencrypt = True
-
- if data['letsencrypt'] is True:
- setupLetsEncryptSubdomain(self, wo_domain)
- httpsRedirect(self, wo_domain)
-
 if self.app.pargs.hsts:
 setupHsts(self, wo_domain)
diff --git a/wo/cli/plugins/site_functions.py b/wo/cli/plugins/site_functions.py
index 9d35048..73f8a8a 100644
--- a/wo/cli/plugins/site_functions.py
+++ b/wo/cli/plugins/site_functions.py
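Review bot: The second branch compares against `"subodmain"`, a typo for `"subdomain"` (the value the option's `choices` actually admits), so `--letsencrypt=subdomain` now matches none of the three branches: no certificate is issued, yet `data['letsencrypt']` is set and `httpsRedirect` still runs, redirecting the site to an HTTPS endpoint that has no certificate behind it. The fix is `elif self.app.pargs.letsencrypt == "subdomain":`. Because the outer guard now accepts any truthy value, an unrecognised value would silently take the same redirect-only path; a trailing `else: Log.error(self, "Unknown letsencrypt option")` keeps that failure loud, even though argparse's `choices` already protects the CLI path. The enclosing method continues outside the hunk, so the reload/log/git steps that follow are not visible here.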
@@ -1433,6 +1433,92 @@ def setupLetsEncryptSubdomain(self, wo_domain_name):
 "you are running Let\'s Encrypt Client " "\n to allow it to verify the site automatically.")
+# setup letsencrypt for domain + www.domain
+
+
+def setupLetsEncryptWildcard(self, wo_domain_name):
+
+ if os.path.isfile("/etc/letsencrypt/renewal/{0}_ecc/{0}.conf"
+ .format(wo_domain_name)):
+ if os.path.isfile("/etc/letsencrypt/"
+ "renewal/{0}_ecc/"
+ "fullchain.cer".format(wo_domain_name)):
+ Log.debug(self, "Let's Encrypt certificate "
+ "found for the domain: {0}"
+ .format(wo_domain_name))
+ ssl = archivedCertificateHandle(self, wo_domain_name)
+ else:
+ Log.info(self, "Issuing SSL cert with acme.sh")
+ ssl = WOShellExec.cmd_exec(self, "/etc/letsencrypt/acme.sh "
+ "--config-home "
+ "'/etc/letsencrypt/config' "
+ "--issue "
+ "-d {0} -d *.{0} --dns dns_cf "
+ "-k ec-384 -f"
+ .format(wo_domain_name))
+ else:
+ Log.info(self, "Issuing SSL cert with acme.sh")
+ ssl = WOShellExec.cmd_exec(self, "/etc/letsencrypt/acme.sh "
+ "--config-home "
+ "'/etc/letsencrypt/config' "
+ "--issue "
+ "-d {0} -d *.{0} --dns dns_cf "
+ "-k ec-384 -f"
+ .format(wo_domain_name))
+
+ if ssl:
+
+ try:
+ Log.info(self, "Deploying SSL cert with acme.sh")
+ Log.debug(self, "Cert deployment for domain: {0}"
+ .format(wo_domain_name))
+ sslsetup = WOShellExec.cmd_exec(self, "mkdir -p {0}/{1} && "
+ "/etc/letsencrypt/acme.sh "
+ "--config-home "
+ "'/etc/letsencrypt/config' "
+ "--install-cert -d {1} --ecc "
+ "--cert-file {0}/{1}/cert.pem "
+ "--key-file {0}/{1}/key.pem "
+ "--fullchain-file "
+ "{0}/{1}/fullchain.pem "
+ "--ca-file {0}/{1}/ca.pem "
+ "--reloadcmd "
+ "\"nginx -t && "
+ "service nginx restart\" "
+ .format(WOVariables.wo_ssl_live,
+ wo_domain_name))
+ Log.info(
+ self, "Adding /var/www/{0}/conf/nginx/ssl.conf"
+ .format(wo_domain_name))
+
+ sslconf = open("/var/www/{0}/conf/nginx/ssl.conf"
+ .format(wo_domain_name),
+ encoding='utf-8', mode='w')
+ sslconf.write("listen 443 ssl http2;\n"
+ "listen 
[::]:443 ssl http2;\n"
+ "ssl_certificate {0}/{1}/fullchain.pem;\n"
+ "ssl_certificate_key {0}/{1}/key.pem;\n"
+ "ssl_trusted_certificate {0}/{1}/ca.pem;\n"
+ "ssl_stapling_verify on;\n"
+ .format(WOVariables.wo_ssl_live, wo_domain_name))
+ sslconf.close()
+ updateSiteInfo(self, wo_domain_name, ssl=True)
+
+ WOGit.add(self, ["/etc/letsencrypt"],
+ msg="Adding letsencrypt folder")
+
+ except IOError as e:
+ Log.debug(self, str(e))
+ Log.debug(self, "Error occured while generating "
+ "ssl.conf")
+ else:
+ Log.error(self, "Unable to install certificate", False)
+ Log.error(self, "Please make sure that your site is pointed to \n"
+ "same server on which "
+ "you are running Let\'s Encrypt Client "
+ "\n to allow it to verify the site automatically.")
+
+
 # letsencrypt cert renewal
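Review bot: `sslsetup` holds the result of the `--install-cert` command but is never examined, so when deployment fails the function still writes `/var/www/<domain>/conf/nginx/ssl.conf` pointing at `{wo_ssl_live}/<domain>/*.pem` files that may not exist and records `updateSiteInfo(..., ssl=True)`; the next `nginx -t` then fails far from the actual cause. Guard it the way `ssl` already is, and open ssl.conf with `with` so the handle is closed even when `write` raises — the rewrite is sketched below. Two smaller points: `*.{0}` in `-d {0} -d *.{0}` is unquoted, and if `WOShellExec.cmd_exec` hands the string to a shell it is subject to glob expansion against the current directory, so `-d '*.{0}'` is safer; and the header comment `# setup letsencrypt for domain + www.domain` is copied from the non-wildcard function and should read `# setup letsencrypt wildcard cert for domain + *.domain`. The two `--issue` branches also run an identical command and could share one call, which is also where the `--dns` value raised on the site.py hunk would be substituted.
```python
def setupLetsEncryptWildcard(self, wo_domain_name):
    # … unchanged: archived-certificate lookup and the two --issue calls …
    if ssl:
        try:
            # … unchanged: Log.info / Log.debug and the --install-cert command assigned to sslsetup …
            if not sslsetup:
                Log.error(self, "Unable to deploy certificate", False)
                return
            Log.info(
                self, "Adding /var/www/{0}/conf/nginx/ssl.conf"
                .format(wo_domain_name))
            with open("/var/www/{0}/conf/nginx/ssl.conf"
                      .format(wo_domain_name),
                      encoding='utf-8', mode='w') as sslconf:
                sslconf.write("listen 443 ssl http2;\n"
                              # … unchanged: remaining listen/ssl_* directives …
                              .format(WOVariables.wo_ssl_live, wo_domain_name))
            updateSiteInfo(self, wo_domain_name, ssl=True)
            # … unchanged: WOGit.add and the except/else branches …
```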