Refactor acme.sh integration
This commit is contained in:
VirtuBox
@@ -20,6 +20,7 @@ from wo.core.services import WOService
|
||||
from wo.core.shellexec import CommandExecutionError, WOShellExec
|
||||
from wo.core.sslutils import SSL
|
||||
from wo.core.variables import WOVariables
|
||||
from wo.core.acme import WOAcme
|
||||
|
||||
|
||||
class SiteError(Exception):
|
||||
@@ -1348,129 +1349,6 @@ def doCleanupAction(self, domain='', webroot='', dbname='', dbuser='',
|
||||
|
||||
# setup letsencrypt for domain + www.domain
|
||||
|
||||
|
||||
def setupLetsEncrypt(self, wo_domain_name, subdomain=False, wildcard=False,
|
||||
wo_dns=False, wo_acme_dns='dns_cf'):
|
||||
|
||||
if os.path.isfile("/etc/letsencrypt/"
|
||||
"renewal/{0}_ecc/"
|
||||
"fullchain.cer".format(wo_domain_name)):
|
||||
Log.debug(self, "Let's Encrypt certificate "
|
||||
"found for the domain: {0}"
|
||||
.format(wo_domain_name))
|
||||
ssl = archivedCertificateHandle(self, wo_domain_name)
|
||||
else:
|
||||
keylenght = "{0}".format(self.app.config.get('letsencrypt',
|
||||
'keylength'))
|
||||
wo_acme_exec = ("/etc/letsencrypt/acme.sh --config-home "
|
||||
"'/etc/letsencrypt/config'")
|
||||
if wo_dns:
|
||||
acme_mode = "--dns {0}".format(wo_acme_dns)
|
||||
validation_mode = "DNS with {0}".format(wo_acme_dns)
|
||||
Log.debug(
|
||||
self, "Validation : DNS mode with {0}".format(wo_acme_dns))
|
||||
else:
|
||||
acme_mode = "-w /var/www/html"
|
||||
validation_mode = "Webroot challenge"
|
||||
Log.debug(self, "Validation : Webroot mode")
|
||||
if subdomain:
|
||||
Log.info(self, "Certificate type: Subdomain")
|
||||
Log.info(self, "Validation mode : {0}".format(validation_mode))
|
||||
Log.wait(self, "Issuing SSL cert with acme.sh")
|
||||
ssl = WOShellExec.cmd_exec(self, "{0} ".format(wo_acme_exec) +
|
||||
"--issue "
|
||||
"-d {0} {1} "
|
||||
"-k {2} -f"
|
||||
.format(wo_domain_name,
|
||||
acme_mode,
|
||||
keylenght))
|
||||
elif wildcard:
|
||||
Log.info(self, "Certificate type: Wildcard")
|
||||
Log.info(self, "Validation mode : {0}".format(validation_mode))
|
||||
Log.wait(self, "Issuing SSL cert with acme.sh")
|
||||
ssl = WOShellExec.cmd_exec(self, "{0} ".format(wo_acme_exec) +
|
||||
"--issue "
|
||||
"-d {0} -d '*.{0}' --dns {1} "
|
||||
"-k {2} -f"
|
||||
.format(wo_domain_name,
|
||||
wo_acme_dns,
|
||||
keylenght))
|
||||
else:
|
||||
Log.info(self, "Certificate type: Domain + www")
|
||||
Log.info(self, "Validation mode : {0}".format(validation_mode))
|
||||
Log.wait(self, "Issuing SSL cert with acme.sh")
|
||||
ssl = WOShellExec.cmd_exec(self, "{0} ".format(wo_acme_exec) +
|
||||
"--issue "
|
||||
"-d {0} -d www.{0} {1} "
|
||||
"-k {2} -f"
|
||||
.format(wo_domain_name,
|
||||
acme_mode, keylenght))
|
||||
if ssl:
|
||||
Log.valide(self, "Issuing SSL cert with acme.sh")
|
||||
Log.wait(self, "Deploying SSL cert")
|
||||
Log.debug(self, "Cert deployment for domain: {0}"
|
||||
.format(wo_domain_name))
|
||||
try:
|
||||
|
||||
WOShellExec.cmd_exec(self, "mkdir -p {0}/{1} && "
|
||||
"/etc/letsencrypt/acme.sh "
|
||||
"--config-home "
|
||||
"'/etc/letsencrypt/config' "
|
||||
"--install-cert -d {1} --ecc "
|
||||
"--cert-file {0}/{1}/cert.pem "
|
||||
"--key-file {0}/{1}/key.pem "
|
||||
"--fullchain-file "
|
||||
"{0}/{1}/fullchain.pem "
|
||||
"--ca-file {0}/{1}/ca.pem "
|
||||
"--reloadcmd "
|
||||
"\"nginx -t && "
|
||||
"service nginx restart\" "
|
||||
.format(WOVariables.wo_ssl_live,
|
||||
wo_domain_name))
|
||||
Log.valide(self, "Deploying SSL cert")
|
||||
if os.path.isdir('/var/www/{0}/conf/nginx'
|
||||
.format(wo_domain_name)):
|
||||
|
||||
sslconf = open("/var/www/{0}/conf/nginx/ssl.conf"
|
||||
.format(wo_domain_name),
|
||||
encoding='utf-8', mode='w')
|
||||
sslconf.write(
|
||||
"listen 443 ssl http2;\n"
|
||||
"listen [::]:443 ssl http2;\n"
|
||||
"ssl_certificate {0}/{1}/fullchain.pem;\n"
|
||||
"ssl_certificate_key {0}/{1}/key.pem;\n"
|
||||
"ssl_trusted_certificate {0}/{1}/ca.pem;\n"
|
||||
"ssl_stapling_verify on;\n"
|
||||
.format(WOVariables.wo_ssl_live, wo_domain_name))
|
||||
sslconf.close()
|
||||
# updateSiteInfo(self, wo_domain_name, ssl=True)
|
||||
if not WOFileUtils.grep(self, '/var/www/22222/conf/nginx/ssl.conf',
|
||||
'/etc/letsencrypt'):
|
||||
Log.info(self, "Securing WordOps backend with {0} certificate"
|
||||
.format(wo_domain_name))
|
||||
sslconf = open("/var/www/22222/conf/nginx/ssl.conf",
|
||||
encoding='utf-8', mode='w')
|
||||
sslconf.write("ssl_certificate {0}/{1}/fullchain.pem;\n"
|
||||
"ssl_certificate_key {0}/{1}/key.pem;\n"
|
||||
"ssl_trusted_certificate {0}/{1}/ca.pem;\n"
|
||||
"ssl_stapling_verify on;\n"
|
||||
.format(WOVariables.wo_ssl_live, wo_domain_name))
|
||||
sslconf.close()
|
||||
|
||||
WOGit.add(self, ["/etc/letsencrypt"],
|
||||
msg="Adding letsencrypt folder")
|
||||
|
||||
except IOError as e:
|
||||
Log.debug(self, str(e))
|
||||
Log.debug(self, "Error occured while generating "
|
||||
"ssl.conf")
|
||||
else:
|
||||
Log.error(self, "Unable to install certificate", False)
|
||||
Log.error(self, "Please make sure that your site is pointed to \n"
|
||||
"same server on which "
|
||||
"you are running Let\'s Encrypt Client "
|
||||
"\n to allow it to verify the site automatically.")
|
||||
|
||||
# copy wildcard certificate to a subdomain
|
||||
|
||||
|
||||
@@ -1616,14 +1494,16 @@ def httpsRedirect(self, wo_domain_name, redirect=True, wildcard=False):
|
||||
|
||||
|
||||
def archivedCertificateHandle(self, domain):
|
||||
Log.warn(self, "You already have an existing certificate "
|
||||
"for the domain requested.\n"
|
||||
"(ref: {0}/"
|
||||
"{1}_ecc/{1}.conf)".format(WOVariables.wo_ssl_archive, domain) +
|
||||
"\nPlease select an option from below?"
|
||||
"\n\t1: Reinstall existing certificate"
|
||||
"\n\t2: Renew & replace the certificate (limit ~5 per 7 days)"
|
||||
"")
|
||||
Log.warn(
|
||||
self, "You already have an existing certificate "
|
||||
"for the domain requested.\n"
|
||||
"(ref: {0}/"
|
||||
"{1}_ecc/{1}.conf)".format(WOVariables.wo_ssl_archive, domain) +
|
||||
"\nPlease select an option from below?"
|
||||
"\n\t1: Reinstall existing certificate"
|
||||
"\n\t2: Issue a new certificate to replace "
|
||||
"the current one (limit ~5 per 7 days)"
|
||||
"")
|
||||
check_prompt = input(
|
||||
"\nType the appropriate number [1-2] or any other key to cancel: ")
|
||||
if not os.path.isfile("{0}/{1}/fullchain.pem"
|
||||
@@ -1634,20 +1514,7 @@ def archivedCertificateHandle(self, domain):
|
||||
|
||||
if check_prompt == "1":
|
||||
Log.info(self, "Reinstalling SSL cert with acme.sh")
|
||||
ssl = WOShellExec.cmd_exec(self, "mkdir -p {0}/{1} && "
|
||||
"/etc/letsencrypt/acme.sh "
|
||||
"--config-home "
|
||||
"'/etc/letsencrypt/config' "
|
||||
"--install-cert -d {1} --ecc "
|
||||
"--cert-file {0}/{1}/cert.pem "
|
||||
"--key-file {0}/{1}/key.pem "
|
||||
"--fullchain-file "
|
||||
"{0}/{1}/fullchain.pem "
|
||||
"--ca-file {0}/{1}/ca.pem "
|
||||
"--reloadcmd "
|
||||
"\"nginx -t && service nginx restart\" "
|
||||
.format(WOVariables.wo_ssl_live,
|
||||
domain))
|
||||
ssl = WOAcme.deploycert(self, domain)
|
||||
if ssl:
|
||||
|
||||
try:
|
||||
|
||||
Reference in New Issue
Block a user