diff --git a/OTcerts.py b/OTcerts.py index af789ab..bc4dcfb 100644 --- a/OTcerts.py +++ b/OTcerts.py 
@@ -246,136 +246,156 @@ if __name__ == '__main__': dryrun=config['main'].getboolean('dryrun') service_reload = dict() - ot_conn=connect_db(dict(config['ot_db'])) - dns_conn=connect_db(dict(config['dns_db'])) - if dryrun: print("DRYRUN, nessun certificato verra' richiesto, nessun link/file creato o modificato") - - # Caso speciale per le webmail - if args.webmail: - logging.info('Asking certificates for webmail') - vhost_name = config['webmail']['vhost'].strip() - webmails_list = ["webmail.{}".format(d.strip()) for d in config['webmail']['domains'].split(',') if len(d.strip())>0] - logging.info('vhost {}, domains_list {}'.format(vhost_name, webmails_list)) - if acme_request(config, vhost_name, acme_test='HTTP-01', dryrun=dryrun, domains_list=webmails_list): - link_cert(config, vhost_name, vhost_name, dryrun=dryrun) - service_reload['webmail'] = True - else: - logger.error('Error asking certificate for {}'.format(vhost_name)) - - # Caso speciale per il server POP/IMAP - if args.mbox: - logging.info('Asking certificates for POP/IMAP server') - vhost_name = config['mail']['mbox_vhost'].strip() - server_addresses = [s.strip() for s in config['mail']['mbox_server_addresses'].split(',') if len(s.strip())>0] - mbox_fmt = ','.join(['%s'] * len(server_addresses)) - mbox_query = mbox_list_stmt.format(mbox_fmt) - alias_list = get_alias_list(config, dns_conn, mbox_query, server_addresses) - # Per usi futuri, aggiungo l'alias 'mail.indivia.net' - alias_list.append('mail.indivia.net') - logging.info('vhost {}, domains_list {}'.format(vhost_name, alias_list)) - if acme_request(config, vhost_name, acme_test='HTTP-01', webroot=config['mail']['mbox_webroot'].strip(), - dryrun=dryrun, domains_list=alias_list): - # non e' richiesto il link, punto direttamente le configurazioni alle dir di letsencrypt - # link_cert(config, vhost_name, vhost_name, dryrun=dryrun) - service_reload['mbox'] = True - pass - else: - logger.error('Error asking certificate for {}'.format(vhost_name)) - - # Caso 
speciale per il server SMTP - if args.smtp: - logging.info('Asking certificates for SMTP server') - vhost_name = config['mail']['smtp_vhost'].strip() - server_addresses = [s.strip() for s in config['mail']['smtp_server_addresses'].split(',') if len(s.strip())>0] - smtp_fmt = ','.join(['%s'] * len(server_addresses)) - smtp_query = smtp_list_stmt.format(smtp_fmt) - alias_list = get_alias_list(config, dns_conn, smtp_query, server_addresses) - logging.info('vhost {}, domains_list {}'.format(vhost_name, alias_list)) - if acme_request(config, vhost_name, acme_test='HTTP-01', webroot=config['mail']['smtp_webroot'].strip(), - dryrun=dryrun, domains_list=alias_list): - # non e' richiesto il link, punto direttamente le configurazioni alle dir di letsencrypt - # link_cert(config, vhost_name, vhost_name, dryrun=dryrun) - service_reload['smtp'] = True - pass - else: - logger.error('Error asking certificate for {}'.format(vhost_name)) - - # Caso speciale per l'hosting - if args.hosting: - logging.info('Asking certificates for hosted web domains') - # Subdomains da escludere - ex_subdomains = tuple([s.strip() for s in config['main']['special_subdomains'].split(',') if len(s.strip())>0]) - domains_dict = get_domain_list(config, ot_conn, dns_conn) - - for domain_name, domain_feat in domains_dict.items(): - domain_feat['subdomains']=get_subdomain_list(config, domain_name, ot_conn, ex_subdomains=ex_subdomains) - # Controlla se i nameserver sono gestiti da noi - if domain_feat['managed_ns']: - # Nel caso il nameserver sia gestito, chiedi certificati per il dominio e la wildcard - logger.info('Get certificates for {}, *.{}'.format(domain_name, domain_name)) - if acme_request(config, domain_name, acme_test='DNS-01', dryrun=dryrun): - link_cert(config, domain_name, domain_name, dryrun=dryrun) - # Crea il link per ogni subdomain - for subdomain in domain_feat['subdomains']: - link_cert(config, domain_name, subdomain, dryrun=dryrun) - service_reload['hosting'] = True - - else: - # Nel caso 
i nameserver NON siano gestiti, allora chiedi un certificato per ogni sottodominio - # Crea il link per ogni subdomain - for subdomain in domain_feat['subdomains']: - logger.info('Get certificates for {}'.format(subdomain)) - if acme_request(config, subdomain, acme_test='HTTP-01', dryrun=dryrun): - link_cert(config, subdomain, subdomain, dryrun=dryrun) - service_reload['hosting'] = True - ot_conn.close() - dns_conn.close() - - # Genero il certificato per l'interfaccia di mailman - if args.liste: - logging.info('Asking certificates for liste.indivia.net') - vhost_name = config['mailman']['vhost'].strip() - liste_list = ["liste.{}".format(d.strip()) for d in config['mailman']['domains'].split(',') if len(d.strip())>0] - if acme_request(config, vhost_name, acme_test='HTTP-01', dryrun=dryrun, domains_list=liste_list): - link_cert(config, vhost_name, vhost_name, dryrun=dryrun) - service_reload['liste'] = True - else: - logger.error('Error asking certificate for {}'.format(vhost_name)) - if args.renew: pre_hook_cmd = None post_hook_cmd = None logging.info('Renewing certificates ') - if set(['webmail','hosting','liste']) & set(service_reload.keys()): + if args.webmail or args.hosting or args.liste: post_hook_cmd = "systemctl reload apache2" - elif set(['smtp',]) & set(service_reload.keys()): + elif args.smtp: post_hook_cmd = "systemctl reload postfix" - elif set(['mbox',]) & set(service_reload.keys()): + elif args.mbox: post_hook_cmd = "systemctl restart dovecot" logger.debug("post_hook_cmd: {}".format(post_hook_cmd)) if acme_renew(config, pre_hook_cmd, post_hook_cmd, dryrun=dryrun): logger.info("Done renew") - else: - if set(['webmail','hosting','liste']) & set(service_reload.keys()): + + else: + # Fai le nuove richieste per i certificati + + # Caso speciale per le webmail + if args.webmail: + logging.info('Asking certificates for webmail') + vhost_name = config['webmail']['vhost'].strip() + webmails_list = ["webmail.{}".format(d.strip()) for d in 
config['webmail']['domains'].split(',') if len(d.strip())>0] + logging.info('vhost {}, domains_list {}'.format(vhost_name, webmails_list)) + if acme_request(config, vhost_name, acme_test='HTTP-01', dryrun=dryrun, domains_list=webmails_list): + link_cert(config, vhost_name, vhost_name, dryrun=dryrun) + else: + logger.error('Error asking certificate for {}'.format(vhost_name)) + # reload apache - logger.info("Restarting apache") + logger.info("Reloading apache") # ret = subprocess.run("systemctl reload apache2") ret = os.system("systemctl reload apache2") logger.info(ret) - if set(['smtp',]) & set(service_reload.keys()): - # reload postfix - logger.info("Restarting postfix") - # ret = subprocess.run("systemctl reload postfix") - ret = os.system("systemctl reload postfix") + + # Caso speciale per l'hosting + if args.hosting: + logging.info('Asking certificates for hosted web domains') + ot_conn=connect_db(dict(config['ot_db'])) + dns_conn=connect_db(dict(config['dns_db'])) + # Subdomains da escludere + ex_subdomains = tuple([s.strip() for s in config['main']['special_subdomains'].split(',') if len(s.strip())>0]) + domains_dict = get_domain_list(config, ot_conn, dns_conn) + + for domain_name, domain_feat in domains_dict.items(): + domain_feat['subdomains']=get_subdomain_list(config, domain_name, ot_conn, ex_subdomains=ex_subdomains) + # Controlla se i nameserver sono gestiti da noi + if domain_feat['managed_ns']: + # Nel caso il nameserver sia gestito, chiedi certificati per il dominio e la wildcard + logger.info('Get certificates for {}, *.{}'.format(domain_name, domain_name)) + if acme_request(config, domain_name, acme_test='DNS-01', dryrun=dryrun): + link_cert(config, domain_name, domain_name, dryrun=dryrun) + # Crea il link per ogni subdomain + for subdomain in domain_feat['subdomains']: + link_cert(config, domain_name, subdomain, dryrun=dryrun) + + else: + # Nel caso i nameserver NON siano gestiti, allora chiedi un certificato per ogni sottodominio + # Crea il 
link per ogni subdomain + for subdomain in domain_feat['subdomains']: + logger.info('Get certificates for {}'.format(subdomain)) + if acme_request(config, subdomain, acme_test='HTTP-01', dryrun=dryrun): + link_cert(config, subdomain, subdomain, dryrun=dryrun) + + ot_conn.close() + dns_conn.close() + + # reload apache + logger.info("Reloading apache") + # ret = subprocess.run("systemctl reload apache2") + ret = os.system("systemctl reload apache2") logger.info(ret) - if set(['mbox',]) & set(service_reload.keys()): + + + # Caso speciale per l'interfaccia di mailman + if args.liste: + logging.info('Asking certificates for liste.indivia.net') + vhost_name = config['mailman']['vhost'].strip() + liste_list = ["liste.{}".format(d.strip()) for d in config['mailman']['domains'].split(',') if len(d.strip())>0] + if acme_request(config, vhost_name, acme_test='HTTP-01', dryrun=dryrun, domains_list=liste_list): + link_cert(config, vhost_name, vhost_name, dryrun=dryrun) + else: + logger.error('Error asking certificate for {}'.format(vhost_name)) + + # reload apache + logger.info("Reloading apache") + # ret = subprocess.run("systemctl reload apache2") + ret = os.system("systemctl reload apache2") + logger.info(ret) + + + # Caso speciale per il server POP/IMAP + if args.mbox: + dns_conn=connect_db(dict(config['dns_db'])) + logging.info('Asking certificates for POP/IMAP server') + vhost_name = config['mail']['mbox_vhost'].strip() + server_addresses = [s.strip() for s in config['mail']['mbox_server_addresses'].split(',') if len(s.strip())>0] + mbox_fmt = ','.join(['%s'] * len(server_addresses)) + mbox_query = mbox_list_stmt.format(mbox_fmt) + alias_list = get_alias_list(config, dns_conn, mbox_query, server_addresses) + # Per usi futuri, aggiungo l'alias 'mail.indivia.net' + alias_list.append('mail.indivia.net') + logging.info('vhost {}, domains_list {}'.format(vhost_name, alias_list)) + if acme_request(config, vhost_name, acme_test='HTTP-01', 
webroot=config['mail']['mbox_webroot'].strip(), + dryrun=dryrun, domains_list=alias_list): + # non e' richiesto il link, punto direttamente le configurazioni alle dir di letsencrypt + # link_cert(config, vhost_name, vhost_name, dryrun=dryrun) + service_reload['mbox'] = True + pass + else: + logger.error('Error asking certificate for {}'.format(vhost_name)) + + dns_conn.close() + # restart dovecot logger.info("Restarting dovecot") # ret = subprocess.run("systemctl restart dovecot") ret = os.system("systemctl restart dovecot") logger.info(ret) + + + # Caso speciale per il server SMTP + if args.smtp: + logging.info('Asking certificates for SMTP server') + dns_conn=connect_db(dict(config['dns_db'])) + vhost_name = config['mail']['smtp_vhost'].strip() + server_addresses = [s.strip() for s in config['mail']['smtp_server_addresses'].split(',') if len(s.strip())>0] + smtp_fmt = ','.join(['%s'] * len(server_addresses)) + smtp_query = smtp_list_stmt.format(smtp_fmt) + alias_list = get_alias_list(config, dns_conn, smtp_query, server_addresses) + logging.info('vhost {}, domains_list {}'.format(vhost_name, alias_list)) + if acme_request(config, vhost_name, acme_test='HTTP-01', webroot=config['mail']['smtp_webroot'].strip(), + dryrun=dryrun, domains_list=alias_list): + # non e' richiesto il link, punto direttamente le configurazioni alle dir di letsencrypt + # link_cert(config, vhost_name, vhost_name, dryrun=dryrun) + service_reload['smtp'] = True + pass + else: + logger.error('Error asking certificate for {}'.format(vhost_name)) + + dns_conn.close() + + # reload postfix + logger.info("Restarting postfix") + # ret = subprocess.run("systemctl reload postfix") + ret = os.system("systemctl reload postfix") + logger.info(ret) + +
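Review bot: Each new request branch now reloads its service unconditionally — in the `if args.webmail:` block the `ret = os.system("systemctl reload apache2")` runs after the `else: logger.error(...)` branch too, and the same holds for the hosting, liste, mbox and smtp branches, whereas the old code only reloaded when `service_reload` had been set; `service_reload['mbox'] = True` and `service_reload['smtp'] = True` are now written but never read. The wait status of each reload is only passed to `logger.info(ret)`, so a failed reload (non-zero status) leaves the service serving the old certificate with nothing above info level in the log. I would keep the result of `acme_request` in a local, reload only on success and treat a non-zero status as an error, as sketched below; the `dns_conn`/`ot_conn` handles opened in these branches are likewise closed only on the normal path, so a `try`/`finally` (or `contextlib.closing`) around them would avoid leaking them when a request raises. In the renew path the `if`/`elif` chain on `args.*` still selects a single post hook, so a run with several flags set reloads apache but never postfix or dovecot. The enclosing `if __name__ == '__main__':` block starts before the hunk.
```python
        # Caso speciale per le webmail
        if args.webmail:
            # … unchanged: vhost_name / webmails_list setup and logging …
            requested = acme_request(config, vhost_name, acme_test='HTTP-01', dryrun=dryrun, domains_list=webmails_list)
            if requested:
                link_cert(config, vhost_name, vhost_name, dryrun=dryrun)
                # reload apache only when a certificate was actually obtained
                logger.info("Reloading apache")
                ret = os.system("systemctl reload apache2")
                if ret != 0:
                    logger.error("apache reload failed, status {}".format(ret))
            else:
                logger.error('Error asking certificate for {}'.format(vhost_name))
        # … unchanged: hosting, liste, mbox and smtp branches (same gating applies) …
```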