iNDivia.net/otcerts
6
0
Fork 0
Code Issues 1 Pull requests Releases Wiki Activity

Refactor renew

Browse source
This commit is contained in:
jigen 2020-02-26 01:59:03 +01:00
parent b684ad330a
commit 3c849560ac
1 changed files with 128 additions and 108 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

236
OTcerts.py
View file

@ -246,136 +246,156 @@ if __name__ == '__main__':
dryrun=config['main'].getboolean('dryrun') dryrun=config['main'].getboolean('dryrun')
service_reload = dict() service_reload = dict()
ot_conn=connect_db(dict(config['ot_db']))
dns_conn=connect_db(dict(config['dns_db']))
if dryrun: if dryrun:
print("DRYRUN, nessun certificato verra' richiesto, nessun link/file creato o modificato") print("DRYRUN, nessun certificato verra' richiesto, nessun link/file creato o modificato")
# Caso speciale per le webmail
if args.webmail:
logging.info('Asking certificates for webmail')
vhost_name = config['webmail']['vhost'].strip()
webmails_list = ["webmail.{}".format(d.strip()) for d in config['webmail']['domains'].split(',') if len(d.strip())>0]
logging.info('vhost {}, domains_list {}'.format(vhost_name, webmails_list))
if acme_request(config, vhost_name, acme_test='HTTP-01', dryrun=dryrun, domains_list=webmails_list):
link_cert(config, vhost_name, vhost_name, dryrun=dryrun)
service_reload['webmail'] = True
else:
logger.error('Error asking certificate for {}'.format(vhost_name))
# Caso speciale per il server POP/IMAP
if args.mbox:
logging.info('Asking certificates for POP/IMAP server')
vhost_name = config['mail']['mbox_vhost'].strip()
server_addresses = [s.strip() for s in config['mail']['mbox_server_addresses'].split(',') if len(s.strip())>0]
mbox_fmt = ','.join(['%s'] * len(server_addresses))
mbox_query = mbox_list_stmt.format(mbox_fmt)
alias_list = get_alias_list(config, dns_conn, mbox_query, server_addresses)
# Per usi futuri, aggiungo l'alias 'mail.indivia.net'
alias_list.append('mail.indivia.net')
logging.info('vhost {}, domains_list {}'.format(vhost_name, alias_list))
if acme_request(config, vhost_name, acme_test='HTTP-01', webroot=config['mail']['mbox_webroot'].strip(),
dryrun=dryrun, domains_list=alias_list):
# non e' richiesto il link, punto direttamente le configurazioni alle dir di letsencrypt
# link_cert(config, vhost_name, vhost_name, dryrun=dryrun)
service_reload['mbox'] = True
pass
else:
logger.error('Error asking certificate for {}'.format(vhost_name))
# Caso speciale per il server SMTP
if args.smtp:
logging.info('Asking certificates for SMTP server')
vhost_name = config['mail']['smtp_vhost'].strip()
server_addresses = [s.strip() for s in config['mail']['smtp_server_addresses'].split(',') if len(s.strip())>0]
smtp_fmt = ','.join(['%s'] * len(server_addresses))
smtp_query = smtp_list_stmt.format(smtp_fmt)
alias_list = get_alias_list(config, dns_conn, smtp_query, server_addresses)
logging.info('vhost {}, domains_list {}'.format(vhost_name, alias_list))
if acme_request(config, vhost_name, acme_test='HTTP-01', webroot=config['mail']['smtp_webroot'].strip(),
dryrun=dryrun, domains_list=alias_list):
# non e' richiesto il link, punto direttamente le configurazioni alle dir di letsencrypt
# link_cert(config, vhost_name, vhost_name, dryrun=dryrun)
service_reload['smtp'] = True
pass
else:
logger.error('Error asking certificate for {}'.format(vhost_name))
# Caso speciale per l'hosting
if args.hosting:
logging.info('Asking certificates for hosted web domains')
# Subdomains da escludere
ex_subdomains = tuple([s.strip() for s in config['main']['special_subdomains'].split(',') if len(s.strip())>0])
domains_dict = get_domain_list(config, ot_conn, dns_conn)
for domain_name, domain_feat in domains_dict.items():
domain_feat['subdomains']=get_subdomain_list(config, domain_name, ot_conn, ex_subdomains=ex_subdomains)
# Controlla se i nameserver sono gestiti da noi
if domain_feat['managed_ns']:
# Nel caso il nameserver sia gestito, chiedi certificati per il dominio e la wildcard
logger.info('Get certificates for {}, *.{}'.format(domain_name, domain_name))
if acme_request(config, domain_name, acme_test='DNS-01', dryrun=dryrun):
link_cert(config, domain_name, domain_name, dryrun=dryrun)
# Crea il link per ogni subdomain
for subdomain in domain_feat['subdomains']:
link_cert(config, domain_name, subdomain, dryrun=dryrun)
service_reload['hosting'] = True
else:
# Nel caso i nameserver NON siano gestiti, allora chiedi un certificato per ogni sottodominio
# Crea il link per ogni subdomain
for subdomain in domain_feat['subdomains']:
logger.info('Get certificates for {}'.format(subdomain))
if acme_request(config, subdomain, acme_test='HTTP-01', dryrun=dryrun):
link_cert(config, subdomain, subdomain, dryrun=dryrun)
service_reload['hosting'] = True
ot_conn.close()
dns_conn.close()
# Genero il certificato per l'interfaccia di mailman
if args.liste:
logging.info('Asking certificates for liste.indivia.net')
vhost_name = config['mailman']['vhost'].strip()
liste_list = ["liste.{}".format(d.strip()) for d in config['mailman']['domains'].split(',') if len(d.strip())>0]
if acme_request(config, vhost_name, acme_test='HTTP-01', dryrun=dryrun, domains_list=liste_list):
link_cert(config, vhost_name, vhost_name, dryrun=dryrun)
service_reload['liste'] = True
else:
logger.error('Error asking certificate for {}'.format(vhost_name))
if args.renew: if args.renew:
pre_hook_cmd = None pre_hook_cmd = None
post_hook_cmd = None post_hook_cmd = None
logging.info('Renewing certificates ') logging.info('Renewing certificates ')
if set(['webmail','hosting','liste']) & set(service_reload.keys()): if args.webmail or args.hosting or args.liste:
post_hook_cmd = "systemctl reload apache2" post_hook_cmd = "systemctl reload apache2"
elif set(['smtp',]) & set(service_reload.keys()): elif args.smtp:
post_hook_cmd = "systemctl reload postfix" post_hook_cmd = "systemctl reload postfix"
elif set(['mbox',]) & set(service_reload.keys()): elif args.mbox:
post_hook_cmd = "systemctl restart dovecot" post_hook_cmd = "systemctl restart dovecot"
logger.debug("post_hook_cmd: {}".format(post_hook_cmd)) logger.debug("post_hook_cmd: {}".format(post_hook_cmd))
if acme_renew(config, pre_hook_cmd, post_hook_cmd, dryrun=dryrun): if acme_renew(config, pre_hook_cmd, post_hook_cmd, dryrun=dryrun):
logger.info("Done renew") logger.info("Done renew")
else:
if set(['webmail','hosting','liste']) & set(service_reload.keys()): else:
# Fai le nuove richieste per i certificati
# Caso speciale per le webmail
if args.webmail:
logging.info('Asking certificates for webmail')
vhost_name = config['webmail']['vhost'].strip()
webmails_list = ["webmail.{}".format(d.strip()) for d in config['webmail']['domains'].split(',') if len(d.strip())>0]
logging.info('vhost {}, domains_list {}'.format(vhost_name, webmails_list))
if acme_request(config, vhost_name, acme_test='HTTP-01', dryrun=dryrun, domains_list=webmails_list):
link_cert(config, vhost_name, vhost_name, dryrun=dryrun)
else:
logger.error('Error asking certificate for {}'.format(vhost_name))
# reload apache # reload apache
logger.info("Restarting apache") logger.info("Reloading apache")
# ret = subprocess.run("systemctl reload apache2") # ret = subprocess.run("systemctl reload apache2")
ret = os.system("systemctl reload apache2") ret = os.system("systemctl reload apache2")
logger.info(ret) logger.info(ret)
if set(['smtp',]) & set(service_reload.keys()):
# reload postfix # Caso speciale per l'hosting
logger.info("Restarting postfix") if args.hosting:
# ret = subprocess.run("systemctl reload postfix") logging.info('Asking certificates for hosted web domains')
ret = os.system("systemctl reload postfix") ot_conn=connect_db(dict(config['ot_db']))
dns_conn=connect_db(dict(config['dns_db']))
# Subdomains da escludere
ex_subdomains = tuple([s.strip() for s in config['main']['special_subdomains'].split(',') if len(s.strip())>0])
domains_dict = get_domain_list(config, ot_conn, dns_conn)
for domain_name, domain_feat in domains_dict.items():
domain_feat['subdomains']=get_subdomain_list(config, domain_name, ot_conn, ex_subdomains=ex_subdomains)
# Controlla se i nameserver sono gestiti da noi
if domain_feat['managed_ns']:
# Nel caso il nameserver sia gestito, chiedi certificati per il dominio e la wildcard
logger.info('Get certificates for {}, *.{}'.format(domain_name, domain_name))
if acme_request(config, domain_name, acme_test='DNS-01', dryrun=dryrun):
link_cert(config, domain_name, domain_name, dryrun=dryrun)
# Crea il link per ogni subdomain
for subdomain in domain_feat['subdomains']:
link_cert(config, domain_name, subdomain, dryrun=dryrun)
else:
# Nel caso i nameserver NON siano gestiti, allora chiedi un certificato per ogni sottodominio
# Crea il link per ogni subdomain
for subdomain in domain_feat['subdomains']:
logger.info('Get certificates for {}'.format(subdomain))
if acme_request(config, subdomain, acme_test='HTTP-01', dryrun=dryrun):
link_cert(config, subdomain, subdomain, dryrun=dryrun)
ot_conn.close()
dns_conn.close()
# reload apache
logger.info("Reloading apache")
# ret = subprocess.run("systemctl reload apache2")
ret = os.system("systemctl reload apache2")
logger.info(ret) logger.info(ret)
if set(['mbox',]) & set(service_reload.keys()):
# Caso speciale per l'interfaccia di mailman
if args.liste:
logging.info('Asking certificates for liste.indivia.net')
vhost_name = config['mailman']['vhost'].strip()
liste_list = ["liste.{}".format(d.strip()) for d in config['mailman']['domains'].split(',') if len(d.strip())>0]
if acme_request(config, vhost_name, acme_test='HTTP-01', dryrun=dryrun, domains_list=liste_list):
link_cert(config, vhost_name, vhost_name, dryrun=dryrun)
else:
logger.error('Error asking certificate for {}'.format(vhost_name))
# reload apache
logger.info("Reloading apache")
# ret = subprocess.run("systemctl reload apache2")
ret = os.system("systemctl reload apache2")
logger.info(ret)
# Caso speciale per il server POP/IMAP
if args.mbox:
dns_conn=connect_db(dict(config['dns_db']))
logging.info('Asking certificates for POP/IMAP server')
vhost_name = config['mail']['mbox_vhost'].strip()
server_addresses = [s.strip() for s in config['mail']['mbox_server_addresses'].split(',') if len(s.strip())>0]
mbox_fmt = ','.join(['%s'] * len(server_addresses))
mbox_query = mbox_list_stmt.format(mbox_fmt)
alias_list = get_alias_list(config, dns_conn, mbox_query, server_addresses)
# Per usi futuri, aggiungo l'alias 'mail.indivia.net'
alias_list.append('mail.indivia.net')
logging.info('vhost {}, domains_list {}'.format(vhost_name, alias_list))
if acme_request(config, vhost_name, acme_test='HTTP-01', webroot=config['mail']['mbox_webroot'].strip(),
dryrun=dryrun, domains_list=alias_list):
# non e' richiesto il link, punto direttamente le configurazioni alle dir di letsencrypt
# link_cert(config, vhost_name, vhost_name, dryrun=dryrun)
service_reload['mbox'] = True
pass
else:
logger.error('Error asking certificate for {}'.format(vhost_name))
dns_conn.close()
# restart dovecot # restart dovecot
logger.info("Restarting dovecot") logger.info("Restarting dovecot")
# ret = subprocess.run("systemctl restart dovecot") # ret = subprocess.run("systemctl restart dovecot")
ret = os.system("systemctl restart dovecot") ret = os.system("systemctl restart dovecot")
logger.info(ret) logger.info(ret)
# Caso speciale per il server SMTP
if args.smtp:
logging.info('Asking certificates for SMTP server')
dns_conn=connect_db(dict(config['dns_db']))
vhost_name = config['mail']['smtp_vhost'].strip()
server_addresses = [s.strip() for s in config['mail']['smtp_server_addresses'].split(',') if len(s.strip())>0]
smtp_fmt = ','.join(['%s'] * len(server_addresses))
smtp_query = smtp_list_stmt.format(smtp_fmt)
alias_list = get_alias_list(config, dns_conn, smtp_query, server_addresses)
logging.info('vhost {}, domains_list {}'.format(vhost_name, alias_list))
if acme_request(config, vhost_name, acme_test='HTTP-01', webroot=config['mail']['smtp_webroot'].strip(),
dryrun=dryrun, domains_list=alias_list):
# non e' richiesto il link, punto direttamente le configurazioni alle dir di letsencrypt
# link_cert(config, vhost_name, vhost_name, dryrun=dryrun)
service_reload['smtp'] = True
pass
else:
logger.error('Error asking certificate for {}'.format(vhost_name))
dns_conn.close()
# reload postfix
logger.info("Restarting postfix")
# ret = subprocess.run("systemctl reload postfix")
ret = os.system("systemctl reload postfix")
logger.info(ret)