iNDivia.net/otcerts
6
0
Fork 0
Code Issues 1 Pull requests Releases Wiki Activity

Cleaned script

Browse source
This commit is contained in:
jigen 2020-02-23 20:00:37 +01:00
parent b9fbafc392
commit 6433bbdd1f
1 changed files with 23 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

51
OTcerts.py
View file

@ -11,9 +11,9 @@ import mysql.connector
# Query for IMAP/POP3 certificate
mbox_list_stmt = "SELECT DISTINCT(name) FROM records WHERE content in ({}) and (name LIKE 'imap.%' or name LIKE 'pop3.%' or name LIKE 'mail.%')"
# Query for SMTP certificate
# Query for SMTP certificate
smtp_list_stmt = "SELECT DISTINCT(name) FROM records WHERE content in ({}) and (name LIKE 'smtp.%' or name LIKE 'mail.%')"
# Get list of defined domains in vhosts configuration database
domains_list_stmt = """SELECT DISTINCT(SUBSTRING_INDEX(urls.dns_name, '.', -2)) AS domain_names
@ -30,8 +30,6 @@ subdomains_list_stmt = "SELECT DISTINCT(urls.dns_name) AS domain_names "\
"ON (urls.url_id = hosts_urls.url_id and urls.url_id = vhosts.url_id and vhosts.vhost_id = vhosts_features.vhost_id) "\
"WHERE (hosts_urls.http = 'Y' and hosts.hostname = %(webserver)s and "\
"urls.dns_name LIKE %(domain)s)"
default_conf_file="./etc/ot_certs.ini"
logging.basicConfig(level=logging.INFO)
@ -42,7 +40,7 @@ def init_prog(argv):
"""
Parse command line args and config file
"""
parser = argparse.ArgumentParser(
description="Manage LetsEncrypt certificates")
parser.add_argument("-c", "--config", type=open,
@ -91,7 +89,7 @@ def get_subdomain_list(config, domain, ot_conn, ex_subdomains=tuple()):
"""
Return a Python list containing subdomain of domain paramer
eg: ['app.arkiwi.org']
"""
"""
result_dict=dict()
@ -102,11 +100,8 @@ def get_subdomain_list(config, domain, ot_conn, ex_subdomains=tuple()):
subdomains_res = ot_cursor.fetchall()
ot_cursor.close()
#if filtered:
subdomains_filtered = [s[0].decode('utf-8') for s in subdomains_res
if not(s[0].decode('utf-8').startswith(ex_subdomains))]
# else:
# subdomains_filtered = [s[0].decode('utf-8') for s in subdomains_res]
return subdomains_filtered
@ -121,7 +116,7 @@ def get_domain_list(config, ot_conn, dns_conn):
ot_cursor=ot_conn.cursor()
ot_cursor.execute(domains_list_stmt, {'webserver':config['main']['webserver'].strip(" '\"")})
dns_cursor=dns_conn.cursor()
for domain_barr, in ot_cursor:
domain_name = domain_barr.decode("utf-8")
@ -137,7 +132,7 @@ def get_domain_list(config, ot_conn, dns_conn):
result_dict.update({domain_name: {'managed_ns':False, 'domain_id':None}})
else:
logger.error('Unexpected result for domain {}'.format(domain_name))
dns_cursor.close()
ot_cursor.close()
return result_dict
@ -148,7 +143,7 @@ def get_alias_list(config, dns_conn, query, aliases):
"""
result_list = list()
dns_cursor=dns_conn.cursor()
try:
dns_cursor.execute(query, aliases)
@ -168,7 +163,7 @@ def acme_request(config, domain_name, acme_test='DNS-01', webroot=None, dryrun=F
args += "--server {} ".format(config['certbot']['server'])
if dryrun:
args += "--dry-run "
args += "--dry-run "
if acme_test == 'DNS-01':
args += " --manual certonly "
args += "--preferred-challenges dns-01 "
@ -176,17 +171,17 @@ def acme_request(config, domain_name, acme_test='DNS-01', webroot=None, dryrun=F
args += "--manual-cleanup-hook {} ".format(config['certbot']['cleanup_hook'])
args += "-d {},*.{}".format(domain_name, domain_name)
elif acme_test == 'HTTP-01':
args += " --webroot certonly "
args += " --webroot certonly "
args += "--preferred-challenges http-01 "
if webroot is None:
args += "-w {}/{}/htdocs ".format(config['apache']['webroot'], domain_name)
else:
args += "-w {} ".format(webroot)
if domains_list is None:
args += "-d {}".format(domain_name)
else:
args += "--expand --cert-name {} ".format(domain_name)
args += "--expand --cert-name {} ".format(domain_name)
args += "-d {}".format(",".join(domains_list))
else:
logger.error('acme test {} not supported'.format(acme_test))
@ -195,7 +190,7 @@ def acme_request(config, domain_name, acme_test='DNS-01', webroot=None, dryrun=F
logging.info("{} {}".format(config['certbot']['bin'], args))
else:
os.system("{} {}".format(config['certbot']['bin'], args))
return True
def symlink_force(target, link_name):
@ -217,25 +212,25 @@ def link_cert(config, source, dest, dryrun=False):
else:
symlink_force(src_name, link_name)
if __name__ == '__main__':
args, config = init_prog(sys.argv)
dryrun=config['main'].getboolean('dryrun')
ot_conn=connect_db(dict(config['ot_db']))
dns_conn=connect_db(dict(config['dns_db']))
if dryrun:
print("DRYRUN, nessun certificato verra' richiesto, nessun link/file creato o modificato")
# Caso speciale per le webmail
if args.webmail:
logging.info('Asking certificates for webmail')
vhost_name = config['webmail']['vhost'].strip()
webmails_list = ["webmail.{}".format(d.strip()) for d in config['webmail']['domains'].split(',') if len(d.strip())>0]
if acme_request(config, vhost_name, acme_test='HTTP-01', dryrun=dryrun, domains_list=webmails_list):
if acme_request(config, vhost_name, acme_test='HTTP-01', dryrun=dryrun, domains_list=webmails_list):
link_cert(config, vhost_name, vhost_name, dryrun=dryrun)
else:
logger.error('Error asking certificate for {}'.format(vhost_name))
@ -251,7 +246,7 @@ if __name__ == '__main__':
# Per usi futuri, aggiungo l'alias 'mail.indivia.net'
alias_list.append('mail.indivia.net')
if acme_request(config, vhost_name, acme_test='HTTP-01', webroot=config['mail']['mbox_webroot'].strip(),
dryrun=dryrun, domains_list=alias_list):
dryrun=dryrun, domains_list=alias_list):
# non e' richiesto il link, punto direttamente le configurazioni alle dir di letsencrypt
# link_cert(config, vhost_name, vhost_name, dryrun=dryrun)
pass
@ -273,21 +268,21 @@ if __name__ == '__main__':
pass
else:
logger.error('Error asking certificate for {}'.format(vhost_name))
# Caso speciale per l'hosting
# Caso speciale per l'hosting
if args.hosting:
logging.info('Asking certificates for hosted web domains')
# Subdomains da escludere
ex_subdomains = tuple([s.strip() for s in config['main']['special_subdomains'].split(',') if len(s.strip())>0])
domains_dict = get_domain_list(config, ot_conn, dns_conn)
for domain_name, domain_feat in domains_dict.items():
domain_feat['subdomains']=get_subdomain_list(config, domain_name, ot_conn, ex_subdomains=ex_subdomains)
# Controlla se i nameserver sono gestiti da noi
if domain_feat['managed_ns']:
# Nel caso il nameserver sia gestito, chiedi certificati per il dominio e la wildcard
if acme_request(config, domain_name, acme_test='DNS-01', dryrun=dryrun):
link_cert(config, domain_name, domain_name, dryrun=dryrun)
link_cert(config, domain_name, domain_name, dryrun=dryrun)
# Crea il link per ogni subdomain
for subdomain in domain_feat['subdomains']:
link_cert(config, domain_name, subdomain, dryrun=dryrun)
@ -300,12 +295,12 @@ if __name__ == '__main__':
ot_conn.close()
dns_conn.close()
# Genero il certificato per l'interfaccia di mailman
# Genero il certificato per l'interfaccia di mailman
if args.liste:
logging.info('Asking certificates for liste.indivia.net')
vhost_name = config['mailman']['vhost'].strip()
liste_list = ["liste.{}".format(d.strip()) for d in config['mailman']['domains'].split(',') if len(d.strip())>0]
if acme_request(config, vhost_name, acme_test='HTTP-01', dryrun=dryrun, domains_list=liste_list):
if acme_request(config, vhost_name, acme_test='HTTP-01', dryrun=dryrun, domains_list=liste_list):
link_cert(config, vhost_name, vhost_name, dryrun=dryrun)
else:
logger.error('Error asking certificate for {}'.format(vhost_name))