diff --git a/OTcerts.py b/OTcerts.py index 945ef35..dc9d107 100644 --- a/OTcerts.py +++ b/OTcerts.py @@ -11,9 +11,9 @@ import mysql.connector # Query for IMAP/POP3 certificate mbox_list_stmt = "SELECT DISTINCT(name) FROM records WHERE content in ({}) and (name LIKE 'imap.%' or name LIKE 'pop3.%' or name LIKE 'mail.%')" -# Query for SMTP certificate +# Query for SMTP certificate smtp_list_stmt = "SELECT DISTINCT(name) FROM records WHERE content in ({}) and (name LIKE 'smtp.%' or name LIKE 'mail.%')" - + # Get list of defined domains in vhosts configuration database domains_list_stmt = """SELECT DISTINCT(SUBSTRING_INDEX(urls.dns_name, '.', -2)) AS domain_names @@ -30,8 +30,6 @@ subdomains_list_stmt = "SELECT DISTINCT(urls.dns_name) AS domain_names "\ "ON (urls.url_id = hosts_urls.url_id and urls.url_id = vhosts.url_id and vhosts.vhost_id = vhosts_features.vhost_id) "\ "WHERE (hosts_urls.http = 'Y' and hosts.hostname = %(webserver)s and "\ "urls.dns_name LIKE %(domain)s)" - - default_conf_file="./etc/ot_certs.ini" logging.basicConfig(level=logging.INFO) @@ -42,7 +40,7 @@ def init_prog(argv): """ Parse command line args and config file """ - + parser = argparse.ArgumentParser( description="Manage LetsEncrypt certificates") parser.add_argument("-c", "--config", type=open, @@ -91,7 +89,7 @@ def get_subdomain_list(config, domain, ot_conn, ex_subdomains=tuple()): """ Return a Python list containing subdomain of domain paramer eg: ['app.arkiwi.org'] - """ + """ result_dict=dict() @@ -102,11 +100,8 @@ def get_subdomain_list(config, domain, ot_conn, ex_subdomains=tuple()): subdomains_res = ot_cursor.fetchall() ot_cursor.close() - #if filtered: subdomains_filtered = [s[0].decode('utf-8') for s in subdomains_res if not(s[0].decode('utf-8').startswith(ex_subdomains))] - # else: - # subdomains_filtered = [s[0].decode('utf-8') for s in subdomains_res] return subdomains_filtered @@ -121,7 +116,7 @@ def get_domain_list(config, ot_conn, dns_conn): ot_cursor=ot_conn.cursor() ot_cursor.execute(domains_list_stmt, {'webserver':config['main']['webserver'].strip(" '\"")}) - + dns_cursor=dns_conn.cursor() for domain_barr, in ot_cursor: domain_name = domain_barr.decode("utf-8") @@ -137,7 +132,7 @@ def get_domain_list(config, ot_conn, dns_conn): result_dict.update({domain_name: {'managed_ns':False, 'domain_id':None}}) else: logger.error('Unexpected result for domain {}'.format(domain_name)) - + dns_cursor.close() ot_cursor.close() return result_dict @@ -148,7 +143,7 @@ def get_alias_list(config, dns_conn, query, aliases): """ result_list = list() - + dns_cursor=dns_conn.cursor() try: dns_cursor.execute(query, aliases) @@ -168,7 +163,7 @@ def acme_request(config, domain_name, acme_test='DNS-01', webroot=None, dryrun=F args += "--server {} ".format(config['certbot']['server']) if dryrun: - args += "--dry-run " + args += "--dry-run " if acme_test == 'DNS-01': args += " --manual certonly " args += "--preferred-challenges dns-01 " @@ -176,17 +171,17 @@ def acme_request(config, domain_name, acme_test='DNS-01', webroot=None, dryrun=F args += "--manual-cleanup-hook {} ".format(config['certbot']['cleanup_hook']) args += "-d {},*.{}".format(domain_name, domain_name) elif acme_test == 'HTTP-01': - args += " --webroot certonly " + args += " --webroot certonly " args += "--preferred-challenges http-01 " if webroot is None: args += "-w {}/{}/htdocs ".format(config['apache']['webroot'], domain_name) else: args += "-w {} ".format(webroot) - + if domains_list is None: args += "-d {}".format(domain_name) else: - args += "--expand --cert-name {} ".format(domain_name) + args += "--expand --cert-name {} ".format(domain_name) args += "-d {}".format(",".join(domains_list)) else: logger.error('acme test {} not supported'.format(acme_test)) @@ -195,7 +190,7 @@ def acme_request(config, domain_name, acme_test='DNS-01', webroot=None, dryrun=F logging.info("{} {}".format(config['certbot']['bin'], args)) else: os.system("{} {}".format(config['certbot']['bin'], args)) - + return True def symlink_force(target, link_name): @@ -217,25 +212,25 @@ def link_cert(config, source, dest, dryrun=False): else: symlink_force(src_name, link_name) - + if __name__ == '__main__': args, config = init_prog(sys.argv) dryrun=config['main'].getboolean('dryrun') - + ot_conn=connect_db(dict(config['ot_db'])) dns_conn=connect_db(dict(config['dns_db'])) if dryrun: print("DRYRUN, nessun certificato verra' richiesto, nessun link/file creato o modificato") - + # Caso speciale per le webmail if args.webmail: logging.info('Asking certificates for webmail') vhost_name = config['webmail']['vhost'].strip() webmails_list = ["webmail.{}".format(d.strip()) for d in config['webmail']['domains'].split(',') if len(d.strip())>0] - if acme_request(config, vhost_name, acme_test='HTTP-01', dryrun=dryrun, domains_list=webmails_list): + if acme_request(config, vhost_name, acme_test='HTTP-01', dryrun=dryrun, domains_list=webmails_list): link_cert(config, vhost_name, vhost_name, dryrun=dryrun) else: logger.error('Error asking certificate for {}'.format(vhost_name)) @@ -251,7 +246,7 @@ if __name__ == '__main__': # Per usi futuri, aggiungo l'alias 'mail.indivia.net' alias_list.append('mail.indivia.net') if acme_request(config, vhost_name, acme_test='HTTP-01', webroot=config['mail']['mbox_webroot'].strip(), - dryrun=dryrun, domains_list=alias_list): + dryrun=dryrun, domains_list=alias_list): # non e' richiesto il link, punto direttamente le configurazioni alle dir di letsencrypt # link_cert(config, vhost_name, vhost_name, dryrun=dryrun) pass @@ -273,21 +268,21 @@ if __name__ == '__main__': pass else: logger.error('Error asking certificate for {}'.format(vhost_name)) - - # Caso speciale per l'hosting + + # Caso speciale per l'hosting if args.hosting: logging.info('Asking certificates for hosted web domains') # Subdomains da escludere ex_subdomains = tuple([s.strip() for s in config['main']['special_subdomains'].split(',') if len(s.strip())>0]) domains_dict = get_domain_list(config, ot_conn, dns_conn) - + for domain_name, domain_feat in domains_dict.items(): domain_feat['subdomains']=get_subdomain_list(config, domain_name, ot_conn, ex_subdomains=ex_subdomains) # Controlla se i nameserver sono gestiti da noi if domain_feat['managed_ns']: # Nel caso il nameserver sia gestito, chiedi certificati per il dominio e la wildcard if acme_request(config, domain_name, acme_test='DNS-01', dryrun=dryrun): - link_cert(config, domain_name, domain_name, dryrun=dryrun) + link_cert(config, domain_name, domain_name, dryrun=dryrun) # Crea il link per ogni subdomain for subdomain in domain_feat['subdomains']: link_cert(config, domain_name, subdomain, dryrun=dryrun) @@ -300,12 +295,12 @@ if __name__ == '__main__': ot_conn.close() dns_conn.close() - # Genero il certificato per l'interfaccia di mailman + # Genero il certificato per l'interfaccia di mailman if args.liste: logging.info('Asking certificates for liste.indivia.net') vhost_name = config['mailman']['vhost'].strip() liste_list = ["liste.{}".format(d.strip()) for d in config['mailman']['domains'].split(',') if len(d.strip())>0] - if acme_request(config, vhost_name, acme_test='HTTP-01', dryrun=dryrun, domains_list=liste_list): + if acme_request(config, vhost_name, acme_test='HTTP-01', dryrun=dryrun, domains_list=liste_list): link_cert(config, vhost_name, vhost_name, dryrun=dryrun) else: logger.error('Error asking certificate for {}'.format(vhost_name))