From ec30f759be39331aae792396379cbc02b5e2372b Mon Sep 17 00:00:00 2001 From: jigen Date: Wed, 16 Sep 2020 19:33:26 +0200 Subject: [PATCH] Added 'proxy' option --- OTcerts.py | 66 ++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 59 insertions(+), 7 deletions(-) diff --git a/OTcerts.py b/OTcerts.py index 1f194d6..3bdda3c 100644 --- a/OTcerts.py +++ b/OTcerts.py @@ -24,6 +24,14 @@ and vhosts.vhost_id = vhosts_features.vhost_id and hosts.host_id = hosts_urls.h WHERE (hosts_urls.http = 'Y' and hosts.hostname = %(webserver)s) """ +# Get list of defined urls for specific webserver +urls_list_stmt = """SELECT DISTINCT(urls.dns_name) AS urls +FROM hosts INNER JOIN (hosts_urls, urls, vhosts_features, vhosts) +ON (urls.url_id = hosts_urls.url_id and urls.url_id = vhosts.url_id +and vhosts.vhost_id = vhosts_features.vhost_id and hosts.host_id = hosts_urls.host_id) +WHERE (hosts_urls.http = 'Y' and hosts.hostname = %(webserver)s) +""" + # Get domain_id if defined in nameserver database domain_id_stmt="SELECT domains.id as domain_id FROM domains WHERE domains.name=%(domain)s" @@ -34,7 +42,7 @@ subdomains_list_stmt = "SELECT DISTINCT(urls.dns_name) AS domain_names "\ "urls.dns_name LIKE %(domain)s)" default_conf_file="./etc/ot_certs.ini" -logging.basicConfig(level=logging.INFO) +logging.basicConfig(level=logging.DEBUG) logger = logging.getLogger() @@ -53,6 +61,8 @@ def init_prog(argv): help="Invoca solamente il renew per i certificati gia' presenti") service_group = parser.add_mutually_exclusive_group(required=True) + service_group.add_argument("--proxy", default=False, action='store_true', required=False, + help="Richiedi i certificati per i siti proxaty") service_group.add_argument("--liste", default=False, action='store_true', required=False, help="Richiedi i certificati per liste.indivia.net") service_group.add_argument("--hosting", default=False, action='store_true', required=False, @@ -150,6 +160,27 @@ def get_domain_list(config, ot_conn, dns_conn): ot_cursor.close() return result_dict + +def get_url_list(config_section, server_name, ot_conn, dns_conn): + """ + Return a list + """ + + urls_list = [] + + ot_cursor=ot_conn.cursor() + ot_cursor.execute(urls_list_stmt, {'webserver':server_name}) + + ot_res = ot_cursor.fetchall() + + logger.debug(ot_res) + + urls_list = [t[0] for t in ot_res] + + ot_cursor.close() + return urls_list + + def get_alias_list(config, dns_conn, query, aliases): """ Return a list of domains to get the certificate for @@ -186,7 +217,7 @@ def acme_renew(config, pre_hook_cmd, post_hook_cmd, dryrun=False): args +=' --post-hook "{}"'.format(post_hook_cmd) args += " renew" - + if dryrun: logging.info("{} {}".format(config['certbot']['bin'], args)) else: @@ -268,10 +299,12 @@ if __name__ == '__main__': logging.info('Renewing certificates ') if args.webmail or args.hosting or args.liste: post_hook_cmd = "systemctl reload apache2" - elif args.smtp: + elif args.smtp: post_hook_cmd = "systemctl reload postfix" elif args.mbox: post_hook_cmd = "systemctl restart dovecot" + elif args.proxy: + post_hook_cmd = "systemctl reload nginx" logger.debug("post_hook_cmd: {}".format(post_hook_cmd)) @@ -297,6 +330,25 @@ if __name__ == '__main__': ret = os.system("systemctl reload apache2") logger.info(ret) + # Caso speciale per il proxy + if args.proxy: + logging.info('Asking certificates for proxy web domains') + try: + proxy_conf = config['nginx'] + except KeyError as e: + logger.error("Error parsing configuration, KeyError {}".format(e)) + exit(-1) + ot_conn=connect_db(dict(config['ot_db'])) + dns_conn=connect_db(dict(config['dns_db'])) + + upstream_servers = [s.strip() for s in proxy_conf['upstream_servers'].split(',') if len(s.strip())>0] + for server_name in upstream_servers: + logger.debug("Upstream server {}".format(server_name)) + url_list = get_url_list(proxy_conf, server_name, + ot_conn, dns_conn) + logger.debug(url_list) + + # Caso speciale per l'hosting if args.hosting: logging.info('Asking certificates for hosted web domains') @@ -341,7 +393,7 @@ if __name__ == '__main__': ret = os.system("systemctl reload apache2") logger.info(ret) - + # Caso speciale per l'interfaccia di mailman if args.liste: logging.info('Asking certificates for liste.indivia.net') @@ -351,14 +403,14 @@ if __name__ == '__main__': link_cert(config, vhost_name, vhost_name, dryrun=dryrun) else: logger.error('Error asking certificate for {}'.format(vhost_name)) - + # reload apache logger.info("Reloading apache") # ret = subprocess.run("systemctl reload apache2") ret = os.system("systemctl reload apache2") - logger.info(ret) + logger.info(ret) + - # Caso speciale per il server POP/IMAP if args.mbox: dns_conn=connect_db(dict(config['dns_db']))