Compare commits

..

No commits in common. "master" and "renew_reload" have entirely different histories.

View file

@ -1,5 +1,4 @@
import os import os
import sys import sys
import errno import errno
@ -8,9 +7,6 @@ import configparser
import logging import logging
import mysql.connector import mysql.connector
import subprocess import subprocess
from pwd import getpwnam
from grp import getgrnam
# Query for IMAP/POP3 certificate # Query for IMAP/POP3 certificate
mbox_list_stmt = "SELECT DISTINCT(name) FROM records WHERE content in ({}) and (name LIKE 'imap.%' or name LIKE 'pop3.%' or name LIKE 'mail.%')" mbox_list_stmt = "SELECT DISTINCT(name) FROM records WHERE content in ({}) and (name LIKE 'imap.%' or name LIKE 'pop3.%' or name LIKE 'mail.%')"
@ -20,18 +16,9 @@ smtp_list_stmt = "SELECT DISTINCT(name) FROM records WHERE content in ({}) and (
# Get list of defined domains in vhosts configuration database # Get list of defined domains in vhosts configuration database
domains_list_stmt = """SELECT DISTINCT(SUBSTRING_INDEX(urls.dns_name, '.', -2)) AS domain_names domains_list_stmt = """SELECT DISTINCT(SUBSTRING_INDEX(urls.dns_name, '.', -2)) AS domain_names
FROM hosts INNER JOIN (hosts_urls, urls, vhosts_features, vhosts) FROM urls INNER JOIN (hosts_urls, hosts, vhosts_features, vhosts)
ON (urls.url_id = hosts_urls.url_id and urls.url_id = vhosts.url_id ON (urls.url_id = hosts_urls.url_id and urls.url_id = vhosts.url_id and vhosts.vhost_id = vhosts_features.vhost_id)
and vhosts.vhost_id = vhosts_features.vhost_id and hosts.host_id = hosts_urls.host_id)
WHERE (hosts_urls.http = 'Y' and hosts.hostname = %(webserver)s)
"""
# Get list of defined urls for specific webserver
urls_list_stmt = """SELECT DISTINCT(urls.dns_name) AS urls
FROM hosts INNER JOIN (hosts_urls, urls, vhosts_features, vhosts)
ON (urls.url_id = hosts_urls.url_id and urls.url_id = vhosts.url_id
and vhosts.vhost_id = vhosts_features.vhost_id and hosts.host_id = hosts_urls.host_id)
WHERE (hosts_urls.http = 'Y' and hosts.hostname = %(webserver)s) WHERE (hosts_urls.http = 'Y' and hosts.hostname = %(webserver)s)
""" """
@ -62,10 +49,8 @@ def init_prog(argv):
help="Specifity config file (default: {})".format(default_conf_file)) help="Specifity config file (default: {})".format(default_conf_file))
parser.add_argument("--renew", default=False, action='store_true', required=False, parser.add_argument("--renew", default=False, action='store_true', required=False,
help="Invoca solamente il renew per i certificati gia' presenti") help="Invoca solamente il renew per i certificati gia' presenti")
service_group = parser.add_mutually_exclusive_group(required=True) service_group = parser.add_mutually_exclusive_group(required=True)
service_group.add_argument("--proxy", default=False, action='store_true', required=False,
help="Richiedi i certificati per i siti proxaty")
service_group.add_argument("--liste", default=False, action='store_true', required=False, service_group.add_argument("--liste", default=False, action='store_true', required=False,
help="Richiedi i certificati per liste.indivia.net") help="Richiedi i certificati per liste.indivia.net")
service_group.add_argument("--hosting", default=False, action='store_true', required=False, service_group.add_argument("--hosting", default=False, action='store_true', required=False,
@ -105,7 +90,7 @@ def connect_db(conf_dict):
def get_subdomain_list(config, domain, ot_conn, ex_subdomains=tuple()): def get_subdomain_list(config, domain, ot_conn, ex_subdomains=tuple()):
""" """
Return a Python list containing subdomain of domain parameter Return a Python list containing subdomain of domain paramer
eg: ['app.arkiwi.org'] eg: ['app.arkiwi.org']
""" """
result_dict=dict() result_dict=dict()
@ -118,12 +103,8 @@ def get_subdomain_list(config, domain, ot_conn, ex_subdomains=tuple()):
subdomains_res = ot_cursor.fetchall() subdomains_res = ot_cursor.fetchall()
ot_cursor.close() ot_cursor.close()
try: subdomains_filtered = [s[0].decode('utf-8') for s in subdomains_res
subdomains_filtered = [s[0].decode('utf-8') for s in subdomains_res
if not(s[0].decode('utf-8').startswith(ex_subdomains))] if not(s[0].decode('utf-8').startswith(ex_subdomains))]
except AttributeError:
subdomains_filtered = [s[0] for s in subdomains_res
if not(s[0].startswith(ex_subdomains))]
return subdomains_filtered return subdomains_filtered
@ -141,11 +122,7 @@ def get_domain_list(config, ot_conn, dns_conn):
dns_cursor=dns_conn.cursor() dns_cursor=dns_conn.cursor()
for domain_barr, in ot_cursor: for domain_barr, in ot_cursor:
try: domain_name = domain_barr.decode("utf-8")
domain_name = domain_barr.decode("utf-8")
except AttributeError:
domain_name = domain_barr;
logger.debug(domain_barr)
try: try:
dns_cursor.execute(domain_id_stmt, {'domain':domain_name}) dns_cursor.execute(domain_id_stmt, {'domain':domain_name})
except Exception as e: except Exception as e:
@ -163,30 +140,6 @@ def get_domain_list(config, ot_conn, dns_conn):
ot_cursor.close() ot_cursor.close()
return result_dict return result_dict
def get_url_list(config_section, server_name, ot_conn, dns_conn):
"""
Ritorna la lista delle url configurate per uno specifico server_name
NB: il questo momento il dato viene estratto dal db di ortiche, ma non viene
controllato se il dns e' configurato in maniera coerente. Questo potrebbe generare
errori in momenti successivi (es, durante il challenge HTTP-01)
"""
urls_list = []
ot_cursor=ot_conn.cursor()
ot_cursor.execute(urls_list_stmt, {'webserver':server_name})
ot_res = ot_cursor.fetchall()
logger.debug(ot_res)
urls_list = [t[0] for t in ot_res]
ot_cursor.close()
return urls_list
def get_alias_list(config, dns_conn, query, aliases): def get_alias_list(config, dns_conn, query, aliases):
""" """
Return a list of domains to get the certificate for Return a list of domains to get the certificate for
@ -223,7 +176,7 @@ def acme_renew(config, pre_hook_cmd, post_hook_cmd, dryrun=False):
args +=' --post-hook "{}"'.format(post_hook_cmd) args +=' --post-hook "{}"'.format(post_hook_cmd)
args += " renew" args += " renew"
if dryrun: if dryrun:
logging.info("{} {}".format(config['certbot']['bin'], args)) logging.info("{} {}".format(config['certbot']['bin'], args))
else: else:
@ -290,28 +243,6 @@ def link_cert(config, source, dest, dryrun=False):
symlink_force(src_name, link_name) symlink_force(src_name, link_name)
def fix_permissions(config):
"""
Sistema i permessi dei certificati affinche' risultino leggibili dai demoni interessati
"""
archive_dir = config['certbot']['archive_certificates_dir']
uid = getpwnam(config['certbot']['certificates_user'])[2]
gid = getgrnam(config['certbot']['certificates_group'])[2]
for root, dirs, files in os.walk(archive_dir):
for momo in dirs:
logger.debug('Fixing user/group and permissions on {}'.format(os.path.join(root, momo)))
os.chown(os.path.join(root, momo), uid, gid)
os.chmod(os.path.join(root, momo), 0o755)
for momo in files:
logger.debug('Fixing user/group and permissions on {}'.format(os.path.join(root, momo)))
os.chown(os.path.join(root, momo), uid, gid)
if momo.startswith('privkey'):
os.chmod(os.path.join(root, momo), 0o640)
else:
os.chmod(os.path.join(root, momo), 0o644)
if __name__ == '__main__': if __name__ == '__main__':
args, config = init_prog(sys.argv) args, config = init_prog(sys.argv)
@ -327,20 +258,19 @@ if __name__ == '__main__':
logging.info('Renewing certificates ') logging.info('Renewing certificates ')
if args.webmail or args.hosting or args.liste: if args.webmail or args.hosting or args.liste:
post_hook_cmd = "systemctl reload apache2" post_hook_cmd = "systemctl reload apache2"
elif args.smtp: elif args.smtp:
post_hook_cmd = "systemctl reload postfix" post_hook_cmd = "systemctl reload postfix"
elif args.mbox: elif args.mbox:
post_hook_cmd = "systemctl restart dovecot" post_hook_cmd = "systemctl restart dovecot"
elif args.proxy:
post_hook_cmd = "systemctl reload nginx"
logger.debug("post_hook_cmd: {}".format(post_hook_cmd)) logger.debug("post_hook_cmd: {}".format(post_hook_cmd))
if acme_renew(config, pre_hook_cmd, post_hook_cmd, dryrun=dryrun): if acme_renew(config, pre_hook_cmd, post_hook_cmd, dryrun=dryrun):
logger.info("Done renew") logger.info("Done renew")
else:
else:
# Fai le nuove richieste per i certificati # Fai le nuove richieste per i certificati
# Caso speciale per le webmail # Caso speciale per le webmail
if args.webmail: if args.webmail:
logging.info('Asking certificates for webmail') logging.info('Asking certificates for webmail')
@ -351,58 +281,22 @@ if __name__ == '__main__':
link_cert(config, vhost_name, vhost_name, dryrun=dryrun) link_cert(config, vhost_name, vhost_name, dryrun=dryrun)
else: else:
logger.error('Error asking certificate for {}'.format(vhost_name)) logger.error('Error asking certificate for {}'.format(vhost_name))
# reload apache # reload apache
logger.info("Reloading apache") logger.info("Reloading apache")
# ret = subprocess.run("systemctl reload apache2") # ret = subprocess.run("systemctl reload apache2")
ret = os.system("systemctl reload apache2") ret = os.system("systemctl reload apache2")
logger.info(ret) logger.info(ret)
# Caso speciale per il proxy
if args.proxy:
logging.info('Asking certificates for proxy web domains')
try:
proxy_conf = config['nginx']
except KeyError as e:
logger.error("Error parsing configuration, KeyError {}".format(e))
exit(-1)
ot_conn=connect_db(dict(config['ot_db']))
upstream_servers = [s.strip() for s in proxy_conf['upstream_servers'].split(',') if len(s.strip())>0]
for server_name in upstream_servers:
logger.debug("Upstream server {}".format(server_name))
url_list = get_url_list(proxy_conf, server_name,
ot_conn, None)
logger.debug(url_list)
for url in url_list:
acme_request(config, url, acme_test='HTTP-01', webroot=proxy_conf['http-01_webroot'],
dryrun=dryrun, domains_list=[url])
ot_conn.close()
if not dryrun:
fix_permissions(config)
logger.info("Reloading nginx")
ret = os.system("systemctl reload nginx")
logger.info(ret)
# Caso speciale per l'hosting # Caso speciale per l'hosting
if args.hosting: if args.hosting:
logging.info('Asking certificates for hosted web domains') logging.info('Asking certificates for hosted web domains')
try:
hosting_conf = config['apache']
except KeyError as e:
logger.error("Error parsing configuration, KeyError {}".format(e))
exit(-1)
ot_conn=connect_db(dict(config['ot_db'])) ot_conn=connect_db(dict(config['ot_db']))
dns_conn=connect_db(dict(config['dns_db'])) dns_conn=connect_db(dict(config['dns_db']))
# Subdomains da escludere # Subdomains da escludere
ex_subdomains = tuple([s.strip() for s in config['main']['special_subdomains'].split(',') if len(s.strip())>0]) ex_subdomains = tuple([s.strip() for s in config['main']['special_subdomains'].split(',') if len(s.strip())>0])
domains_dict = get_domain_list(config, ot_conn, dns_conn) domains_dict = get_domain_list(config, ot_conn, dns_conn)
logger.debug(domains_dict)
for domain_name, domain_feat in domains_dict.items(): for domain_name, domain_feat in domains_dict.items():
domain_feat['subdomains']=get_subdomain_list(config, domain_name, ot_conn, ex_subdomains=ex_subdomains) domain_feat['subdomains']=get_subdomain_list(config, domain_name, ot_conn, ex_subdomains=ex_subdomains)
# Controlla se i nameserver sono gestiti da noi # Controlla se i nameserver sono gestiti da noi
@ -432,7 +326,7 @@ if __name__ == '__main__':
ret = os.system("systemctl reload apache2") ret = os.system("systemctl reload apache2")
logger.info(ret) logger.info(ret)
# Caso speciale per l'interfaccia di mailman # Caso speciale per l'interfaccia di mailman
if args.liste: if args.liste:
logging.info('Asking certificates for liste.indivia.net') logging.info('Asking certificates for liste.indivia.net')
@ -442,14 +336,14 @@ if __name__ == '__main__':
link_cert(config, vhost_name, vhost_name, dryrun=dryrun) link_cert(config, vhost_name, vhost_name, dryrun=dryrun)
else: else:
logger.error('Error asking certificate for {}'.format(vhost_name)) logger.error('Error asking certificate for {}'.format(vhost_name))
# reload apache # reload apache
logger.info("Reloading apache") logger.info("Reloading apache")
# ret = subprocess.run("systemctl reload apache2") # ret = subprocess.run("systemctl reload apache2")
ret = os.system("systemctl reload apache2") ret = os.system("systemctl reload apache2")
logger.info(ret) logger.info(ret)
# Caso speciale per il server POP/IMAP # Caso speciale per il server POP/IMAP
if args.mbox: if args.mbox:
dns_conn=connect_db(dict(config['dns_db'])) dns_conn=connect_db(dict(config['dns_db']))