Compare commits

...

4 commits

View file

@ -1,4 +1,5 @@
import os
import sys
import errno
@ -7,6 +8,9 @@ import configparser
import logging
import mysql.connector
import subprocess
from pwd import getpwnam
from grp import getgrnam
# Query for IMAP/POP3 certificate
mbox_list_stmt = "SELECT DISTINCT(name) FROM records WHERE content in ({}) and (name LIKE 'imap.%' or name LIKE 'pop3.%' or name LIKE 'mail.%')"
@ -16,9 +20,18 @@ smtp_list_stmt = "SELECT DISTINCT(name) FROM records WHERE content in ({}) and (
# Get list of defined domains in vhosts configuration database
domains_list_stmt = """SELECT DISTINCT(SUBSTRING_INDEX(urls.dns_name, '.', -2)) AS domain_names
FROM urls INNER JOIN (hosts_urls, hosts, vhosts_features, vhosts)
ON (urls.url_id = hosts_urls.url_id and urls.url_id = vhosts.url_id and vhosts.vhost_id = vhosts_features.vhost_id)
domains_list_stmt = """SELECT DISTINCT(SUBSTRING_INDEX(urls.dns_name, '.', -2)) AS domain_names
FROM hosts INNER JOIN (hosts_urls, urls, vhosts_features, vhosts)
ON (urls.url_id = hosts_urls.url_id and urls.url_id = vhosts.url_id
and vhosts.vhost_id = vhosts_features.vhost_id and hosts.host_id = hosts_urls.host_id)
WHERE (hosts_urls.http = 'Y' and hosts.hostname = %(webserver)s)
"""
# Get list of defined urls for specific webserver
urls_list_stmt = """SELECT DISTINCT(urls.dns_name) AS urls
FROM hosts INNER JOIN (hosts_urls, urls, vhosts_features, vhosts)
ON (urls.url_id = hosts_urls.url_id and urls.url_id = vhosts.url_id
and vhosts.vhost_id = vhosts_features.vhost_id and hosts.host_id = hosts_urls.host_id)
WHERE (hosts_urls.http = 'Y' and hosts.hostname = %(webserver)s)
"""
@ -49,8 +62,10 @@ def init_prog(argv):
help="Specifity config file (default: {})".format(default_conf_file))
parser.add_argument("--renew", default=False, action='store_true', required=False,
help="Invoca solamente il renew per i certificati gia' presenti")
service_group = parser.add_mutually_exclusive_group(required=True)
service_group.add_argument("--proxy", default=False, action='store_true', required=False,
help="Richiedi i certificati per i siti proxaty")
service_group.add_argument("--liste", default=False, action='store_true', required=False,
help="Richiedi i certificati per liste.indivia.net")
service_group.add_argument("--hosting", default=False, action='store_true', required=False,
@ -90,7 +105,7 @@ def connect_db(conf_dict):
def get_subdomain_list(config, domain, ot_conn, ex_subdomains=tuple()):
"""
Return a Python list containing subdomain of domain paramer
Return a Python list containing subdomain of domain parameter
eg: ['app.arkiwi.org']
"""
result_dict=dict()
@ -103,8 +118,12 @@ def get_subdomain_list(config, domain, ot_conn, ex_subdomains=tuple()):
subdomains_res = ot_cursor.fetchall()
ot_cursor.close()
subdomains_filtered = [s[0].decode('utf-8') for s in subdomains_res
try:
subdomains_filtered = [s[0].decode('utf-8') for s in subdomains_res
if not(s[0].decode('utf-8').startswith(ex_subdomains))]
except AttributeError:
subdomains_filtered = [s[0] for s in subdomains_res
if not(s[0].startswith(ex_subdomains))]
return subdomains_filtered
@ -122,7 +141,11 @@ def get_domain_list(config, ot_conn, dns_conn):
dns_cursor=dns_conn.cursor()
for domain_barr, in ot_cursor:
domain_name = domain_barr.decode("utf-8")
try:
domain_name = domain_barr.decode("utf-8")
except AttributeError:
domain_name = domain_barr;
logger.debug(domain_barr)
try:
dns_cursor.execute(domain_id_stmt, {'domain':domain_name})
except Exception as e:
@ -140,6 +163,30 @@ def get_domain_list(config, ot_conn, dns_conn):
ot_cursor.close()
return result_dict
def get_url_list(config_section, server_name, ot_conn, dns_conn):
"""
Ritorna la lista delle url configurate per uno specifico server_name
NB: il questo momento il dato viene estratto dal db di ortiche, ma non viene
controllato se il dns e' configurato in maniera coerente. Questo potrebbe generare
errori in momenti successivi (es, durante il challenge HTTP-01)
"""
urls_list = []
ot_cursor=ot_conn.cursor()
ot_cursor.execute(urls_list_stmt, {'webserver':server_name})
ot_res = ot_cursor.fetchall()
logger.debug(ot_res)
urls_list = [t[0] for t in ot_res]
ot_cursor.close()
return urls_list
def get_alias_list(config, dns_conn, query, aliases):
"""
Return a list of domains to get the certificate for
@ -176,7 +223,7 @@ def acme_renew(config, pre_hook_cmd, post_hook_cmd, dryrun=False):
args +=' --post-hook "{}"'.format(post_hook_cmd)
args += " renew"
if dryrun:
logging.info("{} {}".format(config['certbot']['bin'], args))
else:
@ -243,6 +290,28 @@ def link_cert(config, source, dest, dryrun=False):
symlink_force(src_name, link_name)
def fix_permissions(config):
"""
Sistema i permessi dei certificati affinche' risultino leggibili dai demoni interessati
"""
archive_dir = config['certbot']['archive_certificates_dir']
uid = getpwnam(config['certbot']['certificates_user'])[2]
gid = getgrnam(config['certbot']['certificates_group'])[2]
for root, dirs, files in os.walk(archive_dir):
for momo in dirs:
logger.debug('Fixing user/group and permissions on {}'.format(os.path.join(root, momo)))
os.chown(os.path.join(root, momo), uid, gid)
os.chmod(os.path.join(root, momo), 0o755)
for momo in files:
logger.debug('Fixing user/group and permissions on {}'.format(os.path.join(root, momo)))
os.chown(os.path.join(root, momo), uid, gid)
if momo.startswith('privkey'):
os.chmod(os.path.join(root, momo), 0o640)
else:
os.chmod(os.path.join(root, momo), 0o644)
if __name__ == '__main__':
args, config = init_prog(sys.argv)
@ -258,19 +327,20 @@ if __name__ == '__main__':
logging.info('Renewing certificates ')
if args.webmail or args.hosting or args.liste:
post_hook_cmd = "systemctl reload apache2"
elif args.smtp:
elif args.smtp:
post_hook_cmd = "systemctl reload postfix"
elif args.mbox:
post_hook_cmd = "systemctl restart dovecot"
elif args.proxy:
post_hook_cmd = "systemctl reload nginx"
logger.debug("post_hook_cmd: {}".format(post_hook_cmd))
if acme_renew(config, pre_hook_cmd, post_hook_cmd, dryrun=dryrun):
logger.info("Done renew")
else:
else:
# Fai le nuove richieste per i certificati
# Caso speciale per le webmail
if args.webmail:
logging.info('Asking certificates for webmail')
@ -281,22 +351,58 @@ if __name__ == '__main__':
link_cert(config, vhost_name, vhost_name, dryrun=dryrun)
else:
logger.error('Error asking certificate for {}'.format(vhost_name))
# reload apache
logger.info("Reloading apache")
# ret = subprocess.run("systemctl reload apache2")
ret = os.system("systemctl reload apache2")
logger.info(ret)
# Caso speciale per il proxy
if args.proxy:
logging.info('Asking certificates for proxy web domains')
try:
proxy_conf = config['nginx']
except KeyError as e:
logger.error("Error parsing configuration, KeyError {}".format(e))
exit(-1)
ot_conn=connect_db(dict(config['ot_db']))
upstream_servers = [s.strip() for s in proxy_conf['upstream_servers'].split(',') if len(s.strip())>0]
for server_name in upstream_servers:
logger.debug("Upstream server {}".format(server_name))
url_list = get_url_list(proxy_conf, server_name,
ot_conn, None)
logger.debug(url_list)
for url in url_list:
acme_request(config, url, acme_test='HTTP-01', webroot=proxy_conf['http-01_webroot'],
dryrun=dryrun, domains_list=[url])
ot_conn.close()
if not dryrun:
fix_permissions(config)
logger.info("Reloading nginx")
ret = os.system("systemctl reload nginx")
logger.info(ret)
# Caso speciale per l'hosting
if args.hosting:
logging.info('Asking certificates for hosted web domains')
try:
hosting_conf = config['apache']
except KeyError as e:
logger.error("Error parsing configuration, KeyError {}".format(e))
exit(-1)
ot_conn=connect_db(dict(config['ot_db']))
dns_conn=connect_db(dict(config['dns_db']))
# Subdomains da escludere
ex_subdomains = tuple([s.strip() for s in config['main']['special_subdomains'].split(',') if len(s.strip())>0])
domains_dict = get_domain_list(config, ot_conn, dns_conn)
logger.debug(domains_dict)
for domain_name, domain_feat in domains_dict.items():
domain_feat['subdomains']=get_subdomain_list(config, domain_name, ot_conn, ex_subdomains=ex_subdomains)
# Controlla se i nameserver sono gestiti da noi
@ -326,7 +432,7 @@ if __name__ == '__main__':
ret = os.system("systemctl reload apache2")
logger.info(ret)
# Caso speciale per l'interfaccia di mailman
if args.liste:
logging.info('Asking certificates for liste.indivia.net')
@ -336,14 +442,14 @@ if __name__ == '__main__':
link_cert(config, vhost_name, vhost_name, dryrun=dryrun)
else:
logger.error('Error asking certificate for {}'.format(vhost_name))
# reload apache
logger.info("Reloading apache")
# ret = subprocess.run("systemctl reload apache2")
ret = os.system("systemctl reload apache2")
logger.info(ret)
logger.info(ret)
# Caso speciale per il server POP/IMAP
if args.mbox:
dns_conn=connect_db(dict(config['dns_db']))