add let's encrypt support #3
8 changed files with 146 additions and 8 deletions
|
@ -6,8 +6,8 @@ from os.path import dirname as _dirname, abspath as _abspath, join as _join, isf
|
||||||
from os import makedirs as _makedirs
|
from os import makedirs as _makedirs
|
||||||
|
|
||||||
|
|
||||||
HERE = _dirname(_abspath(__main__.__file__))
|
_HERE = _dirname(_abspath(__main__.__file__))
|
||||||
PASSWORD_DIR = _join(HERE, 'password')
|
_PASSWORD_DIR = _join(_HERE, 'password')
|
||||||
|
|
||||||
|
|
||||||
def get_password(server_name: str,
|
def get_password(server_name: str,
|
||||||
|
@ -56,7 +56,7 @@ def _set_password(server_name: str,
|
||||||
) -> str:
|
) -> str:
|
||||||
if not server_name or not username:
|
if not server_name or not username:
|
||||||
return
|
return
|
||||||
dir_name = _join('password', server_name, description)
|
dir_name = _join(_PASSWORD_DIR, server_name, description)
|
||||||
if not _isdir(dir_name):
|
if not _isdir(dir_name):
|
||||||
_makedirs(dir_name)
|
_makedirs(dir_name)
|
||||||
file_name = _join(dir_name, username)
|
file_name = _join(dir_name, username)
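Review bot: The early exit `return` under `if not server_name or not username:` yields None from a function annotated `-> str`, so callers typing against the annotation will not expect the None case; either make it `-> str | None` or raise a `ValueError` with the missing field named. The rest of `_set_password` starts and ends outside this hunk, so the caller side of that contract cannot be checked here. The move from the relative `'password'` to `_PASSWORD_DIR` is an improvement, but `description` and `username` still go straight into `_join`, so it would be worth a one-line comment at `dir_name = ...` stating where those values come from and that they are trusted configuration, not user input.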
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
PKG="$PKG git openssh-server"
|
PKG="$PKG git"
|
||||||
|
|
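--- a/seed/applicationservice/2022.03.08/letsencrypt/README.md
+++ b/seed/applicationservice/2022.03.08/letsencrypt/README.md
@@ -0,0 +1,34 @@
+# Gestion Let's encrypt
+
+## Fonctionnement du service application
+
+Ce service gère le téléchargement et la mise à disposition des certificats Let's encrypt.
+
+Le certificat doit être disponible avant l'installation de la machine de destination.
+C'est pourquoi ce le certificat est téléchargement grâce au défi DNS-1.
+
+Il faut donc installer certbot + python3-certbot-dns-xxx (sur une Fedora), par exemple pour OVH "python3-certbot-dns-ovh".
+
+Attention, en utilisant ce service vous acceptez les conditions d'utilisation de Let's Encrypt !
+
+## Utiliser Let's encrypt dans une machine
+
+Dans applicationservice.yml ajouter la dépendance "letsencrypt".
+
+Sur la machine installer Certb
+
+## Configurer Let's encrypt
+
+```
+rougail.letsencrypt.domain_names": ["nom de domaine"],
+rougail.letsencrypt.authority_cn": {"0": "nom de domaine"},
+rougail.letsencrypt.authority_name": {"0": "NomAutorité"},
+rougail.letsencrypt.plugin_name": {"0": "ovh"},
+rougail.letsencrypt.credential_filename": {"0": "/home/user/ovh.ini"},
+rougail.letsencrypt.email": {"0": "gnunux@gnunux.info"}
+```
+
+## Exemple avec OVH
+
+Installation du greffon Certbot : https://certbot-dns-ovh.readthedocs.io/en/stable/
+Création d'une clef d'API : https://eu.api.ovh.com/createToken/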
@ -0,0 +1,4 @@
|
||||||
|
format: '0.1'
|
||||||
|
description: Let's encrypt
|
||||||
|
depends:
|
||||||
|
- base-fedora-35
|
|
@ -0,0 +1,25 @@
|
||||||
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
|
<rougail version="0.10">
|
||||||
|
<variables>
|
||||||
|
<family name='letsencrypt' description="Défi DNS pour Let's encrypt" leadership="True">
|
||||||
|
<variable name="domain_names" type="domainname" description="Nom des domaines" multi="True"/>
|
||||||
|
<variable name="authority_cn" description="Nom de domaine de l'autorité" mandatory="True"/>
|
||||||
|
<variable name="authority_name" description="Nom de l'authorité" mandatory="True"/>
|
||||||
|
<variable name="plugin_name" type="string" description="Nom du greffon de mise à jour DNS du domaine" mandatory="True"/>
|
||||||
|
<variable name="credential_filename" type="filename" description="Nom du fichier de configuration du greffin" mandatory="True"/>
|
||||||
|
<variable name="email" type="mail" description="Courriel associé au certificat" mandatory="True"/>
|
||||||
|
</family>
|
||||||
|
</variables>
|
||||||
|
<constraints>
|
||||||
|
<check name="letsencrypt_certif">
|
||||||
|
<param type="variable">authority_cn</param>
|
||||||
|
<param type="variable">authority_name</param>
|
||||||
|
<param type="variable">plugin_name</param>
|
||||||
|
<param type="variable">credential_filename</param>
|
||||||
|
<param type="variable">email</param>
|
||||||
|
<target>domain_names</target>
|
||||||
|
</check>
|
||||||
|
</constraints>
|
||||||
|
</rougail>
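Review bot: `plugin_name` is declared as an unconstrained `type="string"`, yet the `letsencrypt_certif` check it feeds splices the value into certbot option names (`--dns-{plugin_name}`), so a typo or an unsupported plugin only surfaces as a certbot failure at install time; if rougail lets a variable be restricted to a fixed set of values, this is the variable to restrict to the DNS plugins actually installed. `authority_cn` and `authority_name` are likewise used by that check to build a directory name under the x509 tree, so a short description noting that they must be plain names (no path separators) would help the operator filling them in. Two description typos: `Nom de l'authorité` should read `Nom de l'autorité`, and `configuration du greffin` should read `configuration du greffon`.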
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,75 @@
|
||||||
|
import __main__
|
||||||
|
from subprocess import run as _run
|
||||||
|
from os.path import dirname as _dirname, abspath as _abspath, join as _join, isfile as _isfile, isdir as _isdir
|
||||||
|
from datetime import datetime as _datetime
|
||||||
|
from shutil import copyfile as _copyfile
|
||||||
|
from os import makedirs as _makedirs
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
_HERE = _dirname(_abspath(__main__.__file__))
|
||||||
|
_LE_DIR = _join(_HERE, 'pki', 'letsencrypt')
|
||||||
|
_X509_DIR = _join(_HERE, 'pki', 'x509')
|
||||||
|
|
||||||
|
|
||||||
|
def letsencrypt_certif(domain: str,
|
||||||
|
authority_cn: str,
|
||||||
|
authority_name: str,
|
||||||
|
plugin_name: str,
|
||||||
|
credential_filename: str,
|
||||||
|
email: str,
|
||||||
|
) -> None:
|
||||||
|
if None in (domain, authority_cn, authority_name, plugin_name, credential_filename, email):
|
||||||
|
return
|
||||||
|
date_file = _join(_LE_DIR, f'{domain}.date')
|
||||||
|
date = _datetime.now()
|
||||||
|
today = str(date.date())
|
||||||
|
if not _isfile(date_file):
|
||||||
|
letsencrypt_date = '0'
|
||||||
|
else:
|
||||||
|
with open(date_file, 'r') as fh:
|
||||||
|
letsencrypt_date = fh.read().strip()
|
||||||
|
if letsencrypt_date != today:
|
||||||
|
print(f"Obtain or renew Let's Encrypt certificate for {domain}...")
|
||||||
|
cli_args = ['certbot',
|
||||||
|
'certonly',
|
||||||
|
f'--dns-{plugin_name}',
|
||||||
|
f'--dns-{plugin_name}-credentials',
|
||||||
|
credential_filename,
|
||||||
|
'-d',
|
||||||
|
domain,
|
||||||
|
'--quiet',
|
||||||
|
'--config-dir',
|
||||||
|
f'{_LE_DIR}/{domain}/config',
|
||||||
|
'--work-dir',
|
||||||
|
f'{_LE_DIR}/{domain}/work',
|
||||||
|
'--logs-dir',
|
||||||
|
f'{_LE_DIR}/{domain}/logs',
|
||||||
|
'--agree-tos',
|
||||||
|
'-m',
|
||||||
|
email,
|
||||||
|
'--dns-ovh-propagation-seconds',
|
||||||
|
'360',
|
||||||
|
]
|
||||||
|
ret = _run(cli_args, capture_output=True)
|
||||||
|
if ret.returncode != 0:
|
||||||
|
raise ValueError(ret.stderr)
|
||||||
|
print("Done")
|
||||||
|
with open(date_file, 'w') as fh:
|
||||||
|
fh.write(today)
|
||||||
|
rootdir = _join(_X509_DIR, f'{authority_name}+{authority_cn}')
|
||||||
|
chaindir = _join(rootdir, 'ca')
|
||||||
|
certdir = _join(rootdir, 'certificats', domain, 'server')
|
||||||
|
week_number = date.isocalendar().week
|
||||||
|
for dirname in (chaindir, certdir):
|
||||||
|
if not _isdir(dirname):
|
||||||
|
_makedirs(dirname)
|
||||||
|
_copyfile(_join(_LE_DIR, domain, 'config/live', domain, 'chain.pem'),
|
||||||
|
_join(chaindir, f'certificate_{week_number}.crt'),
|
||||||
|
)
|
||||||
|
_copyfile(_join(_LE_DIR, domain, 'config/live', domain, 'privkey.pem'),
|
||||||
|
_join(certdir, 'private.key'),
|
||||||
|
)
|
||||||
|
_copyfile(_join(_LE_DIR, domain, 'config/live', domain, 'fullchain.pem'),
|
||||||
|
_join(certdir, f'certificate_{week_number}.crt'),
|
||||||
|
)
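Review bot: The private key is copied with `_copyfile` (shutil.copyfile), which copies content only and not the source file's mode, so `private.key` under `certdir` is created with the process's default umask permissions rather than the restrictive mode certbot typically gives `privkey.pem`; the directories made by `_makedirs(dirname)` just above get default permissions as well. After the `privkey.pem` copy, add `_chmod(_join(certdir, 'private.key'), 0o600)` (importing `chmod as _chmod` from `os` next to `makedirs`), or use a copy helper that preserves mode. Separately, `'--dns-ovh-propagation-seconds'` is hard-coded while the plugin is taken from `plugin_name`, so any value other than `ovh` makes certbot reject an option it does not know; write it as `f'--dns-{plugin_name}-propagation-seconds'`. A docstring on `letsencrypt_certif` stating that it is the rougail check target, that the `.date` file limits certbot to one run per day per domain, and which files it writes under `_X509_DIR` would make the script readable without the dictionary at hand.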
|
|
@ -10,12 +10,12 @@ def _eprint(*args, **kwargs):
|
||||||
_dknewkey.eprint = _eprint
|
_dknewkey.eprint = _eprint
|
||||||
|
|
||||||
|
|
||||||
HERE = _dirname(_abspath(__main__.__file__))
|
_HERE = _dirname(_abspath(__main__.__file__))
|
||||||
DKIM_DIR = _join(HERE, 'pki/dkim')
|
_DKIM_DIR = _join(_HERE, 'pki/dkim')
|
||||||
|
|
||||||
|
|
||||||
def get_dkim_key(domain_name_eth0, domain):
|
def get_dkim_key(domain_name_eth0, domain):
|
||||||
dkim_dir = _join(DKIM_DIR, domain_name_eth0, domain)
|
dkim_dir = _join(_DKIM_DIR, domain_name_eth0, domain)
|
||||||
dkim_file_src = _join(dkim_dir, f'{domain}')
|
dkim_file_src = _join(dkim_dir, f'{domain}')
|
||||||
dkim_file_key = _join(dkim_dir, f'{domain}.key')
|
dkim_file_key = _join(dkim_dir, f'{domain}.key')
|
||||||
dkim_file = _join(dkim_dir, f'{domain}.dns')
|
dkim_file = _join(dkim_dir, f'{domain}.dns')
|
||||||
|
|
|
@ -35,7 +35,7 @@
|
||||||
<fill name="calc_oauth2_client_external">
|
<fill name="calc_oauth2_client_external">
|
||||||
<param type="variable" optional="True">revprox_client_external_domainname</param>
|
<param type="variable" optional="True">revprox_client_external_domainname</param>
|
||||||
<param type="variable" optional="True">revprox_client_location</param>
|
<param type="variable" optional="True">revprox_client_location</param>
|
||||||
<param>/index.php/login/oauth</param>
|
<param>index.php/login/oauth</param>
|
||||||
<target>oauth2_client_login</target>
|
<target>oauth2_client_login</target>
|
||||||
</fill>
|
</fill>
|
||||||
</constraints>
|
</constraints>
|
||||||
|
|