diff options
| author | John Estabrook <jestabro@sentrium.io> | 2019-12-13 13:33:04 -0600 |
|---|---|---|
| committer | John Estabrook <jestabro@sentrium.io> | 2020-02-05 09:29:02 -0600 |
| commit | e45cc2e9e6d555329160624988fd4ff2146aabcb (patch) | |
| tree | 00bf8dea8636a7b30d540f35382257007208f3aa /src/conf_mode/https.py | |
| parent | 3a9cabbc9568d5d059789b349374c8af3cb25e2f (diff) | |
| download | vyos-1x-e45cc2e9e6d555329160624988fd4ff2146aabcb.tar.gz vyos-1x-e45cc2e9e6d555329160624988fd4ff2146aabcb.zip | |
service https: T1585: add support for letsencrypt certificates
Diffstat (limited to 'src/conf_mode/https.py')
| -rwxr-xr-x | src/conf_mode/https.py | 42 |
1 files changed, 34 insertions, 8 deletions
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py index fbd351e45..2b492be26 100755 --- a/src/conf_mode/https.py +++ b/src/conf_mode/https.py @@ -22,6 +22,7 @@ import os import jinja2 import vyos.defaults +import vyos.certbot_util from vyos.config import Config from vyos import ConfigError @@ -56,7 +57,12 @@ server { server_name {{ name }}; {% endfor %} -{% if server.vyos_cert %} +{% if server.certbot %} + ssl_certificate /etc/letsencrypt/live/{{ server.certbot_dir }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ server.certbot_dir }}/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; +{% elif server.vyos_cert %} include {{ server.vyos_cert.conf }}; {% else %} # @@ -91,9 +97,9 @@ server { default_server_block = { 'address' : '*', 'name' : ['_'], - # api : - # vyos_cert : - # le_cert : + 'api' : {}, + 'vyos_cert' : {}, + 'certbot' : False } def get_config(): @@ -121,13 +127,27 @@ def get_config(): server_block_list.append(default_server_block) vyos_cert_data = {} - if conf.exists('certificates'): - if conf.exists('certificates system-generated-certificate'): - vyos_cert_data = vyos.defaults.vyos_cert_data + if conf.exists('certificates system-generated-certificate'): + vyos_cert_data = vyos.defaults.vyos_cert_data if vyos_cert_data: for block in server_block_list: block['vyos_cert'] = vyos_cert_data + certbot = False + certbot_domains = [] + if conf.exists('certificates certbot domain-name'): + certbot_domains = conf.return_values('certificates certbot domain-name') + if certbot_domains: + certbot = True + for domain in certbot_domains: + sub_list = vyos.certbot_util.choose_server_block(server_block_list, + domain) + if sub_list: + for sb in sub_list: + sb['certbot'] = True + # certbot organizes certificates by first domain + sb['certbot_dir'] = certbot_domains[0] + api_data = {} if conf.exists('api'): api_data = vyos.defaults.api_data @@ -138,10 +158,16 @@ def get_config(): for block in server_block_list: block['api'] = api_data - https = {'server_block_list' : server_block_list} + https = {'server_block_list' : server_block_list, 'certbot': certbot} return https def verify(https): + if https['certbot']: + for sb in https['server_block_list']: + if sb['certbot']: + return None + raise ConfigError("At least one 'listen-address x.x.x.x server-name' " + "matching the 'certbot domain-name' is required.") return None def generate(https): |