summaryrefslogtreecommitdiff
path: root/src/conf_mode
diff options
context:
space:
mode:
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/https.py42
-rwxr-xr-xsrc/conf_mode/le_cert.py119
2 files changed, 153 insertions, 8 deletions
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index fbd351e45..2b492be26 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -22,6 +22,7 @@ import os
import jinja2
import vyos.defaults
+import vyos.certbot_util
from vyos.config import Config
from vyos import ConfigError
@@ -56,7 +57,12 @@ server {
server_name {{ name }};
{% endfor %}
-{% if server.vyos_cert %}
+{% if server.certbot %}
+ ssl_certificate /etc/letsencrypt/live/{{ server.certbot_dir }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ server.certbot_dir }}/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+{% elif server.vyos_cert %}
include {{ server.vyos_cert.conf }};
{% else %}
#
@@ -91,9 +97,9 @@ server {
default_server_block = {
'address' : '*',
'name' : ['_'],
- # api :
- # vyos_cert :
- # le_cert :
+ 'api' : {},
+ 'vyos_cert' : {},
+ 'certbot' : False
}
def get_config():
@@ -121,13 +127,27 @@ def get_config():
server_block_list.append(default_server_block)
vyos_cert_data = {}
- if conf.exists('certificates'):
- if conf.exists('certificates system-generated-certificate'):
- vyos_cert_data = vyos.defaults.vyos_cert_data
+ if conf.exists('certificates system-generated-certificate'):
+ vyos_cert_data = vyos.defaults.vyos_cert_data
if vyos_cert_data:
for block in server_block_list:
block['vyos_cert'] = vyos_cert_data
+ certbot = False
+ certbot_domains = []
+ if conf.exists('certificates certbot domain-name'):
+ certbot_domains = conf.return_values('certificates certbot domain-name')
+ if certbot_domains:
+ certbot = True
+ for domain in certbot_domains:
+ sub_list = vyos.certbot_util.choose_server_block(server_block_list,
+ domain)
+ if sub_list:
+ for sb in sub_list:
+ sb['certbot'] = True
+ # certbot organizes certificates by first domain
+ sb['certbot_dir'] = certbot_domains[0]
+
api_data = {}
if conf.exists('api'):
api_data = vyos.defaults.api_data
@@ -138,10 +158,16 @@ def get_config():
for block in server_block_list:
block['api'] = api_data
- https = {'server_block_list' : server_block_list}
+ https = {'server_block_list' : server_block_list, 'certbot': certbot}
return https
def verify(https):
+ if https['certbot']:
+ for sb in https['server_block_list']:
+ if sb['certbot']:
+ return None
+ raise ConfigError("At least one 'listen-address x.x.x.x server-name' "
+ "matching the 'certbot domain-name' is required.")
return None
def generate(https):
diff --git a/src/conf_mode/le_cert.py b/src/conf_mode/le_cert.py
new file mode 100755
index 000000000..c657098e1
--- /dev/null
+++ b/src/conf_mode/le_cert.py
@@ -0,0 +1,119 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2019 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#
+
+import sys
+import os
+import subprocess
+
+import vyos.defaults
+from vyos.config import Config
+from vyos import ConfigError
+
+vyos_conf_scripts_dir = vyos.defaults.directories['conf_mode']
+
+dependencies = [
+ 'https.py',
+]
+
+def request_certbot(cert):
+ email = cert.get('email')
+ if email is not None:
+ email_flag = '-m {0}'.format(email)
+ else:
+ email_flag = ''
+
+ domains = cert.get('domains')
+ if domains is not None:
+ domain_flag = '-d ' + ' -d '.join(domains)
+ else:
+ domain_flag = ''
+
+ certbot_cmd = 'certbot certonly -n --nginx --agree-tos --no-eff-email --expand {0} {1}'.format(email_flag, domain_flag)
+
+ completed = subprocess.run(certbot_cmd, shell=True)
+
+ return completed.returncode
+
+def get_config():
+ conf = Config()
+ if not conf.exists('service https certificates certbot'):
+ return None
+ else:
+ conf.set_level('service https certificates certbot')
+
+ cert = {}
+
+ if conf.exists('domain-name'):
+ cert['domains'] = conf.return_values('domain-name')
+
+ if conf.exists('email'):
+ cert['email'] = conf.return_value('email')
+
+ return cert
+
+def verify(cert):
+ if cert is None:
+ return None
+
+ if 'domains' not in cert:
+ raise ConfigError("At least one domain name is required to"
+ " request a letsencrypt certificate.")
+
+ if 'email' not in cert:
+ raise ConfigError("An email address is required to request"
+ " a letsencrypt certificate.")
+
+def generate(cert):
+ if cert is None:
+ return None
+
+ # certbot will attempt to reload nginx, even with 'certonly';
+ # start nginx if not active
+ ret = os.system('systemctl is-active --quiet nginx.ervice')
+ if ret:
+ os.system('sudo systemctl start nginx.service')
+
+ ret = request_certbot(cert)
+ if ret:
+ raise ConfigError("The certbot request failed for the"
+ " specified domains.")
+
+def apply(cert):
+ if cert is not None:
+ os.system('sudo systemctl restart certbot.timer')
+ else:
+ os.system('sudo systemctl stop certbot.timer')
+ return None
+
+ for dep in dependencies:
+ cmd = '{0}/{1}'.format(vyos_conf_scripts_dir, dep)
+ try:
+ subprocess.check_call(cmd, shell=True)
+ except subprocess.CalledProcessError as err:
+ raise ConfigError(str(err))
+
+if __name__ == '__main__':
+ try:
+ c = get_config()
+ verify(c)
+ generate(c)
+ apply(c)
+ except ConfigError as e:
+ print(e)
+ sys.exit(1)
+