From 3a9cabbc9568d5d059789b349374c8af3cb25e2f Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Fri, 13 Dec 2019 13:08:47 -0600 Subject: service https: T1443: reorder elements for clarity --- interface-definitions/https.xml.in | 47 +++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 24 deletions(-) diff --git a/interface-definitions/https.xml.in b/interface-definitions/https.xml.in index 4c91bbd94..fd4395ce9 100644 --- a/interface-definitions/https.xml.in +++ b/interface-definitions/https.xml.in @@ -51,30 +51,6 @@ - - - TLS certificates - - - - - Use an automatically generated self-signed certificate - - - - - - Lifetime in days; default is 365 - - 1-65535 - Number of days - - - - - - - VyOS HTTP API configuration @@ -127,6 +103,29 @@ + + + TLS certificates + + + + + Use an automatically generated self-signed certificate + + + + + Lifetime in days; default is 365 + + 1-65535 + Number of days + + + + + + + -- cgit v1.2.3 From e45cc2e9e6d555329160624988fd4ff2146aabcb Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Fri, 13 Dec 2019 13:33:04 -0600 Subject: service https: T1585: add support for letsencrypt certificates --- debian/control | 1 + interface-definitions/https.xml.in | 18 ++++++ python/vyos/certbot_util.py | 58 ++++++++++++++++++ src/conf_mode/https.py | 42 ++++++++++--- src/conf_mode/le_cert.py | 119 +++++++++++++++++++++++++++++++++++++ 5 files changed, 230 insertions(+), 8 deletions(-) create mode 100644 python/vyos/certbot_util.py create mode 100755 src/conf_mode/le_cert.py diff --git a/debian/control b/debian/control index 9df421977..bca066aff 100644 --- a/debian/control +++ b/debian/control @@ -81,6 +81,7 @@ Depends: python3, crda, wireless-regdb, pmacct (>= 1.6.0), + python3-certbot-nginx, ${shlibs:Depends}, ${misc:Depends} Description: VyOS configuration scripts and data diff --git a/interface-definitions/https.xml.in b/interface-definitions/https.xml.in index fd4395ce9..4f940f7f6 100644 --- a/interface-definitions/https.xml.in +++ b/interface-definitions/https.xml.in @@ -124,6 +124,24 @@ + + + Request or apply a letsencrypt certificate for domain-name + + + + + Domain name(s) for which to obtain certificate + + + + + + Email address to associate with certificate + + + + diff --git a/python/vyos/certbot_util.py b/python/vyos/certbot_util.py new file mode 100644 index 000000000..df42d4780 --- /dev/null +++ b/python/vyos/certbot_util.py @@ -0,0 +1,58 @@ +# certbot_util -- adaptation of certbot_nginx name matching functions for VyOS +# https://github.com/certbot/certbot/blob/master/LICENSE.txt + +from certbot_nginx import parser + +NAME_RANK = 0 +START_WILDCARD_RANK = 1 +END_WILDCARD_RANK = 2 +REGEX_RANK = 3 + +def _rank_matches_by_name(server_block_list, target_name): + """Returns a ranked list of server_blocks that match target_name. + Adapted from the function of the same name in + certbot_nginx.NginxConfigurator + """ + matches = [] + for server_block in server_block_list: + name_type, name = parser.get_best_match(target_name, + server_block['name']) + if name_type == 'exact': + matches.append({'vhost': server_block, + 'name': name, + 'rank': NAME_RANK}) + elif name_type == 'wildcard_start': + matches.append({'vhost': server_block, + 'name': name, + 'rank': START_WILDCARD_RANK}) + elif name_type == 'wildcard_end': + matches.append({'vhost': server_block, + 'name': name, + 'rank': END_WILDCARD_RANK}) + elif name_type == 'regex': + matches.append({'vhost': server_block, + 'name': name, + 'rank': REGEX_RANK}) + + return sorted(matches, key=lambda x: x['rank']) + +def _select_best_name_match(matches): + """Returns the best name match of a ranked list of server_blocks. + Adapted from the function of the same name in + certbot_nginx.NginxConfigurator + """ + if not matches: + return None + elif matches[0]['rank'] in [START_WILDCARD_RANK, END_WILDCARD_RANK]: + rank = matches[0]['rank'] + wildcards = [x for x in matches if x['rank'] == rank] + return max(wildcards, key=lambda x: len(x['name']))['vhost'] + else: + return matches[0]['vhost'] + +def choose_server_block(server_block_list, target_name): + matches = _rank_matches_by_name(server_block_list, target_name) + server_blocks = [x for x in [_select_best_name_match(matches)] + if x is not None] + return server_blocks + diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py index fbd351e45..2b492be26 100755 --- a/src/conf_mode/https.py +++ b/src/conf_mode/https.py @@ -22,6 +22,7 @@ import os import jinja2 import vyos.defaults +import vyos.certbot_util from vyos.config import Config from vyos import ConfigError @@ -56,7 +57,12 @@ server { server_name {{ name }}; {% endfor %} -{% if server.vyos_cert %} +{% if server.certbot %} + ssl_certificate /etc/letsencrypt/live/{{ server.certbot_dir }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ server.certbot_dir }}/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; +{% elif server.vyos_cert %} include {{ server.vyos_cert.conf }}; {% else %} # @@ -91,9 +97,9 @@ server { default_server_block = { 'address' : '*', 'name' : ['_'], - # api : - # vyos_cert : - # le_cert : + 'api' : {}, + 'vyos_cert' : {}, + 'certbot' : False } def get_config(): @@ -121,13 +127,27 @@ def get_config(): server_block_list.append(default_server_block) vyos_cert_data = {} - if conf.exists('certificates'): - if conf.exists('certificates system-generated-certificate'): - vyos_cert_data = vyos.defaults.vyos_cert_data + if conf.exists('certificates system-generated-certificate'): + vyos_cert_data = vyos.defaults.vyos_cert_data if vyos_cert_data: for block in server_block_list: block['vyos_cert'] = vyos_cert_data + certbot = False + certbot_domains = [] + if conf.exists('certificates certbot domain-name'): + certbot_domains = conf.return_values('certificates certbot domain-name') + if certbot_domains: + certbot = True + for domain in certbot_domains: + sub_list = vyos.certbot_util.choose_server_block(server_block_list, + domain) + if sub_list: + for sb in sub_list: + sb['certbot'] = True + # certbot organizes certificates by first domain + sb['certbot_dir'] = certbot_domains[0] + api_data = {} if conf.exists('api'): api_data = vyos.defaults.api_data @@ -138,10 +158,16 @@ def get_config(): for block in server_block_list: block['api'] = api_data - https = {'server_block_list' : server_block_list} + https = {'server_block_list' : server_block_list, 'certbot': certbot} return https def verify(https): + if https['certbot']: + for sb in https['server_block_list']: + if sb['certbot']: + return None + raise ConfigError("At least one 'listen-address x.x.x.x server-name' " + "matching the 'certbot domain-name' is required.") return None def generate(https): diff --git a/src/conf_mode/le_cert.py b/src/conf_mode/le_cert.py new file mode 100755 index 000000000..c657098e1 --- /dev/null +++ b/src/conf_mode/le_cert.py @@ -0,0 +1,119 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +# + +import sys +import os +import subprocess + +import vyos.defaults +from vyos.config import Config +from vyos import ConfigError + +vyos_conf_scripts_dir = vyos.defaults.directories['conf_mode'] + +dependencies = [ + 'https.py', +] + +def request_certbot(cert): + email = cert.get('email') + if email is not None: + email_flag = '-m {0}'.format(email) + else: + email_flag = '' + + domains = cert.get('domains') + if domains is not None: + domain_flag = '-d ' + ' -d '.join(domains) + else: + domain_flag = '' + + certbot_cmd = 'certbot certonly -n --nginx --agree-tos --no-eff-email --expand {0} {1}'.format(email_flag, domain_flag) + + completed = subprocess.run(certbot_cmd, shell=True) + + return completed.returncode + +def get_config(): + conf = Config() + if not conf.exists('service https certificates certbot'): + return None + else: + conf.set_level('service https certificates certbot') + + cert = {} + + if conf.exists('domain-name'): + cert['domains'] = conf.return_values('domain-name') + + if conf.exists('email'): + cert['email'] = conf.return_value('email') + + return cert + +def verify(cert): + if cert is None: + return None + + if 'domains' not in cert: + raise ConfigError("At least one domain name is required to" + " request a letsencrypt certificate.") + + if 'email' not in cert: + raise ConfigError("An email address is required to request" + " a letsencrypt certificate.") + +def generate(cert): + if cert is None: + return None + + # certbot will attempt to reload nginx, even with 'certonly'; + # start nginx if not active + ret = os.system('systemctl is-active --quiet nginx.ervice') + if ret: + os.system('sudo systemctl start nginx.service') + + ret = request_certbot(cert) + if ret: + raise ConfigError("The certbot request failed for the" + " specified domains.") + +def apply(cert): + if cert is not None: + os.system('sudo systemctl restart certbot.timer') + else: + os.system('sudo systemctl stop certbot.timer') + return None + + for dep in dependencies: + cmd = '{0}/{1}'.format(vyos_conf_scripts_dir, dep) + try: + subprocess.check_call(cmd, shell=True) + except subprocess.CalledProcessError as err: + raise ConfigError(str(err)) + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + sys.exit(1) + -- cgit v1.2.3