From e45cc2e9e6d555329160624988fd4ff2146aabcb Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Fri, 13 Dec 2019 13:33:04 -0600 Subject: service https: T1585: add support for letsencrypt certificates --- src/conf_mode/https.py | 42 +++++++++++++---- src/conf_mode/le_cert.py | 119 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 153 insertions(+), 8 deletions(-) create mode 100755 src/conf_mode/le_cert.py (limited to 'src') diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py index fbd351e45..2b492be26 100755 --- a/src/conf_mode/https.py +++ b/src/conf_mode/https.py @@ -22,6 +22,7 @@ import os import jinja2 import vyos.defaults +import vyos.certbot_util from vyos.config import Config from vyos import ConfigError @@ -56,7 +57,12 @@ server { server_name {{ name }}; {% endfor %} -{% if server.vyos_cert %} +{% if server.certbot %} + ssl_certificate /etc/letsencrypt/live/{{ server.certbot_dir }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ server.certbot_dir }}/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; +{% elif server.vyos_cert %} include {{ server.vyos_cert.conf }}; {% else %} # @@ -91,9 +97,9 @@ server { default_server_block = { 'address' : '*', 'name' : ['_'], - # api : - # vyos_cert : - # le_cert : + 'api' : {}, + 'vyos_cert' : {}, + 'certbot' : False } def get_config(): @@ -121,13 +127,27 @@ def get_config(): server_block_list.append(default_server_block) vyos_cert_data = {} - if conf.exists('certificates'): - if conf.exists('certificates system-generated-certificate'): - vyos_cert_data = vyos.defaults.vyos_cert_data + if conf.exists('certificates system-generated-certificate'): + vyos_cert_data = vyos.defaults.vyos_cert_data if vyos_cert_data: for block in server_block_list: block['vyos_cert'] = vyos_cert_data + certbot = False + certbot_domains = [] + if conf.exists('certificates certbot domain-name'): + certbot_domains = conf.return_values('certificates certbot domain-name') + if certbot_domains: + certbot = True + for domain in certbot_domains: + sub_list = vyos.certbot_util.choose_server_block(server_block_list, + domain) + if sub_list: + for sb in sub_list: + sb['certbot'] = True + # certbot organizes certificates by first domain + sb['certbot_dir'] = certbot_domains[0] + api_data = {} if conf.exists('api'): api_data = vyos.defaults.api_data @@ -138,10 +158,16 @@ def get_config(): for block in server_block_list: block['api'] = api_data - https = {'server_block_list' : server_block_list} + https = {'server_block_list' : server_block_list, 'certbot': certbot} return https def verify(https): + if https['certbot']: + for sb in https['server_block_list']: + if sb['certbot']: + return None + raise ConfigError("At least one 'listen-address x.x.x.x server-name' " + "matching the 'certbot domain-name' is required.") return None def generate(https): diff --git a/src/conf_mode/le_cert.py b/src/conf_mode/le_cert.py new file mode 100755 index 000000000..c657098e1 --- /dev/null +++ b/src/conf_mode/le_cert.py @@ -0,0 +1,119 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +# + +import sys +import os +import subprocess + +import vyos.defaults +from vyos.config import Config +from vyos import ConfigError + +vyos_conf_scripts_dir = vyos.defaults.directories['conf_mode'] + +dependencies = [ + 'https.py', +] + +def request_certbot(cert): + email = cert.get('email') + if email is not None: + email_flag = '-m {0}'.format(email) + else: + email_flag = '' + + domains = cert.get('domains') + if domains is not None: + domain_flag = '-d ' + ' -d '.join(domains) + else: + domain_flag = '' + + certbot_cmd = 'certbot certonly -n --nginx --agree-tos --no-eff-email --expand {0} {1}'.format(email_flag, domain_flag) + + completed = subprocess.run(certbot_cmd, shell=True) + + return completed.returncode + +def get_config(): + conf = Config() + if not conf.exists('service https certificates certbot'): + return None + else: + conf.set_level('service https certificates certbot') + + cert = {} + + if conf.exists('domain-name'): + cert['domains'] = conf.return_values('domain-name') + + if conf.exists('email'): + cert['email'] = conf.return_value('email') + + return cert + +def verify(cert): + if cert is None: + return None + + if 'domains' not in cert: + raise ConfigError("At least one domain name is required to" + " request a letsencrypt certificate.") + + if 'email' not in cert: + raise ConfigError("An email address is required to request" + " a letsencrypt certificate.") + +def generate(cert): + if cert is None: + return None + + # certbot will attempt to reload nginx, even with 'certonly'; + # start nginx if not active + ret = os.system('systemctl is-active --quiet nginx.ervice') + if ret: + os.system('sudo systemctl start nginx.service') + + ret = request_certbot(cert) + if ret: + raise ConfigError("The certbot request failed for the" + " specified domains.") + +def apply(cert): + if cert is not None: + os.system('sudo systemctl restart certbot.timer') + else: + os.system('sudo systemctl stop certbot.timer') + return None + + for dep in dependencies: + cmd = '{0}/{1}'.format(vyos_conf_scripts_dir, dep) + try: + subprocess.check_call(cmd, shell=True) + except subprocess.CalledProcessError as err: + raise ConfigError(str(err)) + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + sys.exit(1) + -- cgit v1.2.3