# Copyright 2024 VyOS maintainers and contributors # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # This library is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public License # along with this library. If not, see . # T5886: Add support for ACME protocol (LetsEncrypt), migrate https certbot # to new "pki certificate" CLI tree # T5902: Remove virtual-host import os from vyos.configtree import ConfigTree from vyos.defaults import directories from vyos.utils.process import cmd vyos_certbot_dir = directories['certbot'] base = ['service', 'https'] def migrate(config: ConfigTree) -> None: if not config.exists(base): # Nothing to do return if config.exists(base + ['certificates', 'certbot']): # both domain-name and email must be set on CLI - ensured by previous verify() domain_names = config.return_values(base + ['certificates', 'certbot', 'domain-name']) email = config.return_value(base + ['certificates', 'certbot', 'email']) config.delete(base + ['certificates', 'certbot']) # Set default certname based on domain-name cert_name = 'https-' + domain_names[0].split('.')[0] # Overwrite certname from previous certbot calls if available # We can not use python code like os.scandir due to filesystem permissions. # This must be run as root certbot_live = f'{vyos_certbot_dir}/live/' # we need the trailing / if os.path.exists(certbot_live): tmp = cmd(f'sudo find {certbot_live} -maxdepth 1 -type d') tmp = tmp.split() # tmp = ['/config/auth/letsencrypt/live', '/config/auth/letsencrypt/live/router.vyos.net'] tmp.remove(certbot_live) cert_name = tmp[0].replace(certbot_live, '') config.set(['pki', 'certificate', cert_name, 'acme', 'email'], value=email) config.set_tag(['pki', 'certificate']) for domain in domain_names: config.set(['pki', 'certificate', cert_name, 'acme', 'domain-name'], value=domain, replace=False) # Update Webserver certificate config.set(base + ['certificates', 'certificate'], value=cert_name) if config.exists(base + ['virtual-host']): allow_client = [] listen_port = [] listen_address = [] for virtual_host in config.list_nodes(base + ['virtual-host']): allow_path = base + ['virtual-host', virtual_host, 'allow-client', 'address'] if config.exists(allow_path): tmp = config.return_values(allow_path) allow_client.extend(tmp) port_path = base + ['virtual-host', virtual_host, 'port'] if config.exists(port_path): tmp = config.return_value(port_path) listen_port.append(tmp) listen_address_path = base + ['virtual-host', virtual_host, 'listen-address'] if config.exists(listen_address_path): tmp = config.return_value(listen_address_path) listen_address.append(tmp) config.delete(base + ['virtual-host']) for client in allow_client: config.set(base + ['allow-client', 'address'], value=client, replace=False) # clear listen-address if "all" were specified if '*' in listen_address: listen_address = [] for address in listen_address: config.set(base + ['listen-address'], value=address, replace=False)