Makussu/bunkerweb
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

certbot - add USE_LETS_ENCRYPT_STAGING=yes/no env var for using staging or production servers of let's encrypt

Browse Source
This commit is contained in:
bunkerity 2021-07-23 11:51:50 +02:00
parent 0dc2a5ec25
commit ef8969e2cf
No known key found for this signature in database
GPG Key ID: 3D80806F12602A7C
6 changed files with 27 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
confs/global/nginx-temp.conf
View File

@ -15,7 +15,8 @@ http {
fastcgi_temp_path /tmp/fastcgi_temp; fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp; uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp; scgi_temp_path /tmp/scgi_temp;
lua_package_path "/usr/local/lib/lua/?.lua;;"; lua_package_path "/opt/bunkerized-nginx/lua/?.lua;/opt/bunkerized-nginx/plugins/?.lua;/opt/bunkerized-nginx/deps/lib/lua/?.lua;;";
lua_package_cpath "/opt/bunkerized-nginx/deps/lib/?.so;/opt/bunkerized-nginx/deps/lib/lua/?.so;;";
server { server {
listen 0.0.0.0:%HTTP_PORT% default_server; listen 0.0.0.0:%HTTP_PORT% default_server;
server_name _; server_name _;

11
entrypoint/jobs.sh
View File

@ -19,7 +19,7 @@ if [ "$files" != "" ] ; then
SELF_SIGNED_SSL_ORG="$(sed -nE 's/^SELF_SIGNED_SSL_ORG=(.*)$/\1/p' $file)" SELF_SIGNED_SSL_ORG="$(sed -nE 's/^SELF_SIGNED_SSL_ORG=(.*)$/\1/p' $file)"
SELF_SIGNED_SSL_OU="$(sed -nE 's/^SELF_SIGNED_SSL_OU=(.*)$/\1/p' $file)" SELF_SIGNED_SSL_OU="$(sed -nE 's/^SELF_SIGNED_SSL_OU=(.*)$/\1/p' $file)"
SELF_SIGNED_SSL_CN="$(sed -nE 's/^SELF_SIGNED_SSL_CN=(.*)$/\1/p' $file)" SELF_SIGNED_SSL_CN="$(sed -nE 's/^SELF_SIGNED_SSL_CN=(.*)$/\1/p' $file)"
/opt/bunkerized-nginx/jobs/main.py --name self-signed-cert --dst_cert "${dest}self-cert.pem" --dst_key "${dest}self-key.pem" --days "$SELF_SIGNED_SSL_EXPIRY" --subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN" /opt/bunkerized-nginx/jobs/main.py --name self-signed-cert --dst_cert "${dest}self-cert.pem" --dst_key "${dest}self-key.pem" --expiry "$SELF_SIGNED_SSL_EXPIRY" --subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
if [ $? -eq 0 ] ; then if [ $? -eq 0 ] ; then
echo "[*] Generated self-signed certificate ${dest}self-cert.pem with key ${dest}self-key.pem" echo "[*] Generated self-signed certificate ${dest}self-cert.pem with key ${dest}self-key.pem"
else else
@ -37,7 +37,7 @@ if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$(has_value GENERATE_SEL
SELF_SIGNED_SSL_ORG="Your Company, Inc." SELF_SIGNED_SSL_ORG="Your Company, Inc."
SELF_SIGNED_SSL_OU="IT" SELF_SIGNED_SSL_OU="IT"
SELF_SIGNED_SSL_CN="www.yourdomain.com" SELF_SIGNED_SSL_CN="www.yourdomain.com"
/opt/bunkerized-nginx/jobs/main.py --name self-signed-cert --dst_cert "/etc/nginx/default-cert.pem" --dst_key "/etc/nginx/default-key.pem" --days "$SELF_SIGNED_SSL_EXPIRY" --subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN" /opt/bunkerized-nginx/jobs/main.py --name self-signed-cert --dst_cert "/etc/nginx/default-cert.pem" --dst_key "/etc/nginx/default-key.pem" --expiry "$SELF_SIGNED_SSL_EXPIRY" --subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
if [ $? -eq 0 ] ; then if [ $? -eq 0 ] ; then
echo "[*] Generated self-signed certificate for default server" echo "[*] Generated self-signed certificate for default server"
else else
@ -55,10 +55,15 @@ if [ "$files" != "" ] ; then
SERVER_NAME="$(sed -nE 's/^SERVER_NAME=(.*)$/\1/p' $file)" SERVER_NAME="$(sed -nE 's/^SERVER_NAME=(.*)$/\1/p' $file)"
FIRST_SERVER="$(echo $SERVER_NAME | cut -d ' ' -f 1)" FIRST_SERVER="$(echo $SERVER_NAME | cut -d ' ' -f 1)"
EMAIL_LETS_ENCRYPT="$(sed -nE 's/^EMAIL_LETS_ENCRYPT=(.*)$/\1/p' $file)" EMAIL_LETS_ENCRYPT="$(sed -nE 's/^EMAIL_LETS_ENCRYPT=(.*)$/\1/p' $file)"
USE_STAGING="$(grep "^USE_LETS_ENCRYPT_STAGING=yes$" $file)"
if [ "$EMAIL_LETS_ENCRYPT" = "" ] ; then if [ "$EMAIL_LETS_ENCRYPT" = "" ] ; then
EMAIL_LETS_ENCRYPT="contact@${FIRST_SERVER}" EMAIL_LETS_ENCRYPT="contact@${FIRST_SERVER}"
fi fi
/opt/bunkerized-nginx/jobs/main.py --name certbot-new --domain "$(echo -n $SERVER_NAME | sed 's/ /,/g')" --email "$EMAIL_LETS_ENCRYPT" if [ "$USE_STAGING" = "" ] ; then
/opt/bunkerized-nginx/jobs/main.py --name certbot-new --domain "$(echo -n $SERVER_NAME | sed 's/ /,/g')" --email "$EMAIL_LETS_ENCRYPT"
else
/opt/bunkerized-nginx/jobs/main.py --name certbot-new --domain "$(echo -n $SERVER_NAME | sed 's/ /,/g')" --email "$EMAIL_LETS_ENCRYPT" --staging
fi
if [ $? -eq 0 ] ; then if [ $? -eq 0 ] ; then
echo "[*] Certbot new successfully executed for domain(s) $(echo -n $SERVER_NAME | sed 's/ /,/g')" echo "[*] Certbot new successfully executed for domain(s) $(echo -n $SERVER_NAME | sed 's/ /,/g')"
else else

4
jobs/CertbotNew.py
View File

@ -2,8 +2,10 @@ from Job import Job
class CertbotNew(Job) : class CertbotNew(Job) :
def __init__(self, redis_host=None, copy_cache=False, domain="", email="") : def __init__(self, redis_host=None, copy_cache=False, domain="", email="", staging=False) :
name = "certbot-new" name = "certbot-new"
data = ["certbot", "certonly", "--webroot", "-w", "/opt/bunkerized-nginx/acme-challenge", "-n", "-d", domain, "--email", email, "--agree-tos"] data = ["certbot", "certonly", "--webroot", "-w", "/opt/bunkerized-nginx/acme-challenge", "-n", "-d", domain, "--email", email, "--agree-tos"]
if staging :
data.append("--staging")
type = "exec" type = "exec"
super().__init__(name, data, filename=None, redis_host=redis_host, type=type, copy_cache=copy_cache) super().__init__(name, data, filename=None, redis_host=redis_host, type=type, copy_cache=copy_cache)

6
jobs/Job.py
View File

@ -1,4 +1,4 @@
import abc, requests, redis, os, datetime, traceback, re, shutil, enum, filecmp import abc, requests, redis, os, datetime, traceback, re, shutil, enum, filecmp, subprocess
class JobRet(enum.Enum) : class JobRet(enum.Enum) :
KO = 0 KO = 0
@ -41,7 +41,7 @@ class Job(abc.ABC) :
elif self._type == "exec" : elif self._type == "exec" :
return self.__exec() return self.__exec()
except Exception as e : except Exception as e :
self.__log("exception while running job : " + traceback.format_exc()) self._log("exception while running job : " + traceback.format_exc())
return JobRet.KO return JobRet.KO
return ret return ret
@ -101,7 +101,7 @@ class Job(abc.ABC) :
def __exec(self) : def __exec(self) :
proc = subprocess.run(self._data, capture_output=True) proc = subprocess.run(self._data, capture_output=True)
stdout = proc.stdout.decode("ascii") stdout = proc.stdout.decode("ascii")
stderr = proc.stderr.decode("err") stderr = proc.stderr.decode("ascii")
if len(stdout) > 1 : if len(stdout) > 1 :
self._log("stdout = " + stdout) self._log("stdout = " + stdout)
if len(stderr) > 1 : if len(stderr) > 1 :

3
jobs/main.py
View File

@ -30,6 +30,7 @@ if __name__ == "__main__" :
parser.add_argument("--cache", action="store_true", help="copy data from cache if available") parser.add_argument("--cache", action="store_true", help="copy data from cache if available")
parser.add_argument("--domain", default="", type=str, help="domain(s) for certbot-new job (e.g. : www.example.com or app1.example.com,app2.example.com)") parser.add_argument("--domain", default="", type=str, help="domain(s) for certbot-new job (e.g. : www.example.com or app1.example.com,app2.example.com)")
parser.add_argument("--email", default="", type=str, help="email for certbot-new job (e.g. : contact@example.com)") parser.add_argument("--email", default="", type=str, help="email for certbot-new job (e.g. : contact@example.com)")
parser.add_argument("--staging", action="store_true", help="use staging server for let's encrypt instead of the production one")
parser.add_argument("--dst_cert", default="", type=str, help="certificate path for self-signed-cert job (e.g. : /etc/nginx/default-cert.pem)") parser.add_argument("--dst_cert", default="", type=str, help="certificate path for self-signed-cert job (e.g. : /etc/nginx/default-cert.pem)")
parser.add_argument("--dst_key", default="", type=str, help="key path for self-signed-cert job (e.g. : /etc/nginx/default-key.pem)") parser.add_argument("--dst_key", default="", type=str, help="key path for self-signed-cert job (e.g. : /etc/nginx/default-key.pem)")
parser.add_argument("--expiry", default="", type=str, help="number of validity days for self-signed-cert job (e.g. : 365)") parser.add_argument("--expiry", default="", type=str, help="number of validity days for self-signed-cert job (e.g. : 365)")
@ -46,7 +47,7 @@ if __name__ == "__main__" :
print("[*] Executing job " + job) print("[*] Executing job " + job)
ret = 0 ret = 0
if job == "certbot-new" : if job == "certbot-new" :
instance = JOBS[job](redis_host=args.redis, copy_cache=args.cache, domain=args.domain, email=args.email) instance = JOBS[job](redis_host=args.redis, copy_cache=args.cache, domain=args.domain, email=args.email, staging=args.staging)
elif job == "self-signed-cert" : elif job == "self-signed-cert" :
instance = JOBS[job](redis_host=args.redis, copy_cache=args.cache, dst_cert=args.dst_cert, dst_key=args.dst_key, expiry=args.expiry, subj=args.subj) instance = JOBS[job](redis_host=args.redis, copy_cache=args.cache, dst_cert=args.dst_cert, dst_key=args.dst_key, expiry=args.expiry, subj=args.subj)
else : else :

9
settings.json
View File

@ -537,6 +537,15 @@
"regex": "^([a-z0-9\\-\\.]+@[a-z\\-0-9\\.]+|.{0})$", "regex": "^([a-z0-9\\-\\.]+@[a-z\\-0-9\\.]+|.{0})$",
"type": "text" "type": "text"
}, },
{
"context": "multisite",
"default": "no",
"env": "USE_LETS_ENCRYPT_STAGING",
"id": "use-lets-encrypt-staging",
"label": "Use staging server instead of production one",
"regex": "^(yes|no)$",
"type": "checkbox"
},
{ {
"context": "multisite", "context": "multisite",
"default": "no", "default": "no",