Commit 30f9b711 authored by Alain Takoudjou's avatar Alain Takoudjou

autocert: use cron for renew, add promise to check certificate

parent 035c345c
...@@ -15,12 +15,16 @@ ...@@ -15,12 +15,16 @@
[template-instance] [template-instance]
filename = instance.cfg.in filename = instance.cfg.in
md5sum = 9e584e5273ecf222da40b0f318fd62fd md5sum = abcb4312498177b0577202c0094efcba
[template-autocert] [template-autocert]
filename = instance-autocert.cfg.jinja2.in filename = instance-autocert.cfg.jinja2.in
md5sum = 4f914e5bf419009cb627f1314b76db63 md5sum = a6dc701b75ffb888bf8648ea7dca33e2
[template-dehydrated-config] [template-dehydrated-config]
filename = config.in filename = config.in
md5sum = a12b0e12658a48658e366f3ed7c2e48e md5sum = a12b0e12658a48658e366f3ed7c2e48e
[template-sign-certificate.sh]
filename = sign-certificate.sh.in
md5sum = 2d655b0f0d2d46557d329038db3240f7
...@@ -64,10 +64,17 @@ command-line = ...@@ -64,10 +64,17 @@ command-line =
{{ parameter_dict['dehydrated-location'] }}/dehydrated {{ parameter_dict['dehydrated-location'] }}/dehydrated
--config ${dehydrated-config:output} --config ${dehydrated-config:output}
--cron --cron
wrapper-path = ${directory:scripts}/dehydrated wrapper-path = ${directory:bin}/dehydrated
depends = depends =
${dehydrated-domains.txt:recipe} ${dehydrated-domains.txt:recipe}
[cron-entry-dehydrated]
<= cron
recipe = slapos.cookbook:cron.d
name = dehydrated-renew
frequency = 0 0 * * 0
command = ${dehydrated-wrapper:wrapper-path} --keep-going
[caucase-updater] [caucase-updater]
recipe = slapos.cookbook:wrapper recipe = slapos.cookbook:wrapper
command-line = command-line =
...@@ -115,6 +122,7 @@ wait-for-files = ...@@ -115,6 +122,7 @@ wait-for-files =
wrapper-path = ${directory:bin}/kedifa-upload-{{ domain.replace('\.', '-') }} wrapper-path = ${directory:bin}/kedifa-upload-{{ domain.replace('\.', '-') }}
depends = depends =
{{ "${kedifa-generate-auth-" ~ domain ~ ":recipe}" }} {{ "${kedifa-generate-auth-" ~ domain ~ ":recipe}" }}
{{ "${promise-" ~ domain ~ ":recipe}" }}
[cron-entry-{{ domain }}] [cron-entry-{{ domain }}]
<= cron <= cron
...@@ -123,9 +131,54 @@ name = upload-{{ domain }} ...@@ -123,9 +131,54 @@ name = upload-{{ domain }}
frequency = 0 0 * * 0 frequency = 0 0 * * 0
command = {{ "${kedifa-upload-" ~ domain ~ ":wrapper-path}" }} command = {{ "${kedifa-upload-" ~ domain ~ ":wrapper-path}" }}
[dehydrated-sign-{{ domain }}]
<= base-wrapper
command-line =
{{ parameter_dict['kedifa-location'] }}
wrapper-path = ${directory:scripts}/kedifa-genauth-{{ domain.replace('\.', '-') }}
[promise-{{ domain }}]
recipe = slapos.recipe.template:jinja2
inline =
#!{{ bash_bin }}
set -e
CERT=${directory:dehydrated}/certs/{{ domain }}/fullchain.pem
KEY=${directory:dehydrated}/certs/{{ domain }}/privkey.pem
export PATH={{ openssl_location }}/bin:$PATH
if [ ! -s "$CERT" ]; then
echo "Certificate for {{ domain }} doesn't exists!"
exit 1
fi
certsum=$(openssl x509 -in $CERT -pubkey -noout -outform pem | sha256sum)
keysum=$(openssl pkey -in $KEY -pubout -outform pem | sha256sum)
if [ "$certsum" != "$keysum" ]; then
echo "Certificate and key did not match"
exit 2
fi
# Check if certificate will expire in 10 days
let datethreshold=60*60*24*10
openssl x509 -checkend $datethreshold -noout -in $CERT > /dev/null || RET=1
if [ $RET -ne 0 ]; then
ENDDATE=$(openssl x509 -enddate -noout -in $CERT | cut -d= -f 2)
echo "Certificate for {{ domain }} will expire in less than 10 days. Expiration date: $ENDDATE"
exit 3
fi
output = ${directory:promise}/check-certificate-{{ domain }}
mode = 755
{% do part_list.append("cron-entry-" ~ domain) -%} {% do part_list.append("cron-entry-" ~ domain) -%}
{% endfor %} {% endfor %}
[dehydrated-signcert]
recipe = slapos.recipe.template:jinja2
url = {{ parameter_dict['template-signcert'] }}
output = ${directory:scripts}/dehydrated-signcert
domain-list = {{ dumps(domain_list) }}
context =
key base_directory directory:dehydrated
key dehydrated_wrapper dehydrated-wrapper:wrapper-path
key domain_list :domain-list
[dehydrated-domains.txt] [dehydrated-domains.txt]
recipe = slapos.recipe.template recipe = slapos.recipe.template
inline = inline =
...@@ -152,6 +205,7 @@ log = ${:var}/log ...@@ -152,6 +205,7 @@ log = ${:var}/log
scripts = ${:etc}/run scripts = ${:etc}/run
services = ${:etc}/service services = ${:etc}/service
plugins = ${:etc}/plugin plugins = ${:etc}/plugin
promise = ${:etc}/promise
www = ${:srv}/www www = ${:srv}/www
tmp = ${:srv}/tmp tmp = ${:srv}/tmp
acme = ${:www}/.well-known/acme-challenge acme = ${:www}/.well-known/acme-challenge
...@@ -173,7 +227,8 @@ parts = ...@@ -173,7 +227,8 @@ parts =
httpd-listen-promise httpd-listen-promise
httpd-url-promise httpd-url-promise
dehydrated-register dehydrated-register
dehydrated-wrapper dehydrated-signcert
cron-entry-dehydrated
# Complete parts with sections # Complete parts with sections
{{ part_list | join('\n ') }} {{ part_list | join('\n ') }}
......
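Review bot: In the `[promise-{{ domain }}]` inline script, `RET` is never initialised, so whenever the certificate is still valid the test `[ $RET -ne 0 ]` expands to `[ -ne 0 ]`, which prints a "unary operator expected" error on every promise run and only passes because a failing `[` is read as false. Replace the `|| RET=1` line and the `if` with a direct test: `if ! openssl x509 -checkend "$datethreshold" -noout -in "$CERT" >/dev/null; then`. While there, quote `"$CERT"` and `"$KEY"` in the openssl calls and add `set -o pipefail`, because without it a missing or unreadable key makes `openssl pkey | sha256sum` succeed with the hash of empty output and the failure is misreported as "Certificate and key did not match" instead of a key error. The `[dehydrated-sign-{{ domain }}]` section (command-line is the kedifa location, wrapper-path `kedifa-genauth-...`) is not appended to `part_list` in this hunk, so it looks like a leftover; if nothing else references it, drop it rather than ship a dead wrapper.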
...@@ -32,7 +32,7 @@ context = ...@@ -32,7 +32,7 @@ context =
key ipv6 slap-configuration:ipv6 key ipv6 slap-configuration:ipv6
key slapparameter_dict slap-configuration:configuration key slapparameter_dict slap-configuration:configuration
raw buildout_bin_directory {{ bin_directory }} raw buildout_bin_directory {{ bin_directory }}
raw bash_executable_location {{ bash_location }}/bin/dash raw bash_bin {{ bash_location }}/bin/bash
raw curl_location {{ curl_location }} raw curl_location {{ curl_location }}
raw openssl_location {{ openssl_location }} raw openssl_location {{ openssl_location }}
raw openssl_bin {{ openssl_location }}/bin/openssl raw openssl_bin {{ openssl_location }}/bin/openssl
...@@ -44,6 +44,7 @@ context = ...@@ -44,6 +44,7 @@ context =
dehydrated-location = {{ dehydrated_location }} dehydrated-location = {{ dehydrated_location }}
kedifa-location = {{ kedifa_location }} kedifa-location = {{ kedifa_location }}
template-config = {{ template_dehydrated_config }} template-config = {{ template_dehydrated_config }}
template-signcert = {{ template_signcert }}
[dynamic-template-autocert] [dynamic-template-autocert]
<= jinja2-template-base <= jinja2-template-base
......
#!/bin/sh
# Sign a single certificate if not exists yet
BASE_DIR={{ base_directory }}
sign_cert() {
BASE_DOMAIN=$1
DOMAINS=$2
if [ -s "$BASE_DIR/certs/$BASE_DOMAIN/fullchain.pem" ]; then
exit 0;
fi
{{ dehydrated_wrapper }} --domain $DOMAINS --lock-suffix $BASE_DOMAIN
}
{% for domain_string in domain_list -%}
sign_cert {{ domain_string.split(' ')[0] }} "{{ domain_string }}"
{% endfor -%}
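Review bot: `exit 0` inside `sign_cert` terminates the whole script as soon as one domain already has a `fullchain.pem`, so with several entries in `domain_list` every domain listed after an already-signed one is silently never submitted to dehydrated; it should be `return 0`. The `--lock-suffix $BASE_DOMAIN` argument should be quoted as `"$BASE_DOMAIN"` for consistency with the `-s` test above it. `$DOMAINS` is apparently left unquoted on purpose so the space-separated string splits into several arguments; whether dehydrated accepts several names after a single `--domain` cannot be confirmed from here, and if it expects one `--domain` per name the loop must emit repeated flags instead. Since the instance template now exposes `bash_bin`, the hard-coded `#!/bin/sh` shebang could use it as the promise script does.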
...@@ -62,6 +62,7 @@ context = ...@@ -62,6 +62,7 @@ context =
key openssl_location openssl:location key openssl_location openssl:location
key template_monitor_cfg monitor2-template:output key template_monitor_cfg monitor2-template:output
key template_autocert template-autocert:target key template_autocert template-autocert:target
key template_signcert template-sign-certificate.sh:target
key template_dehydrated_config template-dehydrated-config:target key template_dehydrated_config template-dehydrated-config:target
[template-autocert] [template-autocert]
...@@ -71,6 +72,9 @@ output = ${buildout:directory}/instance-autocert.cfg.jinja2 ...@@ -71,6 +72,9 @@ output = ${buildout:directory}/instance-autocert.cfg.jinja2
[template-dehydrated-config] [template-dehydrated-config]
<= download-template <= download-template
[template-sign-certificate.sh]
<= download-template
[versions] [versions]
caucase = 0.9.15 caucase = 0.9.15
kedifa = 0.0.6 kedifa = 0.0.6
......