autocert: use cron for renew, add promise to check certificate

software/autocert/buildout.hash.cfg

@@ -15,12 +15,16 @@
 
 [template-instance]
 filename = instance.cfg.in
-md5sum = 9e584e5273ecf222da40b0f318fd62fd
+md5sum = abcb4312498177b0577202c0094efcba
 
 [template-autocert]
 filename = instance-autocert.cfg.jinja2.in
-md5sum = 4f914e5bf419009cb627f1314b76db63
+md5sum = a6dc701b75ffb888bf8648ea7dca33e2
 
 [template-dehydrated-config]
 filename = config.in
 md5sum = a12b0e12658a48658e366f3ed7c2e48e
+
+[template-sign-certificate.sh]
+filename = sign-certificate.sh.in
+md5sum = 2d655b0f0d2d46557d329038db3240f7

software/autocert/instance-autocert.cfg.jinja2.in

@@ -64,10 +64,17 @@ command-line =
   {{ parameter_dict['dehydrated-location'] }}/dehydrated
   --config ${dehydrated-config:output}
   --cron
-wrapper-path = ${directory:scripts}/dehydrated
+wrapper-path = ${directory:bin}/dehydrated
 depends =
   ${dehydrated-domains.txt:recipe}
 
+[cron-entry-dehydrated]
+<= cron
+recipe = slapos.cookbook:cron.d
+name = dehydrated-renew
+frequency = 0 0 * * 0
+command = ${dehydrated-wrapper:wrapper-path} --keep-going
+
 [caucase-updater]
 recipe = slapos.cookbook:wrapper
 command-line =
@@ -115,6 +122,7 @@ wait-for-files =
 wrapper-path = ${directory:bin}/kedifa-upload-{{ domain.replace('\.', '-') }}
 depends =
   {{ "${kedifa-generate-auth-" ~ domain ~ ":recipe}" }}
+  {{ "${promise-" ~ domain ~ ":recipe}" }}
 
 [cron-entry-{{ domain }}]
 <= cron
@@ -123,9 +131,54 @@ name = upload-{{ domain }}
 frequency = 0 0 * * 0
 command = {{ "${kedifa-upload-" ~ domain ~ ":wrapper-path}" }}
 
+[dehydrated-sign-{{ domain }}]
+<= base-wrapper
+command-line =
+  {{ parameter_dict['kedifa-location'] }}
+wrapper-path = ${directory:scripts}/kedifa-genauth-{{ domain.replace('\.', '-') }}
+
+[promise-{{ domain }}]
+recipe = slapos.recipe.template:jinja2
+inline =
+  #!{{ bash_bin }}
+  set -e
+  CERT=${directory:dehydrated}/certs/{{ domain }}/fullchain.pem
+  KEY=${directory:dehydrated}/certs/{{ domain }}/privkey.pem
+  export PATH={{ openssl_location }}/bin:$PATH
+  if [ ! -s "$CERT" ]; then
+    echo "Certificate for {{ domain }} doesn't exists!"
+    exit 1
+  fi
+  certsum=$(openssl x509 -in $CERT -pubkey -noout -outform pem | sha256sum)
+  keysum=$(openssl pkey -in $KEY -pubout -outform pem | sha256sum)
+  if [ "$certsum" != "$keysum" ]; then
+    echo "Certificate and key did not match"
+    exit 2
+  fi
+  # Check if certificate will expire in 10 days
+  let datethreshold=60*60*24*10
+  openssl x509 -checkend $datethreshold -noout -in $CERT > /dev/null || RET=1
+  if [ $RET -ne 0 ]; then
+    ENDDATE=$(openssl x509 -enddate -noout -in $CERT | cut -d= -f 2)
+    echo "Certificate for {{ domain }} will expire in less than 10 days. Expiration date: $ENDDATE"
+    exit 3
+  fi
+output = ${directory:promise}/check-certificate-{{ domain }}
+mode = 755
+
 {% do part_list.append("cron-entry-" ~ domain) -%}
 {% endfor %}
 
+[dehydrated-signcert]
+recipe = slapos.recipe.template:jinja2
+url = {{ parameter_dict['template-signcert'] }}
+output = ${directory:scripts}/dehydrated-signcert
+domain-list = {{ dumps(domain_list) }}
+context =
+  key base_directory directory:dehydrated
+  key dehydrated_wrapper dehydrated-wrapper:wrapper-path
+  key domain_list :domain-list
+
 [dehydrated-domains.txt]
 recipe = slapos.recipe.template
 inline =
@@ -152,6 +205,7 @@ log = ${:var}/log
 scripts = ${:etc}/run
 services = ${:etc}/service
 plugins = ${:etc}/plugin
+promise = ${:etc}/promise
 www = ${:srv}/www
 tmp = ${:srv}/tmp
 acme = ${:www}/.well-known/acme-challenge
@@ -173,7 +227,8 @@ parts =
   httpd-listen-promise
   httpd-url-promise
   dehydrated-register
-  dehydrated-wrapper
+  dehydrated-signcert
+  cron-entry-dehydrated
 
 # Complete parts with sections
   {{ part_list | join('\n  ') }}

software/autocert/instance.cfg.in

@@ -32,7 +32,7 @@ context =
   key ipv6 slap-configuration:ipv6
   key slapparameter_dict slap-configuration:configuration
   raw buildout_bin_directory {{ bin_directory }}
-  raw bash_executable_location {{ bash_location }}/bin/dash
+  raw bash_bin {{ bash_location }}/bin/bash
   raw curl_location {{ curl_location }}
   raw openssl_location {{ openssl_location }}
   raw openssl_bin {{ openssl_location }}/bin/openssl
@@ -44,6 +44,7 @@ context =
 dehydrated-location = {{ dehydrated_location }}
 kedifa-location = {{ kedifa_location }}
 template-config = {{ template_dehydrated_config }}
+template-signcert = {{ template_signcert }}
 
 [dynamic-template-autocert]
 <= jinja2-template-base

software/autocert/sign-certificate.sh.in

+#!/bin/sh
+
+# Sign a single certificate if not exists yet
+BASE_DIR={{ base_directory }}
+
+sign_cert() {
+  BASE_DOMAIN=$1
+  DOMAINS=$2
+  if [ -s "$BASE_DIR/certs/$BASE_DOMAIN/fullchain.pem" ]; then
+    exit 0;
+  fi
+  {{ dehydrated_wrapper }} --domain $DOMAINS --lock-suffix $BASE_DOMAIN
+}
+
+{% for domain_string in domain_list -%}
+sign_cert {{ domain_string.split(' ')[0] }} "{{ domain_string }}"
+{% endfor -%}

software/autocert/software.cfg

@@ -62,6 +62,7 @@ context =
     key openssl_location openssl:location
     key template_monitor_cfg monitor2-template:output
     key template_autocert template-autocert:target
+    key template_signcert template-sign-certificate.sh:target
     key template_dehydrated_config template-dehydrated-config:target
 
 [template-autocert]
@@ -71,6 +72,9 @@ output = ${buildout:directory}/instance-autocert.cfg.jinja2
 [template-dehydrated-config]
 <= download-template
 
+[template-sign-certificate.sh]
+<= download-template
+
 [versions]
 caucase = 0.9.15
 kedifa = 0.0.6