Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
slapos
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Carlos Ramos Carreño
slapos
Commits
30f9b711
Commit
30f9b711
authored
Jul 11, 2023
by
Alain Takoudjou
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
autocert: use cron for renew, add promise to check certificate
parent
035c345c
Changes
5
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
86 additions
and
5 deletions
+86
-5
software/autocert/buildout.hash.cfg
software/autocert/buildout.hash.cfg
+6
-2
software/autocert/instance-autocert.cfg.jinja2.in
software/autocert/instance-autocert.cfg.jinja2.in
+57
-2
software/autocert/instance.cfg.in
software/autocert/instance.cfg.in
+2
-1
software/autocert/sign-certificate.sh.in
software/autocert/sign-certificate.sh.in
+17
-0
software/autocert/software.cfg
software/autocert/software.cfg
+4
-0
No files found.
software/autocert/buildout.hash.cfg
View file @
30f9b711
...
...
@@ -15,12 +15,16 @@
[template-instance]
filename = instance.cfg.in
md5sum =
9e584e5273ecf222da40b0f318fd62fd
md5sum =
abcb4312498177b0577202c0094efcba
[template-autocert]
filename = instance-autocert.cfg.jinja2.in
md5sum =
4f914e5bf419009cb627f1314b76db63
md5sum =
a6dc701b75ffb888bf8648ea7dca33e2
[template-dehydrated-config]
filename = config.in
md5sum = a12b0e12658a48658e366f3ed7c2e48e
[template-sign-certificate.sh]
filename = sign-certificate.sh.in
md5sum = 2d655b0f0d2d46557d329038db3240f7
software/autocert/instance-autocert.cfg.jinja2.in
View file @
30f9b711
...
...
@@ -64,10 +64,17 @@ command-line =
{{ parameter_dict['dehydrated-location'] }}/dehydrated
--config ${dehydrated-config:output}
--cron
wrapper-path = ${directory:
scripts
}/dehydrated
wrapper-path = ${directory:
bin
}/dehydrated
depends =
${dehydrated-domains.txt:recipe}
[cron-entry-dehydrated]
<= cron
recipe = slapos.cookbook:cron.d
name = dehydrated-renew
frequency = 0 0 * * 0
command = ${dehydrated-wrapper:wrapper-path} --keep-going
[caucase-updater]
recipe = slapos.cookbook:wrapper
command-line =
...
...
@@ -115,6 +122,7 @@ wait-for-files =
wrapper-path = ${directory:bin}/kedifa-upload-{{ domain.replace('\.', '-') }}
depends =
{{ "${kedifa-generate-auth-" ~ domain ~ ":recipe}" }}
{{ "${promise-" ~ domain ~ ":recipe}" }}
[cron-entry-{{ domain }}]
<= cron
...
...
@@ -123,9 +131,54 @@ name = upload-{{ domain }}
frequency = 0 0 * * 0
command = {{ "${kedifa-upload-" ~ domain ~ ":wrapper-path}" }}
[dehydrated-sign-{{ domain }}]
<= base-wrapper
command-line =
{{ parameter_dict['kedifa-location'] }}
wrapper-path = ${directory:scripts}/kedifa-genauth-{{ domain.replace('\.', '-') }}
[promise-{{ domain }}]
recipe = slapos.recipe.template:jinja2
inline =
#!{{ bash_bin }}
set -e
CERT=${directory:dehydrated}/certs/{{ domain }}/fullchain.pem
KEY=${directory:dehydrated}/certs/{{ domain }}/privkey.pem
export PATH={{ openssl_location }}/bin:$PATH
if [ ! -s "$CERT" ]; then
echo "Certificate for {{ domain }} doesn't exists!"
exit 1
fi
certsum=$(openssl x509 -in $CERT -pubkey -noout -outform pem | sha256sum)
keysum=$(openssl pkey -in $KEY -pubout -outform pem | sha256sum)
if [ "$certsum" != "$keysum" ]; then
echo "Certificate and key did not match"
exit 2
fi
# Check if certificate will expire in 10 days
let datethreshold=60*60*24*10
openssl x509 -checkend $datethreshold -noout -in $CERT > /dev/null || RET=1
if [ $RET -ne 0 ]; then
ENDDATE=$(openssl x509 -enddate -noout -in $CERT | cut -d= -f 2)
echo "Certificate for {{ domain }} will expire in less than 10 days. Expiration date: $ENDDATE"
exit 3
fi
output = ${directory:promise}/check-certificate-{{ domain }}
mode = 755
{% do part_list.append("cron-entry-" ~ domain) -%}
{% endfor %}
[dehydrated-signcert]
recipe = slapos.recipe.template:jinja2
url = {{ parameter_dict['template-signcert'] }}
output = ${directory:scripts}/dehydrated-signcert
domain-list = {{ dumps(domain_list) }}
context =
key base_directory directory:dehydrated
key dehydrated_wrapper dehydrated-wrapper:wrapper-path
key domain_list :domain-list
[dehydrated-domains.txt]
recipe = slapos.recipe.template
inline =
...
...
@@ -152,6 +205,7 @@ log = ${:var}/log
scripts = ${:etc}/run
services = ${:etc}/service
plugins = ${:etc}/plugin
promise = ${:etc}/promise
www = ${:srv}/www
tmp = ${:srv}/tmp
acme = ${:www}/.well-known/acme-challenge
...
...
@@ -173,7 +227,8 @@ parts =
httpd-listen-promise
httpd-url-promise
dehydrated-register
dehydrated-wrapper
dehydrated-signcert
cron-entry-dehydrated
# Complete parts with sections
{{ part_list | join('\n ') }}
...
...
software/autocert/instance.cfg.in
View file @
30f9b711
...
...
@@ -32,7 +32,7 @@ context =
key ipv6 slap-configuration:ipv6
key slapparameter_dict slap-configuration:configuration
raw buildout_bin_directory {{ bin_directory }}
raw bash_
executable_location {{ bash_location }}/bin/d
ash
raw bash_
bin {{ bash_location }}/bin/b
ash
raw curl_location {{ curl_location }}
raw openssl_location {{ openssl_location }}
raw openssl_bin {{ openssl_location }}/bin/openssl
...
...
@@ -44,6 +44,7 @@ context =
dehydrated-location = {{ dehydrated_location }}
kedifa-location = {{ kedifa_location }}
template-config = {{ template_dehydrated_config }}
template-signcert = {{ template_signcert }}
[dynamic-template-autocert]
<= jinja2-template-base
...
...
software/autocert/sign-certificate.sh.in
0 → 100644
View file @
30f9b711
#!/bin/sh
# Sign a single certificate if not exists yet
BASE_DIR
={{
base_directory
}}
sign_cert
()
{
BASE_DOMAIN
=
$1
DOMAINS
=
$2
if
[
-s
"
$BASE_DIR
/certs/
$BASE_DOMAIN
/fullchain.pem"
]
;
then
exit
0
;
fi
{{
dehydrated_wrapper
}}
--domain
$DOMAINS
--lock-suffix
$BASE_DOMAIN
}
{
%
for
domain_string
in
domain_list -%
}
sign_cert
{{
domain_string.split
(
' '
)[
0]
}}
"{{ domain_string }}"
{
% endfor -%
}
software/autocert/software.cfg
View file @
30f9b711
...
...
@@ -62,6 +62,7 @@ context =
key openssl_location openssl:location
key template_monitor_cfg monitor2-template:output
key template_autocert template-autocert:target
key template_signcert template-sign-certificate.sh:target
key template_dehydrated_config template-dehydrated-config:target
[template-autocert]
...
...
@@ -71,6 +72,9 @@ output = ${buildout:directory}/instance-autocert.cfg.jinja2
[template-dehydrated-config]
<= download-template
[template-sign-certificate.sh]
<= download-template
[versions]
caucase = 0.9.15
kedifa = 0.0.6
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment