From 6d93f9094b78e6437212439e0f023fae251454d0 Mon Sep 17 00:00:00 2001
From: Joachim Lusiardi
Date: Tue, 12 Apr 2016 07:05:24 +0200
Subject: [PATCH] rework / refactoring / documentation

* rename letencrypt.conf to letsencrypt.conf
* Move more options to letsencrypt configurations file
* Done lot of rework / refactoring / documentation
---
 Dockerfile | 2 +-
 letencrypt.conf => letsencrypt.conf | 4 ++
 start.py | 59 +++++++++++++++++++++++------
 3 files changed, 53 insertions(+), 12 deletions(-)
 rename letencrypt.conf => letsencrypt.conf (67%)

diff --git a/Dockerfile b/Dockerfile
index 6210f10..45b00d8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,7 +13,7 @@ RUN pip3 install docker-py
 ADD haproxy_ssl.conf /haproxy_ssl.conf
 ADD haproxy.conf /haproxy.conf
-ADD letencrypt.conf /letencrypt.conf
+ADD letsencrypt.conf /letsencrypt.conf
 ADD start.py /start.py
 ADD list_domains.py /list_domains.py
diff --git a/letencrypt.conf b/letsencrypt.conf
similarity index 67%
rename from letencrypt.conf
rename to letsencrypt.conf
index 00cb3ca..15a970a 100644
--- a/letencrypt.conf
+++ b/letsencrypt.conf
@@ -6,3 +6,7 @@ work-dir=/data/work
 config-dir=/data/config
 email=letsencrypt@lusiardi.de
 agree-tos=TRUE
+expand=TRUE
+force-renewal=TRUE
+duplicate=TRUE
+allow-subset-of-names=TRUE
diff --git a/start.py b/start.py
index 3642117..872179b 100644
--- a/start.py
+++ b/start.py
@@ -13,12 +13,13 @@ import list_domains
 from docker import Client
 cert_path = '/data/haproxy'
-cert_file = '/data/haproxy/cert.pem'
+cert_file = cert_path + '/cert.pem'
 pid_file = '/haproxy.pid'
 delay = 10
+
 def hash_cert_file():
-    """Creates the sha256 hash of the certificate file for haproxy. If the file
+    """Creates the sha256 hash of the certificate file for HAProxy. If the file
     does not exist, an empty string is returned.
     """
     if not os.path.isfile(cert_file):
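Review bot: force-renewal=TRUE and duplicate=TRUE now apply to every letsencrypt-auto command that loads letsencrypt.conf, and nothing in the file records why renewal is forced on each run instead of being left to the client's expiry check, which is the one thing a reader of this config needs to know since forced issuance counts against the CA's rate limits. A short comment above the four new keys explaining why renewal is forced and duplicate issuance allowed on every run would keep that intent visible next to the flags rather than only in the commit message.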
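Review bot: `cert_file = cert_path + '/cert.pem'` derives the path by string concatenation; `cert_file = os.path.join(cert_path, 'cert.pem')` is the idiomatic form, and `os` is already in scope since hash_cert_file in the same hunk calls os.path.isfile. hash_cert_file's body continues past the end of the hunk.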
@@ -44,8 +45,8 @@ def get_pid():
 def kill_haproxy():
-    """Stops the currently running instance of haproxy by issueing a kill signal to its pid."""
-    logging.info('killing haproxy')
+    """Stops the currently running instance of HAProxy by issuing a kill signal to its pid."""
+    logging.info('killing HAProxy')
     try:
         os.kill(get_pid(), signal.SIGKILL)
     except OSError:
@@ -53,18 +54,23 @@ def kill_haproxy():
 def start_haproxy_ssl():
-    logging.info('starting haproxy SSL')
+    """Start HAProxy with SSL activated. Returns True, if HAProxy is running, False otherwise."""
+    kill_haproxy()
+    logging.info('starting HAProxy with SSL')
     os.system('/usr/sbin/haproxy -f /haproxy_ssl.conf -p ' + pid_file)
     return is_haproxy_running()
 def start_haproxy():
-    logging.info('starting haproxy NON SSL')
+    """Start HAProxy without SSL activated. Returns True, if HAProxy is running, False otherwise."""
+    kill_haproxy()
+    logging.info('starting HAProxy without SSL')
     os.system('/usr/sbin/haproxy -f /haproxy.conf -p ' + pid_file)
-    return False
+    return is_haproxy_running()
 def is_haproxy_running():
+    """Check if HAProxy is running by sending a signal to its pid."""
     try:
         os.kill(get_pid(), 0)
         return True
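Review bot: Both start_haproxy_ssl and start_haproxy discard the exit status of os.system, so a broken /haproxy_ssl.conf or an already-bound port is reported only indirectly by is_haproxy_running(), which reads the pid file that still names the instance kill_haproxy() has just signalled; if that process has not been reaped yet, `os.kill(pid, 0)` succeeds and the function returns True for a daemon that is not serving. Check the status first: `status = os.system('/usr/sbin/haproxy -f /haproxy_ssl.conf -p ' + pid_file)` followed by `if status != 0: logging.error('HAProxy exited with status %d', status); return False`, and the same in start_haproxy. The unconditional kill_haproxy() before each start also drops every in-flight connection with a SIGKILL; HAProxy's `-sf <oldpid>` option performs a graceful handover to the new instance and would make the explicit kill unnecessary. kill_haproxy's body and get_pid are outside this hunk.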
@@ -74,27 +80,58 @@ def is_haproxy_running():
 def ssl_possible():
     """Check if a certificate is available."""
-
     if not os.path.isfile(cert_file):
         return False
     else:
         return True
+def read_file(filename):
+    file=open(filename, 'r')
+    read_data = file.read()
+    file.close()
+    return read_data
+
+
+def write_file(filename, content):
+    file=open(filename, 'w')
+    file.write(content)
+    file.close()
+
+
 def create_haproxy_cert():
     """Combines the freshly created fullchain.pem and privkey.pem into /data/haproxy/cert.pem"""
     logging.info('updating %s', cert_file)
+
+    # make sure the path exists...
     if not os.path.exists(cert_path):
         logging.info('creating cert_path path: %s', cert_path)
         os.mkdir(cert_path)
-    os.system(
-        'DIR=`ls -td /data/config/live/*/ | head -1`; echo ${DIR}; cat ${DIR}/fullchain.pem ${DIR}/privkey.pem > ' + cert_file)
+
+    # find the youngest directory
+    youngest_modify_time = 0
+    youngest_directory = ''
+    for root, directories, files in os.walk('/data/config/live'):
+        for directory in directories:
+            modify_time = os.stat(directory).st_mtime
+            if modify_time > youngest_modify_time:
+                youngest_modify_time = modify_time
+                youngest_directory = directory
+
+    logging.info('using %s as base dir', youngest_directory)
+
+    # read fullchain.pem and privkey.pem
+    fullchain = read_file(youngest_directory + '/fullchain.pem')
+    privkey = read_file(youngest_directory + '/privkey.pem')
+    write_file(cert_file, fullchain + privkey)
 def create_cert_data_standalone(domains):
     domains = " -d ".join(domains)
+
+    # we should use tls-sni-01 if ssl is already running!
     os.system(
-        '/letsencrypt/letsencrypt-auto --config letencrypt.conf certonly --expand --force-renewal --duplicate --allow-subset-of-names --standalone-supported-challenges http-01 --http-01-port 54321 -d ' + domains)
+        '/letsencrypt/letsencrypt-auto --config letsencrypt.conf certonly --standalone-supported-challenges http-01 --http-01-port 54321 -d ' + domains)
 def cert_watcher():
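Review bot: In create_haproxy_cert the walk loop calls `os.stat(directory)` and later `read_file(youngest_directory + '/fullchain.pem')` with the bare entry name instead of `os.path.join(root, directory)`, so both resolve against the process's working directory rather than /data/config/live and will raise FileNotFoundError (or hit an unrelated directory of the same name) on the first run. The walk is also recursive, whereas the shell pipeline it replaces only compared the top-level live/ entries, and when nothing is found `youngest_directory` stays '' so the function tries to open '/fullchain.pem'. read_file and write_file should use `with open(...)` so the handle is released on an exception, and because cert.pem is written with privkey.pem inside it the file should be created owner-only rather than with whatever the umask allows (the mode applies on creation; an existing file keeps its mode). create_cert_data_standalone still interpolates the joined domain list into an os.system shell string; if those names come from container metadata (list_domains is imported but not shown), passing them as a subprocess argument list would keep them out of the shell. The hunk ends on the `def cert_watcher():` line, whose body is outside it.
```python
def read_file(filename):
    with open(filename, 'r') as f:
        return f.read()


def write_file(filename, content):
    # cert.pem carries the private key: create it owner read/write only
    fd = os.open(filename, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as f:
        f.write(content)


def create_haproxy_cert():
    # … unchanged: logging and cert_path creation …

    # newest top-level live/ directory, as an absolute path (non-recursive)
    live_root = '/data/config/live'
    candidates = [os.path.join(live_root, d) for d in os.listdir(live_root)
                  if os.path.isdir(os.path.join(live_root, d))]
    if not candidates:
        logging.error('no certificate directory found under %s', live_root)
        return
    youngest_directory = max(candidates, key=lambda d: os.stat(d).st_mtime)

    logging.info('using %s as base dir', youngest_directory)
    # … unchanged: read fullchain.pem / privkey.pem and write cert_file …
```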