rework / refactoring / documentation

* rename letencrypt.conf to letsencrypt.conf
* Move more options to letsencrypt configurations file
* Did a lot of rework / refactoring / documentation
Joachim Lusiardi 2016-04-12 07:05:24 +02:00
parent b63cbb80cd
commit 6d93f9094b
3 changed files with 53 additions and 12 deletions


@ -13,7 +13,7 @@ RUN pip3 install docker-py
ADD haproxy_ssl.conf /haproxy_ssl.conf ADD haproxy_ssl.conf /haproxy_ssl.conf
ADD haproxy.conf /haproxy.conf ADD haproxy.conf /haproxy.conf
ADD letencrypt.conf /letencrypt.conf ADD letsencrypt.conf /letsencrypt.conf
ADD start.py /start.py ADD start.py /start.py
ADD list_domains.py /list_domains.py ADD list_domains.py /list_domains.py


@ -6,3 +6,7 @@ work-dir=/data/work
config-dir=/data/config config-dir=/data/config
email=letsencrypt@lusiardi.de email=letsencrypt@lusiardi.de
agree-tos=TRUE agree-tos=TRUE
expand=TRUE
force-renewal=TRUE
duplicate=TRUE
allow-subset-of-names=TRUE
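Review bot: `force-renewal=TRUE` and `duplicate=TRUE` now apply to every invocation that loads this config file, not only the standalone `certonly` call they were moved from, so any later or manual run against the same config re-issues instead of reusing a still-valid certificate. Let's Encrypt rate-limits duplicate issuance for the same set of names, so a periodic caller can exhaust that limit and block real renewals until the window passes. Consider keeping these two as explicit flags on the one call that deliberately needs them, or at least recording the intent next to them, e.g. `# force-renewal/duplicate: always re-issue on every run; mind the duplicate-certificate rate limit`. The remaining moved options (`expand`, `allow-subset-of-names`) are safe to keep here.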


@ -13,12 +13,13 @@ import list_domains
from docker import Client from docker import Client
cert_path = '/data/haproxy' cert_path = '/data/haproxy'
cert_file = '/data/haproxy/cert.pem' cert_file = cert_path + '/cert.pem'
pid_file = '/haproxy.pid' pid_file = '/haproxy.pid'
delay = 10 delay = 10
def hash_cert_file(): def hash_cert_file():
"""Creates the sha256 hash of the certificate file for haproxy. If the file """Creates the sha256 hash of the certificate file for HAProxy. If the file
does not exist, an empty string is returned. does not exist, an empty string is returned.
""" """
if not os.path.isfile(cert_file): if not os.path.isfile(cert_file):
@ -44,8 +45,8 @@ def get_pid():
def kill_haproxy(): def kill_haproxy():
"""Stops the currently running instance of haproxy by issueing a kill signal to its pid.""" """Stops the currently running instance of HAProxy by issuing a kill signal to its pid."""
logging.info('killing haproxy') logging.info('killing HAProxy')
try: try:
os.kill(get_pid(), signal.SIGKILL) os.kill(get_pid(), signal.SIGKILL)
except OSError: except OSError:
@ -53,18 +54,23 @@ def kill_haproxy():
def start_haproxy_ssl(): def start_haproxy_ssl():
logging.info('starting haproxy SSL') """Start HAProxy with SSL activated. Returns True, if HAProxy is running, False otherwise."""
kill_haproxy()
logging.info('starting HAProxy with SSL')
os.system('/usr/sbin/haproxy -f /haproxy_ssl.conf -p ' + pid_file) os.system('/usr/sbin/haproxy -f /haproxy_ssl.conf -p ' + pid_file)
return is_haproxy_running() return is_haproxy_running()
def start_haproxy(): def start_haproxy():
logging.info('starting haproxy NON SSL') """Start HAProxy without SSL activated. Returns True, if HAProxy is running, False otherwise."""
kill_haproxy()
logging.info('starting HAProxy without SSL')
os.system('/usr/sbin/haproxy -f /haproxy.conf -p ' + pid_file) os.system('/usr/sbin/haproxy -f /haproxy.conf -p ' + pid_file)
return False return is_haproxy_running()
def is_haproxy_running(): def is_haproxy_running():
"""Check if HAProxy is running by sending a signal to its pid."""
try: try:
os.kill(get_pid(), 0) os.kill(get_pid(), 0)
return True return True
@ -74,27 +80,58 @@ def is_haproxy_running():
def ssl_possible(): def ssl_possible():
"""Check if a certificate is available.""" """Check if a certificate is available."""
if not os.path.isfile(cert_file): if not os.path.isfile(cert_file):
return False return False
else: else:
return True return True
def read_file(filename):
file=open(filename, 'r')
read_data = file.read()
file.close()
return read_data
def write_file(filename, content):
file=open(filename, 'w')
file.write(content)
file.close()
def create_haproxy_cert(): def create_haproxy_cert():
"""Combines the freshly created fullchain.pem and privkey.pem into /data/haproxy/cert.pem""" """Combines the freshly created fullchain.pem and privkey.pem into /data/haproxy/cert.pem"""
logging.info('updating %s', cert_file) logging.info('updating %s', cert_file)
# make sure the path exists...
if not os.path.exists(cert_path): if not os.path.exists(cert_path):
logging.info('creating cert_path path: %s', cert_path) logging.info('creating cert_path path: %s', cert_path)
os.mkdir(cert_path) os.mkdir(cert_path)
os.system(
'DIR=`ls -td /data/config/live/*/ | head -1`; echo ${DIR}; cat ${DIR}/fullchain.pem ${DIR}/privkey.pem > ' + cert_file) # find the youngest directory
youngest_modify_time = 0
youngest_directory = ''
for root, directories, files in os.walk('/data/config/live'):
for directory in directories:
modify_time = os.stat(directory).st_mtime
if modify_time > youngest_modify_time:
youngest_modify_time = modify_time
youngest_directory = directory
logging.info('using %s as base dir', youngest_directory)
# read fullchain.pem and privkey.pem
fullchain = read_file(youngest_directory + '/fullchain.pem')
privkey = read_file(youngest_directory + '/privkey.pem')
write_file(cert_file, fullchain + privkey)
def create_cert_data_standalone(domains): def create_cert_data_standalone(domains):
domains = " -d ".join(domains) domains = " -d ".join(domains)
# we should use tls-sni-01 if ssl is already running!
os.system( os.system(
'/letsencrypt/letsencrypt-auto --config letencrypt.conf certonly --expand --force-renewal --duplicate --allow-subset-of-names --standalone-supported-challenges http-01 --http-01-port 54321 -d ' + domains) '/letsencrypt/letsencrypt-auto --config letsencrypt.conf certonly --standalone-supported-challenges http-01 --http-01-port 54321 -d ' + domains)
def cert_watcher(): def cert_watcher():