From fc925d491afd1f80b27be93c3ec1c3a307d382ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Sun, 9 Jun 2024 12:54:47 +0200
Subject: [PATCH] [fix] role:tlswert_acme_inwx

---
 roles/tlscert_acme_inwx/defaults/main.json | 3 +-
 roles/tlscert_acme_inwx/files/tls-get | 133 ++++++++++++++++++
 roles/tlscert_acme_inwx/info.md | 5 +
 .../templates/tls-get-conf.json.j2 | 12 ++
 4 files changed, 151 insertions(+), 2 deletions(-)
 create mode 100755 roles/tlscert_acme_inwx/files/tls-get
 create mode 100644 roles/tlscert_acme_inwx/templates/tls-get-conf.json.j2

diff --git a/roles/tlscert_acme_inwx/defaults/main.json b/roles/tlscert_acme_inwx/defaults/main.json
index 0151289..e660b19 100644
--- a/roles/tlscert_acme_inwx/defaults/main.json
+++ b/roles/tlscert_acme_inwx/defaults/main.json
@@ -3,7 +3,6 @@
 "var_tlscert_acme_inwx_acme_account_key_path": "/etc/letsencrypt/key",
 "var_tlscert_acme_inwx_inwx_account_username": "REPLACE_ME",
 "var_tlscert_acme_inwx_inwx_account_password": "REPLACE_ME",
- "var_tlscert_acme_inwx_domain_base": "example.org",
- "var_tlscert_acme_inwx_domain_path": "foo",
+ "var_tlscert_acme_inwx_domain": "foo.example.org",
 "var_tlscert_acme_inwx_ssl_directory": "/etc/ssl"
 }
diff --git a/roles/tlscert_acme_inwx/files/tls-get b/roles/tlscert_acme_inwx/files/tls-get
new file mode 100755
index 0000000..4d91b16
--- /dev/null
+++ b/roles/tlscert_acme_inwx/files/tls-get
@@ -0,0 +1,133 @@
+#!/usr/bin/env python3
+
+import sys as _sys
+import os as _os
+import json as _json
+import pathlib as _pathlib
+import argparse as _argparse
+
+
+def file_read(path):
+ handle = open(path, "r")
+ content = handle.read()
+ handle.close()
+ return content
+
+
+def main():
+ ## args
+ argument_parser = _argparse.ArgumentParser()
+ argument_parser.add_argument(
+ "-c",
+ "--conf-path",
+ type = str,
+ dest = "conf_path",
+ metavar = "",
+ default = _os.path.join(str(_pathlib.Path.home()), ".tls-get-conf.json"),
+ )
+ argument_parser.add_argument(
+ dest = "domain",
+ metavar = "",
+ help = "the domain for which the TLS certificate shall be generated"
+ )
+ argument_parser.add_argument(
+ "-t",
+ "--target-directory",
+ dest = "target_directory",
+ type = str,
+ metavar = "",
+ default = "/etc/ssl",
+ )
+ argument_parser.add_argument(
+ "-x",
+ "--challenge-prefix",
+ dest = "challenge_prefix",
+ type = str,
+ metavar = "",
+ default = "_acme-challenge",
+ help = "which subdomain to use for ACME challanges",
+ )
+ argument_parser.add_argument(
+ "-w",
+ "--delay",
+ dest = "delay",
+ type = float,
+ default = 60.0,
+ metavar = "",
+ help = "seconds to wait at end of certbot auth hook",
+ )
+ argument_parser.add_argument(
+ "-q",
+ "--dry-run",
+ dest = "dry_run",
+ action = "store_true",
+ default = False,
+ help = "whether to only print the command on stdout instead of executing it",
+ )
+ args = argument_parser.parse_args()
+
+ ## vars
+ conf = _json.loads(file_read(args.conf_path))
+ le_dir = "/etc/letsencrypt/live"
+
+ ## exec
+ command_certbot = " ".join(
+ [
+ "certbot",
+ "certonly",
+ ("--email='%s'" % conf["acme_account"]["email"]),
+ # ("--work-dir='%s'" % conf["misc"]["working_directory"]),
+ "--preferred-challenges='dns'",
+ "--non-interactive",
+ "--agree-tos",
+ ("--domain='%s'" % args.domain),
+ "--manual",
+ (
+ "--manual-auth-hook='%s'"
+ % " ".join(
+ [
+ "/usr/local/bin/inwx",
+ ("--username=\"%s\"" % 
conf["inwx_account"]["username"]),
+ ("--password=\"%s\"" % conf["inwx_account"]["password"]),
+ "certbot-hook",
+ ("--delay=%.4f" % args.delay),
+ ]
+ )
+ ),
+ (
+ "--post-hook='%s'"
+ % " ".join(
+ [
+ "/usr/local/bin/inwx",
+ ("--username=\"%s\"" % conf["inwx_account"]["username"]),
+ ("--password=\"%s\"" % conf["inwx_account"]["password"]),
+ "delete",
+ ("--domain=\"%s\"" % (args.challenge_prefix + "." + args.domain)),
+ ("--type=\"TXT\""),
+ ]
+ )
+ ),
+ ]
+ )
+ if (args.dry_run):
+ _sys.stdout.write(command_certbot + "\n")
+ else:
+ _os.system(command_certbot)
+ subjects = [
+ {"source_name": "privkey", "target_directory": "private"},
+ {"source_name": "cert", "target_directory": "certs"},
+ {"source_name": "chain", "target_directory": "chains"},
+ {"source_name": "fullchain", "target_directory": "fullchains"},
+ ]
+ for subject in subjects:
+ _os.system(
+ "mkdir --parents %s && cp --dereference %s %s"
+ % (
+ _os.path.join(args.target_directory, subject["target_directory"]),
+ _os.path.join(le_dir, args.domain, "%s.pem" % subject["source_name"]),
+ _os.path.join(args.target_directory, subject["target_directory"], "%s.pem" % args.domain),
+ )
+ )
+
+
+main()
diff --git a/roles/tlscert_acme_inwx/info.md b/roles/tlscert_acme_inwx/info.md
index 8a8baa7..7407def 100644
--- a/roles/tlscert_acme_inwx/info.md
+++ b/roles/tlscert_acme_inwx/info.md
@@ -1,3 +1,8 @@
+## Beschreibung
+
+- richtet die regelmäßige TLS-Zertifikats-Erstellung für eine Domäne und führt eine Erstellung direkt aus
+
+
 ## Verweise
 
 - [Digital Ocean | How To Acquire a Let's Encrypt Certificate Using Ansible](https://www.digitalocean.com/community/tutorials/how-to-acquire-a-let-s-encrypt-certificate-using-ansible-on-ubuntu-18-04)
diff --git a/roles/tlscert_acme_inwx/templates/tls-get-conf.json.j2 b/roles/tlscert_acme_inwx/templates/tls-get-conf.json.j2
new file mode 100644
index 0000000..24a0bac
--- /dev/null
+++ b/roles/tlscert_acme_inwx/templates/tls-get-conf.json.j2
@@ -0,0 +1,12 @@
+{
+ "acme_account": {
+ "email": "{{var_tlscert_acme_inwx_acme_account_email}}"
+ },
+ "inwx_account": {
+ "username": "{{var_tlscert_acme_inwx_inwx_account_username}}",
+ "password": "{{var_tlscert_acme_inwx_inwx_account_password}}"
+ },
+ "misc": {
+ "working_directory": "/tmp/acme"
+ }
+}
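Review bot: The `misc.working_directory` entry has no reader: the only reference to `conf["misc"]` in `tls-get`, the `--work-dir` argument, is commented out, so either drop the `misc` block from this template or restore that flag; if it is restored, a path under `/tmp` is a weak choice for certbot state because `/tmp` is shared with every local user. This file also carries the INWX account password in plaintext at the default location `~/.tls-get-conf.json` that `tls-get` reads; the task that templates it is not part of this diff, so I cannot tell whether it sets a restrictive `mode`, which is worth checking. Since JSON allows no comments, the expectation that the file is readable only by the user running `tls-get` could be recorded in info.md next to the new Beschreibung section.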