[home.git] / .bin / le-renew

#!/usr/bin/python
#-*- coding:utf-8 -*-
# pylint: disable=invalid-name

"""Renew Let's Encrypt certs!

To generate a new set of certs:
$ certbot certonly --webroot \\
    --webroot-path /var/www/wh0rd/ -d wh0rd.org -d www.wh0rd.org \\
    --webroot-path /var/www/rss/ -d rss.wh0rd.org
"""

from __future__ import print_function

import argparse
try:
    import configparser
except ImportError:
    import ConfigParser as configparser
import cryptography.hazmat.backends
from cryptography import x509
try:
    from cStringIO import StringIO
except ImportError:
    from io import StringIO
import datetime
import logging
import logging.handlers
import os
import subprocess
import sys


LE_BASE = '/etc/letsencrypt'


def get_parser():
    """Return an ArgumentParser() for this module."""
    parser = argparse.ArgumentParser(description=__doc__,
                                     formatter_class=argparse.RawTextHelpFormatter)
    parser.add_argument('-n', '--dry-run', default=False,
                        action='store_true',
                        help='Do not actually update certs')
    parser.add_argument('--cronjob', default=False,
                        action='store_true',
                        help='Exit non-zero if no certs were changed')
    return parser


def setup_logging(debug=False, syslog=None):
    """Setup the logging module just the way we like it."""
    if syslog is None:
        syslog = not os.isatty(sys.stdin.fileno())

    if syslog:
        handler = logging.handlers.SysLogHandler(address='/dev/log')
    else:
        handler = logging.StreamHandler(stream=sys.stdout)

    fmt = '%(asctime)s: %(levelname)-7s: %(message)s'

    datefmt = '%a, %d %b %Y %H:%M:%S letsencrypt'

    level = logging.DEBUG if debug else logging.INFO

    formatter = logging.Formatter(fmt, datefmt)
    handler.setFormatter(formatter)

    logger = logging.getLogger()
    logger.addHandler(handler)
    logger.setLevel(level)


def load_cert(path):
    """Load the cert at |path|"""
    with open(path, 'rb') as f:
        data = f.read()
        return x509.load_pem_x509_certificate(
            data, cryptography.hazmat.backends.default_backend())


def load_live_cert(domain):
    """Load the live cert for |domain|"""
    path = os.path.join(LE_BASE, 'live', domain, 'cert.pem')
    return load_cert(path)


def load_conf(domain):
    """Load the LE config file for |domain|"""
    path = os.path.join(LE_BASE, 'renewal', domain + '.conf')
    # The config file format is almost enough for the configparser.
    # We need to insert a section header for the first few items.
    fp = StringIO()
    fp.write('[globals]\n')
    fp.write(open(path).read())
    fp.seek(0)

    conf = configparser.RawConfigParser()
    conf.readfp(fp)
    return conf


def process_domain(domain, dry_run=False):
    """Update |domain|'s certs as needed."""
    ret = 0

    logging.info('%s: checking', domain)

    conf = load_conf(domain)
    webroot_path = conf.get('[webroot_map', domain)

    cert_path = os.path.realpath(conf.get('globals', 'cert'))

    cert = load_cert(cert_path)
    delta = cert.not_valid_after - datetime.datetime.utcnow()
    logging.info('%s: expires in %2s days', domain, delta.days)

    cmd = [
        'certbot',
        'certonly', '--webroot',
        '--webroot-path', webroot_path,
        '-d', domain,
    ]
    domains = []
    try:
        san = cert.extensions.get_extension_for_oid(
            x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        domains = san.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        pass
    for d in domains:
        cmd += ['-d', d]
    if delta.days < 30:
        logging.info('%s: renewing', domain)
        logging.info('%s: %s', domain, cmd)
        if not dry_run:
            subprocess.check_call(cmd)
            ret = 1
        # Try to revoke the old one.
        cmd = ['certbot', 'revoke', '--cert-path', cert_path]
        logging.info('%s: revoking old cert', domain)
        logging.info('%s: %s', domain, cmd)
        if not dry_run:
            subprocess.check_call(cmd)
    else:
        logging.info('%s: up-to-date!', domain)

    return ret


def main(argv):
    """The main() entry point!"""
    parser = get_parser()
    opts = parser.parse_args(argv)
    setup_logging()

    cnt = 0
    domains = [x[:-5] for x in os.listdir('/etc/letsencrypt/renewal')]
    for domain in domains:
        cnt += process_domain(domain, dry_run=opts.dry_run)

    if opts.cronjob:
        if cnt:
            return 0
        else:
            return 1


if __name__ == '__main__':
    sys.exit(main(sys.argv[1:]))
Commit	Line	Data
6dbeb0d6 MF	1	#!/usr/bin/python
6dbeb0d6 MF	2	#-- coding:utf-8 --
ab74211f MF	3	# pylint: disable=invalid-name
	4
	5	"""Renew Let's Encrypt certs!
	6
	7	To generate a new set of certs:
	8	$ certbot certonly --webroot \\
	9	--webroot-path /var/www/wh0rd/ -d wh0rd.org -d www.wh0rd.org \\
	10	--webroot-path /var/www/rss/ -d rss.wh0rd.org
	11	"""
	12
	13	from __future__ import print_function
	14
	15	import argparse
	16	try:
	17	import configparser
	18	except ImportError:
	19	import ConfigParser as configparser
6dbeb0d6 MF	20	import cryptography.hazmat.backends
6dbeb0d6 MF	21	from cryptography import x509
ab74211f MF	22	try:
	23	from cStringIO import StringIO
	24	except ImportError:
	25	from io import StringIO
	26	import datetime
	27	import logging
	28	import logging.handlers
ab74211f	29	import os
ab74211f MF	30	import subprocess
	31	import sys
	32
	33
	34	LE_BASE = '/etc/letsencrypt'
	35
	36
	37	def get_parser():
	38	"""Return an ArgumentParser() for this module."""
	39	parser = argparse.ArgumentParser(description=__doc__,
	40	formatter_class=argparse.RawTextHelpFormatter)
	41	parser.add_argument('-n', '--dry-run', default=False,
	42	action='store_true',
	43	help='Do not actually update certs')
	44	parser.add_argument('--cronjob', default=False,
	45	action='store_true',
	46	help='Exit non-zero if no certs were changed')
	47	return parser
	48
	49
	50	def setup_logging(debug=False, syslog=None):
	51	"""Setup the logging module just the way we like it."""
	52	if syslog is None:
	53	syslog = not os.isatty(sys.stdin.fileno())
	54
	55	if syslog:
	56	handler = logging.handlers.SysLogHandler(address='/dev/log')
	57	else:
	58	handler = logging.StreamHandler(stream=sys.stdout)
	59
	60	fmt = '%(asctime)s: %(levelname)-7s: %(message)s'
	61
	62	datefmt = '%a, %d %b %Y %H:%M:%S letsencrypt'
	63
	64	level = logging.DEBUG if debug else logging.INFO
	65
	66	formatter = logging.Formatter(fmt, datefmt)
	67	handler.setFormatter(formatter)
	68
	69	logger = logging.getLogger()
	70	logger.addHandler(handler)
	71	logger.setLevel(level)
	72
	73
	74	def load_cert(path):
	75	"""Load the cert at \|path\|"""
6dbeb0d6	76	with open(path, 'rb') as f:
ab74211f	77	data = f.read()
6dbeb0d6 MF	78	return x509.load_pem_x509_certificate(
6dbeb0d6 MF	79	data, cryptography.hazmat.backends.default_backend())
ab74211f MF	80
	81
	82	def load_live_cert(domain):
	83	"""Load the live cert for \|domain\|"""
	84	path = os.path.join(LE_BASE, 'live', domain, 'cert.pem')
	85	return load_cert(path)
	86
	87
	88	def load_conf(domain):
	89	"""Load the LE config file for \|domain\|"""
	90	path = os.path.join(LE_BASE, 'renewal', domain + '.conf')
	91	# The config file format is almost enough for the configparser.
	92	# We need to insert a section header for the first few items.
	93	fp = StringIO()
	94	fp.write('[globals]\n')
	95	fp.write(open(path).read())
	96	fp.seek(0)
	97
	98	conf = configparser.RawConfigParser()
	99	conf.readfp(fp)
	100	return conf
	101
	102
	103	def process_domain(domain, dry_run=False):
	104	"""Update \|domain\|'s certs as needed."""
	105	ret = 0
	106
	107	logging.info('%s: checking', domain)
	108
	109	conf = load_conf(domain)
	110	webroot_path = conf.get('[webroot_map', domain)
	111
	112	cert_path = os.path.realpath(conf.get('globals', 'cert'))
	113
	114	cert = load_cert(cert_path)
6dbeb0d6	115	delta = cert.not_valid_after - datetime.datetime.utcnow()
ab74211f MF	116	logging.info('%s: expires in %2s days', domain, delta.days)
	117
	118	cmd = [
	119	'certbot',
	120	'certonly', '--webroot',
	121	'--webroot-path', webroot_path,
	122	'-d', domain,
	123	]
6dbeb0d6 MF	124	domains = []
	125	try:
	126	san = cert.extensions.get_extension_for_oid(
	127	x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
	128	domains = san.value.get_values_for_type(x509.DNSName)
	129	except x509.ExtensionNotFound:
	130	pass
ab74211f MF	131	for d in domains:
	132	cmd += ['-d', d]
	133	if delta.days < 30:
	134	logging.info('%s: renewing', domain)
	135	logging.info('%s: %s', domain, cmd)
	136	if not dry_run:
	137	subprocess.check_call(cmd)
	138	ret = 1
	139	# Try to revoke the old one.
	140	cmd = ['certbot', 'revoke', '--cert-path', cert_path]
	141	logging.info('%s: revoking old cert', domain)
	142	logging.info('%s: %s', domain, cmd)
	143	if not dry_run:
	144	subprocess.check_call(cmd)
	145	else:
	146	logging.info('%s: up-to-date!', domain)
	147
	148	return ret
	149
	150
	151	def main(argv):
	152	"""The main() entry point!"""
	153	parser = get_parser()
	154	opts = parser.parse_args(argv)
	155	setup_logging()
	156
	157	cnt = 0
	158	domains = [x[:-5] for x in os.listdir('/etc/letsencrypt/renewal')]
	159	for domain in domains:
	160	cnt += process_domain(domain, dry_run=opts.dry_run)
	161
	162	if opts.cronjob:
	163	if cnt:
	164	return 0
	165	else:
	166	return 1
	167
	168
	169	if __name__ == '__main__':
	170	sys.exit(main(sys.argv[1:]))