YunoHost/yunohost
1
0
Fork 0
mirror of https://github.com/YunoHost/yunohost.git synced 2024-09-03 20:06:10 +02:00
Code Issues Projects Releases Packages Wiki Activity

[mod] certificate: drop unused 'staging' LE mode

Browse source
This commit is contained in:
Alexandre Aubin 2022-01-26 14:28:45 +01:00
parent 9b89f66bba
commit 4b78e8e327
3 changed files with 14 additions and 58 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
share/actionsmap.yml
View file

@ -531,9 +531,6 @@ domain:
--self-signed: --self-signed:
help: Install self-signed certificate instead of Let's Encrypt help: Install self-signed certificate instead of Let's Encrypt
action: store_true action: store_true
--staging:
help: Use the fake/staging Let's Encrypt certification authority. The new certificate won't actually be enabled - it is only intended to test the main steps of the procedure.
action: store_true
### certificate_renew() ### certificate_renew()
cert-renew: cert-renew:
@ -552,9 +549,6 @@ domain:
--no-checks: --no-checks:
help: Does not perform any check that your domain seems correctly configured (DNS, reachability) before attempting to renew. (Not recommended) help: Does not perform any check that your domain seems correctly configured (DNS, reachability) before attempting to renew. (Not recommended)
action: store_true action: store_true
--staging:
help: Use the fake/staging Let's Encrypt certification authority. The new certificate won't actually be enabled - it is only intended to test the main steps of the procedure.
action: store_true
### domain_url_available() ### domain_url_available()
url-available: url-available:
@ -677,9 +671,6 @@ domain:
--self-signed: --self-signed:
help: Install self-signed certificate instead of Let's Encrypt help: Install self-signed certificate instead of Let's Encrypt
action: store_true action: store_true
--staging:
help: Use the fake/staging Let's Encrypt certification authority. The new certificate won't actually be enabled - it is only intended to test the main steps of the procedure.
action: store_true
### certificate_renew() ### certificate_renew()
renew: renew:
@ -698,9 +689,6 @@ domain:
--no-checks: --no-checks:
help: Does not perform any check that your domain seems correctly configured (DNS, reachability) before attempting to renew. (Not recommended) help: Does not perform any check that your domain seems correctly configured (DNS, reachability) before attempting to renew. (Not recommended)
action: store_true action: store_true
--staging:
help: Use the fake/staging Let's Encrypt certification authority. The new certificate won't actually be enabled - it is only intended to test the main steps of the procedure.
action: store_true
############################# #############################

52
src/certificate.py
View file

@ -60,8 +60,6 @@ KEY_SIZE = 3072
VALIDITY_LIMIT = 15 # days VALIDITY_LIMIT = 15 # days
# For tests
STAGING_CERTIFICATION_AUTHORITY = "https://acme-staging-v02.api.letsencrypt.org"
# For prod # For prod
PRODUCTION_CERTIFICATION_AUTHORITY = "https://acme-v02.api.letsencrypt.org" PRODUCTION_CERTIFICATION_AUTHORITY = "https://acme-v02.api.letsencrypt.org"
@ -114,7 +112,7 @@ def certificate_status(domains, full=False):
def certificate_install( def certificate_install(
domain_list, force=False, no_checks=False, self_signed=False, staging=False domain_list, force=False, no_checks=False, self_signed=False
): ):
""" """
Install a Let's Encrypt certificate for given domains (all by default) Install a Let's Encrypt certificate for given domains (all by default)
@ -130,7 +128,7 @@ def certificate_install(
if self_signed: if self_signed:
_certificate_install_selfsigned(domain_list, force) _certificate_install_selfsigned(domain_list, force)
else: else:
_certificate_install_letsencrypt(domain_list, force, no_checks, staging) _certificate_install_letsencrypt(domain_list, force, no_checks)
def _certificate_install_selfsigned(domain_list, force=False): def _certificate_install_selfsigned(domain_list, force=False):
@ -234,7 +232,7 @@ def _certificate_install_selfsigned(domain_list, force=False):
def _certificate_install_letsencrypt( def _certificate_install_letsencrypt(
domains, force=False, no_checks=False, staging=False domains, force=False, no_checks=False
): ):
from yunohost.domain import domain_list, _assert_domain_exists from yunohost.domain import domain_list, _assert_domain_exists
@ -264,11 +262,6 @@ def _certificate_install_letsencrypt(
"certmanager_domain_cert_not_selfsigned", domain=domain "certmanager_domain_cert_not_selfsigned", domain=domain
) )
if staging:
logger.warning(
"Please note that you used the --staging option, and that no new certificate will actually be enabled !"
)
# Actual install steps # Actual install steps
for domain in domains: for domain in domains:
@ -284,12 +277,12 @@ def _certificate_install_letsencrypt(
operation_logger = OperationLogger( operation_logger = OperationLogger(
"letsencrypt_cert_install", "letsencrypt_cert_install",
[("domain", domain)], [("domain", domain)],
args={"force": force, "no_checks": no_checks, "staging": staging}, args={"force": force, "no_checks": no_checks},
) )
operation_logger.start() operation_logger.start()
try: try:
_fetch_and_enable_new_certificate(domain, staging, no_checks=no_checks) _fetch_and_enable_new_certificate(domain, no_checks=no_checks)
except Exception as e: except Exception as e:
msg = f"Certificate installation for {domain} failed !\nException: {e}" msg = f"Certificate installation for {domain} failed !\nException: {e}"
logger.error(msg) logger.error(msg)
@ -305,7 +298,7 @@ def _certificate_install_letsencrypt(
def certificate_renew( def certificate_renew(
domains, force=False, no_checks=False, email=False, staging=False domains, force=False, no_checks=False, email=False
): ):
""" """
Renew Let's Encrypt certificate for given domains (all by default) Renew Let's Encrypt certificate for given domains (all by default)
@ -373,11 +366,6 @@ def certificate_renew(
"certmanager_acme_not_configured_for_domain", domain=domain "certmanager_acme_not_configured_for_domain", domain=domain
) )
if staging:
logger.warning(
"Please note that you used the --staging option, and that no new certificate will actually be enabled !"
)
# Actual renew steps # Actual renew steps
for domain in domains: for domain in domains:
@ -399,14 +387,13 @@ def certificate_renew(
args={ args={
"force": force, "force": force,
"no_checks": no_checks, "no_checks": no_checks,
"staging": staging,
"email": email, "email": email,
}, },
) )
operation_logger.start() operation_logger.start()
try: try:
_fetch_and_enable_new_certificate(domain, staging, no_checks=no_checks) _fetch_and_enable_new_certificate(domain, no_checks=no_checks)
except Exception as e: except Exception as e:
import traceback import traceback
from io import StringIO from io import StringIO
@ -473,7 +460,7 @@ def _check_acme_challenge_configuration(domain):
return "include /etc/nginx/conf.d/acme-challenge.conf.inc" in read_file(domain_conf) return "include /etc/nginx/conf.d/acme-challenge.conf.inc" in read_file(domain_conf)
def _fetch_and_enable_new_certificate(domain, staging=False, no_checks=False): def _fetch_and_enable_new_certificate(domain, no_checks=False):
if not os.path.exists(ACCOUNT_KEY_FILE): if not os.path.exists(ACCOUNT_KEY_FILE):
_generate_account_key() _generate_account_key()
@ -507,11 +494,6 @@ def _fetch_and_enable_new_certificate(domain, staging=False, no_checks=False):
domain_csr_file = f"{TMP_FOLDER}/{domain}.csr" domain_csr_file = f"{TMP_FOLDER}/{domain}.csr"
if staging:
certification_authority = STAGING_CERTIFICATION_AUTHORITY
else:
certification_authority = PRODUCTION_CERTIFICATION_AUTHORITY
try: try:
signed_certificate = sign_certificate( signed_certificate = sign_certificate(
ACCOUNT_KEY_FILE, ACCOUNT_KEY_FILE,
@ -519,7 +501,7 @@ def _fetch_and_enable_new_certificate(domain, staging=False, no_checks=False):
WEBROOT_FOLDER, WEBROOT_FOLDER,
log=logger, log=logger,
disable_check=no_checks, disable_check=no_checks,
CA=certification_authority, CA=PRODUCTION_CERTIFICATION_AUTHORITY,
) )
except ValueError as e: except ValueError as e:
if "urn:acme:error:rateLimited" in str(e): if "urn:acme:error:rateLimited" in str(e):
@ -539,12 +521,7 @@ def _fetch_and_enable_new_certificate(domain, staging=False, no_checks=False):
# Create corresponding directory # Create corresponding directory
date_tag = datetime.utcnow().strftime("%Y%m%d.%H%M%S") date_tag = datetime.utcnow().strftime("%Y%m%d.%H%M%S")
if staging: new_cert_folder = f"{CERT_FOLDER}/{domain}-history/{date_tag}-letsencrypt"
folder_flag = "staging"
else:
folder_flag = "letsencrypt"
new_cert_folder = f"{CERT_FOLDER}/{domain}-history/{date_tag}-{folder_flag}"
os.makedirs(new_cert_folder) os.makedirs(new_cert_folder)
@ -563,9 +540,6 @@ def _fetch_and_enable_new_certificate(domain, staging=False, no_checks=False):
_set_permissions(domain_cert_file, "root", "ssl-cert", 0o640) _set_permissions(domain_cert_file, "root", "ssl-cert", 0o640)
if staging:
return
_enable_certificate(domain, new_cert_folder) _enable_certificate(domain, new_cert_folder)
# Check the status of the certificate is now good # Check the status of the certificate is now good
@ -677,12 +651,6 @@ def _get_status(domain):
"verbose": "Let's Encrypt", "verbose": "Let's Encrypt",
} }
elif cert_issuer.startswith("Fake LE"):
CA_type = {
"code": "fake-lets-encrypt",
"verbose": "Fake Let's Encrypt",
}
else: else:
CA_type = { CA_type = {
"code": "other-unknown", "code": "other-unknown",

8
src/domain.py
View file

@ -528,19 +528,19 @@ def domain_cert_status(domain_list, full=False):
def domain_cert_install( def domain_cert_install(
domain_list, force=False, no_checks=False, self_signed=False, staging=False domain_list, force=False, no_checks=False, self_signed=False
): ):
from yunohost.certificate import certificate_install from yunohost.certificate import certificate_install
return certificate_install(domain_list, force, no_checks, self_signed, staging) return certificate_install(domain_list, force, no_checks, self_signed)
def domain_cert_renew( def domain_cert_renew(
domain_list, force=False, no_checks=False, email=False, staging=False domain_list, force=False, no_checks=False, email=False
): ):
from yunohost.certificate import certificate_renew from yunohost.certificate import certificate_renew
return certificate_renew(domain_list, force, no_checks, email, staging) return certificate_renew(domain_list, force, no_checks, email)
def domain_dns_conf(domain): def domain_dns_conf(domain):