mirror of
https://github.com/YunoHost/yunohost.git
synced 2024-09-03 20:06:10 +02:00
338 lines
13 KiB
Python
338 lines
13 KiB
Python
#!/usr/bin/env python
|
|
# Copyright Daniel Roesler, under MIT license, see LICENSE at github.com/diafygi/acme-tiny
|
|
import argparse, subprocess, json, os, sys, base64, binascii, time, hashlib, re, copy, textwrap, logging
|
|
|
|
try:
|
|
from urllib.request import urlopen, Request # Python 3
|
|
except ImportError:
|
|
from urllib2 import urlopen, Request # Python 2
|
|
|
|
DEFAULT_CA = "https://acme-v02.api.letsencrypt.org" # DEPRECATED! USE DEFAULT_DIRECTORY_URL INSTEAD
|
|
DEFAULT_DIRECTORY_URL = "https://acme-v02.api.letsencrypt.org/directory"
|
|
|
|
LOGGER = logging.getLogger(__name__)
|
|
LOGGER.addHandler(logging.StreamHandler())
|
|
LOGGER.setLevel(logging.INFO)
|
|
|
|
|
|
def get_crt(
|
|
account_key,
|
|
csr,
|
|
acme_dir,
|
|
log=LOGGER,
|
|
CA=DEFAULT_CA,
|
|
disable_check=False,
|
|
directory_url=DEFAULT_DIRECTORY_URL,
|
|
contact=None,
|
|
):
|
|
directory, acct_headers, alg, jwk = None, None, None, None # global variables
|
|
|
|
# helper functions - base64 encode for jose spec
|
|
def _b64(b):
|
|
return base64.urlsafe_b64encode(b).decode("utf8").replace("=", "")
|
|
|
|
# helper function - run external commands
|
|
def _cmd(cmd_list, stdin=None, cmd_input=None, err_msg="Command Line Error"):
|
|
proc = subprocess.Popen(
|
|
cmd_list, stdin=stdin, stdout=subprocess.PIPE, stderr=subprocess.PIPE
|
|
)
|
|
out, err = proc.communicate(cmd_input)
|
|
if proc.returncode != 0:
|
|
raise IOError("{}\n{}".format(err_msg, err))
|
|
return out
|
|
|
|
# helper function - make request and automatically parse json response
|
|
def _do_request(url, data=None, err_msg="Error", depth=0):
|
|
try:
|
|
resp = urlopen(
|
|
Request(
|
|
url,
|
|
data=data,
|
|
headers={
|
|
"Content-Type": "application/jose+json",
|
|
"User-Agent": "acme-tiny",
|
|
},
|
|
)
|
|
)
|
|
resp_data, code, headers = (
|
|
resp.read().decode("utf8"),
|
|
resp.getcode(),
|
|
resp.headers,
|
|
)
|
|
except IOError as e:
|
|
resp_data = e.read().decode("utf8") if hasattr(e, "read") else str(e)
|
|
code, headers = getattr(e, "code", None), {}
|
|
try:
|
|
resp_data = json.loads(resp_data) # try to parse json results
|
|
except ValueError:
|
|
pass # ignore json parsing errors
|
|
if (
|
|
depth < 100
|
|
and code == 400
|
|
and resp_data["type"] == "urn:ietf:params:acme:error:badNonce"
|
|
):
|
|
raise IndexError(resp_data) # allow 100 retrys for bad nonces
|
|
if code not in [200, 201, 204]:
|
|
raise ValueError(
|
|
"{}:\nUrl: {}\nData: {}\nResponse Code: {}\nResponse: {}".format(
|
|
err_msg, url, data, code, resp_data
|
|
)
|
|
)
|
|
return resp_data, code, headers
|
|
|
|
# helper function - make signed requests
|
|
def _send_signed_request(url, payload, err_msg, depth=0):
|
|
payload64 = "" if payload is None else _b64(json.dumps(payload).encode("utf8"))
|
|
new_nonce = _do_request(directory["newNonce"])[2]["Replay-Nonce"]
|
|
protected = {"url": url, "alg": alg, "nonce": new_nonce}
|
|
protected.update(
|
|
{"jwk": jwk} if acct_headers is None else {"kid": acct_headers["Location"]}
|
|
)
|
|
protected64 = _b64(json.dumps(protected).encode("utf8"))
|
|
protected_input = "{}.{}".format(protected64, payload64).encode("utf8")
|
|
out = _cmd(
|
|
["openssl", "dgst", "-sha256", "-sign", account_key],
|
|
stdin=subprocess.PIPE,
|
|
cmd_input=protected_input,
|
|
err_msg="OpenSSL Error",
|
|
)
|
|
data = json.dumps(
|
|
{"protected": protected64, "payload": payload64, "signature": _b64(out)}
|
|
)
|
|
try:
|
|
return _do_request(
|
|
url, data=data.encode("utf8"), err_msg=err_msg, depth=depth
|
|
)
|
|
except IndexError: # retry bad nonces (they raise IndexError)
|
|
return _send_signed_request(url, payload, err_msg, depth=(depth + 1))
|
|
|
|
# helper function - poll until complete
|
|
def _poll_until_not(url, pending_statuses, err_msg):
|
|
result, t0 = None, time.time()
|
|
while result is None or result["status"] in pending_statuses:
|
|
assert time.time() - t0 < 3600, "Polling timeout" # 1 hour timeout
|
|
time.sleep(0 if result is None else 2)
|
|
result, _, _ = _send_signed_request(url, None, err_msg)
|
|
return result
|
|
|
|
# parse account key to get public key
|
|
log.info("Parsing account key...")
|
|
out = _cmd(
|
|
["openssl", "rsa", "-in", account_key, "-noout", "-text"],
|
|
err_msg="OpenSSL Error",
|
|
)
|
|
pub_pattern = r"modulus:\n\s+00:([a-f0-9\:\s]+?)\npublicExponent: ([0-9]+)"
|
|
pub_hex, pub_exp = re.search(
|
|
pub_pattern, out.decode("utf8"), re.MULTILINE | re.DOTALL
|
|
).groups()
|
|
pub_exp = "{:x}".format(int(pub_exp))
|
|
pub_exp = "0{}".format(pub_exp) if len(pub_exp) % 2 else pub_exp
|
|
alg = "RS256"
|
|
jwk = {
|
|
"e": _b64(binascii.unhexlify(pub_exp.encode("utf-8"))),
|
|
"kty": "RSA",
|
|
"n": _b64(binascii.unhexlify(re.sub(r"(\s|:)", "", pub_hex).encode("utf-8"))),
|
|
}
|
|
accountkey_json = json.dumps(jwk, sort_keys=True, separators=(",", ":"))
|
|
thumbprint = _b64(hashlib.sha256(accountkey_json.encode("utf8")).digest())
|
|
|
|
# find domains
|
|
log.info("Parsing CSR...")
|
|
out = _cmd(
|
|
["openssl", "req", "-in", csr, "-noout", "-text"],
|
|
err_msg="Error loading {}".format(csr),
|
|
)
|
|
domains = set()
|
|
common_name = re.search(r"Subject:.*? CN\s?=\s?([^\s,;/]+)", out.decode("utf8"))
|
|
if common_name is not None:
|
|
domains.add(common_name.group(1))
|
|
subject_alt_names = re.search(
|
|
r"X509v3 Subject Alternative Name: (?:critical)?\n +([^\n]+)\n",
|
|
out.decode("utf8"),
|
|
re.MULTILINE | re.DOTALL,
|
|
)
|
|
if subject_alt_names is not None:
|
|
for san in subject_alt_names.group(1).split(", "):
|
|
if san.startswith("DNS:"):
|
|
domains.add(san[4:])
|
|
log.info("Found domains: {}".format(", ".join(domains)))
|
|
|
|
# get the ACME directory of urls
|
|
log.info("Getting directory...")
|
|
directory_url = (
|
|
CA + "/directory" if CA != DEFAULT_CA else directory_url
|
|
) # backwards compatibility with deprecated CA kwarg
|
|
directory, _, _ = _do_request(directory_url, err_msg="Error getting directory")
|
|
log.info("Directory found!")
|
|
|
|
# create account, update contact details (if any), and set the global key identifier
|
|
log.info("Registering account...")
|
|
reg_payload = {"termsOfServiceAgreed": True}
|
|
account, code, acct_headers = _send_signed_request(
|
|
directory["newAccount"], reg_payload, "Error registering"
|
|
)
|
|
log.info("Registered!" if code == 201 else "Already registered!")
|
|
if contact is not None:
|
|
account, _, _ = _send_signed_request(
|
|
acct_headers["Location"],
|
|
{"contact": contact},
|
|
"Error updating contact details",
|
|
)
|
|
log.info("Updated contact details:\n{}".format("\n".join(account["contact"])))
|
|
|
|
# create a new order
|
|
log.info("Creating new order...")
|
|
order_payload = {"identifiers": [{"type": "dns", "value": d} for d in domains]}
|
|
order, _, order_headers = _send_signed_request(
|
|
directory["newOrder"], order_payload, "Error creating new order"
|
|
)
|
|
log.info("Order created!")
|
|
|
|
# get the authorizations that need to be completed
|
|
for auth_url in order["authorizations"]:
|
|
authorization, _, _ = _send_signed_request(
|
|
auth_url, None, "Error getting challenges"
|
|
)
|
|
domain = authorization["identifier"]["value"]
|
|
log.info("Verifying {}...".format(domain))
|
|
|
|
# find the http-01 challenge and write the challenge file
|
|
challenge = [c for c in authorization["challenges"] if c["type"] == "http-01"][
|
|
0
|
|
]
|
|
token = re.sub(r"[^A-Za-z0-9_\-]", "_", challenge["token"])
|
|
keyauthorization = "{}.{}".format(token, thumbprint)
|
|
wellknown_path = os.path.join(acme_dir, token)
|
|
with open(wellknown_path, "w") as wellknown_file:
|
|
wellknown_file.write(keyauthorization)
|
|
|
|
# check that the file is in place
|
|
try:
|
|
wellknown_url = "http://{}/.well-known/acme-challenge/{}".format(
|
|
domain, token
|
|
)
|
|
assert disable_check or _do_request(wellknown_url)[0] == keyauthorization
|
|
except (AssertionError, ValueError) as e:
|
|
raise ValueError(
|
|
"Wrote file to {}, but couldn't download {}: {}".format(
|
|
wellknown_path, wellknown_url, e
|
|
)
|
|
)
|
|
|
|
# say the challenge is done
|
|
_send_signed_request(
|
|
challenge["url"], {}, "Error submitting challenges: {}".format(domain)
|
|
)
|
|
authorization = _poll_until_not(
|
|
auth_url,
|
|
["pending"],
|
|
"Error checking challenge status for {}".format(domain),
|
|
)
|
|
if authorization["status"] != "valid":
|
|
raise ValueError(
|
|
"Challenge did not pass for {}: {}".format(domain, authorization)
|
|
)
|
|
os.remove(wellknown_path)
|
|
log.info("{} verified!".format(domain))
|
|
|
|
# finalize the order with the csr
|
|
log.info("Signing certificate...")
|
|
csr_der = _cmd(
|
|
["openssl", "req", "-in", csr, "-outform", "DER"], err_msg="DER Export Error"
|
|
)
|
|
_send_signed_request(
|
|
order["finalize"], {"csr": _b64(csr_der)}, "Error finalizing order"
|
|
)
|
|
|
|
# poll the order to monitor when it's done
|
|
order = _poll_until_not(
|
|
order_headers["Location"],
|
|
["pending", "processing"],
|
|
"Error checking order status",
|
|
)
|
|
if order["status"] != "valid":
|
|
raise ValueError("Order failed: {}".format(order))
|
|
|
|
# download the certificate
|
|
certificate_pem, _, _ = _send_signed_request(
|
|
order["certificate"], None, "Certificate download failed"
|
|
)
|
|
log.info("Certificate signed!")
|
|
return certificate_pem
|
|
|
|
|
|
def main(argv=None):
|
|
parser = argparse.ArgumentParser(
|
|
formatter_class=argparse.RawDescriptionHelpFormatter,
|
|
description=textwrap.dedent(
|
|
"""\
|
|
This script automates the process of getting a signed TLS certificate from Let's Encrypt using
|
|
the ACME protocol. It will need to be run on your server and have access to your private
|
|
account key, so PLEASE READ THROUGH IT! It's only ~200 lines, so it won't take long.
|
|
|
|
Example Usage:
|
|
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /usr/share/nginx/html/.well-known/acme-challenge/ > signed_chain.crt
|
|
|
|
Example Crontab Renewal (once per month):
|
|
0 0 1 * * python /path/to/acme_tiny.py --account-key /path/to/account.key --csr /path/to/domain.csr --acme-dir /usr/share/nginx/html/.well-known/acme-challenge/ > /path/to/signed_chain.crt 2>> /var/log/acme_tiny.log
|
|
"""
|
|
),
|
|
)
|
|
parser.add_argument(
|
|
"--account-key",
|
|
required=True,
|
|
help="path to your Let's Encrypt account private key",
|
|
)
|
|
parser.add_argument(
|
|
"--csr", required=True, help="path to your certificate signing request"
|
|
)
|
|
parser.add_argument(
|
|
"--acme-dir",
|
|
required=True,
|
|
help="path to the .well-known/acme-challenge/ directory",
|
|
)
|
|
parser.add_argument(
|
|
"--quiet",
|
|
action="store_const",
|
|
const=logging.ERROR,
|
|
help="suppress output except for errors",
|
|
)
|
|
parser.add_argument(
|
|
"--disable-check",
|
|
default=False,
|
|
action="store_true",
|
|
help="disable checking if the challenge file is hosted correctly before telling the CA",
|
|
)
|
|
parser.add_argument(
|
|
"--directory-url",
|
|
default=DEFAULT_DIRECTORY_URL,
|
|
help="certificate authority directory url, default is Let's Encrypt",
|
|
)
|
|
parser.add_argument(
|
|
"--ca", default=DEFAULT_CA, help="DEPRECATED! USE --directory-url INSTEAD!"
|
|
)
|
|
parser.add_argument(
|
|
"--contact",
|
|
metavar="CONTACT",
|
|
default=None,
|
|
nargs="*",
|
|
help="Contact details (e.g. mailto:aaa@bbb.com) for your account-key",
|
|
)
|
|
|
|
args = parser.parse_args(argv)
|
|
LOGGER.setLevel(args.quiet or LOGGER.level)
|
|
signed_crt = get_crt(
|
|
args.account_key,
|
|
args.csr,
|
|
args.acme_dir,
|
|
log=LOGGER,
|
|
CA=args.ca,
|
|
disable_check=args.disable_check,
|
|
directory_url=args.directory_url,
|
|
contact=args.contact,
|
|
)
|
|
sys.stdout.write(signed_crt)
|
|
|
|
|
|
if __name__ == "__main__": # pragma: no cover
|
|
main(sys.argv[1:])
|