@@ -19,71 +19,28 @@
|
|
|
mail server.
|
|
|
"""
|
|
|
|
|
|
-import logging
|
|
|
import socket
|
|
|
-import os
|
|
|
-import subprocess
|
|
|
|
|
|
-from amulib import helpers
|
|
|
-import OpenSSL
|
|
|
-
|
|
|
-LOGGER = logging.getLogger("acme_tlsa_mail")
|
|
|
+from amulib import service
|
|
|
|
|
|
|
|
|
def run(config=None, acme_dir="/var/lib/acme",
|
|
|
named_key_path="/run/named/session.key"):
|
|
|
+ """
|
|
|
+
|
|
|
+ :param config: configuration for the service
|
|
|
+ :type config: dict
|
|
|
+ :param acme_dir: path to the acme state dir
|
|
|
+ :type acme_dir: str
|
|
|
+ :param named_key_path: path to the named session.key
|
|
|
+ :type named_key_path: str
|
|
|
+ """
|
|
|
hostname = socket.gethostname()
|
|
|
- fqdn = socket.getfqdn()
|
|
|
- if config:
|
|
|
- certificate_path = config["certificate_path"]
|
|
|
- key_path = config["key_path"]
|
|
|
- tlsa = config["tlsa"]
|
|
|
- tlsa_ports = config["tlsa_ports"]
|
|
|
- else:
|
|
|
- certificate_path = "/etc/postfix/%s.crt" % hostname
|
|
|
- key_path = "/etc/postfix/%s.key" % hostname
|
|
|
- tlsa = True
|
|
|
- tlsa_ports = [25, 465, 587]
|
|
|
- try:
|
|
|
- with open(certificate_path, "r") as cert_file:
|
|
|
- cert_text = cert_file.read()
|
|
|
- except IOError:
|
|
|
- LOGGER.error("Error while opening the postfix certificate")
|
|
|
- else:
|
|
|
- current_cert = OpenSSL.crypto.load_certificate(
|
|
|
- OpenSSL.crypto.FILETYPE_PEM, cert_text
|
|
|
- )
|
|
|
- acme_cert_path = os.path.join(acme_dir, "live", fqdn,
|
|
|
- "cert")
|
|
|
- acme_fullchain_path = os.path.join(acme_dir, "live", fqdn,
|
|
|
- "fullchain")
|
|
|
- if helpers.check_renewal(current_cert, acme_cert_path):
|
|
|
- try:
|
|
|
- with open(acme_cert_path, "r") as acme_cert_file:
|
|
|
- acme_cert_text = acme_cert_file.read()
|
|
|
- except IOError:
|
|
|
- LOGGER.error("Error while opening new postfix "
|
|
|
- "certificate file")
|
|
|
- else:
|
|
|
- acme_cert = OpenSSL.crypto.load_certificate(
|
|
|
- OpenSSL.crypto.FILETYPE_PEM, acme_cert_text
|
|
|
- )
|
|
|
- if tlsa:
|
|
|
- for port in tlsa_ports:
|
|
|
- helpers.create_tlsa_records(fqdn, port, acme_cert,
|
|
|
- named_key_path)
|
|
|
- if helpers.copy_file(acme_fullchain_path, certificate_path):
|
|
|
- newkey_path = os.path.join(acme_dir, "live",
|
|
|
- fqdn, "privkey")
|
|
|
- if helpers.copy_file(newkey_path, key_path):
|
|
|
- LOGGER.info("Certificate for postfix successfully "
|
|
|
- "renewed, restarting service.")
|
|
|
- subprocess.call(["/etc/init.d/postfix", "restart"])
|
|
|
- else:
|
|
|
- LOGGER.error("Renewal of cert for postfix failed, "
|
|
|
- "please clean up manually and "
|
|
|
- "check the backup files!")
|
|
|
- else:
|
|
|
- LOGGER.error("Renewal of cert for postfix failed, "
|
|
|
- "please clean up manually and "
|
|
|
- "check the backup files!")
|
|
|
+ if not config:
|
|
|
+ config = {
|
|
|
+ "certificate_path": "/etc/postfix/%s.crt" % hostname,
|
|
|
+ "key_path": "/etc/postfix/%s.key" % hostname,
|
|
|
+ "tlsa": True,
|
|
|
+ "tlsa_ports": [25, 465, 587]
|
|
|
+ }
|
|
|
+ service.run("postfix", config, acme_dir, named_key_path)
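Review bot: The docstring added to run() opens with an empty line and never says what the function does, so a reader gets the parameter list without the purpose; a one-line summary such as `"""Run the acme renewal service for postfix, filling in default paths and TLSA settings when no config is given."""` should precede the `:param` entries. The `:param config:` entry would also be more useful if it named the keys the default dict shows are expected (`certificate_path`, `key_path`, `tlsa`, `tlsa_ports`), since a partial dict is now passed straight through to service.run and whatever validation happens there is not visible in this hunk. As a point of style, `hostname = socket.gethostname()` is only consumed when building the defaults, so it could move inside the `if not config:` branch. Note that the restart of postfix and the error logging on a failed copy were removed from this module; presumably service.run now covers them, which is worth confirming since it is outside the hunk.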