
add configuration parameter to configure the address of the DNS server (closes #1)

Helmut Pozimski 7 years ago
parent
commit
919deaa5ad
9 changed files with 44 additions and 26 deletions
  1. 1 1
      README.md
  2. 5 3
      amulib/apache.py
  3. 2 2
      amulib/dovecot.py
  4. 10 8
      amulib/ejabberd.py
  5. 11 4
      amulib/helpers.py
  6. 4 4
      amulib/main.py
  7. 5 2
      amulib/postfix.py
  8. 5 2
      amulib/service.py
  9. 1 0
      example/config.json

+ 1 - 1
README.md

@@ -36,7 +36,7 @@ This software is published under the GNU GENERAL PUBLIC LICENSE, version 2.
 
 ## CONFIGURATION
 
-The configuration file is a json file which contains a json object with the keys "loglevel", "acme_dir" and "named_key_path". The first one defines the loglevel to use. The second one defines the acme state dir which can be used to obtain the current certificates, the last one the path to the named session key which is needed to write TLSA records via nsupdate. The other keys in the object correspond to the names of the services and their modules. Each service configuration is another json object and the structure of these might differ by service. They are documented in the section for the modules.
+The configuration file is a json file which contains a json object with the keys "loglevel", "acme_dir", "dns_server" and "named_key_path". The first one defines the loglevel to use. The second one defines the acme state dir which can be used to obtain the current certificates, the third one the DNS server to talk to and the last one the path to the named session key which is needed to write TLSA records via nsupdate. The other keys in the object correspond to the names of the services and their modules. Each service configuration is another json object and the structure of these might differ by service. They are documented in the section for the modules.
  
 An example configuration file with all parameters in provided in example/config.json.
 

+ 5 - 3
amulib/apache.py

@@ -32,7 +32,7 @@ LOGGER = logging.getLogger("acme-updater")
 
 
 def run(config=None, acme_dir="/var/lib/acme",
-        named_key_path="/run/named/session.key"):
+        named_key_path="/run/named/session.key", dns_server="localhost"):
     """
     Main method of the apache module, actually replaces the certificates,
     manages the service and writes TLSA records if necessary.
@@ -43,6 +43,8 @@ def run(config=None, acme_dir="/var/lib/acme",
     :type acme_dir: str
     :param named_key_path: path to the named session.key
     :type named_key_path: str
+    :param dns_server: DNS server to use to create TLSA records
+    :type dns_server: str
     """
     cert_renewed = False
     parsed_vhosts = []
@@ -106,7 +108,7 @@ def run(config=None, acme_dir="/var/lib/acme",
                                     if domain not in tlsa_exclude:
                                         helpers.create_tlsa_records(
                                             domain, "443", x509_acme_cert,
-                                        named_key_path)
+                                            named_key_path, dns_server)
                             if helpers.copy_file(acme_cert_path, entry[1]):
                                 acme_key_path = os.path.join(acme_dir,
                                                              "live", entry[0],
@@ -140,4 +142,4 @@ def run(config=None, acme_dir="/var/lib/acme",
             except subprocess.CalledProcessError:
                 LOGGER.error("Apache restart failed!")
             else:
-                LOGGER.info("Apache restarted successfully")
+                LOGGER.info("Apache restarted successfully")

+ 2 - 2
amulib/dovecot.py

@@ -23,7 +23,7 @@ from amulib import service
 
 
 def run(config=None, acme_dir="/var/lib/acme",
-        named_key_path="/run/named/session.key"):
+        named_key_path="/run/named/session.key", dns_server="localhost"):
     """ manages the certificates for dovecot
 
        :param config: configuration for the service
@@ -40,4 +40,4 @@ def run(config=None, acme_dir="/var/lib/acme",
             "tlsa": True,
             "tlsa_ports": [993]
         }
-    service.run("dovecot", config, acme_dir, named_key_path)
+    service.run("dovecot", config, acme_dir, named_key_path, dns_server)

+ 10 - 8
amulib/ejabberd.py

@@ -23,15 +23,17 @@ from amulib import service
 
 
 def run(config=None, acme_dir="/var/lib/acme",
-        named_key_path="/run/named/session.key"):
+        named_key_path="/run/named/session.key", dns_server="localhost"):
     """ manages the certificates for dovecot
 
-       :param config: configuration for the service
-       :type config: dict
-       :param acme_dir: path to the acme state dir
-       :type acme_dir: str
-       :param named_key_path: path to the named session.key
-       :type named_key_path: str
+        :param config: configuration for the service
+        :type config: dict
+        :param acme_dir: path to the acme state dir
+        :type acme_dir: str
+        :param named_key_path: path to the named session.key
+        :type named_key_path: str
+        :param dns_server: DNS server to use to create TLSA records
+        :type dns_server: str
        """
     if not config:
         config = {
@@ -40,4 +42,4 @@ def run(config=None, acme_dir="/var/lib/acme",
             "tlsa": True,
             "tlsa_ports": [5222, 5269]
         }
-    service.run("ejabberd", config, acme_dir, named_key_path)
+    service.run("ejabberd", config, acme_dir, named_key_path, dns_server)
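Review bot: The docstring that this hunk re-indents still opens with `manages the certificates for dovecot` on the context line above the parameter list, a copy-paste leftover from dovecot.py; it should read `manages the certificates for ejabberd`. The re-indented `:param` lines now sit at eight spaces while the closing `"""` stays at seven, so the new lines are no better aligned than the removed ones; indenting the whole docstring body at four spaces, as apache.py and postfix.py do, would make the three service modules consistent. run() continues past the end of the first hunk.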

+ 11 - 4
amulib/helpers.py

@@ -231,7 +231,8 @@ def get_tsig_key(named_key_path):
 
 
 def update_tlsa_record(zone, tlsa_port, digest, keyring, keyalgorithm,
-                       subdomain="", ttl=300, protocol="tcp"):
+                       subdomain="", ttl=300, protocol="tcp",
+                       dns_server="localhost"):
     """
     Updates the tlsa record on the DNS server.
 
@@ -251,6 +252,8 @@ def update_tlsa_record(zone, tlsa_port, digest, keyring, keyalgorithm,
     :type ttl: int
     :param protocol: protocol for the TLSA record
     :type protocol: str
+    :param dns_server: DNS server to use to create TLSA records
+    :type dns_server: str
     :returns: response of the operation
     :rtype: dns.message.Message
     """
@@ -262,7 +265,7 @@ def update_tlsa_record(zone, tlsa_port, digest, keyring, keyalgorithm,
     else:
         tlsa_record = "_%s._%s.%s." % (tlsa_port, protocol, zone)
     update.replace(tlsa_record, ttl, "tlsa", tlsa_content)
-    response = dns.query.tcp(update, 'localhost')
+    response = dns.query.tcp(update, dns_server)
     return response
 
 
@@ -283,7 +286,8 @@ def get_log_level(input_level=""):
         return logging.INFO
 
 
-def create_tlsa_records(domain, port, certificate, named_key_path):
+def create_tlsa_records(domain, port, certificate, named_key_path,
+                        dns_server):
     """
     Creates tlsa records for the specified (sub-)domain
 
@@ -295,11 +299,14 @@ def create_tlsa_records(domain, port, certificate, named_key_path):
     :type certificate: OpenSSL.crypto.X509
     :param named_key_path: path to the named session key
     :type named_key_path: str
+    :param dns_server: DNS server to use to create TLSA records
+    :type dns_server: str
     """
     hash_digest = create_tlsa_hash(certificate)
     zone = "%s.%s" % (domain.split(".")[-2], domain.split(".")[-1])
     tsig, keyalgo = get_tsig_key(named_key_path)
-    update_tlsa_record(zone, port, hash_digest, tsig, keyalgo, domain)
+    update_tlsa_record(zone, port, hash_digest, tsig, keyalgo, domain,
+                       dns_server=dns_server)
 
 
 def get_subject_alt_name(certificate):
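Review bot: `dns.query.tcp(update, dns_server)` on the changed line in update_tlsa_record still relies on dnspython's default of no timeout, which hardly mattered for localhost but now that the target is a configurable and possibly remote host an unreachable server blocks the updater indefinitely; bound the call, e.g. `response = dns.query.tcp(update, dns_server, timeout=10)`, ideally with the timeout exposed as a parameter next to dns_server. create_tlsa_records makes dns_server a required positional argument while every other signature in this commit defaults it to "localhost"; giving it the same `dns_server="localhost"` default keeps the helper backward compatible with any caller outside this repository. The response that update_tlsa_record returns is still discarded on the rewritten call in create_tlsa_records, so a REFUSED or NOTAUTH answer from the server goes unnoticed; capturing it and logging a non-NOERROR `response.rcode()` would make failed TLSA updates visible, which matters more once TSIG-signed updates are sent to a different host.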

+ 4 - 4
amulib/main.py

@@ -72,24 +72,24 @@ def main():
     if args.apache:
         if config:
             apache.run(config["apache"], config["acme_dir"],
-                       config["named_key_path"])
+                       config["named_key_path"], config["dns_server"])
         else:
             apache.run()
     if args.postfix:
         if config:
             postfix.run(config["postfix"], config["acme_dir"],
-                        config["named_key_path"])
+                        config["named_key_path"], config["dns_server"])
         else:
             postfix.run()
     if args.dovecot:
         if config:
             dovecot.run(config["dovecot"], config["acme_dir"],
-                        config["named_key_path"])
+                        config["named_key_path"], config["dns_server"])
         else:
             dovecot.run()
     if args.ejabberd:
         if config:
             ejabberd.run(config["ejabberd"], config["acme_dir"],
-                         config["named_key_path"])
+                         config["named_key_path"], config["dns_server"])
         else:
             ejabberd.run()
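Review bot: `config["dns_server"]` on each of the four changed lines raises KeyError for any configuration file written before this commit, because the new key is read unconditionally even though every run() signature defaults it to "localhost"; use `config.get("dns_server", "localhost")`, or read it once into a local above the `if args.apache:` block, so existing configs keep working. The README hunk documents the key as one of the expected top-level keys but does not say it is optional, so either the lookup or the README should be aligned with the other. main() starts outside the hunk.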

+ 5 - 2
amulib/postfix.py

@@ -25,7 +25,8 @@ from amulib import service
 
 
 def run(config=None, acme_dir="/var/lib/acme",
-        named_key_path="/run/named/session.key"):
+        named_key_path="/run/named/session.key",
+        dns_server="localhost"):
     """ manages the certificates for postfix
 
     :param config: configuration for the service
@@ -34,6 +35,8 @@ def run(config=None, acme_dir="/var/lib/acme",
     :type acme_dir: str
     :param named_key_path: path to the named session.key
     :type named_key_path: str
+    :param dns_server: DNS server to use to create TLSA records
+    :type dns_server: str
     """
     hostname = socket.gethostname()
     if not config:
@@ -43,4 +46,4 @@ def run(config=None, acme_dir="/var/lib/acme",
             "tlsa": True,
             "tlsa_ports": [25, 465, 587]
         }
-    service.run("postfix", config, acme_dir, named_key_path)
+    service.run("postfix", config, acme_dir, named_key_path, dns_server)

+ 5 - 2
amulib/service.py

@@ -33,7 +33,7 @@ LOGGER = logging.getLogger("acme-updater")
 
 
 def run(service_name, config, acme_dir="/var/lib/acme",
-        named_key_path="/run/named/session.key"):
+        named_key_path="/run/named/session.key", dns_server="localhost"):
     """
 
     :param service_name: name of the service
@@ -44,6 +44,8 @@ def run(service_name, config, acme_dir="/var/lib/acme",
     :type acme_dir: str
     :param named_key_path: path to the named session.key
     :type named_key_path: str
+    :param dns_server: DNS server to use to create TLSA records
+    :type dns_server: str
     """
     certificate_path = config["certificate_path"]
     key_path = config["key_path"]
@@ -80,7 +82,8 @@ def run(service_name, config, acme_dir="/var/lib/acme",
                     for name in cert_alt_names:
                         for port in tlsa_ports:
                             helpers.create_tlsa_records(name, port, acme_cert,
-                                                        named_key_path)
+                                                        named_key_path,
+                                                        dns_server)
                 newkey_path = os.path.join(acme_dir, "live",
                                            fqdn, "privkey")
                 if certificate_path == key_path:

+ 1 - 0
example/config.json

@@ -2,6 +2,7 @@
   "loglevel": "info",
   "acme_dir": "/var/lib/acme",
   "named_key_path": "/run/named/session.key",
+  "dns_server": "localhost",
   "apache": {
     "vhosts_dir": "/etc/apache2/sites-enabled",
     "tlsa": false,