Hoshpak
/
acme-updater


			
							1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889
							#   This file is part of acme-updater, written by Helmut Pozimski 2016-2017.
#
#   stov is free software: you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation, version 2 of the License.
#
#   stov is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with stov.  If not, see <http://www.gnu.org/licenses/>.


# -*- coding: utf8 -*-

""" Contains the postfix module which manages certificates for the postfix
mail server.
"""

import logging
import socket
import os
import subprocess

from amulib import helpers
import OpenSSL

LOGGER = logging.getLogger("acme_tlsa_mail")


def run(config=None, acme_dir="/var/lib/acme",
        named_key_path="/run/named/session.key"):
    hostname = socket.gethostname()
    fqdn = socket.getfqdn()
    if config:
        certificate_path = config["certificate_path"]
        key_path = config["key_path"]
        tlsa = config["tlsa"]
        tlsa_ports = config["tlsa_ports"]
    else:
        certificate_path = "/etc/postfix/%s.crt" % hostname
        key_path = "/etc/postfix/%s.key" % hostname
        tlsa = True
        tlsa_ports = [25, 465, 587]
    try:
        with open(certificate_path, "r") as cert_file:
            cert_text = cert_file.read()
    except IOError:
        LOGGER.error("Error while opening the postfix certificate")
    else:
        current_cert = OpenSSL.crypto.load_certificate(
            OpenSSL.crypto.FILETYPE_PEM, cert_text
        )
        acme_cert_path = os.path.join(acme_dir, "live", fqdn,
                                      "cert")
        acme_fullchain_path = os.path.join(acme_dir, "live", fqdn,
                                           "fullchain")
        if helpers.check_renewal(current_cert, acme_cert_path):
            try:
                with open(acme_cert_path, "r") as acme_cert_file:
                    acme_cert_text = acme_cert_file.read()
            except IOError:
                LOGGER.error("Error while opening new postfix "
                             "certificate file")
            else:
                acme_cert = OpenSSL.crypto.load_certificate(
                    OpenSSL.crypto.FILETYPE_PEM, acme_cert_text
                )
                if tlsa:
                    for port in tlsa_ports:
                        helpers.create_tlsa_records(fqdn, port, acme_cert,
                                                    named_key_path)
                if helpers.copy_file(acme_fullchain_path, certificate_path):
                    newkey_path = os.path.join(acme_dir, "live",
                                               fqdn, "privkey")
                    if helpers.copy_file(newkey_path, key_path):
                        LOGGER.info("Certificate for postfix successfully "
                                    "renewed, restarting service.")
                        subprocess.call(["/etc/init.d/postfix", "restart"])
                    else:
                        LOGGER.error("Renewal of cert for postfix failed, "
                                     "please clean up manually and "
                                     "check the backup files!")
                else:
                    LOGGER.error("Renewal of cert for postfix failed, "
                                 "please clean up manually and "
                                 "check the backup files!")