- # This file is part of acme-updater, written by Helmut Pozimski 2016-2017.
- #
- # stov is free software: you can redistribute it and/or modify
- # it under the terms of the GNU General Public License as published by
- # the Free Software Foundation, version 2 of the License.
- #
- # stov is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- # GNU General Public License for more details.
- #
- # You should have received a copy of the GNU General Public License
- # along with stov. If not, see <http://www.gnu.org/licenses/>.
- # -*- coding: utf8 -*-
- """ Contains the postfix module which manages certificates for the postfix
- mail server.
- """
- import logging
- import socket
- import os
- import subprocess
- from amulib import helpers
- import OpenSSL
- LOGGER = logging.getLogger("acme_tlsa_mail")
- def run(config=None, acme_dir="/var/lib/acme",
- named_key_path="/run/named/session.key"):
- hostname = socket.gethostname()
- fqdn = socket.getfqdn()
- if config:
- certificate_path = config["certificate_path"]
- key_path = config["key_path"]
- tlsa = config["tlsa"]
- tlsa_ports = config["tlsa_ports"]
- else:
- certificate_path = "/etc/postfix/%s.crt" % hostname
- key_path = "/etc/postfix/%s.key" % hostname
- tlsa = True
- tlsa_ports = [25, 465, 587]
- try:
- with open(certificate_path, "r") as cert_file:
- cert_text = cert_file.read()
- except IOError:
- LOGGER.error("Error while opening the postfix certificate")
- else:
- current_cert = OpenSSL.crypto.load_certificate(
- OpenSSL.crypto.FILETYPE_PEM, cert_text
- )
- acme_cert_path = os.path.join(acme_dir, "live", fqdn,
- "cert")
- acme_fullchain_path = os.path.join(acme_dir, "live", fqdn,
- "fullchain")
- if helpers.check_renewal(current_cert, acme_cert_path):
- try:
- with open(acme_cert_path, "r") as acme_cert_file:
- acme_cert_text = acme_cert_file.read()
- except IOError:
- LOGGER.error("Error while opening new postfix "
- "certificate file")
- else:
- acme_cert = OpenSSL.crypto.load_certificate(
- OpenSSL.crypto.FILETYPE_PEM, acme_cert_text
- )
- if tlsa:
- for port in tlsa_ports:
- helpers.create_tlsa_records(fqdn, port, acme_cert,
- named_key_path)
- if helpers.copy_file(acme_fullchain_path, certificate_path):
- newkey_path = os.path.join(acme_dir, "live",
- fqdn, "privkey")
- if helpers.copy_file(newkey_path, key_path):
- LOGGER.info("Certificate for postfix successfully "
- "renewed, restarting service.")
- subprocess.call(["/etc/init.d/postfix", "restart"])
- else:
- LOGGER.error("Renewal of cert for postfix failed, "
- "please clean up manually and "
- "check the backup files!")
- else:
- LOGGER.error("Renewal of cert for postfix failed, "
- "please clean up manually and "
- "check the backup files!")