acme-updater/amulib/service.py

#   This file is part of acme-updater, written by Helmut Pozimski 2016-2017.
#
#   stov is free software: you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation, version 2 of the License.
#
#   stov is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with stov.  If not, see <http://www.gnu.org/licenses/>.


# -*- coding: utf8 -*-

""" Contains the service module which manages certificates for generic
services that don't need any special configuration. The configuration
needs to at least contain the keys "certificate_path", "key_path",
"tlsa"and "tlsa_ports".
"""

import logging
import socket
import os
import subprocess

from amulib import helpers
import OpenSSL

LOGGER = logging.getLogger("acme_tlsa_mail")


def run(service_name, config, acme_dir="/var/lib/acme",
        named_key_path="/run/named/session.key"):
    """

    :param service_name: name of the service
    :type service_name: str
    :param config: configuration for the service
    :type config: dict
    :param acme_dir: path to the acme state dir
    :type acme_dir: str
    :param named_key_path: path to the named session.key
    :type named_key_path: str
    """
    fqdn = socket.getfqdn()
    certificate_path = config["certificate_path"]
    key_path = config["key_path"]
    tlsa = config["tlsa"]
    tlsa_ports = config["tlsa_ports"]
    try:
        with open(certificate_path, "r") as cert_file:
            cert_text = cert_file.read()
    except IOError:
        LOGGER.error("Error while opening the %s certificate", service_name)
    else:
        current_cert = OpenSSL.crypto.load_certificate(
            OpenSSL.crypto.FILETYPE_PEM, cert_text
        )
        acme_cert_path = os.path.join(acme_dir, "live", fqdn,
                                      "cert")
        acme_fullchain_path = os.path.join(acme_dir, "live", fqdn,
                                           "fullchain")
        if helpers.check_renewal(current_cert, acme_cert_path):
            try:
                with open(acme_cert_path, "r") as acme_cert_file:
                    acme_cert_text = acme_cert_file.read()
            except IOError:
                LOGGER.error("Error while opening new %s "
                             "certificate file", service_name)
            else:
                acme_cert = OpenSSL.crypto.load_certificate(
                    OpenSSL.crypto.FILETYPE_PEM, acme_cert_text
                )
                if tlsa:
                    for port in tlsa_ports:
                        helpers.create_tlsa_records(fqdn, port, acme_cert,
                                                    named_key_path)
                if helpers.copy_file(acme_fullchain_path, certificate_path):
                    newkey_path = os.path.join(acme_dir, "live",
                                               fqdn, "privkey")
                    if helpers.copy_file(newkey_path, key_path):
                        LOGGER.info("Certificate for %s successfully "
                                    "renewed, restarting service.",
                                    service_name)
                        subprocess.call(["/etc/init.d/%s" % service_name,
                                         "restart"])
                    else:
                        LOGGER.error("Renewal of cert for %s failed, "
                                     "please clean up manually and "
                                     "check the backup files!", service_name)
                else:
                    LOGGER.error("Renewal of cert for %s failed, "
                                 "please clean up manually and "
                                 "check the backup files!", service_name)