X-Git-Url: https://git.ralfj.de/lets-encrypt-tiny.git/blobdiff_plain/447af53ef3d1c8f62d09a692236d881bcf7fc312..53d17049bb85096d7f640ca1c8960f3dc6362fc9:/letsencrypt-tiny?ds=sidebyside diff --git a/letsencrypt-tiny b/letsencrypt-tiny index c6b4cc0..eef52e7 100755 --- a/letsencrypt-tiny +++ b/letsencrypt-tiny @@ -1,5 +1,5 @@ #!/usr/bin/env python3 -## Call with "--help" for documentation. +## See for documentation. import argparse, configparser, itertools, stat, os, os.path, sys, subprocess, datetime @@ -21,6 +21,7 @@ def keyfile(name): def make_backup(fname): if os.path.exists(fname): + os.makedirs(config['dirs']['backups'], exist_ok = True) backupname = os.path.basename(fname) + "." + str(datetime.date.today()) i = 0 while True: @@ -58,18 +59,20 @@ def acme(keyfilename, certfilename, domains): # Generating the CSR is done by a shell script exe = os.path.join(os.path.dirname(__file__), 'gencsr') csr = subprocess.check_output([exe, keyfilename] + domains) - assert not os.path.exists(csrfilename) + assert not os.path.exists(csrfilename), "The temporary CSR file {} still exists. It seems something went wrong on a previous request. You may want to remove the file manually.".format(csrfilename) with open(csrfilename, 'wb') as file: file.write(csr) - # call acme-tiny as a script - acme_tiny = os.path.join(config['acme']['acme-tiny'], 'acme_tiny.py') - signed_crt = subprocess.check_output(["python", acme_tiny, "--quiet", "--account-key", accountkey, "--csr", csrfilename, "--acme-dir", config['acme']['challenge-dir']]) - # save new certificate - make_backup(certfilename) - with open(certfilename, 'wb') as f: - f.write(signed_crt) - # clean up - os.remove(csrfilename) + try: + # call acme-tiny as a script + acme_tiny = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'acme-tiny', 'acme_tiny.py') + signed_crt = subprocess.check_output(["python3", acme_tiny, "--quiet", "--account-key", accountkey, "--csr", csrfilename, "--acme-dir", config['acme']['challenge-dir']]) + # save new certificate + make_backup(certfilename) + with open(certfilename, 'wb') as f: + f.write(signed_crt) + finally: + # clean up + os.remove(csrfilename) def openssl_genrsa(keyfilename): with subprocess.Popen(["openssl", "genrsa", str(int(config['DEFAULT']['key-length']))], stdout=subprocess.PIPE, stderr=subprocess.PIPE) as f: @@ -92,6 +95,7 @@ def request_cert(name): acme(keyfile(name), certfile(name), domains) def generate_key(name): + assert not os.path.exists(certfile(name)), "Don't make create a new key for an old cert" print("Generating new private key '{}'".format(name)) openssl_genrsa(keyfile(name)) @@ -120,9 +124,12 @@ def auto_renewal(live, staging): # determine what to do now = datetime.datetime.now() key_age = now - key_mtime(live) - cert_validity = cert_expiry(live) - now need_new_key = key_age >= max_key_age - need_new_cert = cert_validity <= renew_cert_time + if os.path.exists(certfile(live)): + cert_validity = cert_expiry(live) - now + need_new_cert = cert_validity <= renew_cert_time + else: + need_new_cert = True if need_new_cert and key_age + renew_cert_time >= max_key_age: # We are about to request a new certificate, and within , we need a new key: Get the new key now need_new_key = True @@ -202,6 +209,7 @@ if __name__ == "__main__": live = config['files']['live'] if not os.path.exists(keyfile(live)): generate_key(live) + if not os.path.exists(certfile(live)): request_cert(live) if args.hooks: trigger_hook('post-certchange')