X-Git-Url: https://git.ralfj.de/lets-encrypt-tiny.git/blobdiff_plain/c263f7ab1e7c2904cb36a2cad9b73b3bc23e24b8..e10ca3981238d9578b4f8eda803c6db39687caa5:/letsencrypt-tiny?ds=sidebyside diff --git a/letsencrypt-tiny b/letsencrypt-tiny index f849008..321f0c0 100755 --- a/letsencrypt-tiny +++ b/letsencrypt-tiny @@ -21,7 +21,7 @@ def keyfile(name): def csrfile(name): global config - return os.path.join(config['dirs']['csrs'], name + ".csr") + return os.path.join(config['dirs']['keys'], name + ".csr.tmp") def make_backup(fname): if os.path.exists(fname): @@ -30,7 +30,7 @@ def make_backup(fname): while True: backupfile = os.path.join(config['dirs']['backups'], backupname + "." + str(i)) if not os.path.exists(backupfile): - os.rename(src = fname, dst = backupfile) + os.rename(fname, backupfile) break elif i >= 100: print("Somehow it's really hard to find a name for the backup file...") @@ -65,6 +65,8 @@ def acme(name, domains): make_backup(certfile(name)) with open(certfile(name), 'wb') as f: f.write(signed_crt) + # clean up + os.remove(csrfile(name)) def request_cert(name): global config @@ -81,35 +83,30 @@ def generate_key(name): if f.returncode: sys.stderr.write(stderr) raise Exception("Error while generating private key") - # now we have a key, save it - make_backup(keyfile(name)) + # Now we have a key, save it. This should never overwrite anything. + assert not os.path.exists(keyfile(name)) with open(keyfile(name), 'wb') as f: f.write(stdout) -def check_staging(): +def check_staging(live, staging): '''Returns 0 if nothing was done, 1 if a stage key is present but has to be kept, 2 is a stage key was unstaged.''' - live = config['files']['live'] - staging = config['files'].get('staging') - if staging is None or not os.path.exists(keyfile(staging)): + if not os.path.exists(keyfile(staging)): return 0 - staging_time = datetime.timedelta(hours = int(config['timing']['staging-hours'])) + staging_time = datetime.timedelta(hours = int(config['timing'].get('staging-hours', 0))) key_age = datetime.datetime.now() - key_mtime(staging) if key_age < staging_time: return 1 print("Unstaging '{}' to '{}'".format(staging, live)) # unstage the key! make_backup(keyfile(live)) - os.rename(src = keyfile(staging), dst = keyfile(live)) + os.rename(keyfile(staging), keyfile(live)) make_backup(certfile(live)) - os.rename(src = certfile(staging), dst = certfile(live)) + os.rename(certfile(staging), certfile(live)) return 2 -def auto_renewal(): +def auto_renewal(live, staging): '''Returns 0 if nothing was done, 1 if only certs were changed, 2 if certs and keys were changed.''' - live = config['files']['live'] - staging = config['files'].get('staging') - max_key_age = datetime.timedelta(days = int(config['timing']['max-key-age-days'])) renew_cert_time = datetime.timedelta(days = int(config['timing']['renew-cert-before-expiry-days'])) @@ -125,9 +122,9 @@ def auto_renewal(): # Do it if need_new_key: - new_key_name = (live if staging is None else staging) - generate_key(new_key_name) - request_cert(new_key_name) + generate_key(staging) + request_cert(staging) + check_staging(live, staging) # we may want to immediately enable the new key & cert return 2 elif need_new_cert: request_cert(live) @@ -155,28 +152,27 @@ if __name__ == "__main__": global config config = readConfig(args.config) + live = config['files']['live'] + staging = config['files']['staging'] if args.action[0] == 'renew': - live = config['files']['live'] - staging = config['files'].get('staging') - request_cert(live) - if staging is not None and os.path.exists(keyfile(staging)): + if os.path.exists(keyfile(staging)) and os.path.exists(certfile(staging)): request_cert(staging) # trigger the "new cert" hook if args.hooks: trigger_hook('post-certchange') elif args.action[0] == 'cron': # First, check if we need to unstage a staging key - unstaged = check_staging() + unstaged = check_staging(live, staging) if unstaged >= 1: - # A staging eky is present, do *not* check for renewal + # A staging key is present, do *not* check for renewal if unstaged >= 2 and args.hooks: # trigger all the hooks trigger_hook('post-certchange') trigger_hook('post-keychange') else: # Check if we need to renew anything - renewed = auto_renewal() + renewed = auto_renewal(live, staging) if args.hooks: if renewed >= 1: trigger_hook('post-certchange')