diff --git a/files/geant_acme.py b/files/geant_acme.py
index 93e6cca4854851082870cff138cbba03ef629242..9acbfd0e2f9f27a36f88ab26d3cf9077fc162104 100755
--- a/files/geant_acme.py
+++ b/files/geant_acme.py
@@ -119,8 +119,8 @@ def run_certbot(cbot_domain, wild_card=None):
     msg = decoded_msg[:decoded_msg.rfind('\n')]
     print(msg)
-    if msg.find('Certificate not yet due for renewal') != -1:
-        os_exit()
+    #if msg.find('Certificate not yet due for renewal') != -1:
+    # os_exit()
     return msg
@@ -177,7 +177,6 @@ if __name__ == "__main__":
                 domain_item, DEL_STATUS))
             os_exit()
-    # if we are here, everything went fine and we can upload the certificates
     if WILDCARD:
         UPLOADER = '/root/bin/upload_wildcards.py -d {}'.format(DOMAIN[0])
diff --git a/files/geant_acme_uploader.py b/files/geant_acme_uploader.py
index ca362a9b89be3085e6c8c3302d8bbb6ac2e76295..0fdf3a4186db65a626909b3fee8604ed03804da2 100755
--- a/files/geant_acme_uploader.py
+++ b/files/geant_acme_uploader.py
@@ -20,6 +20,19 @@ import requests
 from requests.packages.urllib3.exceptions import InsecureRequestWarning #pylint: disable=E0401
+def redis_download(redis_host, redis_token, key):
+    """ download a key """
+    r_client = redis.StrictRedis(
+        host=redis_host, password=redis_token, port=6379, db=0)
+
+    try:
+        redis_value = r_client.get(key).decode('utf-8')
+    except Exception as err:
+        redis_value = err
+
+    return redis_value
+
+
 def redis_upload(redis_host, redis_token, key, value):
     """ upload a key """
     r_client = redis.StrictRedis(
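Review bot: Commenting out the early exit on 'Certificate not yet due for renewal' leaves dead code in run_certbot instead of removing it, and the function now returns the certbot message unconditionally, so the uploaders run on every invocation even when certbot renewed nothing. If the intent is that the uploaders decide for themselves via their new Redis comparison, delete the two commented lines and record the reason where the check used to be, e.g. `# No early exit on 'not yet due for renewal': the uploaders compare against Redis and skip unchanged certificates.`. run_certbot begins before the hunk.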
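Review bot: redis_download returns the caught exception object as its value (`redis_value = err`), so a connection or AUTH failure, or a missing key (`r_client.get(key)` returns None and `.decode` raises AttributeError), is indistinguishable from stored certificate data in the callers' `certdata_downstream != certdata_upstream` test; any Redis error silently reads as "changed" and triggers an upload, and the error text is never printed. Return None for an absent key, catch `redis.RedisError` instead of `Exception`, and log the error before returning None so a broken Redis is visible in the log. The same function is duplicated verbatim in the upload_wildcards.py hunk at @@ -19,6 and needs the same fix; a shared module would avoid the two copies drifting. The client is also built with only a password and the default port, so if redis_host is not local, confirm that TLS (`ssl=True`) or a tunnel is in place, as the token and certificate material otherwise cross the network unencrypted.
```python
def redis_download(redis_host, redis_token, key):
    """ download a key; returns None when the key is absent or Redis is unreachable """
    r_client = redis.StrictRedis(
        host=redis_host, password=redis_token, port=6379, db=0)

    try:
        raw = r_client.get(key)
    except redis.RedisError as err:
        print('redis_download {}: {}'.format(key, err))
        return None

    return raw.decode('utf-8') if raw is not None else None
```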
@@ -82,17 +95,25 @@ if __name__ == "__main__":
     BASEDIR = '/etc/letsencrypt/live'
     for certname in ['cert.pem', 'chain.pem', 'fullchain.pem']:
-        with open(os.path.join(BASEDIR, DOMAIN, certname), 'r') as certfile:
-            certdata = certfile.read()
-            domain_underscored = DOMAIN.replace('.', '_')
-            # let's rename everything to .crt, which is what we normally use
-            certname_renamed = certname.replace(
-                'cert.pem', 'crt').replace('chain.pem', 'chain_crt')
-            redis_full_path = '{}:redis_{}_{}'.format(
-                CLIENT, domain_underscored, certname_renamed)
-
-            print('uploading to Redis: {}'.format(redis_full_path))
-            redis_upload(REDIS_HOST, REDIS_TOKEN, redis_full_path, certdata)
+        if os.access(certname, os.W_OK):
+            with open(os.path.join(BASEDIR, DOMAIN, certname), 'r') as certfile:
+                certdata_downstream = certfile.read()
+                domain_underscored = DOMAIN.replace('.', '_')
+                # let's rename everything to .crt, which is what we normally use
+                certname_renamed = certname.replace(
+                    'cert.pem', 'crt').replace('chain.pem', 'chain_crt')
+                redis_full_path = '{}:redis_{}_{}'.format(
+                    CLIENT, domain_underscored, certname_renamed)
+                certdata_upstream = redis_download(REDIS_HOST, REDIS_TOKEN, redis_full_path)
+
+                if certdata_downstream != certdata_upstream:
+                    print('uploading to Redis: {}'.format(redis_full_path))
+                    redis_upload(REDIS_HOST, REDIS_TOKEN, redis_full_path, certdata_downstream)
+                else:
+                    print('key {} did not change: skipping')
+        else:
+            print('could not access {}: giving up...'.format(certname))
+            os.sys.exit(1)
     with open(os.path.join(BASEDIR, DOMAIN, 'privkey.pem'), 'r') as keyfile:
         KEYDATA = keyfile.read()
diff --git a/files/upload_wildcards.py b/files/upload_wildcards.py
index 473845361ca81d44d4bb0320ab8b03470f2691d9..e9c176896d18eff7d824bca31fe60e49f2fe2f2d 100755
--- a/files/upload_wildcards.py
+++ b/files/upload_wildcards.py
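Review bot: The new guard `if os.access(certname, os.W_OK):` tests the bare file name ('cert.pem', …) relative to the current working directory, not the file opened two lines later from os.path.join(BASEDIR, DOMAIN, certname), and it asks for write permission on a file that is only read; unless the script happens to run from that directory, the check fails, the else branch prints 'could not access' and the script exits 1 before uploading anything. Compute the path once, `cert_path = os.path.join(BASEDIR, DOMAIN, certname)`, test `os.access(cert_path, os.R_OK)` (or simply open it and catch `OSError`, which also removes the check-then-open gap), and pass cert_path to open. The skip message `print('key {} did not change: skipping')` is missing `.format(redis_full_path)`, so it prints the literal braces. The same three issues are in the upload_wildcards.py hunk at @@ -82,15.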
@@ -19,6 +19,19 @@ import requests
 from requests.packages.urllib3.exceptions import InsecureRequestWarning #pylint: disable=E0401
+def redis_download(redis_host, redis_token, key):
+    """ download a key """
+    r_client = redis.StrictRedis(
+        host=redis_host, password=redis_token, port=6379, db=0)
+
+    try:
+        redis_value = r_client.get(key).decode('utf-8')
+    except Exception as err:
+        redis_value = err
+
+    return redis_value
+
+
 def redis_upload(redis_host, redis_token, key, value):
     """ upload a key """
     r_client = redis.StrictRedis(
@@ -82,15 +95,24 @@ if __name__ == "__main__":
     os.sys.stdout = os.sys.stderr = open('/var/log/acme/acme.log', 'a', 1)
     # upload certificates to Redis
-    for keyname in ['cert.pem', 'chain.pem', 'fullchain.pem']:
-        with open(os.path.join(BASEDIR, DOMAIN, keyname), 'r') as certfile:
-            keydata = certfile.read()
-            domain_underscored = DOMAIN.replace('.', '_')
-            keyname_underscored = keyname.replace('.', '_')
-            redis_full_path = 'common:redis_{}_{}'.format(
-                domain_underscored, keyname_underscored)
-            print('uploading to Redis: {}'.format(redis_full_path))
-            redis_upload(REDIS_HOST, REDIS_TOKEN, redis_full_path, keydata)
+    for certname in ['cert.pem', 'chain.pem', 'fullchain.pem']:
+        if os.access(certname, os.W_OK):
+            with open(os.path.join(BASEDIR, DOMAIN, certname), 'r') as certfile:
+                certdata_downstream = certfile.read()
+                domain_underscored = DOMAIN.replace('.', '_')
+                certname_underscored = certname.replace('.', '_')
+                redis_full_path = 'common:redis_{}_{}'.format(
+                    domain_underscored, certname_underscored)
+                certdata_upstream = redis_download(REDIS_HOST, REDIS_TOKEN, redis_full_path)
+
+                if certdata_downstream != certdata_upstream:
+                    print('uploading to Redis: {}'.format(redis_full_path))
+                    redis_upload(REDIS_HOST, REDIS_TOKEN, redis_full_path, certdata_downstream)
+                else:
+                    print('key {} did not change: skipping')
+        else:
+            print('could not access {}: giving up...'.format(certname))
+            os.sys.exit(1)
     # upload keys to Vault
     with open(os.path.join(BASEDIR, DOMAIN, 'privkey.pem'), 'r') as keyfile: