diff --git a/files/geant_acme.py b/files/geant_acme.py
index 93e6cca4854851082870cff138cbba03ef629242..9acbfd0e2f9f27a36f88ab26d3cf9077fc162104 100755
--- a/files/geant_acme.py
+++ b/files/geant_acme.py
@@ -119,8 +119,8 @@ def run_certbot(cbot_domain, wild_card=None):
msg = decoded_msg[:decoded_msg.rfind('\n')]
print(msg)
- if msg.find('Certificate not yet due for renewal') != -1:
- os_exit()
+ #if msg.find('Certificate not yet due for renewal') != -1:
+ # os_exit()
return msg
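Review bot: The early exit on "Certificate not yet due for renewal" is commented out rather than deleted, which leaves dead code at lines 10-11 with no explanation of why renewal-not-due should now fall through to the upload step. If the intent is that the uploader's new compare-before-upload logic makes the exit unnecessary, say so and drop the two lines, e.g. replace them with `# no early exit: the uploader skips keys whose value is unchanged in Redis`. Note that `run_certbot` starts before this hunk, so any other error-path handling in `msg` (certbot failures that previously also reached `return msg`) cannot be judged from here.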
@@ -177,7 +177,6 @@ if __name__ == "__main__":
domain_item, DEL_STATUS))
os_exit()
-
# if we are here, everything went fine and we can upload the certificates
if WILDCARD:
UPLOADER = '/root/bin/upload_wildcards.py -d {}'.format(DOMAIN[0])
diff --git a/files/geant_acme_uploader.py b/files/geant_acme_uploader.py
index ca362a9b89be3085e6c8c3302d8bbb6ac2e76295..0fdf3a4186db65a626909b3fee8604ed03804da2 100755
--- a/files/geant_acme_uploader.py
+++ b/files/geant_acme_uploader.py
@@ -20,6 +20,19 @@ import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning #pylint: disable=E0401
+def redis_download(redis_host, redis_token, key):
+ """ download a key """
+ r_client = redis.StrictRedis(
+ host=redis_host, password=redis_token, port=6379, db=0)
+
+ try:
+ redis_value = r_client.get(key).decode('utf-8')
+ except Exception as err:
+ redis_value = err
+
+ return redis_value
+
+
def redis_upload(redis_host, redis_token, key, value):
""" upload a key """
r_client = redis.StrictRedis(
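Review bot: `redis_download` returns the caught exception object as its value (`redis_value = err` at line 34), so an authentication failure, unreachable host, or a missing key (where `r_client.get(key)` returns `None` and `.decode` raises `AttributeError`) all come back as an `Exception` instance that callers will compare against a string. Distinguish the absent-key case from a real failure and let connection/auth errors propagate so they show up in the log: `value = r_client.get(key)` / `return None if value is None else value.decode('utf-8')` with no blanket `except Exception`. The docstring should also state that `None` means the key does not exist; as written the broad catch also hides a wrong `redis_token`, which a rotated credential would otherwise surface immediately.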
@@ -82,17 +95,25 @@ if __name__ == "__main__":
BASEDIR = '/etc/letsencrypt/live'
for certname in ['cert.pem', 'chain.pem', 'fullchain.pem']:
- with open(os.path.join(BASEDIR, DOMAIN, certname), 'r') as certfile:
- certdata = certfile.read()
- domain_underscored = DOMAIN.replace('.', '_')
- # let's rename everything to .crt, which is what we normally use
- certname_renamed = certname.replace(
- 'cert.pem', 'crt').replace('chain.pem', 'chain_crt')
- redis_full_path = '{}:redis_{}_{}'.format(
- CLIENT, domain_underscored, certname_renamed)
-
- print('uploading to Redis: {}'.format(redis_full_path))
- redis_upload(REDIS_HOST, REDIS_TOKEN, redis_full_path, certdata)
+ if os.access(certname, os.W_OK):
+ with open(os.path.join(BASEDIR, DOMAIN, certname), 'r') as certfile:
+ certdata_downstream = certfile.read()
+ domain_underscored = DOMAIN.replace('.', '_')
+ # let's rename everything to .crt, which is what we normally use
+ certname_renamed = certname.replace(
+ 'cert.pem', 'crt').replace('chain.pem', 'chain_crt')
+ redis_full_path = '{}:redis_{}_{}'.format(
+ CLIENT, domain_underscored, certname_renamed)
+ certdata_upstream = redis_download(REDIS_HOST, REDIS_TOKEN, redis_full_path)
+
+ if certdata_downstream != certdata_upstream:
+ print('uploading to Redis: {}'.format(redis_full_path))
+ redis_upload(REDIS_HOST, REDIS_TOKEN, redis_full_path, certdata_downstream)
+ else:
+ print('key {} did not change: skipping')
+ else:
+ print('could not access {}: giving up...'.format(certname))
+ os.sys.exit(1)
with open(os.path.join(BASEDIR, DOMAIN, 'privkey.pem'), 'r') as keyfile:
KEYDATA = keyfile.read()
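Review bot: `os.access(certname, os.W_OK)` at line 56 tests the bare filename against the current working directory and for write permission, but the file actually opened two lines later is `os.path.join(BASEDIR, DOMAIN, certname)` in read-only mode, so unless the script happens to run from inside the live directory every iteration hits the "could not access" branch and exits 1 before anything is uploaded. Build the path once and check what is needed: `certpath = os.path.join(BASEDIR, DOMAIN, certname)` / `if os.access(certpath, os.R_OK):` and open `certpath`; or simpler still, open it and catch `OSError`. Two smaller points in the same hunk: the skip message at line 71 never calls `.format(redis_full_path)`, so it prints the literal `{}`, and since `redis_download` returns an exception object on any failure, the `!=` at line 67 silently treats a Redis outage or bad token as "changed" and re-uploads without logging why. The `if __name__` block continues past this hunk (private-key upload), so the exit paths there are not visible here.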
diff --git a/files/upload_wildcards.py b/files/upload_wildcards.py
index 473845361ca81d44d4bb0320ab8b03470f2691d9..e9c176896d18eff7d824bca31fe60e49f2fe2f2d 100755
--- a/files/upload_wildcards.py
+++ b/files/upload_wildcards.py
@@ -19,6 +19,19 @@ import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning #pylint: disable=E0401
+def redis_download(redis_host, redis_token, key):
+ """ download a key """
+ r_client = redis.StrictRedis(
+ host=redis_host, password=redis_token, port=6379, db=0)
+
+ try:
+ redis_value = r_client.get(key).decode('utf-8')
+ except Exception as err:
+ redis_value = err
+
+ return redis_value
+
+
def redis_upload(redis_host, redis_token, key, value):
""" upload a key """
r_client = redis.StrictRedis(
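Review bot: This `redis_download` is a byte-for-byte copy of the one added to `geant_acme_uploader.py` in the same commit, including the `except Exception as err: redis_value = err` that hands an exception object back to the caller as if it were the stored value. A single shared helper would avoid the two copies drifting; at minimum apply the same fix in both places, `value = r_client.get(key)` / `return None if value is None else value.decode('utf-8')`, and let auth and connection errors raise so a bad `redis_token` is logged instead of being compared against the cert text.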
@@ -82,15 +95,24 @@ if __name__ == "__main__":
os.sys.stdout = os.sys.stderr = open('/var/log/acme/acme.log', 'a', 1)
# upload certificates to Redis
- for keyname in ['cert.pem', 'chain.pem', 'fullchain.pem']:
- with open(os.path.join(BASEDIR, DOMAIN, keyname), 'r') as certfile:
- keydata = certfile.read()
- domain_underscored = DOMAIN.replace('.', '_')
- keyname_underscored = keyname.replace('.', '_')
- redis_full_path = 'common:redis_{}_{}'.format(
- domain_underscored, keyname_underscored)
- print('uploading to Redis: {}'.format(redis_full_path))
- redis_upload(REDIS_HOST, REDIS_TOKEN, redis_full_path, keydata)
+ for certname in ['cert.pem', 'chain.pem', 'fullchain.pem']:
+ if os.access(certname, os.W_OK):
+ with open(os.path.join(BASEDIR, DOMAIN, certname), 'r') as certfile:
+ certdata_downstream = certfile.read()
+ domain_underscored = DOMAIN.replace('.', '_')
+ certname_underscored = certname.replace('.', '_')
+ redis_full_path = 'common:redis_{}_{}'.format(
+ domain_underscored, certname_underscored)
+ certdata_upstream = redis_download(REDIS_HOST, REDIS_TOKEN, redis_full_path)
+
+ if certdata_downstream != certdata_upstream:
+ print('uploading to Redis: {}'.format(redis_full_path))
+ redis_upload(REDIS_HOST, REDIS_TOKEN, redis_full_path, certdata_downstream)
+ else:
+ print('key {} did not change: skipping')
+ else:
+ print('could not access {}: giving up...'.format(certname))
+ os.sys.exit(1)
# upload keys to Vault
with open(os.path.join(BASEDIR, DOMAIN, 'privkey.pem'), 'r') as keyfile:
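Review bot: Same defect as the uploader: `os.access(certname, os.W_OK)` at line 112 checks the bare name in the current working directory for write access, while line 113 reads `os.path.join(BASEDIR, DOMAIN, certname)`, so the wildcard upload will exit 1 at the first cert whenever the cwd is not the live directory. Use `certpath = os.path.join(BASEDIR, DOMAIN, certname)` / `if os.access(certpath, os.R_OK):` and open `certpath`, and give the skip message at line 125 its missing `.format(redis_full_path)`. The Vault upload of `privkey.pem` that starts at line 130 continues outside this hunk, so it is not reviewed here.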