compare local key with upstream key

ab75f287 · Max Adamo · caa4999f · ab75f287 · ab75f287 · ab75f287
Unverified Commit ab75f287 authored 6 years ago by Max Adamo
--- a/files/geant_acme.py
+++ b/files/geant_acme.py
@@ -119,8 +119,8 @@ def run_certbot(cbot_domain, wild_card=None):
        msg = decoded_msg[:decoded_msg.rfind('\n')]
    print(msg)
-    if msg.find('Certificate not yet due for renewal') != -1:
+    #if msg.find('Certificate not yet due for renewal') != -1:
-        os_exit()
+    #    os_exit()
    return msg
@@ -177,7 +177,6 @@ if __name__ == "__main__":
                    domain_item, DEL_STATUS))
                os_exit()
    # if we are here, everything went fine and we can upload the certificates
    if WILDCARD:
        UPLOADER = '/root/bin/upload_wildcards.py -d {}'.format(DOMAIN[0])

--- a/files/geant_acme_uploader.py
+++ b/files/geant_acme_uploader.py
@@ -20,6 +20,19 @@ import requests
 from requests.packages.urllib3.exceptions import InsecureRequestWarning #pylint: disable=E0401
+def redis_download(redis_host, redis_token, key):
+    """ download a key """
+    r_client = redis.StrictRedis(
+        host=redis_host, password=redis_token, port=6379, db=0)
+    try:
+        redis_value = r_client.get(key).decode('utf-8')
+    except Exception as err:
+        redis_value = err
+    return redis_value
 def redis_upload(redis_host, redis_token, key, value):
    """ upload a key """
    r_client = redis.StrictRedis(
@@ -82,17 +95,25 @@ if __name__ == "__main__":
    BASEDIR = '/etc/letsencrypt/live'
    for certname in ['cert.pem', 'chain.pem', 'fullchain.pem']:
-        with open(os.path.join(BASEDIR, DOMAIN, certname), 'r') as certfile:
+        if os.access(certname, os.W_OK):
-            certdata = certfile.read()
+            with open(os.path.join(BASEDIR, DOMAIN, certname), 'r') as certfile:
-            domain_underscored = DOMAIN.replace('.', '_')
+                certdata_downstream = certfile.read()
-            # let's rename everything to .crt, which is what we normally use
+                domain_underscored = DOMAIN.replace('.', '_')
-            certname_renamed = certname.replace(
+                # let's rename everything to .crt, which is what we normally use
-                'cert.pem', 'crt').replace('chain.pem', 'chain_crt')
+                certname_renamed = certname.replace(
-            redis_full_path = '{}:redis_{}_{}'.format(
+                    'cert.pem', 'crt').replace('chain.pem', 'chain_crt')
-                CLIENT, domain_underscored, certname_renamed)
+                redis_full_path = '{}:redis_{}_{}'.format(
+                    CLIENT, domain_underscored, certname_renamed)
-            print('uploading to Redis: {}'.format(redis_full_path))
+                certdata_upstream = redis_download(REDIS_HOST, REDIS_TOKEN, redis_full_path)
-            redis_upload(REDIS_HOST, REDIS_TOKEN, redis_full_path, certdata)
+                if certdata_downstream != certdata_upstream:
+                    print('uploading to Redis: {}'.format(redis_full_path))
+                    redis_upload(REDIS_HOST, REDIS_TOKEN, redis_full_path, certdata_downstream)
+                else:
+                    print('key {} did not change: skipping')
+        else:
+            print('could not access {}: giving up...'.format(certname))
+            os.sys.exit(1)
    with open(os.path.join(BASEDIR, DOMAIN, 'privkey.pem'), 'r') as keyfile:
        KEYDATA = keyfile.read()

--- a/files/upload_wildcards.py
+++ b/files/upload_wildcards.py
@@ -19,6 +19,19 @@ import requests
 from requests.packages.urllib3.exceptions import InsecureRequestWarning #pylint: disable=E0401
+def redis_download(redis_host, redis_token, key):
+    """ download a key """
+    r_client = redis.StrictRedis(
+        host=redis_host, password=redis_token, port=6379, db=0)
+    try:
+        redis_value = r_client.get(key).decode('utf-8')
+    except Exception as err:
+        redis_value = err
+    return redis_value
 def redis_upload(redis_host, redis_token, key, value):
    """ upload a key """
    r_client = redis.StrictRedis(
@@ -82,15 +95,24 @@ if __name__ == "__main__":
    os.sys.stdout = os.sys.stderr = open('/var/log/acme/acme.log', 'a', 1)
    # upload certificates to Redis
-    for keyname in ['cert.pem', 'chain.pem', 'fullchain.pem']:
+    for certname in ['cert.pem', 'chain.pem', 'fullchain.pem']:
-        with open(os.path.join(BASEDIR, DOMAIN, keyname), 'r') as certfile:
+        if os.access(certname, os.W_OK):
-            keydata = certfile.read()
+            with open(os.path.join(BASEDIR, DOMAIN, certname), 'r') as certfile:
-            domain_underscored = DOMAIN.replace('.', '_')
+                certdata_downstream = certfile.read()
-            keyname_underscored = keyname.replace('.', '_')
+                domain_underscored = DOMAIN.replace('.', '_')
-            redis_full_path = 'common:redis_{}_{}'.format(
+                certname_underscored = certname.replace('.', '_')
-                domain_underscored, keyname_underscored)
+                redis_full_path = 'common:redis_{}_{}'.format(
-            print('uploading to Redis: {}'.format(redis_full_path))
+                    domain_underscored, certname_underscored)
-            redis_upload(REDIS_HOST, REDIS_TOKEN, redis_full_path, keydata)
+                certdata_upstream = redis_download(REDIS_HOST, REDIS_TOKEN, redis_full_path)
+                if certdata_downstream != certdata_upstream:
+                    print('uploading to Redis: {}'.format(redis_full_path))
+                    redis_upload(REDIS_HOST, REDIS_TOKEN, redis_full_path, certdata_downstream)
+                else:
+                    print('key {} did not change: skipping')
+        else:
+            print('could not access {}: giving up...'.format(certname))
+            os.sys.exit(1)
    # upload keys to Vault
    with open(os.path.join(BASEDIR, DOMAIN, 'privkey.pem'), 'r') as keyfile: