* change service for nextcloud
* support upgrade from DSA to ECDSA keytypes
* fix chmod, hopefully for real this time
LuKe Tidd 2023-02-06 11:29:18 -05:00
parent 4826cea9c8
commit 13145d4a75


@ -42,10 +42,9 @@ systemd_services = {
'git': 'gitea', 'git': 'gitea',
'plex': 'plexmediaserver', 'plex': 'plexmediaserver',
'read': 'kavita', 'read': 'kavita',
'nextcloud': 'php-fpm',
} }
cert_files = ['privkey1.pem', 'fullchain1.pem', 'chain1.pem', 'cert1.pem']
router = 'danknasty' router = 'danknasty'
router_user = 'luke131' router_user = 'luke131'
router_key = '/root/.ssh/id_autofirewall' router_key = '/root/.ssh/id_autofirewall'
@ -211,25 +210,32 @@ def main(args):
cmd = ['/usr/bin/certbot', 'certonly', '--manual', '-d', fqdn] cmd = ['/usr/bin/certbot', 'certonly', '--manual', '-d', fqdn]
log.info(f'certbot cmd: "{" ".join(cmd)}"') log.info(f'certbot cmd: "{" ".join(cmd)}"')
cb = pexpect.spawnu(' '.join(cmd)) cb = pexpect.spawnu(' '.join(cmd))
res = cb.expect( cb.logfile = sys.stderr
['Create a file containing just this data:\r\n\r\n([^\r]+)\r', while True:
('You have an existing certificate that has exactly the '
"same domains or certificate name you requested and isn't "
'close to expiry'), pexpect.TIMEOUT, pexpect.EOF],
timeout=20)
if res > 1:
sys.exit('Timed out')
if res == 1:
log.info('Current cert is not yet expired')
res = cb.expect_exact(['cancel):', pexpect.TIMEOUT, pexpect.EOF])
if res > 0:
sys.exit('Timed out in setup with existing cert')
cb.sendline('2')
res = cb.expect( res = cb.expect(
['Create a file containing just this data:\r\n\r\n([^\r]+)\r', ['Create a file containing just this data:\r\n\r\n([^\r]+)\r',
pexpect.TIMEOUT, pexpect.EOF], timeout=20) ('You have an existing certificate that has exactly the '
if res > 1: "same domains or certificate name you requested and isn't "
'close to expiry'),'\(U\)pdate key type\/\(K\)eep existing key type:',
pexpect.TIMEOUT, pexpect.EOF], timeout=20)
if res > 2:
sys.exit('Timed out') sys.exit('Timed out')
if res == 2:
cb.sendline('U')
continue
if res == 1:
log.info('Current cert is not yet expired')
res = cb.expect_exact(['cancel):', pexpect.TIMEOUT, pexpect.EOF])
if res > 0:
sys.exit('Timed out in setup with existing cert')
cb.sendline('2')
res = cb.expect(
['Create a file containing just this data:\r\n\r\n([^\r]+)\r',
pexpect.TIMEOUT, pexpect.EOF], timeout=20)
if res > 1:
sys.exit('Timed out')
if res == 0:
break
data = cb.match.group(1) data = cb.match.group(1)
log.info(f'secret data: {data}') log.info(f'secret data: {data}')
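Review bot: The new key-type prompt pattern is written as a plain string literal with `\(` and `\/` escapes, which are not valid Python escape sequences; CPython emits a DeprecationWarning for them (a SyntaxWarning from 3.12) and pexpect compiles the pattern as a regex anyway, so it should be a raw string, `r'\(U\)pdate key type/\(K\)eep existing key type:'` (with a space after the preceding comma for readability). The same hunk also sets `cb.logfile = sys.stderr`, which mirrors the entire interactive certbot session to stderr, including the challenge data that the existing `log.info(f'secret data: {data}')` line already records; a one-line comment such as `# full certbot transcript goes to stderr; it contains the challenge token` would make that visible to whoever captures the script's output. The `while True` loop otherwise reads correctly: the `U` branch `continue`s back to the expect and every other path either exits or breaks. The enclosing `main` starts and ends outside this hunk.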
@ -311,10 +317,12 @@ def main(args):
os.chown(live, uid, gid) os.chown(live, uid, gid)
log.info(f'live keypath chmodded') log.info(f'live keypath chmodded')
os.chown(archive, uid, gid) os.chown(archive, uid, gid)
log.info(f'archive keypath chmodded') log.info(f'archive keypath chmodded')
for cert_file in cert_files: for dirpath, dirnames, filenames in os.walk(archive):
os.chown(archive / pathlib.Path(cert_file), uid, gid) os.chown(dirpath, uid, gid)
log.info(f'{cert_file} chowned to service user') for filename in filenames:
os.chown(os.path.join(dirpath, filename), uid, gid)
log.info(f'chmodded new keys from certbot') log.info(f'chmodded new keys from certbot')
restart(service) restart(service)