luke/ssl-update
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

fixes

Browse Source 
* change service for nextcloud
* support upgrade from DSA to ECDSA keytypes
* fix chmod, hopefully for real this time
This commit is contained in:
LuKe Tidd 2023-02-06 11:29:18 -05:00
parent 4826cea9c8
commit 13145d4a75
1 changed files with 29 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
ssl-update.py
View File

@ -42,10 +42,9 @@ systemd_services = {
'git': 'gitea',
'plex': 'plexmediaserver',
'read': 'kavita',
'nextcloud': 'php-fpm',
}
cert_files = ['privkey1.pem', 'fullchain1.pem', 'chain1.pem', 'cert1.pem']
router = 'danknasty'
router_user = 'luke131'
router_key = '/root/.ssh/id_autofirewall'
@ -211,14 +210,19 @@ def main(args):
cmd = ['/usr/bin/certbot', 'certonly', '--manual', '-d', fqdn]
log.info(f'certbot cmd: "{" ".join(cmd)}"')
cb = pexpect.spawnu(' '.join(cmd))
cb.logfile = sys.stderr
while True:
res = cb.expect(
['Create a file containing just this data:\r\n\r\n([^\r]+)\r',
('You have an existing certificate that has exactly the '
"same domains or certificate name you requested and isn't "
'close to expiry'), pexpect.TIMEOUT, pexpect.EOF],
timeout=20)
if res > 1:
'close to expiry'),'\(U\)pdate key type\/\(K\)eep existing key type:',
pexpect.TIMEOUT, pexpect.EOF], timeout=20)
if res > 2:
sys.exit('Timed out')
if res == 2:
cb.sendline('U')
continue
if res == 1:
log.info('Current cert is not yet expired')
res = cb.expect_exact(['cancel):', pexpect.TIMEOUT, pexpect.EOF])
@ -230,6 +234,8 @@ def main(args):
pexpect.TIMEOUT, pexpect.EOF], timeout=20)
if res > 1:
sys.exit('Timed out')
if res == 0:
break
data = cb.match.group(1)
log.info(f'secret data: {data}')
@ -311,10 +317,12 @@ def main(args):
os.chown(live, uid, gid)
log.info(f'live keypath chmodded')
os.chown(archive, uid, gid)
log.info(f'archive keypath chmodded')
for cert_file in cert_files:
os.chown(archive / pathlib.Path(cert_file), uid, gid)
log.info(f'{cert_file} chowned to service user')
for dirpath, dirnames, filenames in os.walk(archive):
os.chown(dirpath, uid, gid)
for filename in filenames:
os.chown(os.path.join(dirpath, filename), uid, gid)
log.info(f'chmodded new keys from certbot')
restart(service)