bundles/letsencrypt: generate a dummy certificate, if no certificate already exists

2021-02-20 13:52:20 +01:00 · 2021-02-20 13:52:20 +01:00 · 228786f6aa
parent 014b6029c5
commit 228786f6aa
3 changed files with 45 additions and 5 deletions
--- a/bundles/letsencrypt/files/letsencrypt-ensure-some-certificate
+++ b/bundles/letsencrypt/files/letsencrypt-ensure-some-certificate
@ -0,0 +1,29 @@
+#!/bin/sh
+
+domain=$1
+just_check=$2
+
+cert_path="/var/lib/dehydrated/certs/$domain"
+
+already_exists=false
+if [ -f "$cert_path/privkey.pem" -a -f "$cert_path/fullchain.pem" ]
+then
+    already_exists=true
+fi
+
+if [ "$just_check" = true ]
+then
+    if [ "$already_exists" = true ]
+    then
+        exit 0
+    else
+        exit 1
+    fi
+fi
+
+if [ "$already_exists" != true ]
+then
+    openssl req -x509 -newkey rsa:4096 -nodes -days 3650 -subj "/CN=$domain" -keyout "$cert_path/privkey.pem" -out "$cert_path/fullchain.pem"
+    chmod 0600 "$cert_path/privkey.pem"
+    cp "$pubkey" "$cert_path/chain.pem"
+fi
--- a/bundles/letsencrypt/items.py
+++ b/bundles/letsencrypt/items.py
@ -9,15 +9,23 @@ actions = {
        'command': 'dehydrated --cron --accept-terms --challenge http-01',
        'triggered': True,
        'needs': {
-            'pkg_apt:dehydrated',
-            'pkg_apt:nginx',
-        },
-        'needed_by': {
            'svc_systemd:nginx',
        },
    },
 }

+for domain, _ in node.metadata.get('letsencrypt/domains').items():
+    actions['letsencrypt_ensure-some-certificate_{}'.format(domain)] = {
+        'command': '/etc/dehydrated/letsencrypt-ensure-some-certificate {}'.format(domain),
+        'unless': '/etc/dehydrated/letsencrypt-ensure-some-certificate {} true'.format(domain),
+        'needs': {
+            'file:/etc/dehydrated/letsencrypt-ensure-some-certificate',
+        },
+        'needed_by': {
+            'svc_systemd:nginx',
+        },
+    }
+
 files = {
    '/etc/dehydrated/domains.txt': {
        'content_type': 'mako',
@ -34,4 +42,7 @@ files = {
        'content_type': 'mako',
        'mode': '0755',
    },
+    '/etc/dehydrated/letsencrypt-ensure-some-certificate': {
+        'mode': '0755',
+    },
 }
--- a/bundles/nginx/items.py
+++ b/bundles/nginx/items.py
@ -89,4 +89,4 @@ for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
        directories['/var/www/{}'.format(vhost)].update(config.get('webroot_config', {}))

    if node.metadata['nginx']['use_ssl_for_all_connections']:
-        files['/etc/nginx/sites/{}'.format(vhost)]['needs'].add('action:letsencrypt_update_certificates')
+        files['/etc/nginx/sites/{}'.format(vhost)]['needs'].add('action:letsencrypt_ensure-some-certificate_{}'.format(config['domain']))