From 228786f6aa05e95da081cc44d348ff12dba0290b Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 20 Feb 2021 13:52:20 +0100
Subject: [PATCH] bundles/letsencrypt: generate a dummy certificate, if no certificate already exists
---
.../files/letsencrypt-ensure-some-certificate | 29 +++++++++++++++++++
bundles/letsencrypt/items.py | 19 +++++++++---
bundles/nginx/items.py | 2 +-
3 files changed, 45 insertions(+), 5 deletions(-)
create mode 100644 bundles/letsencrypt/files/letsencrypt-ensure-some-certificate
diff --git a/bundles/letsencrypt/files/letsencrypt-ensure-some-certificate b/bundles/letsencrypt/files/letsencrypt-ensure-some-certificate
new file mode 100644
index 0000000..afb324e
--- /dev/null
+++ b/bundles/letsencrypt/files/letsencrypt-ensure-some-certificate
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+domain=$1
+just_check=$2
+
+cert_path="/var/lib/dehydrated/certs/$domain"
+
+already_exists=false
+if [ -f "$cert_path/privkey.pem" -a -f "$cert_path/fullchain.pem" ]
+then
+ already_exists=true
+fi
+
+if [ "$just_check" = true ]
+then
+ if [ "$already_exists" = true ]
+ then
+ exit 0
+ else
+ exit 1
+ fi
+fi
+
+if [ "$already_exists" != true ]
+then
+ openssl req -x509 -newkey rsa:4096 -nodes -days 3650 -subj "/CN=$domain" -keyout "$cert_path/privkey.pem" -out "$cert_path/fullchain.pem"
+ chmod 0600 "$cert_path/privkey.pem"
+ cp "$pubkey" "$cert_path/chain.pem"
+fi
diff --git a/bundles/letsencrypt/items.py b/bundles/letsencrypt/items.py
index ba124ad..4f5a64e 100644
--- a/bundles/letsencrypt/items.py
+++ b/bundles/letsencrypt/items.py
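Review bot: `cp "$pubkey" "$cert_path/chain.pem"` on the last line of the new script references `$pubkey`, which is never assigned anywhere in the file, so the copy fails and the action's final command exits non-zero after privkey.pem and fullchain.pem have already been written (the next `true` check then finds both files and reports the action as done). The intended source is presumably the certificate just generated, i.e. `cp "$cert_path/fullchain.pem" "$cert_path/chain.pem"`; a `set -eu` at the top would have caught the unset variable and also stops the script before the chmod when openssl fails. The private key is written by openssl under the default umask and only restricted afterwards by chmod, so `umask 077` before the openssl line closes that window. Whether /var/lib/dehydrated/certs/$domain exists at this point is not visible here — openssl does not create it, so a `mkdir -p "$cert_path"` may be needed.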
@@ -9,15 +9,23 @@ actions = { 'command': 'dehydrated --cron --accept-terms --challenge http-01', 'triggered': True, 'needs': { - 'pkg_apt:dehydrated', - 'pkg_apt:nginx', - }, - 'needed_by': { 'svc_systemd:nginx', }, }, } +for domain, _ in node.metadata.get('letsencrypt/domains').items(): + actions['letsencrypt_ensure-some-certificate_{}'.format(domain)] = { + 'command': '/etc/dehydrated/letsencrypt-ensure-some-certificate {}'.format(domain), + 'unless': '/etc/dehydrated/letsencrypt-ensure-some-certificate {} true'.format(domain), + 'needs': { + 'file:/etc/dehydrated/letsencrypt-ensure-some-certificate', + }, + 'needed_by': { + 'svc_systemd:nginx', + }, + } + files = { '/etc/dehydrated/domains.txt': { 'content_type': 'mako', @@ -34,4 +42,7 @@ files = { 'content_type': 'mako', 'mode': '0755', }, + '/etc/dehydrated/letsencrypt-ensure-some-certificate': { + 'mode': '0755', + }, } diff --git a/bundles/nginx/items.py b/bundles/nginx/items.py index c6d9d01..558eeb5 100644 --- a/bundles/nginx/items.py +++ b/bundles/nginx/items.py @@ -89,4 +89,4 @@ for vhost, config in node.metadata.get('nginx/vhosts', {}).items(): directories['/var/www/{}'.format(vhost)].update(config.get('webroot_config', {})) if node.metadata['nginx']['use_ssl_for_all_connections']: - files['/etc/nginx/sites/{}'.format(vhost)]['needs'].add('action:letsencrypt_update_certificates') + files['/etc/nginx/sites/{}'.format(vhost)]['needs'].add('action:letsencrypt_ensure-some-certificate_{}'.format(config['domain']))
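Review bot: `node.metadata.get('letsencrypt/domains').items()` in the new loop has no default, so a node that includes this bundle without that metadata key fails during item generation (a KeyError or a None without `.items()`, depending on the metadata API), whereas the nginx bundle's loop touched by the same commit uses `node.metadata.get('nginx/vhosts', {})`; `for domain in node.metadata.get('letsencrypt/domains', {}):` keeps the two consistent and drops the unused value. The new ensure-some-certificate action only `needs` the script file, but the script runs openssl and writes into /var/lib/dehydrated/certs/, so unless the package ordering is expressed elsewhere (not visible here) the action can run before dehydrated and openssl are installed — `'pkg_apt:dehydrated'` is also removed from letsencrypt_update_certificates's needs in this hunk. The surrounding `actions = {` dict opens before the hunk.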
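Review bot: `config['domain']` on the rewritten line in bundles/nginx/items.py raises KeyError for any SSL vhost whose config lacks a `domain` key, and the dependency it builds, `action:letsencrypt_ensure-some-certificate_{}`, only exists when that same domain is also listed under letsencrypt/domains — otherwise bundlewrap reports an unresolvable dependency at apply time. If every SSL vhost is guaranteed a `domain` that is also enrolled with letsencrypt, a comment on this line stating that invariant would help the next reader; if not, the `.add(...)` should be skipped when the domain is absent. The enclosing `for vhost, config` loop starts before the hunk.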