Commit
3cee4cc8
authored
Sep 28, 2016
by
Adrien Dorsaz
Merge comment and log.info lines.
Set try count to begin with 1 and do 10 tries.
parent
e199e3d4
acme_dns_tiny.py
...
...
@@ -55,6 +55,7 @@ def get_crt(config, log=LOGGER):
# helper function to get url from Link HTTP headers
def
_get_url_link
(
headers
,
rel
):
log
.
info
(
"Looking for {0} in headers: {1}"
.
format
(
rel
,
headers
))
linkheaders
=
[
link
.
strip
()
for
link
in
dict
(
headers
)[
"Link"
].
split
(
','
)]
url
=
[
re
.
match
(
r
'<(?P<url>.*)>.*;rel=('
+
re
.
escape
(
rel
)
+
r
'|("([a-z][a-z0-9\.\-]*\s+)*'
+
re
.
escape
(
rel
)
+
r
'[\s"]))'
,
link
).
groupdict
()
for
link
in
linkheaders
][
0
][
"url"
]
...
...
@@ -66,8 +67,7 @@ def get_crt(config, log=LOGGER):
acme_config
=
json
.
loads
(
directory
.
read
().
decode
(
"utf8"
))
current_terms
=
acme_config
.
get
(
"meta"
,
{}).
get
(
"terms-of-service"
)
# create DNS keyring and resolver
log
.
info
(
"Prepare DNS tools..."
)
log
.
info
(
"Prepare DNS keyring and resolver."
)
keyring
=
dns
.
tsigkeyring
.
from_text
({
config
[
"TSIGKeyring"
][
"KeyName"
]:
config
[
"TSIGKeyring"
][
"KeyValue"
]})
nameserver
=
[]
try
:
...
...
@@ -86,8 +86,7 @@ def get_crt(config, log=LOGGER):
resolver
.
nameservers
=
nameserver
resolver
.
retry_servfail
=
True
# parse account key to get public key
log
.
info
(
"Parsing account key..."
)
log
.
info
(
"Parsing account key looking for public key."
)
accountkey
=
_openssl
(
"rsa"
,
[
"-in"
,
config
[
"acmednstiny"
][
"AccountKeyFile"
],
"-noout"
,
"-text"
])
pub_hex
,
pub_exp
=
re
.
search
(
r
"modulus:\n\s+00:([a-f0-9\:\s]+?)\npublicExponent: ([0-9]+)"
,
...
...
@@ -105,8 +104,7 @@ def get_crt(config, log=LOGGER):
accountkey_json
=
json
.
dumps
(
header
[
"jwk"
],
sort_keys
=
True
,
separators
=
(
","
,
":"
))
thumbprint
=
_b64
(
hashlib
.
sha256
(
accountkey_json
.
encode
(
"utf8"
)).
digest
())
# find domains
log
.
info
(
"Parsing CSR..."
)
log
.
info
(
"Parsing CSR looking for domains."
)
csr
=
_openssl
(
"req"
,
[
"-in"
,
config
[
"acmednstiny"
][
"CSRFile"
],
"-noout"
,
"-text"
]).
decode
(
"utf8"
)
domains
=
set
([])
common_name
=
re
.
search
(
r
"Subject:.*? CN=([^\s,;/]+)"
,
csr
)
...
...
@@ -163,7 +161,7 @@ def get_crt(config, log=LOGGER):
# verify each domain
for
domain
in
domains
:
log
.
info
(
"Verifying {0}
...
"
.
format
(
domain
))
log
.
info
(
"Verifying
domain:
{0}"
.
format
(
domain
))
# get new challenge
code
,
result
,
headers
=
_send_signed_request
(
acme_config
[
"new-authz"
],
{
...
...
@@ -173,8 +171,7 @@ def get_crt(config, log=LOGGER):
if
code
!=
201
:
raise
ValueError
(
"Error requesting challenges: {0} {1}"
.
format
(
code
,
result
))
# make and install DNS resource record
log
.
info
(
"Create DNS RR..."
)
log
.
info
(
"Create and install DNS TXT challenge resource."
)
challenge
=
[
c
for
c
in
json
.
loads
(
result
.
decode
(
"utf8"
))[
"challenges"
]
if
c
[
"type"
]
==
"dns-01"
][
0
]
token
=
re
.
sub
(
r
"[^A-Za-z0-9_\-]"
,
"_"
,
challenge
[
"token"
])
keyauthorization
=
"{0}.{1}"
.
format
(
token
,
thumbprint
)
...
...
@@ -184,13 +181,12 @@ def get_crt(config, log=LOGGER):
try
:
_update_dns
(
dnsrr_set
,
"add"
)
except
dns
.
exception
.
DNSException
as
dnsexception
:
raise
ValueError
(
"Error updating DNS: {0} : {1}"
.
format
(
type
(
dnsexception
).
__name__
,
str
(
dnsexception
)))
raise
ValueError
(
"Error updating DNS
records
: {0} : {1}"
.
format
(
type
(
dnsexception
).
__name__
,
str
(
dnsexception
)))
# notify challenge are met
log
.
info
(
"Wait {0} then start self challenge checks."
.
format
(
config
[
"acmednstiny"
].
getint
(
"CheckChallengeDelay"
)))
time
.
sleep
(
config
[
"acmednstiny"
].
getint
(
"CheckChallengeDelay"
))
log
.
info
(
"Self challenge check..."
)
challenge_verified
=
False
number_check_fail
=
0
number_check_fail
=
1
while
challenge_verified
is
False
:
try
:
log
.
info
(
'Try {0}: Check ressource with value "{1}" exits on nameservers: {2}'
.
format
(
number_check_fail
+
1
,
keydigest64
,
resolver
.
nameservers
))
...
...
@@ -207,7 +203,7 @@ def get_crt(config, log=LOGGER):
if
challenge_verified
is
False
:
number_check_fail
=
number_check_fail
+
1
time
.
sleep
(
2
)
log
.
info
(
"Ask
C
A server to perform check
..
."
)
log
.
info
(
"Ask A
CME
server to perform check
s
."
)
code
,
result
,
headers
=
_send_signed_request
(
challenge
[
"uri"
],
{
"resource"
:
"challenge"
,
"keyAuthorization"
:
keyauthorization
,
...
...
@@ -215,7 +211,7 @@ def get_crt(config, log=LOGGER):
if
code
!=
202
:
raise
ValueError
(
"Error triggering challenge: {0} {1}"
.
format
(
code
,
result
))
# wait for
challenge to be verified
log
.
info
(
"Waiting
challenge to be verified
."
)
try
:
while
True
:
try
:
...
...
@@ -227,7 +223,7 @@ def get_crt(config, log=LOGGER):
if
challenge_status
[
"status"
]
==
"pending"
:
time
.
sleep
(
2
)
elif
challenge_status
[
"status"
]
==
"valid"
:
log
.
info
(
"{0} verified!"
.
format
(
domain
))
log
.
info
(
"
Domain
{0} verified!"
.
format
(
domain
))
break
else
:
raise
ValueError
(
"{0} challenge did not pass: {1}"
.
format
(
...
...
@@ -235,8 +231,7 @@ def get_crt(config, log=LOGGER):
finally
:
_update_dns
(
dnsrr_set
,
"delete"
)
# get the new certificate
log
.
info
(
"Signing certificate..."
)
log
.
info
(
"Ask to sign certificate."
)
csr_der
=
_openssl
(
"req"
,
[
"-in"
,
config
[
"acmednstiny"
][
"CSRFile"
],
"-outform"
,
"DER"
])
code
,
result
,
headers
=
_send_signed_request
(
acme_config
[
"new-cert"
],
{
"resource"
:
"new-cert"
,
...
...
@@ -256,8 +251,7 @@ def get_crt(config, log=LOGGER):
certificate_parent_url
,
code
,
result
))
certificate_parent
=
"
\n
"
.
join
(
textwrap
.
wrap
(
base64
.
b64encode
(
result
).
decode
(
"utf8"
),
64
))
# return signed certificate!
log
.
info
(
"Certificate signed!"
)
log
.
info
(
"Certificate signed and received."
)
return
"""-----BEGIN CERTIFICATE-----
\n
{0}
\n
-----END CERTIFICATE-----
\n
-----BEGIN CERTIFICATE-----
\n
{1}
\n
-----END CERTIFICATE-----
\n
"""
.
format
(
certificate
,
certificate_parent
)
...
...
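Review bot: With `number_check_fail` now initialised to 1, the unchanged log line in the self-check loop still formats `number_check_fail + 1`, so the very first attempt is reported as "Try 2" and every later one is off by one; drop the `+ 1` so the message matches the counter: `'Try {0}: Check ressource with value "{1}" exits on nameservers: {2}'.format(number_check_fail, keydigest64, resolver.nameservers)`. The condition that ends the `while challenge_verified is False:` loop (the "10 tries" from the commit message) lies in elided context between the increment and the `Ask ACME server` log, so I cannot confirm from this page that starting at 1 still yields ten attempts rather than nine — worth pinning with a test that counts resolver calls. The same `Try` message would also read better as "Check resource with value ... exists on nameservers". The enclosing `get_crt` starts and ends outside the shown hunks.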