jobs - move certbot hooks to python

benchonaut · Oct 11, 2021 · 00d91dc · 00d91dc
1 parent 650ad7e
commit 00d91dc
Showing 7 changed files with 53 additions and 15 deletions.
diff --git a/autoconf/prepare.sh b/autoconf/prepare.sh
@@ -16,7 +16,7 @@ chmod ugo+x /opt/bunkerized-nginx/entrypoint/* /opt/bunkerized-nginx/scripts/*
 chmod ugo+x /opt/bunkerized-nginx/gen/main.py
 chmod ugo+x /opt/bunkerized-nginx/jobs/main.py
 chmod ugo+x /opt/bunkerized-nginx/jobs/reload.py
-chmod ugo+x /opt/bunkerized-nginx/jobs/certbot-*.sh
+chmod ugo+x /opt/bunkerized-nginx/jobs/certbot-*.py
 chmod 770 /opt/bunkerized-nginx
 chmod 440 /opt/bunkerized-nginx/settings.json
 

diff --git a/helpers/install.sh b/helpers/install.sh
@@ -845,7 +845,7 @@ do_and_check_cmd chmod 750 /opt/bunkerized-nginx/entrypoint/*
 do_and_check_cmd chmod 750 /opt/bunkerized-nginx/gen/main.py
 do_and_check_cmd chmod 750 /opt/bunkerized-nginx/jobs/main.py
 do_and_check_cmd chmod 750 /opt/bunkerized-nginx/jobs/reload.py
-do_and_check_cmd chmod 750 /opt/bunkerized-nginx/jobs/certbot-*.sh
+do_and_check_cmd chmod 750 /opt/bunkerized-nginx/jobs/certbot-*.py
 # Set permissions for /usr/local/bin/bunkerized-nginx
 do_and_check_cmd chown root:root /usr/local/bin/bunkerized-nginx
 do_and_check_cmd chmod 750 /usr/local/bin/bunkerized-nginx

diff --git a/jobs/CertbotNew.py b/jobs/CertbotNew.py
@@ -6,7 +6,7 @@ class CertbotNew(Job) :
 
 	def __init__(self, redis_host=None, copy_cache=False, domain="", email="", staging=False) :
 		name = "certbot-new"
-		data = ["certbot", "certonly", "--manual", "--preferred-challenges=http", "--manual-auth-hook", "/opt/bunkerized-nginx/jobs/certbot-auth.sh", "--manual-cleanup-hook", "/opt/bunkerized-nginx/jobs/certbot-cleanup.sh", "-n", "-d", domain, "--email", email, "--agree-tos"]
+		data = ["certbot", "certonly", "--manual", "--preferred-challenges=http", "--manual-auth-hook", "/opt/bunkerized-nginx/jobs/certbot-auth.py", "--manual-cleanup-hook", "/opt/bunkerized-nginx/jobs/certbot-cleanup.py", "-n", "-d", domain, "--email", email, "--agree-tos"]
 		if staging :
 			data.append("--staging")
 		type = "exec"

diff --git a/jobs/certbot-auth.py b/jobs/certbot-auth.py
@@ -0,0 +1,36 @@
+#!/usr/bin/python3
+
+import os, socket, sys, stat
+
+VALIDATION = os.getenv("CERTBOT_VALIDATION", None)
+TOKEN = os.getenv("CERTBOT_TOKEN", None)
+if VALIDATION == None or TOKEN = None :
+	sys.exit(1)
+
+try :
+	with open("/opt/bunkerized-nginx/acme-challenge/.well-known/acme-challenge/" + TOKEN, "w") as f :
+		f.write(VALIDATION)
+except :
+	sys.exit(2)
+
+try :
+	if os.path.exists("/tmp/autoconf.sock") and stat.S_ISSOCK(os.stat("/tmp/autoconf.sock").st_mode) :
+		sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+		sock.connect("/tmp/autoconf.sock")
+		sock.sendall(b"lock")
+		data = sock.recv(512)
+		if data != b"ok" :
+			raise Exception("can't lock")
+		sock.sendall(b"acme")
+		data = sock.recv(512)
+		if data != b"ok" :
+			raise Exception("can't acme")
+		sock.sendall(b"unlock")
+		data = sock.recv(512)
+		if data != b"ok" :
+			raise Exception("can't unlock")
+		sock.sendall(b"close")
+except :
+	sys.exit(3)
+
+sys.exit(0)
diff --git a/jobs/certbot-auth.sh b/jobs/certbot-auth.sh
diff --git a/jobs/certbot-cleanup.py b/jobs/certbot-cleanup.py
@@ -0,0 +1,14 @@
+#!/usr/bin/python3
+
+import os, sys
+
+TOKEN = os.getenv("CERTBOT_TOKEN", None)
+if TOKEN == None :
+	sys.exit(1)
+
+try :
+	os.remove("/opt/bunkerized-nginx/acme-challenge/.well-known/acme-challenge/" + TOKEN)
+except :
+	sys.exit(2)
+
+sys.exit(0)
diff --git a/jobs/certbot-cleanup.sh b/jobs/certbot-cleanup.sh