diff --git a/bench/cli.py b/bench/cli.py
index e6ad9984..c314d90a 100755
--- a/bench/cli.py
+++ b/bench/cli.py
@@ -48,7 +48,7 @@ def check_uid():
 def cmd_requires_root():
 if len(sys.argv) > 2 and sys.argv[2] in ('production', 'sudoers', 'lets-encrypt', 'fonts',
- 'print', 'firewall', 'ssh-port', 'role', 'fail2ban'):
+ 'print', 'firewall', 'ssh-port', 'role', 'fail2ban', 'wildcard-ssl'):
 return True
 if len(sys.argv) >= 2 and sys.argv[1] in ('patch', 'renew-lets-encrypt', 'disable-production', 'install'):
diff --git a/bench/commands/setup.py b/bench/commands/setup.py
index 1fe014e8..d3aec204 100755
--- a/bench/commands/setup.py
+++ b/bench/commands/setup.py
@@ -128,6 +128,15 @@ def setup_letsencrypt(site, custom_domain, non_interactive):
 setup_letsencrypt(site, custom_domain, bench_path='.', interactive=not non_interactive)
+@click.command('wildcard-ssl')
+@click.argument('domain')
+@click.option('--email')
+def setup_wildcard_ssl(domain, email):
+ ''' Setup wildcard ssl certificate '''
+ from bench.config.lets_encrypt import setup_wildcard_ssl
+ setup_wildcard_ssl(domain, email, bench_path='.')
+
+
 @click.command('procfile')
 def setup_procfile():
 "Setup Procfile for bench start"
@@ -279,6 +288,7 @@ setup.add_command(reload_nginx)
 setup.add_command(setup_supervisor)
 setup.add_command(setup_redis)
 setup.add_command(setup_letsencrypt)
+setup.add_command(setup_wildcard_ssl)
 setup.add_command(setup_production)
 setup.add_command(setup_auto_update)
 setup.add_command(setup_backups)
diff --git a/bench/config/lets_encrypt.py b/bench/config/lets_encrypt.py
index c6dceb16..3cdfef71 100755
--- a/bench/config/lets_encrypt.py
+++ b/bench/config/lets_encrypt.py
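Review bot: `@click.option('--email')` on the new `wildcard-ssl` command carries no help text, so `bench setup wildcard-ssl --help` will not say what the value is for; since it is forwarded to certbot as `--email`, `@click.option('--email', help='Contact email passed to certbot for the ACME account')` would cover it. The one-line docstring `''' Setup wildcard ssl certificate '''` could also state that DOMAIN is prefixed with `*.` when the prefix is missing, that the command needs root (cli.py adds it to the root-only list in the same commit), and that the underlying certbot call uses `--manual --preferred-challenges=dns`, which presumably prompts the operator to create a DNS TXT record. The two `setup.add_command` and cli.py hunks themselves raise nothing.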
@@ -1,5 +1,5 @@
 import bench, os, click, errno
-from bench.utils import exec_cmd, CommandFailedError
+from bench.utils import exec_cmd, CommandFailedError, update_common_site_config
 from bench.config.site_config import update_site_config, remove_domain, get_domains
 from bench.config.nginx import make_nginx_conf
 from bench.config.production_setup import service
@@ -116,3 +116,45 @@ def renew_certs():
 service('nginx', 'stop')
 exec_cmd("{path} renew".format(path=get_certbot_path()))
 service('nginx', 'start')
+
+
+def setup_wildcard_ssl(domain, email, bench_path):
+
+ def _get_domain_name(domain):
+ if domain.split('.')[0] != '*':
+ domain = '*.{0}'.format(domain)
+ return domain
+
+ if not get_config(bench_path).get("dns_multitenant"):
+ print("You cannot setup SSL without DNS Multitenancy")
+ return
+
+ get_certbot()
+ domain = _get_domain_name(domain)
+
+ email_param = ''
+ if email:
+ email_param = '--email {0}'.format(email)
+
+ try:
+ exec_cmd("{path} certonly --manual --preferred-challenges=dns {email_param} \
+ --server https://acme-v02.api.letsencrypt.org/directory \
+ --agree-tos -d {domain}".format(path=get_certbot_path(), domain=domain,
+ email_param=email_param))
+
+ except CommandFailedError:
+ print("There was a problem trying to setup SSL")
+ return
+
+ ssl_path = "/etc/letsencrypt/live/{domain}/".format(domain=domain)
+ ssl_config = {
+ "wildcard": {
+ "domain": domain,
+ "ssl_certificate": os.path.join(ssl_path, "fullchain.pem"),
+ "ssl_certificate_key": os.path.join(ssl_path, "privkey.pem")
+ }
+ }
+
+ update_common_site_config(ssl_config)
+ make_nginx_conf(bench_path)
+ service('nginx', 'restart')
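Review bot: `ssl_path` is built from the `*.`-prefixed `domain`, but current certbot releases strip the leading `*.` when naming the lineage (a request for `*.example.com` lands in `/etc/letsencrypt/live/example.com/`), so the `fullchain.pem`/`privkey.pem` paths written to common_site_config would point at a directory that does not exist and the `service('nginx', 'restart')` at the end would fail; derive the path from the bare name, e.g. `ssl_path = "/etc/letsencrypt/live/{0}/".format(domain[2:] if domain.startswith('*.') else domain)`, or confirm the lineage naming against the certbot version bench installs. `domain` and `email` are formatted unquoted into the one-string `exec_cmd` command, which looks like it is run as a shell command line, so they should be validated as a hostname/e-mail or quoted (`pipes.quote` on Python 2, `shlex.quote` on 3) before interpolation. The `except CommandFailedError` branch prints and returns None, so a failed certbot run leaves the CLI exiting 0 with no config written; a bare `raise` after the message would keep the failure visible to callers and scripts. `get_config` and `get_certbot` do not appear in the import lines shown in this file's first hunk, so presumably they come from imports further down — worth confirming `get_config` is actually in scope.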