Merge pull request #686 from saurabh6790/setup_wildcard_ssl

Setup Wildcard SSL

bench/cli.py

@@ -48,7 +48,7 @@ def check_uid():
 
 def cmd_requires_root():
 	if len(sys.argv) > 2 and sys.argv[2] in ('production', 'sudoers', 'lets-encrypt', 'fonts',
-		'print', 'firewall', 'ssh-port', 'role', 'fail2ban'):
+		'print', 'firewall', 'ssh-port', 'role', 'fail2ban', 'wildcard-ssl'):
 		return True
 	if len(sys.argv) >= 2 and sys.argv[1] in ('patch', 'renew-lets-encrypt', 'disable-production',
 		'install'):

bench/commands/setup.py

@@ -128,6 +128,15 @@ def setup_letsencrypt(site, custom_domain, non_interactive):
 	setup_letsencrypt(site, custom_domain, bench_path='.', interactive=not non_interactive)
 
 
+@click.command('wildcard-ssl')
+@click.argument('domain')
+@click.option('--email')
+def setup_wildcard_ssl(domain, email):
+	''' Setup wildcard ssl certificate '''
+	from bench.config.lets_encrypt import setup_wildcard_ssl
+	setup_wildcard_ssl(domain, email, bench_path='.')
+
+
 @click.command('procfile')
 def setup_procfile():
 	"Setup Procfile for bench start"
@@ -279,6 +288,7 @@ setup.add_command(reload_nginx)
 setup.add_command(setup_supervisor)
 setup.add_command(setup_redis)
 setup.add_command(setup_letsencrypt)
+setup.add_command(setup_wildcard_ssl)
 setup.add_command(setup_production)
 setup.add_command(setup_auto_update)
 setup.add_command(setup_backups)

bench/config/lets_encrypt.py

@@ -1,5 +1,5 @@
 import bench, os, click, errno
-from bench.utils import exec_cmd, CommandFailedError
+from bench.utils import exec_cmd, CommandFailedError, update_common_site_config
 from bench.config.site_config import update_site_config, remove_domain, get_domains
 from bench.config.nginx import make_nginx_conf
 from bench.config.production_setup import service
@@ -116,3 +116,45 @@ def renew_certs():
 	service('nginx', 'stop')
 	exec_cmd("{path} renew".format(path=get_certbot_path()))
 	service('nginx', 'start')
+
+
+def setup_wildcard_ssl(domain, email, bench_path):
+
+	def _get_domain_name(domain):
+		if domain.split('.')[0] != '*':
+			domain = '*.{0}'.format(domain)
+		return domain
+
+	if not get_config(bench_path).get("dns_multitenant"):
+		print("You cannot setup SSL without DNS Multitenancy")
+		return
+
+	get_certbot()
+	domain = _get_domain_name(domain)
+
+	email_param = ''
+	if email:
+		email_param = '--email {0}'.format(email)
+
+	try:
+		exec_cmd("{path} certonly --manual --preferred-challenges=dns {email_param} \
+			 --server https://acme-v02.api.letsencrypt.org/directory \
+			 --agree-tos -d {domain}".format(path=get_certbot_path(), domain=domain,
+			 email_param=email_param))
+
+	except CommandFailedError:
+		print("There was a problem trying to setup SSL")
+		return
+
+	ssl_path = "/etc/letsencrypt/live/{domain}/".format(domain=domain)
+	ssl_config = {
+		"wildcard": {
+			"domain": domain,
+			"ssl_certificate": os.path.join(ssl_path, "fullchain.pem"),
+			"ssl_certificate_key": os.path.join(ssl_path, "privkey.pem") 
+		}
+	}
+
+	update_common_site_config(ssl_config)
+	make_nginx_conf(bench_path)
+	service('nginx', 'restart')