mirror of
https://github.com/frappe/bench.git
synced 2025-01-24 23:48:24 +00:00
Added command for adding Let's Encrypt SSL to site
This commit is contained in:
parent
608aad0d25
commit
ea07745bbb
@ -47,9 +47,10 @@ def check_uid():
|
|||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
|
|
||||||
def cmd_requires_root():
|
def cmd_requires_root():
|
||||||
if len(sys.argv) > 2 and sys.argv[2] in ('production', 'sudoers'):
|
if len(sys.argv) > 2 and sys.argv[2] in ('production', 'sudoers', 'lets-encrypt'):
|
||||||
return True
|
return True
|
||||||
if len(sys.argv) > 2 and sys.argv[1] in ('patch',):
|
#Changed > to >=, unsure if will cause the apolcaypse
|
||||||
|
if len(sys.argv) >= 2 and sys.argv[1] in ('patch', 'renew-lets-encrypt'):
|
||||||
return True
|
return True
|
||||||
|
|
||||||
def change_dir():
|
def change_dir():
|
||||||
|
@ -30,7 +30,7 @@ bench_command.add_command(switch_to_v5)
|
|||||||
|
|
||||||
|
|
||||||
from bench.commands.utils import (start, restart, set_nginx_port, set_ssl_certificate, set_ssl_certificate_key, set_url_root,
|
from bench.commands.utils import (start, restart, set_nginx_port, set_ssl_certificate, set_ssl_certificate_key, set_url_root,
|
||||||
set_mariadb_host, set_default_site, download_translations, shell, backup_site, backup_all_sites, release)
|
set_mariadb_host, set_default_site, download_translations, shell, backup_site, backup_all_sites, release, renew_lets_encrypt)
|
||||||
bench_command.add_command(start)
|
bench_command.add_command(start)
|
||||||
bench_command.add_command(restart)
|
bench_command.add_command(restart)
|
||||||
bench_command.add_command(set_nginx_port)
|
bench_command.add_command(set_nginx_port)
|
||||||
@ -44,7 +44,7 @@ bench_command.add_command(shell)
|
|||||||
bench_command.add_command(backup_site)
|
bench_command.add_command(backup_site)
|
||||||
bench_command.add_command(backup_all_sites)
|
bench_command.add_command(backup_all_sites)
|
||||||
bench_command.add_command(release)
|
bench_command.add_command(release)
|
||||||
|
bench_command.add_command(renew_lets_encrypt)
|
||||||
|
|
||||||
from bench.commands.setup import setup
|
from bench.commands.setup import setup
|
||||||
bench_command.add_command(setup)
|
bench_command.add_command(setup)
|
||||||
|
@ -63,6 +63,14 @@ def setup_env():
|
|||||||
setup_env()
|
setup_env()
|
||||||
|
|
||||||
|
|
||||||
|
@click.command('lets-encrypt')
|
||||||
|
@click.argument('site')
|
||||||
|
def setup_letsencrypt(site):
|
||||||
|
"Setup lets-encrypt for site"
|
||||||
|
from bench.config.lets_encrypt import setup_letsencrypt
|
||||||
|
setup_letsencrypt(site, bench_path='.')
|
||||||
|
|
||||||
|
|
||||||
@click.command('procfile')
|
@click.command('procfile')
|
||||||
def setup_procfile():
|
def setup_procfile():
|
||||||
"Setup Procfile for bench start"
|
"Setup Procfile for bench start"
|
||||||
@ -88,6 +96,7 @@ setup.add_command(setup_sudoers)
|
|||||||
setup.add_command(setup_nginx)
|
setup.add_command(setup_nginx)
|
||||||
setup.add_command(setup_supervisor)
|
setup.add_command(setup_supervisor)
|
||||||
setup.add_command(setup_redis)
|
setup.add_command(setup_redis)
|
||||||
|
setup.add_command(setup_letsencrypt)
|
||||||
setup.add_command(setup_production)
|
setup.add_command(setup_production)
|
||||||
setup.add_command(setup_auto_update)
|
setup.add_command(setup_auto_update)
|
||||||
setup.add_command(setup_backups)
|
setup.add_command(setup_backups)
|
||||||
|
@ -76,6 +76,11 @@ def download_translations():
|
|||||||
from bench.utils import download_translations_p
|
from bench.utils import download_translations_p
|
||||||
download_translations_p()
|
download_translations_p()
|
||||||
|
|
||||||
|
@click.command('renew-lets-encrypt')
|
||||||
|
def renew_lets_encrypt():
|
||||||
|
"Renew Let's Encrypt certificate"
|
||||||
|
from bench.config.lets_encrypt import renew_certs
|
||||||
|
renew_certs()
|
||||||
|
|
||||||
@click.command()
|
@click.command()
|
||||||
def shell(bench='.'):
|
def shell(bench='.'):
|
||||||
|
95
bench/config/lets_encrypt.py
Executable file
95
bench/config/lets_encrypt.py
Executable file
@ -0,0 +1,95 @@
|
|||||||
|
import bench, os, click, errno, urllib
|
||||||
|
from bench.utils import exec_cmd, update_site_config, CommandFailedError
|
||||||
|
from bench.config.common_site_config import update_config as update_common_config
|
||||||
|
from bench.config.nginx import make_nginx_conf
|
||||||
|
from bench.config.production_setup import service
|
||||||
|
from bench.config.common_site_config import get_config
|
||||||
|
from crontab import CronTab
|
||||||
|
|
||||||
|
def setup_letsencrypt(site, bench_path):
|
||||||
|
|
||||||
|
site_path = os.path.join(bench_path, "sites", site, "site_config.json")
|
||||||
|
if not os.path.exists(os.path.dirname(site_path)):
|
||||||
|
print "No site named "+site
|
||||||
|
return
|
||||||
|
|
||||||
|
click.confirm('Running this will stop the nginx service temporarily causing your sites to go offline\n'
|
||||||
|
'Do you want to continue?',
|
||||||
|
abort=True)
|
||||||
|
|
||||||
|
if not get_config(bench_path).get("dns_multitenant"):
|
||||||
|
print "You cannot setup SSL without DNS Multitenancy"
|
||||||
|
return
|
||||||
|
|
||||||
|
create_config(site)
|
||||||
|
run_certbot_and_setup_ssl(site, bench_path)
|
||||||
|
setup_crontab()
|
||||||
|
|
||||||
|
|
||||||
|
def create_config(site):
|
||||||
|
config = bench.env.get_template('letsencrypt.cfg').render(domain=site)
|
||||||
|
config_path = '/etc/letsencrypt/configs/{site}.cfg'.format(site=site)
|
||||||
|
create_dir_if_missing(config_path)
|
||||||
|
|
||||||
|
with open(config_path, 'w') as f:
|
||||||
|
f.write(config)
|
||||||
|
|
||||||
|
|
||||||
|
def run_certbot_and_setup_ssl(site, bench_path):
|
||||||
|
service('nginx', 'stop')
|
||||||
|
get_certbot()
|
||||||
|
|
||||||
|
try:
|
||||||
|
exec_cmd("{path} --config /etc/letsencrypt/configs/{site}.cfg certonly".format(path=get_certbot_path(), site=site))
|
||||||
|
except CommandFailedError:
|
||||||
|
service('nginx', 'start')
|
||||||
|
print "There was a problem trying to setup SSL for your site"
|
||||||
|
return
|
||||||
|
|
||||||
|
ssl_path = "/etc/letsencrypt/live/{site}/".format(site=site)
|
||||||
|
|
||||||
|
ssl_config = { "ssl_certificate": os.path.join(ssl_path, "fullchain.pem"),
|
||||||
|
"ssl_certificate_key": os.path.join(ssl_path, "privkey.pem") }
|
||||||
|
|
||||||
|
update_site_config(site, ssl_config, bench=bench_path)
|
||||||
|
make_nginx_conf(bench_path)
|
||||||
|
|
||||||
|
service('nginx', 'start')
|
||||||
|
|
||||||
|
|
||||||
|
def setup_crontab():
|
||||||
|
job_command = 'sudo service nginx stop && /opt/certbot-auto renew && sudo service nginx start'
|
||||||
|
user_crontab = CronTab(user=True)
|
||||||
|
if job_command not in str(user_crontab):
|
||||||
|
job = user_crontab.new(command=job_command, comment="Renew lets-encrypt every month")
|
||||||
|
job.month.every(1)
|
||||||
|
job.enable()
|
||||||
|
user_crontab.write()
|
||||||
|
|
||||||
|
|
||||||
|
def create_dir_if_missing(path):
|
||||||
|
if not os.path.exists(os.path.dirname(path)):
|
||||||
|
os.makedirs(os.path.dirname(path))
|
||||||
|
|
||||||
|
|
||||||
|
def get_certbot():
|
||||||
|
certbot_path = get_certbot_path()
|
||||||
|
create_dir_if_missing(certbot_path)
|
||||||
|
|
||||||
|
if not os.path.isfile(certbot_path):
|
||||||
|
urllib.urlretrieve ("https://dl.eff.org/certbot-auto", certbot_path)
|
||||||
|
os.chmod(certbot_path, 0744)
|
||||||
|
|
||||||
|
|
||||||
|
def get_certbot_path():
|
||||||
|
return "/opt/certbot-auto"
|
||||||
|
|
||||||
|
|
||||||
|
def renew_certs():
|
||||||
|
click.confirm('Running this will stop the nginx service temporarily causing your sites to go offline\n'
|
||||||
|
'Do you want to continue?',
|
||||||
|
abort=True)
|
||||||
|
|
||||||
|
service('nginx', 'start')
|
||||||
|
exec_cmd("{path} renew".format(path=get_certbot_path()))
|
||||||
|
service('nginx', 'stop')
|
0
bench/config/procfile.py
Normal file → Executable file
0
bench/config/procfile.py
Normal file → Executable file
8
bench/config/production_setup.py
Normal file → Executable file
8
bench/config/production_setup.py
Normal file → Executable file
@ -27,14 +27,14 @@ def setup_production(user, bench='.'):
|
|||||||
if os.environ.get('NO_SERVICE_RESTART'):
|
if os.environ.get('NO_SERVICE_RESTART'):
|
||||||
return
|
return
|
||||||
|
|
||||||
restart_service('nginx')
|
service('nginx', 'restart')
|
||||||
|
|
||||||
|
|
||||||
def restart_service(service):
|
def service(service, option):
|
||||||
if os.path.basename(get_program(['systemctl']) or '') == 'systemctl' and is_running_systemd():
|
if os.path.basename(get_program(['systemctl']) or '') == 'systemctl' and is_running_systemd():
|
||||||
exec_cmd("{service_manager} restart {service}".format(service_manager='systemctl', service=service))
|
exec_cmd("{service_manager} {option} {service}".format(service_manager='systemctl', option=option, service=service))
|
||||||
elif os.path.basename(get_program(['service']) or '') == 'service':
|
elif os.path.basename(get_program(['service']) or '') == 'service':
|
||||||
exec_cmd("{service_manager} {service} restart ".format(service_manager='service', service=service))
|
exec_cmd("{service_manager} {service} {option} ".format(service_manager='service', service=service, option=option))
|
||||||
else:
|
else:
|
||||||
# look for 'service_manager' and 'service_manager_command' in environment
|
# look for 'service_manager' and 'service_manager_command' in environment
|
||||||
service_manager = os.environ.get("BENCH_SERVICE_MANAGER")
|
service_manager = os.environ.get("BENCH_SERVICE_MANAGER")
|
||||||
|
20
bench/config/templates/letsencrypt.cfg
Executable file
20
bench/config/templates/letsencrypt.cfg
Executable file
@ -0,0 +1,20 @@
|
|||||||
|
# This is an example of the kind of things you can do in a configuration file.
|
||||||
|
# All flags used by the client can be configured here. Run Certbot with
|
||||||
|
# "--help" to learn more about the available options.
|
||||||
|
|
||||||
|
# Use a 4096 bit RSA key instead of 2048
|
||||||
|
rsa-key-size = 4096
|
||||||
|
|
||||||
|
# Uncomment and update to register with the specified e-mail address
|
||||||
|
#email = email@domain.com
|
||||||
|
|
||||||
|
# Uncomment and update to generate certificates for the specified
|
||||||
|
# domains.
|
||||||
|
domains = {{ domain }}
|
||||||
|
|
||||||
|
# Uncomment to use a text interface instead of ncurses
|
||||||
|
text = True
|
||||||
|
|
||||||
|
# Uncomment to use the standalone authenticator on port 443
|
||||||
|
authenticator = standalone
|
||||||
|
standalone-supported-challenges = tls-sni-01
|
@ -3,5 +3,6 @@ jinja2
|
|||||||
virtualenv
|
virtualenv
|
||||||
requests
|
requests
|
||||||
honcho
|
honcho
|
||||||
|
python-crontab
|
||||||
semantic_version
|
semantic_version
|
||||||
GitPython==0.3.2.rc1
|
GitPython==0.3.2.rc1
|
||||||
|
Loading…
x
Reference in New Issue
Block a user