-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathinitialise-certbot.py
executable file
·89 lines (69 loc) · 2.64 KB
/
initialise-certbot.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
#!/usr/bin/env python3
import os
import subprocess
from collections import defaultdict
# enumerates domains to initialise certbot
os.chdir("/etc/nginx/conf.d")
domains = dict()
LETSENCRYPT_CERT_PATH = "/etc/letsencrypt/live/%s/fullchain.pem"
def get_letsencrypt_domains(content):
# get server name
for line in content.splitlines():
line = line.strip()
if line.startswith("server_name"):
domain = line.split()[1].strip(";")
# check certbot is used for this domain
if LETSENCRYPT_CERT_PATH % domain in content:
yield domain
# find all domains, map to conf file
for fp in os.listdir():
if not fp.endswith(".conf"):
continue
with open(fp) as f:
for domain in get_letsencrypt_domains(f.read()):
domains[domain] = fp
# remove domains that are already configured. Note there could be multiple per
# file
for domain, conffile in domains.copy().items():
keyfile = LETSENCRYPT_CERT_PATH % domain
if os.path.exists(keyfile):
print("\033[33m%s\033[0m" % "\nSkipping existing %s..." % domain)
del domains[domain]
continue
# invert to list by file
conffiles = defaultdict(set)
for domain, conffile in domains.items():
conffiles[conffile].add(domain)
for conffile, domains in conffiles.items():
# we use certonly to manage our own files instead of allowing certbot to
# edit them (so version control is easier)
# As such, before a certificate is obtained for the first time, a reference
# to a non-existent certificate will be in the requisite configuration
# file. As the certbot-nginx plugin needs to reload nginx, this will fail
# unless the config file is disabled temporarily.
# This prevents a chicken-and-egg situation; isolate all uninitialised configs.
for fp in conffiles.keys():
os.rename(fp, fp + ".disabled")
for domain in domains:
keyfile = LETSENCRYPT_CERT_PATH % domain
print("\033[32m%s\033[0m" % "\nInitialising %s..." % domain)
subprocess.check_call(
[
"certbot",
"certonly",
"-n",
"--agree-tos",
"--register-unsafely-without-email",
"--nginx",
"--domain",
domain,
]
)
# re-enable
for fp in conffiles.keys():
os.rename(fp + ".disabled", fp)
# check the configuration
subprocess.check_call(["nginx", "-t"])
# reload nginx, even though certbot would have done it -- it's necessary due to
# the temporary config disabling we did.
subprocess.check_call(["systemctl", "reload", "nginx"])