diff --git a/README.rst b/README.rst
index 5dd27ea..4788821 100644
--- a/README.rst
+++ b/README.rst
@@ -27,7 +27,7 @@ useful to you in the following cases:
 .. _Greenhost's: https://greenhost.net
 
 This plugin does not configure HAProxy for you, because HAProxy configurations
-can can vary a great deal. Please read the installation instructions on how to
+can vary a great deal. Please read the installation instructions on how to
 configure HAProxy for use with the plugin. If you have a good idea on how we can implement automatic HAProxy configuration, you are welcome to create a merge request or an issue.
diff --git a/certbot-deploy-hook b/certbot-deploy-hook
new file mode 100755
index 0000000..0796707
--- /dev/null
+++ b/certbot-deploy-hook
@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+
+import os
+import re
+import sys
+
+# Certbot sets an environment variable RENEWED_LINEAGE, which points to the
+# path of the renewed certificate. We use that path to determine and find
+# the files for the currently renewed certificated
+lineage=os.environ.get('RENEWED_LINEAGE')
+
+# If nothing renewed, exit
+if not lineage:
+ sys.exit()
+
+# From the linage, we strip the 'domain name', which is the last part
+# of the path.
+result = re.match(r'.*/live/(.+)$', lineage)
+
+# If we can not recognize the path, we exit with 1
+if not result:
+ sys.exit(1)
+
+# Extract the domain name
+domain = result.group(1)
+
+# Define a path for HAproxy where you want to write the .pem file.
+deploy_path="/opt/certbot/haproxy_fullchains/" + domain + ".pem"
+
+# The source files can be found in below paths, constructed with the lineage
+# path
+source_key = lineage + "/privkey.pem"
+source_chain = lineage + "/fullchain.pem"
+
+# HAproxy requires to combine the key and chain in one .pem file
+with open(deploy_path, "w") as deploy, \
+ open(source_key, "r") as key, \
+ open(source_chain, "r") as chain:
+ deploy.write(key.read())
+ deploy.write(chain.read())
+
+# Here you can add your service reload command. Which will be executed after
+# every renewal, which is fine if you only have a few domains.
+
+os.system('sudo /bin/systemctl restart haproxy')
+
+# Alternative is to add the reload to the --post-hook. In that case it is only
+# run once after all renewals. That would be the use-case if you have a large
+# number of different certificates served by HAproxy.
diff --git a/certbot_haproxy/authenticator.py b/certbot_haproxy/authenticator.py
index 68e2288..e10dd0a 100644
--- a/certbot_haproxy/authenticator.py
+++ b/certbot_haproxy/authenticator.py
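Review bot: The bundle written at `deploy_path` contains the private key, but `open(deploy_path, "w")` creates it with whatever the process umask allows (commonly 0644), so the contents of `privkey.pem` can end up world-readable under `/opt/certbot/haproxy_fullchains/`. It should be created with mode 0600 through `os.open(..., 0o600)` plus `os.fchmod` for the case where an older file already exists, and written to a temporary name then moved into place with `os.replace` so a concurrent HAProxy reload never loads a truncated bundle. The reload is better run with `subprocess.run([...], check=True)` (add `import subprocess`) than with `os.system`, whose non-zero exit status is currently discarded, leaving HAProxy silently on the old certificate; `systemctl reload haproxy` is also the graceful choice over `restart` where the unit supports it. The pattern `.*/live/(.+)$` accepts anything after `live/`, including further path separators; that is acceptable because `RENEWED_LINEAGE` comes from certbot itself, but a comment saying the value is trusted would help the next reader.
```python
# … unchanged: RENEWED_LINEAGE parsing, source_key / source_chain …
tmp_path = deploy_path + ".tmp"

# The bundle holds the private key: create it 0600 regardless of umask, then
# rename into place so HAProxy never reads a half-written file.
fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
os.fchmod(fd, 0o600)
with os.fdopen(fd, "w") as deploy, \
        open(source_key, "r") as key, \
        open(source_chain, "r") as chain:
    deploy.write(key.read())
    deploy.write(chain.read())
os.replace(tmp_path, deploy_path)

# Fail loudly if the reload fails so certbot reports the hook error.
subprocess.run(['sudo', '/bin/systemctl', 'restart', 'haproxy'], check=True)
```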
@@ -52,7 +52,7 @@ from acme import challenges
 from certbot import interfaces
-from certbot.plugins import standalone
+from certbot._internal.plugins import standalone
 logger = logging.getLogger(__name__) # pylint:disable=invalid-name
diff --git a/certbot_haproxy/constants.py b/certbot_haproxy/constants.py
index e3d4505..4ee5437 100644
--- a/certbot_haproxy/constants.py
+++ b/certbot_haproxy/constants.py
@@ -10,6 +10,7 @@
 - Ubuntu Vivid (15.04)
 - Ubuntu Wily (15.10)
 - Ubuntu Xenial (16.04)
+ - CentOS (7)
 
 You can define new lists below following the instructions hereafter, please
 consider making a pull-request when you do so, so others may benefit of your
@@ -57,8 +58,8 @@ from certbot_haproxy.util import MemoiseNoArgs
 RE_HAPROXY_DOMAIN_ACL = re.compile(
- r'\s*acl (?P[0-9a-z_\-.]+) '
- r'hdr\(host\) -i '
+ r'\s*acl\s+(?P[0-9a-z_\-.]+)\s+'
+ r'(?:hdr\(host\)|req\.ssl_sni)\s+-i\s+'
 r'(?P' # Start group "domain"
 r'(?:[0-9-a-z](?:[a-z0-9-]{0,61}[a-z0-9]\.)+)' # (sub-)domain parts
 r'(?:[0-9-a-z](?:[a-z0-9-]{0,61}[a-z0-9]))' # TLD part
@@ -87,6 +88,17 @@
 crt_directory='/opt/certbot/haproxy_fullchains',
 )
 
+CLI_DEFAULTS_RHEL_BASED_SYSTEMD_OS = dict(
+ service_manager='systemctl',
+ version_cmd=['/usr/sbin/haproxy', '-v'],
+ restart_cmd=['sudo', 'systemctl', 'restart', 'haproxy'],
+ # Needs the config file as an argument:
+ conftest_cmd=['/usr/sbin/haproxy', '-c', '-f'],
+ haproxy_config='/etc/haproxy/haproxy.cfg',
+ # Needs to be writeable by the user that will run certbot
+ crt_directory='/opt/certbot/haproxy_fullchains',
+)
+
 CLI_DEFAULTS = {
 "debian": {
 '_min_version': '7',
@@ -109,6 +121,10 @@
 '18.04': CLI_DEFAULTS_DEBIAN_BASED_SYSTEMD_OS,
 '18.10': CLI_DEFAULTS_DEBIAN_BASED_SYSTEMD_OS,
 '19.04': CLI_DEFAULTS_DEBIAN_BASED_SYSTEMD_OS
+ },
+ "centos": {
+ '_min_version': '7',
+ '7': CLI_DEFAULTS_RHEL_BASED_SYSTEMD_OS
 }
 }
diff --git a/certbot_haproxy/util.py b/certbot_haproxy/util.py
index 2d388ed..78095fc 100644
--- a/certbot_haproxy/util.py
+++ b/certbot_haproxy/util.py
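Review bot: `certbot._internal.plugins` is a private module with no stability guarantee, so the new import will break on any certbot release that moves or renames the standalone plugin, and it drops support for every certbot version from before the `_internal` reorganisation without saying so. Unless the package metadata pins certbot to a narrow range (not visible in this diff), keep both spellings with a fallback, `try: from certbot._internal.plugins import standalone` on one line and `except ImportError: from certbot.plugins import standalone` on the next, with a comment naming which certbot versions each branch serves. If only current certbot is meant to be supported, the minimum certbot version in the package requirements should be raised in the same commit so the failure is an install-time error rather than an ImportError at run time.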
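Review bot: The new alternation in `RE_HAPROXY_DOMAIN_ACL` recognises `req.ssl_sni`, which HAProxy evaluates on a TCP-mode frontend by inspecting the raw ClientHello, but an HTTP-mode frontend that terminates TLS exposes the server name as `ssl_fc_sni`, so ACLs written that way, a common layout when certbot is run next to HAProxy, are still not detected and their domains would not be picked up. Consider `r'(?:hdr\(host\)|req\.ssl_sni|ssl_fc_sni)\s+-i\s+'` and a comment above the pattern listing exactly which ACL forms the plugin understands, so operators know how to write a matching config. The `-i` flag makes HAProxy match case-insensitively while the domain group only accepts lowercase letters, so a mixed-case domain in the config is silently skipped; that predates this change but is worth noting in the same comment. The enclosing `re.compile(...)` call continues past the end of the hunk.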
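Review bot: `restart_cmd=['sudo', 'systemctl', 'restart', 'haproxy']` in `CLI_DEFAULTS_RHEL_BASED_SYSTEMD_OS` only works when the certbot user has a matching sudoers entry, and neither the defaults nor their comments say so; the comment should spell out the rule needed (a NOPASSWD entry restricted to that single command, not blanket sudo), and `reload` is the graceful choice over `restart`, which drops in-flight connections on every renewal. The `crt_directory` comment says the directory must be writeable by the certbot user but not that it must be private: the bundles written there contain private keys, so it should also say the directory is expected to be mode 0700 (HAProxy typically loads certificates before dropping privileges, so root ownership is not required). The table lists only `'7'`; if the OS lookup is by exact version key, as the per-release Ubuntu entries suggest, CentOS 8/Stream and the RHEL-family ids (`rhel`, `rocky`, `almalinux`) get no defaults at all, which deserves either extra keys or a comment stating that only CentOS 7 is supported.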
@@ -49,7 +49,7 @@ def create_self_signed_cert(bits=2048, **kwargs):
 cert = crypto.X509()
 attributes = {
- 'countryName': u"FU",
+ 'countryName': u"UK",
 'stateOrProvinceName': u"Oceania",
 'localityName': u"London",
 'organizationName': u"Ministry of Truth",
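Review bot: `u"UK"` is not an ISO 3166-1 alpha-2 country code either; the United Kingdom is `GB`, and OpenSSL only enforces the two-character length for `C=`, so this swaps one invalid placeholder for another that merely looks valid. Use `'countryName': u"GB",` or, if the intent is an obviously fictitious subject to match the Orwell-themed fields around it, keep a fake value and add a comment saying the subject is deliberately meaningless. `create_self_signed_cert` starts and ends outside the hunk, so I cannot see whether this certificate is ever used for anything beyond a placeholder; if it is only a bootstrap dummy, the comment should say that too.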