OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1062 Commits
13 Branches
0 Tags
45 MiB
Tree: 642df6ba50
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '642df6ba50'
${ noResults }
server-tools/letsencrypt/models/letsencrypt.py

168 lines
6.0 KiB
Raw Normal View History

[ADD] letsencrypt
9 years ago
Multi-database support and other fixes (#2) [ADD] multi-database support and other fixes
9 years ago
[ADD] letsencrypt
9 years ago
Multi-database support and other fixes (#2) [ADD] multi-database support and other fixes
9 years ago
[ADD] letsencrypt
9 years ago
Multi-database support and other fixes (#2) [ADD] multi-database support and other fixes
9 years ago
[ADD] letsencrypt
9 years ago
Multi-database support and other fixes (#2) [ADD] multi-database support and other fixes
9 years ago
[ADD] letsencrypt
9 years ago
Multi-database support and other fixes (#2) [ADD] multi-database support and other fixes
9 years ago
[ADD] letsencrypt
9 years ago
Multi-database support and other fixes (#2) [ADD] multi-database support and other fixes
9 years ago
[ADD] letsencrypt
9 years ago
Multi-database support and other fixes (#2) [ADD] multi-database support and other fixes
9 years ago
[ADD] letsencrypt
9 years ago
Multi-database support and other fixes (#2) [ADD] multi-database support and other fixes
9 years ago
[ADD] letsencrypt
9 years ago
Multi-database support and other fixes (#2) [ADD] multi-database support and other fixes
9 years ago
[ADD] letsencrypt
9 years ago
[IMP] exclude library call from coveralls
9 years ago
Multi-database support and other fixes (#2) [ADD] multi-database support and other fixes
9 years ago
[ADD] letsencrypt
9 years ago
Multi-database support and other fixes (#2) [ADD] multi-database support and other fixes
9 years ago
[ADD] letsencrypt
9 years ago
[UPD] chain cert
9 years ago
[ADD] letsencrypt
9 years ago
Multi-database support and other fixes (#2) [ADD] multi-database support and other fixes
9 years ago
  1. # -*- coding: utf-8 -*-
  2. # © 2016 Therp BV <http://therp.nl>
  3. # © 2016 Antonio Espinosa <antonio.espinosa@tecnativa.com>
  4. # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
  5. import os
  6. import logging
  7. import urllib2
  8. import urlparse
  9. import subprocess
  10. import tempfile
  11. from openerp import _, api, models, exceptions
  12. from openerp.tools import config
  15. DEFAULT_KEY_LENGTH = 4096
  16. _logger = logging.getLogger(__name__)
  19. def get_data_dir():
  20. return os.path.join(config.options.get('data_dir'), 'letsencrypt')
  23. def get_challenge_dir():
  24. return os.path.join(get_data_dir(), 'acme-challenge')
  27. class Letsencrypt(models.AbstractModel):
  28. _name = 'letsencrypt'
  29. _description = 'Abstract model providing functions for letsencrypt'
  31. @api.model
  32. def call_cmdline(self, cmdline, loglevel=logging.INFO,
  33. raise_on_result=True):
  34. process = subprocess.Popen(
  35. cmdline, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
  36. stdout, stderr = process.communicate()
  37. if stderr:
  38. _logger.log(loglevel, stderr)
  39. if stdout:
  40. _logger.log(loglevel, stdout)
  42. if process.returncode:
  43. raise exceptions.Warning(
  44. _('Error calling %s: %d') % (cmdline[0], process.returncode),
  45. ' '.join(cmdline),
  46. )
  48. return process.returncode
  50. @api.model
  51. def generate_account_key(self):
  52. data_dir = get_data_dir()
  53. if not os.path.isdir(data_dir):
  54. os.makedirs(data_dir)
  55. account_key = os.path.join(data_dir, 'account.key')
  56. if not os.path.isfile(account_key):
  57. _logger.info('generating rsa account key')
  58. self.call_cmdline([
  59. 'openssl', 'genrsa', '-out', account_key,
  60. str(DEFAULT_KEY_LENGTH),
  61. ])
  62. assert os.path.isfile(account_key), 'failed to create rsa key'
  63. return account_key
  65. @api.model
  66. def generate_domain_key(self, domain):
  67. domain_key = os.path.join(get_data_dir(), '%s.key' % domain)
  68. if not os.path.isfile(domain_key):
  69. _logger.info('generating rsa domain key for %s', domain)
  70. self.call_cmdline([
  71. 'openssl', 'genrsa', '-out', domain_key,
  72. str(DEFAULT_KEY_LENGTH),
  73. ])
  74. return domain_key
  76. @api.model
  77. def validate_domain(self, domain):
  78. local_domains = ['localhost', 'localhost.localdomain']
  80. def _ip_is_private(address):
  81. import IPy
  82. try:
  83. ip = IPy.IP(address)
  84. except:
  85. return False
  86. return ip.iptype() == 'PRIVATE'
  88. if domain in local_domains or _ip_is_private(domain):
  89. raise exceptions.Warning(
  90. _("Let's encrypt doesn't work with private addresses "
  91. "or local domains!"))
  93. @api.model
  94. def generate_csr(self, domain):
  95. domains = [domain]
  96. i = 0
  97. while self.env['ir.config_parameter'].get_param(
  98. 'letsencrypt.altname.%d' % i):
  99. domains.append(
  100. self.env['ir.config_parameter']
  101. .get_param('letsencrypt.altname.%d' % i)
  102. )
  103. i += 1
  104. _logger.info('generating csr for %s', domain)
  105. if len(domains) > 1:
  106. _logger.info('with alternative subjects %s', ','.join(domains[1:]))
  107. config = self.env['ir.config_parameter'].get_param(
  108. 'letsencrypt.openssl.cnf', '/etc/ssl/openssl.cnf')
  109. csr = os.path.join(get_data_dir(), '%s.csr' % domain)
  110. with tempfile.NamedTemporaryFile() as cfg:
  111. cfg.write(open(config).read())
  112. if len(domains) > 1:
  113. cfg.write(
  114. '\n[SAN]\nsubjectAltName=' +
  115. ','.join(map(lambda x: 'DNS:%s' % x, domains)) + '\n')
  116. cfg.file.flush()
  117. cmdline = [
  118. 'openssl', 'req', '-new',
  119. self.env['ir.config_parameter'].get_param(
  120. 'letsencrypt.openssl.digest', '-sha256'),
  121. '-key', self.generate_domain_key(domain),
  122. '-subj', '/CN=%s' % domain, '-config', cfg.name,
  123. '-out', csr,
  124. ]
  125. if len(domains) > 1:
  126. cmdline.extend([
  127. '-reqexts', 'SAN',
  128. ])
  129. self.call_cmdline(cmdline)
  130. return csr
  132. @api.model
  133. def cron(self):
  134. domain = urlparse.urlparse(
  135. self.env['ir.config_parameter'].get_param(
  136. 'web.base.url', 'localhost')).netloc
  137. self.validate_domain(domain)
  138. account_key = self.generate_account_key()
  139. csr = self.generate_csr(domain)
  140. acme_challenge = get_challenge_dir()
  141. if not os.path.isdir(acme_challenge):
  142. os.makedirs(acme_challenge)
  143. if self.env.context.get('letsencrypt_dry_run'):
  144. crt_text = 'I\'m a test text'
  145. else: # pragma: no cover
  146. from acme_tiny import get_crt, DEFAULT_CA
  147. crt_text = get_crt(
  148. account_key, csr, acme_challenge, log=_logger, CA=DEFAULT_CA)
  149. with open(os.path.join(get_data_dir(), '%s.crt' % domain), 'w')\
  150. as crt:
  151. crt.write(crt_text)
  152. chain_cert = urllib2.urlopen(
  153. self.env['ir.config_parameter'].get_param(
  154. 'letsencrypt.chain_certificate_address',
  155. 'https://letsencrypt.org/certs/'
  156. 'lets-encrypt-x3-cross-signed.pem')
  157. )
  158. crt.write(chain_cert.read())
  159. chain_cert.close()
  160. _logger.info('wrote %s', crt.name)
  161. reload_cmd = self.env['ir.config_parameter'].get_param(
  162. 'letsencrypt.reload_command', False)
  163. if reload_cmd:
  164. _logger.info('reloading webserver...')
  165. self.call_cmdline(['sh', '-c', reload_cmd])
  166. else:
  167. _logger.info('no command defined for reloading webserver, please '
  168. 'do it manually in order to apply new certificate')