OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1217 Commits
13 Branches
0 Tags
45 MiB
Tree: 8630506cd8
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '8630506cd8'
${ noResults }
server-tools/letsencrypt/models/letsencrypt.py

171 lines
6.0 KiB
Raw Normal View History

[ADD] letsencrypt (#425) * [ADD] letsencrypt (#347) * [ADD] letsencrypt * [ADD] write bogus restart script for tests * [IMP] exclude library call from coveralls * [IMP] try moving the library import into nocover branch * [ADD] explain how to redirect the well known uri to the odoo instance * [ADD] example for apache * [FIX] cronjob should be noupdate * [FIX] community review * [FIX] flake8 * [DEL] unused imports * [UPD] chain cert * Multi-database support and other fixes (#2) [ADD] multi-database support and other fixes * [ADD] eggs necessary for letsencrypt * [IMP] readme * [ADD] ipv6 localhosts * [ADD] restrict reload command * Revert "[ADD] eggs necessary for letsencrypt" This reverts commit 642df6ba50c319dff3c2e546034c14329c2443e0. * [ADD] eggs necessary for letsencrypt Conflicts: requirements.txt * Migrate letsencrypt to v9 * Add AGPL target link to ReadMe in letsencrypt
8 years ago
  1. # -*- coding: utf-8 -*-
  2. # © 2016 Therp BV <http://therp.nl>
  3. # © 2016 Antonio Espinosa <antonio.espinosa@tecnativa.com>
  4. # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
  5. import os
  6. import logging
  7. import urllib2
  8. import urlparse
  9. import subprocess
  10. import tempfile
  11. from openerp import _, api, models, exceptions
  12. from openerp.tools import config
  15. DEFAULT_KEY_LENGTH = 4096
  16. _logger = logging.getLogger(__name__)
  19. def get_data_dir():
  20. return os.path.join(config.options.get('data_dir'), 'letsencrypt')
  23. def get_challenge_dir():
  24. return os.path.join(get_data_dir(), 'acme-challenge')
  27. class Letsencrypt(models.AbstractModel):
  28. _name = 'letsencrypt'
  29. _description = 'Abstract model providing functions for letsencrypt'
  31. @api.model
  32. def call_cmdline(self, cmdline, loglevel=logging.INFO,
  33. raise_on_result=True):
  34. process = subprocess.Popen(
  35. cmdline, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
  36. stdout, stderr = process.communicate()
  37. if stderr:
  38. _logger.log(loglevel, stderr)
  39. if stdout:
  40. _logger.log(loglevel, stdout)
  42. if process.returncode:
  43. raise exceptions.Warning(
  44. _('Error calling %s: %d') % (cmdline[0], process.returncode),
  45. ' '.join(cmdline),
  46. )
  48. return process.returncode
  50. @api.model
  51. def generate_account_key(self):
  52. data_dir = get_data_dir()
  53. if not os.path.isdir(data_dir):
  54. os.makedirs(data_dir)
  55. account_key = os.path.join(data_dir, 'account.key')
  56. if not os.path.isfile(account_key):
  57. _logger.info('generating rsa account key')
  58. self.call_cmdline([
  59. 'openssl', 'genrsa', '-out', account_key,
  60. str(DEFAULT_KEY_LENGTH),
  61. ])
  62. assert os.path.isfile(account_key), 'failed to create rsa key'
  63. return account_key
  65. @api.model
  66. def generate_domain_key(self, domain):
  67. domain_key = os.path.join(get_data_dir(), '%s.key' % domain)
  68. if not os.path.isfile(domain_key):
  69. _logger.info('generating rsa domain key for %s', domain)
  70. self.call_cmdline([
  71. 'openssl', 'genrsa', '-out', domain_key,
  72. str(DEFAULT_KEY_LENGTH),
  73. ])
  74. return domain_key
  76. @api.model
  77. def validate_domain(self, domain):
  78. local_domains = [
  79. 'localhost', 'localhost.localdomain', 'localhost6',
  80. 'localhost6.localdomain6'
  81. ]
  83. def _ip_is_private(address):
  84. import IPy
  85. try:
  86. ip = IPy.IP(address)
  87. except:
  88. return False
  89. return ip.iptype() == 'PRIVATE'
  91. if domain in local_domains or _ip_is_private(domain):
  92. raise exceptions.Warning(
  93. _("Let's encrypt doesn't work with private addresses "
  94. "or local domains!"))
  96. @api.model
  97. def generate_csr(self, domain):
  98. domains = [domain]
  99. i = 0
  100. while self.env['ir.config_parameter'].get_param(
  101. 'letsencrypt.altname.%d' % i):
  102. domains.append(
  103. self.env['ir.config_parameter']
  104. .get_param('letsencrypt.altname.%d' % i)
  105. )
  106. i += 1
  107. _logger.info('generating csr for %s', domain)
  108. if len(domains) > 1:
  109. _logger.info('with alternative subjects %s', ','.join(domains[1:]))
  110. config = self.env['ir.config_parameter'].get_param(
  111. 'letsencrypt.openssl.cnf', '/etc/ssl/openssl.cnf')
  112. csr = os.path.join(get_data_dir(), '%s.csr' % domain)
  113. with tempfile.NamedTemporaryFile() as cfg:
  114. cfg.write(open(config).read())
  115. if len(domains) > 1:
  116. cfg.write(
  117. '\n[SAN]\nsubjectAltName=' +
  118. ','.join(map(lambda x: 'DNS:%s' % x, domains)) + '\n')
  119. cfg.file.flush()
  120. cmdline = [
  121. 'openssl', 'req', '-new',
  122. self.env['ir.config_parameter'].get_param(
  123. 'letsencrypt.openssl.digest', '-sha256'),
  124. '-key', self.generate_domain_key(domain),
  125. '-subj', '/CN=%s' % domain, '-config', cfg.name,
  126. '-out', csr,
  127. ]
  128. if len(domains) > 1:
  129. cmdline.extend([
  130. '-reqexts', 'SAN',
  131. ])
  132. self.call_cmdline(cmdline)
  133. return csr
  135. @api.model
  136. def cron(self):
  137. domain = urlparse.urlparse(
  138. self.env['ir.config_parameter'].get_param(
  139. 'web.base.url', 'localhost')).netloc
  140. self.validate_domain(domain)
  141. account_key = self.generate_account_key()
  142. csr = self.generate_csr(domain)
  143. acme_challenge = get_challenge_dir()
  144. if not os.path.isdir(acme_challenge):
  145. os.makedirs(acme_challenge)
  146. if self.env.context.get('letsencrypt_dry_run'):
  147. crt_text = 'I\'m a test text'
  148. else: # pragma: no cover
  149. from acme_tiny import get_crt, DEFAULT_CA
  150. crt_text = get_crt(
  151. account_key, csr, acme_challenge, log=_logger, CA=DEFAULT_CA)
  152. with open(os.path.join(get_data_dir(), '%s.crt' % domain), 'w')\
  153. as crt:
  154. crt.write(crt_text)
  155. chain_cert = urllib2.urlopen(
  156. self.env['ir.config_parameter'].get_param(
  157. 'letsencrypt.chain_certificate_address',
  158. 'https://letsencrypt.org/certs/'
  159. 'lets-encrypt-x3-cross-signed.pem')
  160. )
  161. crt.write(chain_cert.read())
  162. chain_cert.close()
  163. _logger.info('wrote %s', crt.name)
  164. reload_cmd = self.env['ir.config_parameter'].get_param(
  165. 'letsencrypt.reload_command', False)
  166. if reload_cmd:
  167. _logger.info('reloading webserver...')
  168. self.call_cmdline(['sh', '-c', reload_cmd])
  169. else:
  170. _logger.info('no command defined for reloading webserver, please '
  171. 'do it manually in order to apply new certificate')