[ADD] letsencrypt (#425)

* [ADD] letsencrypt (#347) * [ADD] letsencrypt * [ADD] write bogus restart script for tests * [IMP] exclude library call from coveralls * [IMP] try moving the library import into nocover branch * [ADD] explain how to redirect the well known uri to the odoo instance * [ADD] example for apache * [FIX] cronjob should be noupdate * [FIX] community review * [FIX] flake8 * [DEL] unused imports * [UPD] chain cert * Multi-database support and other fixes (#2) [ADD] multi-database support and other fixes * [ADD] eggs necessary for letsencrypt * [IMP] readme * [ADD] ipv6 localhosts * [ADD] restrict reload command * Revert "[ADD] eggs necessary for letsencrypt" This reverts commit 642df6ba50. * [ADD] eggs necessary for letsencrypt Conflicts: requirements.txt * Migrate letsencrypt to v9 * Add AGPL target link to ReadMe in letsencrypt
9 years ago · 3e30d0ee2e
14 changed files with 454 additions and 0 deletions
--- a/letsencrypt/README.rst
+++ b/letsencrypt/README.rst
@ -0,0 +1,166 @@
 .. image:: https://img.shields.io/badge/licence-AGPL--3-blue.svg
   :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
   :alt: License: AGPL-3
 =============================================
 Request SSL certificates from letsencrypt.org
 =============================================
 This module was written to have your Odoo installation request SSL certificates
 from https://letsencrypt.org automatically.
 Installation
 ============
 After installation, this module generates a private key for your account at
 letsencrypt.org automatically in ``$data_dir/letsencrypt/account.key``. If you
 want or need to use your own account key, replace the file.
 For certificate requests to work, your site needs to be accessible via plain
 HTTP, see below for configuration examples in case you force your clients to
 the SSL version.
 After installation, trigger the cronjob `Update letsencrypt certificates` and
 watch your log for messages.
 This addon depends on the ``openssl`` binary and the ``acme_tiny`` and ``IPy``
 python modules.
 For installing the OpenSSL binary you can use your distro package manager.
 For Debian and Ubuntu, that would be:
    sudo apt-get install openssl
 For installing the ACME-Tiny python module, use the PIP package manager:
    sudo pip install acme-tiny
 For installing the IPy python module, use the PIP package manager:
    sudo pip install IPy
 Configuration
 =============
 This addons requests a certificate for the domain named in the configuration
 parameter ``web.base.url`` - if this comes back as ``localhost`` or the like,
 the module doesn't request anything.
 If you want your certificate to contain multiple alternative names, just add
 them as configuration parameters ``letsencrypt.altname.N`` with ``N`` starting
 from ``0``. The amount of domains that can be added are subject to `rate
 limiting <https://community.letsencrypt.org/t/rate-limits-for-lets-encrypt/6769>`_.
 Note that all those domains must be publicly reachable on port 80 via HTTP, and
 they must have an entry for ``.well-known/acme-challenge`` pointing to your odoo
 instance.
 Usage
 =====
 The module sets up a cronjob that requests and renews certificates automatically.
 After the first run, you'll find a file called ``domain.crt`` in
 ``$datadir/letsencrypt``, configure your SSL proxy to use this file as certificate.
 .. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas
    :alt: Try me on Runbot
    :target: https://runbot.odoo-community.org/runbot/149/8.0
 For further information, please visit:
 * https://www.odoo.com/forum/help-1
 In depth configuration
 ======================
 This module uses ``openssl`` to generate CSRs suitable to be submitted to
 letsencrypt.org. In order to do this, it copies ``/etc/ssl/openssl.cnf`` to a
 temporary and adapts it according to its needs (currently, that's just adding a
 ``[SAN]`` section if necessary). If you want the module to use another configuration
 template, set config parameter ``letsencrypt.openssl.cnf``.
 After refreshing the certificate, the module attempts to run the content of
 ``letsencrypt.reload_command``, which is by default ``sudo service nginx reload``.
 Change this to match your server's configuration.
 You'll also need a matching sudo configuration, like::
    your_odoo_user ALL = NOPASSWD: /usr/sbin/service nginx reload
 Further, if you force users to https, you'll need something like for nginx::
    if ($scheme = "http") {
        set $redirect_https 1;
    }
    if ($request_uri ~ ^/.well-known/acme-challenge/) {
        set $redirect_https 0;
    }
    if ($redirect_https) {
        rewrite ^   https://$server_name$request_uri? permanent;
    }
 and this for apache::
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteCond %{REQUEST_URI} "!^/.well-known/"
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
 In case you need to redirect other nginx sites to your Odoo instance, declare
 an upstream for your odoo instance and do something like::
    location /.well-known {
        proxy_pass    http://yourodooupstream;
    }
 If you're using a multi-database installation (with or without dbfilter option)
 where /web/databse/selector returns a list of more than one database, then
 you need to add ``letsencrypt`` addon to wide load addons list
 (by default, only ``web`` addon), setting ``--load`` option.
 For example, ``--load=web,letsencrypt``
 Bug Tracker
 ===========
 Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-tools/issues>`_.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us smashing it by providing a detailed and welcomed feedback
 `here <https://github.com/OCA/server-tools/issues/new?body=module:%20letsencrypt%0Aversion:%209.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
 Credits
 =======
 Contributors
 ------------
 * Holger Brunn <hbrunn@therp.nl>
 * Antonio Espinosa <antonio.espinosa@tecnativa.com>
 * Dave Lasley <dave@laslabs.com>
 ACME implementation
 -------------------
 * https://github.com/diafygi/acme-tiny/blob/master/acme_tiny.py
 Icon
 ----
 * https://helloworld.letsencrypt.org
 Maintainer
 ----------
 .. image:: https://odoo-community.org/logo.png
   :alt: Odoo Community Association
   :target: https://odoo-community.org
 This module is maintained by the OCA.
 OCA, or the Odoo Community Association, is a nonprofit organization whose
 mission is to support the collaborative development of Odoo features and
 promote its widespread use.
 To contribute to this module, please visit https://odoo-community.org.
--- a/letsencrypt/init.py
+++ b/letsencrypt/init.py
@ -0,0 +1,6 @@
 # -*- coding: utf-8 -*-
 # © 2016 Therp BV <http://therp.nl>
 # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
 from . import models
 from . import controllers
 from .hooks import post_init_hook
--- a/letsencrypt/openerp.py
+++ b/letsencrypt/openerp.py
@ -0,0 +1,31 @@
 # -*- coding: utf-8 -*-
 # © 2016 Therp BV <http://therp.nl>
 # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
 {
    "name": "Let's encrypt",
    "version": "9.0.1.0.0",
    "author": "Therp BV,"
              "Tecnativa,"
              "Odoo Community Association (OCA)",
    "license": "AGPL-3",
    "category": "Hidden/Dependency",
    "summary": "Request SSL certificates from letsencrypt.org",
    "depends": [
        'base',
    ],
    "data": [
        "data/ir_config_parameter.xml",
        "data/ir_cron.xml",
    ],
    "post_init_hook": 'post_init_hook',
    "installable": True,
    "external_dependencies": {
        'bin': [
            'openssl',
        ],
        'python': [
            'acme_tiny',
            'IPy',
        ],
    },
 }
--- a/letsencrypt/controllers/init.py
+++ b/letsencrypt/controllers/init.py
@ -0,0 +1,4 @@
 # -*- coding: utf-8 -*-
 # © 2016 Therp BV <http://therp.nl>
 # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
 from . import main
--- a/letsencrypt/controllers/main.py
+++ b/letsencrypt/controllers/main.py
@ -0,0 +1,19 @@
 # -*- coding: utf-8 -*-
 # © 2016 Therp BV <http://therp.nl>
 # © 2016 Antonio Espinosa <antonio.espinosa@tecnativa.com>
 # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
 import os
 from openerp import http
 from openerp.http import request
 from ..models.letsencrypt import get_challenge_dir
 class Letsencrypt(http.Controller):
    @http.route('/.well-known/acme-challenge/<filename>', auth='none')
    def acme_challenge(self, filename):
        try:
            with file(os.path.join(get_challenge_dir(), filename)) as key:
                return key.read()
        except IOError:
            pass
        return request.not_found()
--- a/letsencrypt/data/ir_config_parameter.xml
+++ b/letsencrypt/data/ir_config_parameter.xml
@ -0,0 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <openerp>
    <data noupdate="1">
        <record id="config_parameter_reload" model="ir.config_parameter" forcecreate="True">
            <field name="key">letsencrypt.reload_command</field>
            <field name="value">sudo /usr/sbin/service nginx reload</field>
            <field name="group_ids" eval="[(6, False, [ref('base.group_system')])]" />
        </record>
    </data>
 </openerp>
--- a/letsencrypt/data/ir_cron.xml
+++ b/letsencrypt/data/ir_cron.xml
@ -0,0 +1,14 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <openerp>
    <data noupdate="1">
        <record id="cronjob" model="ir.cron">
            <field name="name">Update letsencrypt certificates</field>
            <field name="interval_type">weeks</field>
            <field name="interval_number">11</field>
            <field name="numbercall">-1</field>
            <field name="model">letsencrypt</field>
            <field name="function">cron</field>
            <field name="nextcall">2016-01-01</field>
        </record>
    </data>
 </openerp>
--- a/letsencrypt/hooks.py
+++ b/letsencrypt/hooks.py
@ -0,0 +1,9 @@
 # -*- coding: utf-8 -*-
 # © 2016 Therp BV <http://therp.nl>
 # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
 from openerp import SUPERUSER_ID, api
 def post_init_hook(cr, pool):
    env = api.Environment(cr, SUPERUSER_ID, {})
    env['letsencrypt'].generate_account_key()
--- a/letsencrypt/models/init.py
+++ b/letsencrypt/models/init.py
@ -0,0 +1,4 @@
 # -*- coding: utf-8 -*-
 # © 2016 Therp BV <http://therp.nl>
 # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
 from . import letsencrypt
--- a/letsencrypt/models/letsencrypt.py
+++ b/letsencrypt/models/letsencrypt.py
@ -0,0 +1,171 @@
 # -*- coding: utf-8 -*-
 # © 2016 Therp BV <http://therp.nl>
 # © 2016 Antonio Espinosa <antonio.espinosa@tecnativa.com>
 # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
 import os
 import logging
 import urllib2
 import urlparse
 import subprocess
 import tempfile
 from openerp import _, api, models, exceptions
 from openerp.tools import config
 DEFAULT_KEY_LENGTH = 4096
 _logger = logging.getLogger(__name__)
 def get_data_dir():
    return os.path.join(config.options.get('data_dir'), 'letsencrypt')
 def get_challenge_dir():
    return os.path.join(get_data_dir(), 'acme-challenge')
 class Letsencrypt(models.AbstractModel):
    _name = 'letsencrypt'
    _description = 'Abstract model providing functions for letsencrypt'
    @api.model
    def call_cmdline(self, cmdline, loglevel=logging.INFO,
                     raise_on_result=True):
        process = subprocess.Popen(
            cmdline, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        stdout, stderr = process.communicate()
        if stderr:
            _logger.log(loglevel, stderr)
        if stdout:
            _logger.log(loglevel, stdout)
        if process.returncode:
            raise exceptions.Warning(
                _('Error calling %s: %d') % (cmdline[0], process.returncode),
                ' '.join(cmdline),
            )
        return process.returncode
    @api.model
    def generate_account_key(self):
        data_dir = get_data_dir()
        if not os.path.isdir(data_dir):
            os.makedirs(data_dir)
        account_key = os.path.join(data_dir, 'account.key')
        if not os.path.isfile(account_key):
            _logger.info('generating rsa account key')
            self.call_cmdline([
                'openssl', 'genrsa', '-out', account_key,
                str(DEFAULT_KEY_LENGTH),
            ])
        assert os.path.isfile(account_key), 'failed to create rsa key'
        return account_key
    @api.model
    def generate_domain_key(self, domain):
        domain_key = os.path.join(get_data_dir(), '%s.key' % domain)
        if not os.path.isfile(domain_key):
            _logger.info('generating rsa domain key for %s', domain)
            self.call_cmdline([
                'openssl', 'genrsa', '-out', domain_key,
                str(DEFAULT_KEY_LENGTH),
            ])
        return domain_key
    @api.model
    def validate_domain(self, domain):
        local_domains = [
            'localhost', 'localhost.localdomain', 'localhost6',
            'localhost6.localdomain6'
        ]
        def _ip_is_private(address):
            import IPy
            try:
                ip = IPy.IP(address)
            except:
                return False
            return ip.iptype() == 'PRIVATE'
        if domain in local_domains or _ip_is_private(domain):
            raise exceptions.Warning(
                _("Let's encrypt doesn't work with private addresses "
                  "or local domains!"))
    @api.model
    def generate_csr(self, domain):
        domains = [domain]
        i = 0
        while self.env['ir.config_parameter'].get_param(
                'letsencrypt.altname.%d' % i):
            domains.append(
                self.env['ir.config_parameter']
                .get_param('letsencrypt.altname.%d' % i)
            )
            i += 1
        _logger.info('generating csr for %s', domain)
        if len(domains) > 1:
            _logger.info('with alternative subjects %s', ','.join(domains[1:]))
        config = self.env['ir.config_parameter'].get_param(
            'letsencrypt.openssl.cnf', '/etc/ssl/openssl.cnf')
        csr = os.path.join(get_data_dir(), '%s.csr' % domain)
        with tempfile.NamedTemporaryFile() as cfg:
            cfg.write(open(config).read())
            if len(domains) > 1:
                cfg.write(
                    '\n[SAN]\nsubjectAltName=' +
                    ','.join(map(lambda x: 'DNS:%s' % x, domains)) + '\n')
            cfg.file.flush()
            cmdline = [
                'openssl', 'req', '-new',
                self.env['ir.config_parameter'].get_param(
                    'letsencrypt.openssl.digest', '-sha256'),
                '-key', self.generate_domain_key(domain),
                '-subj', '/CN=%s' % domain, '-config', cfg.name,
                '-out', csr,
            ]
            if len(domains) > 1:
                cmdline.extend([
                    '-reqexts', 'SAN',
                ])
            self.call_cmdline(cmdline)
        return csr
    @api.model
    def cron(self):
        domain = urlparse.urlparse(
            self.env['ir.config_parameter'].get_param(
                'web.base.url', 'localhost')).netloc
        self.validate_domain(domain)
        account_key = self.generate_account_key()
        csr = self.generate_csr(domain)
        acme_challenge = get_challenge_dir()
        if not os.path.isdir(acme_challenge):
            os.makedirs(acme_challenge)
        if self.env.context.get('letsencrypt_dry_run'):
            crt_text = 'I\'m a test text'
        else:  # pragma: no cover
            from acme_tiny import get_crt, DEFAULT_CA
            crt_text = get_crt(
                account_key, csr, acme_challenge, log=_logger, CA=DEFAULT_CA)
        with open(os.path.join(get_data_dir(), '%s.crt' % domain), 'w')\
                as crt:
            crt.write(crt_text)
            chain_cert = urllib2.urlopen(
                self.env['ir.config_parameter'].get_param(
                    'letsencrypt.chain_certificate_address',
                    'https://letsencrypt.org/certs/'
                    'lets-encrypt-x3-cross-signed.pem')
            )
            crt.write(chain_cert.read())
            chain_cert.close()
            _logger.info('wrote %s', crt.name)
        reload_cmd = self.env['ir.config_parameter'].get_param(
            'letsencrypt.reload_command', False)
        if reload_cmd:
            _logger.info('reloading webserver...')
            self.call_cmdline(['sh', '-c', reload_cmd])
        else:
            _logger.info('no command defined for reloading webserver, please '
                         'do it manually in order to apply new certificate')
--- a/letsencrypt/static/description/icon.png
+++ b/letsencrypt/static/description/icon.png
--- a/letsencrypt/tests/init.py
+++ b/letsencrypt/tests/init.py
@ -0,0 +1,4 @@
 # -*- coding: utf-8 -*-
 # © 2016 Therp BV <http://therp.nl>
 # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
 from . import test_letsencrypt
--- a/letsencrypt/tests/test_letsencrypt.py
+++ b/letsencrypt/tests/test_letsencrypt.py
@ -0,0 +1,14 @@
 # -*- coding: utf-8 -*-
 # © 2016 Therp BV <http://therp.nl>
 # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
 from openerp.tests.common import TransactionCase
 class TestLetsencrypt(TransactionCase):
    def test_letsencrypt(self):
        from ..hooks import post_init_hook
        post_init_hook(self.cr, None)
        self.env.ref('letsencrypt.config_parameter_reload').write({
            'value': '',
        })
        self.env['letsencrypt'].with_context(letsencrypt_dry_run=True).cron()
--- a/requirements.txt
+++ b/requirements.txt
@ -1,2 +1,4 @@
 python-ldap
 unidecode
 acme_tiny
 IPy