diff --git a/roles/tlscert_acme_inwx/files/tls-renew b/roles/tlscert_acme_inwx/files/tls-renew
new file mode 100755
index 0000000..4ca7893
--- /dev/null
+++ b/roles/tlscert_acme_inwx/files/tls-renew
@@ -0,0 +1,103 @@
+#!/usr/bin/env python3
+
+import os as _os
+import json as _json
+import argparse as _argparse
+
+
+def file_read(path):
+ handle = open(path, "r")
+ content = handle.read()
+ handle.close()
+ return content
+
+
+def main():
+ ## args
+ argument_parser = _argparse.ArgumentParser()
+ argument_parser.add_argument(
+ "-c",
+ "--conf-path",
+ type = str,
+ dest = "conf_path",
+ metavar = "",
+ default = "./tls-renew-conf.json",
+ )
+ argument_parser.add_argument(
+ type = str,
+ dest = "domain_base",
+ metavar = "",
+ )
+ argument_parser.add_argument(
+ type = str,
+ dest = "domain_path",
+ metavar = "",
+ )
+ argument_parser.add_argument(
+ "-t",
+ "--target-directory",
+ dest = "target_directory",
+ type = str,
+ metavar = "",
+ default = "/etc/ssl",
+ )
+ argument_parser.add_argument(
+ "-x",
+ "--challenge-prefix",
+ dest = "challenge_prefix",
+ type = str,
+ metavar = "",
+ default = "_acme-challenge",
+ help = "which subdomain to use for ACME challanges",
+ )
+ argument_parser.add_argument(
+ "-w",
+ "--delay",
+ dest = "delay",
+ type = float,
+ default = 60.0,
+ metavar = "",
+ help = "seconds to wait at end of certbot auth hook",
+ )
+ args = argument_parser.parse_args()
+
+
+ ## vars
+ conf = _json.loads(file_read(args.conf_path))
+ domain = (args.domain_base + args.domain.path)
+
+ ## exec
+ command_hook_parts = [
+ ("/usr/local/bin/inwx"),
+ ("--username='%s'" % conf["inwx_account"]["username"]),
+ ("--password='%s'" % conf["inwx_account"]["password"]),
+ ("--challenge-prefix='%s'" % args.challenge_prefix),
+ ("--delay=%.4f" % args.delay),
+ ("save"),
+ (args.domain_base),
+ ("_acme-challenge.%s" % args.domain.path),
+ ("TXT"),
+ ("'\${CERTBOT_VALIDATION}'"),
+ ]
+ command_hook = " ".join(command_hook_parts)
+
+ command_certbot_parts = [
+ ("certbot"),
+ ("--email='%s'" % conf["acme_account"]["email"]),
+ ("--work-dir='%s'" % conf["misc"]["working_directory"]),
+ ("--preferred-challenges='dns'"),
+ ("--non-interactive"),
+ ("--key-path='%s'" % _os.path.join(args.target_directory, "private", "%s.pem" % domain)),
+ ("--cert-path='%s'" % _os.path.join(args.target_directory, "certs", "%s.pem" % domain)),
+ ("--chain-path='%s'" % _os.path.join(args.target_directory, "chains", "%s.pem" % domain)),
+ ("--fullchain-path='%s'" % _os.path.join(args.target_directory, "fullchains", "%s.pem" % domain)),
+ ("--domain='%s'" % domain),
+ ("--manual-auth-hook='%s'" % command_hook),
+ ("renew"),
+ ]
+ command_certbot = " ".join(command_certbot_parts)
+
+ _os.system(command_certbot)
+
+
+main()
diff --git a/roles/tlscert_acme_inwx/templates/tls-renew-conf.json.j2 b/roles/tlscert_acme_inwx/templates/tls-renew-conf.json.j2
new file mode 100644
index 0000000..4ffa03e
--- /dev/null
+++ b/roles/tlscert_acme_inwx/templates/tls-renew-conf.json.j2
@@ -0,0 +1,12 @@
+{
+ "acme_account": {
+ "email": "{{var_tlscert_acme_inwx_acme_account_email}}"
+ },
+ "inwx_account: {
+ "username": "{{var_tlscert_acme_inwx_inwx_account_username}}",
+ "password": "{{var_tlscert_acme_inwx_inwx_account_password}}"
+ },
+ "misc": {
+ "working_directory": "/tmp/acme"
+ }
+}
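Review bot: `args.domain.path` on the `domain =` line and in the `"_acme-challenge.%s"` hook part raises AttributeError at runtime — the argparse dest is `domain_path`, so both must read `args.domain_path`, and the hook part should use the configured prefix, `("%s.%s" % (args.challenge_prefix, args.domain_path))`, so the `-x` option actually takes effect. The certbot invocation and the auth hook are assembled as shell strings with hand-written `'%s'` quoting and run through `_os.system`, so a config value or a domain argument containing a quote or whitespace breaks or re-shapes the command; build the certbot call as a list and run it with `subprocess.run(command_certbot_parts, check=True)`, and pass each hook argument through `shlex.quote` (leaving only the `${CERTBOT_VALIDATION}` reference unquoted so the hook's shell can expand it). `check=True` also fixes the ignored return value of `_os.system`, which currently lets a failed renewal exit with status 0. The INWX username and password are placed on the hook's command line, where they are visible in process listings while the hook runs; if the inwx tool can read them from a file or environment variable, prefer that path.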
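Review bot: The key on the fifth line is written `"inwx_account: {` with no closing quote, so the rendered file is not valid JSON and `json.loads` in tls-renew fails before anything runs; it should read `"inwx_account": {`. Since the rendered file holds the INWX password, the task that deploys this template (not in this diff) should set a restrictive `mode` (`0600`) and a trusted owner; the `100644` here is only the mode of the template source in the repository. `working_directory` points at `/tmp/acme`, whose parent is world-writable, so another local account could pre-create that directory; a root-owned location such as a path under `/var/lib` would be a safer default for certbot's work dir.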