def wizard_challenges(global_config):
create_s3_challenge_bucket = False
s3_challenge_bucket = None
terminal.print_header("Lets-Encrypt Challenge Validation Settings")
terminal.write_str("""\
This tool will handle validation of your domains automatically. There are two possible validation methods: HTTP
and DNS.""")
print()
terminal.write_str("""\
HTTP validation is only available for CloudFront sites. It requires an S3 bucket to store the challenge
responses in. This bucket needs to be publicly accessible. Your CloudFront Distribution(s) will be reconfigured
to use this bucket as an origin for challenge responses.""")
terminal.write_str(
"If you do not configure a bucket for this you will only be able to use DNS validation."
)
print()
terminal.write_str("""\
DNS validation requires your domain to be managed with Route53. This validation method is always available and
requires no additional configuration.""")
terminal.write_str(
terminal.Colors.WARNING +
"Note: DNS validation is currently only supported by the staging server."
+ terminal.Colors.ENDC)
print()
terminal.write_str(
"Each domain you want to manage can be configured to validate using either of these methods."
)
print()
use_http_challenges = terminal.get_yn(
"Do you want to configure HTTP validation", True)
if use_http_challenges:
create_s3_challenge_bucket = terminal.get_yn(
"Do you want to create a bucket for these challenges(Choose No to select an existing bucket)",
True)
if create_s3_challenge_bucket:
s3_challenge_bucket = "lambda-letsencrypt-challenges-{}".format(
global_config['namespace'])
else:
s3_challenge_bucket = choose_s3_bucket()
else:
# only dns challenge support is available
pass
global_config['use_http_challenges'] = use_http_challenges
global_config['create_s3_challenge_bucket'] = create_s3_challenge_bucket
global_config['s3_challenge_bucket'] = s3_challenge_bucket
def wizard_iam(global_config):
terminal.print_header("IAM Configuration")
terminal.write_str("""\
An IAM role must be created for this lambda function giving it access to CloudFront, Route53, S3,
SNS(notifications), IAM(certificates), and CloudWatch(logs/alarms).""")
print()
terminal.write_str(
"If you do not let the wizard create this role you will be asked to select an existing role to use."
)
create_iam_role = terminal.get_yn(
"Do you want to automatically create this role", True)
if not create_iam_role:
role_list = iam.list_roles()
options = []
for i, role in enumerate(role_list):
options.append({'selector': i, 'prompt': role, 'return': role})
iam_role_name = terminal.get_selection("Select the IAM Role:",
options,
prompt_after="Which IAM Role?",
allow_empty=False)
else:
iam_role_name = "lambda-letsencrypt-{}".format(
global_config['namespace'])
global_config['create_iam_role'] = create_iam_role
global_config['iam_role_name'] = iam_role_name
def wizard_s3_cfg_bucket(global_config):
terminal.print_header("S3 Configuration Bucket")
terminal.write_str("""\
An S3 Bucket is required to store configuration. If you already have a bucket you want to use for this choose no
and select it from the list. Otherwise let the wizard create one for you."""
)
create_s3_cfg_bucket = terminal.get_yn("Create a bucket for configuration",
True)
if create_s3_cfg_bucket:
s3_cfg_bucket = "lambda-letsencrypt-config-{}".format(
global_config['namespace'])
else:
s3_cfg_bucket = choose_s3_bucket()
global_config['create_s3_cfg_bucket'] = create_s3_cfg_bucket
global_config['s3_cfg_bucket'] = s3_cfg_bucket
def wizard_trigger(global_config):
terminal.print_header("Lets-Encrypt certificate check trigger")
terminal.write_str("""\
To set up certificate and later update it, it is necessary to invoke
generated AWS Lambda function regularly. Lambda function will make sure
certificate is issued (might take 2-3 invocations), will check its expiry,
will update it before it expires.""")
print()
terminal.write_str("""\
Trigger is created as a AWS CloudWatch Event rule with target
pointing to Lambda function.""")
print()
terminal.write_str("""\
If you skip set up of this trigger, you will need to either invoke
function yourself or set up trigger which does it.""")
print()
create_cloudwatch_rule = terminal.get_yn("Set up AWS Lambda trigger?",
default=True)
global_config['create_cloudwatch_rule'] = create_cloudwatch_rule
def wizard():
terminal.print_header("Lambda Lets-Encrypt Wizard")
terminal.write_str("""\
This wizard will guide you through the process of setting up your existing
CloudFront Distributions to use SSL certificates provided by Lets-Encrypt
and automatically issued/maintained by an AWS Lambda function.
These certificates are free of charge, and valid for 90 days. This wizard
will also set up a Lambda function that is responsible for issuing and
renewing these certificates automatically as they near their expiration
date.
The cost of the AWS services used to make this work are typically less
than a penny per month. For full pricing details please refer to the
docs.
""")
print()
print(terminal.Colors.WARNING + "WARNING: ")
terminal.write_str("""\
Manual configuration is required at this time to configure the Lambda
function to run on a daily basis to keep your certificate updated. If
you do not follow the steps provided at the end of this wizard your
Lambda function will *NOT* run.
""")
print(terminal.Colors.ENDC)
global_config = {}
wizard_namespace(global_config)
wizard_region(global_config)
wizard_sns(global_config)
wizard_iam(global_config)
wizard_s3_cfg_bucket(global_config)
wizard_challenges(global_config)
wizard_cf(global_config)
wizard_elb(global_config)
wizard_trigger(global_config)
cfg_menu = [{
'selector': 0,
'prompt': 'Namespace',
'return': wizard_namespace
}, {
'selector': 1,
'prompt': 'AWS Region',
'return': wizard_region
}, {
'selector': 2,
'prompt': 'SNS',
'return': wizard_sns
}, {
'selector': 3,
'prompt': 'IAM',
'return': wizard_iam
}, {
'selector': 4,
'prompt': 'S3 Config',
'return': wizard_s3_cfg_bucket
}, {
'selector': 5,
'prompt': 'Challenges',
'return': wizard_challenges
}, {
'selector': 6,
'prompt': 'CloudFront',
'return': wizard_cf
}, {
'selector': 7,
'prompt': 'Elastic Load Balancers',
'return': wizard_cf
}, {
'selector': 8,
'prompt': 'Lambda function trigger',
'return': wizard_trigger
}, {
'selector': 9,
'prompt': 'Done',
'return': None
}]
finished = False
while not finished:
wizard_summary(global_config)
finished = terminal.get_yn("Are these settings correct", True)
if not finished:
selection = terminal.get_selection(
"Which section do you want to change",
cfg_menu,
prompt_after="Which section to modify?",
allow_empty=False)
if selection:
selection(global_config)
wizard_save_config(global_config)
def wizard_cf(global_config):
terminal.print_header("CloudFront Configuration")
global_config['cf_sites'] = []
global_config['cf_domains'] = []
# Get the list of all Cloudfront Distributions
cf_dist_list = cloudfront.list_distributions()
cf_dist_opts = []
for i, d in enumerate(cf_dist_list):
cf_dist_opts.append({
'selector':
i,
'prompt':
"{} - {} ({}) ".format(d['Id'], d['Comment'],
", ".join(d['Aliases'])),
'return':
d
})
terminal.write_str("""\
Now we'll detect your existing CloudFront Distributions and allow you
to configure them to use SSL. Domain names will be automatically
detected from the 'Aliases/CNAMEs' configuration section of each
Distribution.""")
print()
terminal.write_str("""\
You will configure each Distribution fully before being presented with
the list of Distributions again. You can configure as many Distributions
as you like.""")
while True:
print()
dist = terminal.get_selection(
"Select a CloudFront Distribution to configure with Lets-Encrypt(leave blank to finish)",
cf_dist_opts,
prompt_after="Which CloudFront Distribution?",
allow_empty=True)
if dist is None:
break
cnames = dist['Aliases']
terminal.write_str(
"The following domain names exist for the selected CloudFront Distribution:"
)
terminal.write_str(" " + ", ".join(cnames))
terminal.write_str("""\
Each domain in this list will be validated with Lets-Encrypt and added to the certificate assigned to this
Distribution.""")
print()
for dns_name in cnames:
domain = {'DOMAIN': dns_name, 'VALIDATION_METHODS': []}
print("Choose validation methods for the domain '{}'".format(
dns_name))
route53_id = route53.get_zone_id(dns_name)
if route53_id:
terminal.write_str(terminal.Colors.OKGREEN +
"Route53 zone detected!" +
terminal.Colors.ENDC)
validate_via_dns = terminal.get_yn("Validate using DNS",
default=False)
if validate_via_dns:
domain['ROUTE53_ZONE_ID'] = route53_id
domain['VALIDATION_METHODS'].append('dns-01')
else:
terminal.write_str(
terminal.Colors.WARNING +
"No Route53 zone detected, DNS validation not possible." +
terminal.Colors.ENDC)
validate_via_http = terminal.get_yn("Validate using HTTP",
default=True)
if validate_via_http:
domain['CLOUDFRONT_ID'] = dist['Id']
domain['VALIDATION_METHODS'].append('http-01')
global_config['cf_domains'].append(domain)
site = {'CLOUDFRONT_ID': dist['Id'], 'DOMAINS': cnames}
global_config['cf_sites'].append(site)