Exemple #1
def run(config, plugins):  # pylint: disable=too-many-branches,too-many-locals
    """Obtain a certificate, deploy it and report the outcome to the user.

    Returns the ``PluginSelectionError`` message when plugin selection
    fails; otherwise falls off the end and returns None.
    """
    # TODO: Make run as close to auth + install as possible
    # Possible difficulties: config.csr was hacked into auth
    try:
        installer, authenticator = plug_sel.choose_configurator_plugins(
            config, plugins, "run")
    except errors.PluginSelectionError as selection_error:
        return selection_error.message

    domains = _find_domains(config, installer)

    # TODO: Handle errors from _init_le_client?
    le_client = _init_le_client(config, authenticator, installer)
    lineage, action = _auth_from_domains(le_client, config, domains)

    # Pass the lineage's privkey/cert/chain/fullchain to the client for
    # deployment, then let it apply enhancements based on config.
    le_client.deploy_certificate(
        domains,
        lineage.privkey,
        lineage.cert,
        lineage.chain,
        lineage.fullchain)
    le_client.enhance_config(domains, config)

    # Exactly one available "cert" version is reported as an installation;
    # any other count is reported as a renewal.
    cert_version_count = len(lineage.available_versions("cert"))
    if cert_version_count != 1:
        display_ops.success_renewal(domains, action)
    else:
        display_ops.success_installation(domains)

    _suggest_donation_if_appropriate(config, action)
Exemple #2
def run(config, plugins):  # pylint: disable=too-many-branches,too-many-locals
    """Run the whole flow: select plugins, obtain a certificate, deploy it.

    A failed plugin selection ends the call early with the error's message
    as the return value; the success path returns None.
    """
    # TODO: Make run as close to auth + install as possible
    # Possible difficulties: config.csr was hacked into auth
    try:
        installer, authenticator = plug_sel.choose_configurator_plugins(
            config, plugins, "run")
    except errors.PluginSelectionError as err:
        return err.message

    domains = _find_domains(config, installer)

    # TODO: Handle errors from _init_le_client?
    le_client = _init_le_client(config, authenticator, installer)

    lineage, action = _auth_from_domains(le_client, config, domains)

    # Collect the deployment arguments first; attribute access order matches
    # the order in which they are passed.
    deploy_args = (domains, lineage.privkey, lineage.cert,
                   lineage.chain, lineage.fullchain)
    le_client.deploy_certificate(*deploy_args)

    le_client.enhance_config(domains, config)

    # One available "cert" version -> installation message, else renewal.
    is_single_version = len(lineage.available_versions("cert")) == 1
    if is_single_version:
        display_ops.success_installation(domains)
    else:
        display_ops.success_renewal(domains, action)

    _suggest_donation_if_appropriate(config, action)
Exemple #3
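def run(args, config, plugins):  # pylint: disable=too-many-branches,too-many-locals
    """Obtain a certificate and install.

    Returns an error string when ``--configurator`` is combined with
    ``--authenticator``/``--installer``, or when no installer or
    authenticator could be picked. On the success path the certificate is
    deployed, ``args.redirect`` is passed to ``enhance_config`` and the
    function returns None.
    """
    # Begin authenticator and installer setup
    if args.configurator is not None and (args.installer is not None or
                                          args.authenticator is not None):
        # Adjacent string literals are joined with no separator, so the
        # trailing space is required to keep "--installer pair" as two words.
        return ("Either --configurator or --authenticator/--installer "
                "pair, but not both, is allowed")

    if args.authenticator is not None or args.installer is not None:
        installer = display_ops.pick_installer(
            config, args.installer, plugins)
        authenticator = display_ops.pick_authenticator(
            config, args.authenticator, plugins)
    else:
        # TODO: this assumes that user doesn't want to pick authenticator
        #       and installer separately...
        authenticator = installer = display_ops.pick_configurator(
            config, args.configurator, plugins)

    # Stop before any certificate work if either plugin is missing.
    if installer is None or authenticator is None:
        return "Configurator could not be determined"
    # End authenticator and installer setup

    domains = _find_domains(args, installer)

    # TODO: Handle errors from _init_le_client?
    le_client = _init_le_client(args, config, authenticator, installer)

    lineage = _auth_from_domains(le_client, config, domains, plugins)

    le_client.deploy_certificate(
        domains, lineage.privkey, lineage.cert,
        lineage.chain, lineage.fullchain)
    le_client.enhance_config(domains, args.redirect)

    # Exactly one available "cert" version is reported as an installation;
    # any other count is reported as a renewal.
    if len(lineage.available_versions("cert")) == 1:
        display_ops.success_installation(domains)
    else:
        display_ops.success_renewal(domains)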
Exemple #4
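def run(args, config, plugins):  # pylint: disable=too-many-branches,too-many-locals
    """Obtain a certificate and install.

    Returns an error string when ``--configurator`` is combined with
    ``--authenticator``/``--installer``, or when no installer or
    authenticator could be picked. On the success path the certificate is
    deployed (without the fullchain, see the TODO below) and the function
    returns None.
    """
    # Begin authenticator and installer setup
    if args.configurator is not None and (args.installer is not None or
                                          args.authenticator is not None):
        # Adjacent string literals are joined with no separator, so the
        # trailing space is required to keep "--installer pair" as two words.
        return ("Either --configurator or --authenticator/--installer "
                "pair, but not both, is allowed")

    if args.authenticator is not None or args.installer is not None:
        installer = display_ops.pick_installer(
            config, args.installer, plugins)
        authenticator = display_ops.pick_authenticator(
            config, args.authenticator, plugins)
    else:
        # TODO: this assumes that user doesn't want to pick authenticator
        #       and installer separately...
        authenticator = installer = display_ops.pick_configurator(
            config, args.configurator, plugins)

    # Stop before any certificate work if either plugin is missing.
    if installer is None or authenticator is None:
        return "Configurator could not be determined"
    # End authenticator and installer setup

    domains = _find_domains(args, installer)

    # TODO: Handle errors from _init_le_client?
    le_client = _init_le_client(args, config, authenticator, installer)

    lineage = _auth_from_domains(le_client, config, domains, plugins)

    # TODO: We also need to pass the fullchain (for Nginx)
    le_client.deploy_certificate(
        domains, lineage.privkey, lineage.cert, lineage.chain)
    le_client.enhance_config(domains, args.redirect)

    # Exactly one available "cert" version is reported as an installation;
    # any other count is reported as a renewal.
    if len(lineage.available_versions("cert")) == 1:
        display_ops.success_installation(domains)
    else:
        display_ops.success_renewal(domains)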
Exemple #5
    domains = _find_domains(args, installer)

    # TODO: Handle errors from _init_le_client?
    le_client = _init_le_client(args, config, authenticator, installer)

    lineage = _auth_from_domains(le_client, config, domains, plugins)

    le_client.deploy_certificate(domains, lineage.privkey, lineage.cert,
                                 lineage.chain, lineage.fullchain)
    le_client.enhance_config(domains, args.redirect)

    if len(lineage.available_versions("cert")) == 1:
        display_ops.success_installation(domains)
    else:
        display_ops.success_renewal(domains)


def auth(args, config, plugins):
    """Authenticate & obtain cert, but do not install it."""

    if args.domains is not None and args.csr is not None:
        # TODO: --csr could have a priority, when --domains is
        # supplied, check if CSR matches given domains?
        return "--domains and --csr are mutually exclusive"

    try:
        # installers are used in auth mode to determine domain names
        installer, authenticator = choose_configurator_plugins(
            args, config, plugins, "auth")
    except PluginSelectionError, e:
Exemple #6
    # TODO: Handle errors from _init_le_client?
    le_client = _init_le_client(args, config, authenticator, installer)

    lineage = _auth_from_domains(le_client, config, domains)

    le_client.deploy_certificate(
        domains, lineage.privkey, lineage.cert,
        lineage.chain, lineage.fullchain)

    le_client.enhance_config(domains, config)

    if len(lineage.available_versions("cert")) == 1:
        display_ops.success_installation(domains)
    else:
        display_ops.success_renewal(domains)


def obtain_cert(args, config, plugins):
    """Authenticate & obtain cert, but do not install it."""

    if args.domains is not None and args.csr is not None:
        # TODO: --csr could have a priority, when --domains is
        # supplied, check if CSR matches given domains?
        return "--domains and --csr are mutually exclusive"

    try:
        # installers are used in auth mode to determine domain names
        installer, authenticator = choose_configurator_plugins(args, config, plugins, "certonly")
    except errors.PluginSelectionError, e:
        return e.message
Exemple #7
 def _call(cls, names):
     """Invoke ``success_renewal`` from ``letsencrypt.display.ops`` with ``names``."""
     # The import happens at call time, not at module import.
     from letsencrypt.display import ops as display_ops
     display_ops.success_renewal(names)
Exemple #8
    def _call(cls, names):
        """Invoke ``success_renewal`` from ``letsencrypt.display.ops`` for ``names``.

        The action argument is fixed to ``"renew"``.
        """
        # The import happens at call time, not at module import.
        from letsencrypt.display import ops as display_ops

        display_ops.success_renewal(names, "renew")
Exemple #9
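def run(args, config, plugins):  # pylint: disable=too-many-branches,too-many-locals
    """Obtain a certificate and install.

    Return values are mixed: an error string when the plugin flags conflict,
    when no plugin could be picked, or when a new certificate could not be
    obtained; the integer 1 when the user declines to replace an existing
    certificate; None after a successful deployment.
    """
    if args.configurator is not None and (args.installer is not None or
                                          args.authenticator is not None):
        # Adjacent string literals are joined with no separator, so the
        # trailing space is required to keep "--installer pair" as two words.
        return ("Either --configurator or --authenticator/--installer "
                "pair, but not both, is allowed")

    if args.authenticator is not None or args.installer is not None:
        installer = display_ops.pick_installer(
            config, args.installer, plugins)
        authenticator = display_ops.pick_authenticator(
            config, args.authenticator, plugins)
    else:
        # TODO: this assumes that user doesn't want to pick authenticator
        #       and installer separately...
        authenticator = installer = display_ops.pick_configurator(
            config, args.configurator, plugins)

    # Stop before any certificate work if either plugin is missing.
    if installer is None or authenticator is None:
        return "Configurator could not be determined"

    domains = _find_domains(args, installer)

    treat_as_renewal = False

    # Considering the possibility that the requested certificate is
    # related to an existing certificate.  (config.duplicate, which
    # is set with --duplicate, skips all of this logic and forces any
    # kind of certificate to be obtained with treat_as_renewal = False.)
    if not config.duplicate:
        identical_names_cert, subset_names_cert = _find_duplicative_certs(
            domains, config, configuration.RenewerConfiguration(config))
        # I am not sure whether that correctly reads the systemwide
        # configuration file.
        question = None
        if identical_names_cert is not None:
            question = (
                "You have an existing certificate that contains exactly the "
                "same domains you requested (ref: {0})\n\nDo you want to "
                "renew and replace this certificate with a newly-issued one?"
            ).format(identical_names_cert.configfile.filename)
        elif subset_names_cert is not None:
            question = (
                "You have an existing certificate that contains a portion of "
                "the domains you requested (ref: {0})\n\nIt contains these "
                "names: {1}\n\nYou requested these names for the new "
                "certificate: {2}.\n\nDo you want to replace this existing "
                "certificate with the new certificate?"
            ).format(subset_names_cert.configfile.filename,
                     ", ".join(subset_names_cert.names()),
                     ", ".join(domains))
        if question is None:
            # We aren't in a duplicative-names situation at all, so we don't
            # have to tell or ask the user anything about this.
            pass
        elif zope.component.getUtility(interfaces.IDisplay).yesno(
                question, "Replace", "Cancel"):
            treat_as_renewal = True
        else:
            # The user declined: queue a hint that repeats the original
            # command line with --duplicate added, then stop.
            reporter_util = zope.component.getUtility(interfaces.IReporter)
            reporter_util.add_message(
                "To obtain a new certificate that {0} an existing certificate "
                "in its domain-name coverage, you must use the --duplicate "
                "option.\n\nFor example:\n\n{1} --duplicate {2}".format(
                    "duplicates" if identical_names_cert is not None else
                    "overlaps with", sys.argv[0], " ".join(sys.argv[1:])),
                reporter_util.HIGH_PRIORITY)
            return 1

    # Attempting to obtain the certificate
    # TODO: Handle errors from _init_le_client?
    le_client = _init_le_client(args, config, authenticator, installer)
    if treat_as_renewal:
        # treat_as_renewal is only set inside the "not config.duplicate"
        # branch, so both *_names_cert variables are bound here.
        lineage = identical_names_cert if identical_names_cert is not None else subset_names_cert
        # TODO: Use existing privkey instead of generating a new one
        new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
        # TODO: Check whether it worked!
        # NOTE(review): neither the obtain_certificate result nor the
        # save_successor return value is checked before the links are
        # updated and the certificate is deployed.
        lineage.save_successor(
            lineage.latest_common_version(), OpenSSL.crypto.dump_certificate(
                OpenSSL.crypto.FILETYPE_PEM, new_certr.body),
            new_key.pem, crypto_util.dump_pyopenssl_chain(new_chain))

        lineage.update_all_links_to(lineage.latest_common_version())
        # TODO: Check return value of save_successor
        # TODO: Also update lineage renewal config with any relevant
        #       configuration values from this attempt?
        # This branch deploys without calling enhance_config.
        le_client.deploy_certificate(
            domains, lineage.privkey, lineage.cert, lineage.chain)
        display_ops.success_renewal(domains)
    else:
        # TREAT AS NEW REQUEST
        lineage = le_client.obtain_and_enroll_certificate(
            domains, authenticator, installer, plugins)
        if not lineage:
            return "Certificate could not be obtained"
        # TODO: This treats the key as changed even when it wasn't
        # TODO: We also need to pass the fullchain (for Nginx)
        le_client.deploy_certificate(
            domains, lineage.privkey, lineage.cert, lineage.chain)
        le_client.enhance_config(domains, args.redirect)
        display_ops.success_installation(domains)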
Exemple #10
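def run(args, config, plugins):  # pylint: disable=too-many-branches,too-many-locals
    """Obtain a certificate and install.

    Return values are mixed: an error string when the plugin flags conflict,
    when no plugin could be picked, or when a new certificate could not be
    obtained; the integer 1 when the user declines to replace an existing
    certificate; None after a successful deployment.
    """
    if args.configurator is not None and (args.installer is not None
                                          or args.authenticator is not None):
        # Adjacent string literals are joined with no separator, so the
        # trailing space is required to keep "--installer pair" as two words.
        return ("Either --configurator or --authenticator/--installer "
                "pair, but not both, is allowed")

    if args.authenticator is not None or args.installer is not None:
        installer = display_ops.pick_installer(config, args.installer, plugins)
        authenticator = display_ops.pick_authenticator(config,
                                                       args.authenticator,
                                                       plugins)
    else:
        # TODO: this assumes that user doesn't want to pick authenticator
        #       and installer separately...
        authenticator = installer = display_ops.pick_configurator(
            config, args.configurator, plugins)

    # Stop before any certificate work if either plugin is missing.
    if installer is None or authenticator is None:
        return "Configurator could not be determined"

    domains = _find_domains(args, installer)

    treat_as_renewal = False

    # Considering the possibility that the requested certificate is
    # related to an existing certificate.  (config.duplicate, which
    # is set with --duplicate, skips all of this logic and forces any
    # kind of certificate to be obtained with treat_as_renewal = False.)
    if not config.duplicate:
        identical_names_cert, subset_names_cert = _find_duplicative_certs(
            domains, config, configuration.RenewerConfiguration(config))
        # I am not sure whether that correctly reads the systemwide
        # configuration file.
        question = None
        if identical_names_cert is not None:
            question = (
                "You have an existing certificate that contains exactly the "
                "same domains you requested (ref: {0})\n\nDo you want to "
                "renew and replace this certificate with a newly-issued one?"
            ).format(identical_names_cert.configfile.filename)
        elif subset_names_cert is not None:
            question = (
                "You have an existing certificate that contains a portion of "
                "the domains you requested (ref: {0})\n\nIt contains these "
                "names: {1}\n\nYou requested these names for the new "
                "certificate: {2}.\n\nDo you want to replace this existing "
                "certificate with the new certificate?").format(
                    subset_names_cert.configfile.filename,
                    ", ".join(subset_names_cert.names()), ", ".join(domains))
        if question is None:
            # We aren't in a duplicative-names situation at all, so we don't
            # have to tell or ask the user anything about this.
            pass
        elif zope.component.getUtility(interfaces.IDisplay).yesno(
                question, "Replace", "Cancel"):
            treat_as_renewal = True
        else:
            # The user declined: queue a hint that repeats the original
            # command line with --duplicate added, then stop.
            reporter_util = zope.component.getUtility(interfaces.IReporter)
            reporter_util.add_message(
                "To obtain a new certificate that {0} an existing certificate "
                "in its domain-name coverage, you must use the --duplicate "
                "option.\n\nFor example:\n\n{1} --duplicate {2}".format(
                    "duplicates" if identical_names_cert is not None else
                    "overlaps with", sys.argv[0], " ".join(sys.argv[1:])),
                reporter_util.HIGH_PRIORITY)
            return 1

    # Attempting to obtain the certificate
    # TODO: Handle errors from _init_le_client?
    le_client = _init_le_client(args, config, authenticator, installer)
    if treat_as_renewal:
        # treat_as_renewal is only set inside the "not config.duplicate"
        # branch, so both *_names_cert variables are bound here.
        lineage = identical_names_cert if identical_names_cert is not None else subset_names_cert
        # TODO: Use existing privkey instead of generating a new one
        new_certr, new_chain, new_key, _ = le_client.obtain_certificate(
            domains)
        # TODO: Check whether it worked!
        # NOTE(review): neither the obtain_certificate result nor the
        # save_successor return value is checked before the links are
        # updated and the certificate is deployed.
        lineage.save_successor(
            lineage.latest_common_version(),
            OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM,
                                            new_certr.body), new_key.pem,
            crypto_util.dump_pyopenssl_chain(new_chain))

        lineage.update_all_links_to(lineage.latest_common_version())
        # TODO: Check return value of save_successor
        # TODO: Also update lineage renewal config with any relevant
        #       configuration values from this attempt?
        # This branch deploys without calling enhance_config.
        le_client.deploy_certificate(domains, lineage.privkey, lineage.cert,
                                     lineage.chain)
        display_ops.success_renewal(domains)
    else:
        # TREAT AS NEW REQUEST
        lineage = le_client.obtain_and_enroll_certificate(
            domains, authenticator, installer, plugins)
        if not lineage:
            return "Certificate could not be obtained"
        # TODO: This treats the key as changed even when it wasn't
        # TODO: We also need to pass the fullchain (for Nginx)
        le_client.deploy_certificate(domains, lineage.privkey, lineage.cert,
                                     lineage.chain)
        le_client.enhance_config(domains, args.redirect)
        display_ops.success_installation(domains)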