def create_marathon_acme(storage_dir, acme_directory, acme_email,
marathon_addrs, mlb_addrs, group, reactor):
"""
Create a marathon-acme instance.
:param storage_dir:
Path to the storage directory for certificates and the client key.
:param acme_directory: Address for the ACME directory to use.
:param acme_email:
Email address to use when registering with the ACME service.
:param marathon_addr:
Address for the Marathon instance to find app domains that require
certificates.
:param mlb_addrs:
List of addresses for marathon-lb instances to reload when a new
certificate is issued.
:param group:
The marathon-lb group (``HAPROXY_GROUP``) to consider when finding
app domains.
:param reactor: The reactor to use.
"""
storage_path, certs_path = init_storage_dir(storage_dir)
acme_url = URL.fromText(_to_unicode(acme_directory))
key = maybe_key(storage_path)
return MarathonAcme(MarathonClient(marathon_addrs, reactor=reactor), group,
DirectoryStore(certs_path),
MarathonLbClient(mlb_addrs, reactor=reactor),
create_txacme_client_creator(reactor, acme_url, key),
reactor, acme_email)
def __init__(
self,
acme_key=None,
staging=True,
pem_path=pem_path,
clock=reactor,
responder=None,
):
if responder is None:
responder = HTTP01ResponderWithProxy()
# Keep an easy reference to this responder
self._responder = responder
if acme_key is None:
_ensure_dirs(pem_path)
acme_key = load_or_create_client_key(pem_path)
if staging:
acme_url = txacme.urls.LETSENCRYPT_STAGING_DIRECTORY
else:
acme_url = txacme.urls.LETSENCRYPT_DIRECTORY
# Keep track of factories used with this AcmeService
self._factories = set()
super(AcmeService, self).__init__(
clock=clock,
client_creator=partial(
Client.from_url, reactor=clock, url=acme_url, key=acme_key
),
cert_store=DirectoryStore(pem_path),
responders=[responder],
)
def action(secret):
password = secret
if driver_name == 'gandi':
responders = [
GandiV5Responder(api_key=password, zone_name=zone_name)
]
elif driver_name == 'cloudflare':
responders = [
CloudflareV4Responder(email=user_name,
api_key=password,
zone_name=zone_name)
]
else:
responders = [
LibcloudDNSResponder.create(reactor, driver_name, user_name,
password, zone_name)
]
acme_key = maybe_key(acme_path)
cert_store = DirectoryStore(acme_path)
if staging:
le_url = LETSENCRYPT_STAGING_DIRECTORY
else:
le_url = LETSENCRYPT_DIRECTORY
client_creator = partial(Client.from_url,
reactor=reactor,
url=le_url,
key=acme_key,
alg=RS256)
clock = reactor
service = AcmeIssuingService(cert_store, client_creator, clock,
responders)
service.startService()
forever = Deferred()
return forever
def getCertStore(self):
"""
Return the certificate store for these tests.
"""
# FIXME
# rever to trial mktemp.
tmpdir = tempfile.mkdtemp()
subdir = os.path.join(tmpdir, self._testMethodName)
os.mkdir(subdir)
self.addCleanup(shutil.rmtree, tmpdir)
return DirectoryStore(FilePath(tmpdir))
def action(secret):
password = secret
responders = [
LibcloudDNSResponder.create(reactor, driver_name, user_name,
password, zone_name)
]
acme_key = maybe_key(acme_path)
cert_store = DirectoryStore(acme_path)
client_creator = partial(Client.from_url,
reactor=reactor,
url=LETSENCRYPT_DIRECTORY,
key=acme_key,
alg=RS256)
clock = reactor
service = AcmeIssuingService(cert_store, client_creator, clock,
responders)
service.startService()
forever = Deferred()
return forever
def _parse(reactor, directory, pemdir, *args, **kwargs):
"""
Parse a txacme endpoint description.
:param reactor: The Twisted reactor.
:param directory: ``twisted.python.url.URL`` for the ACME directory to use
for issuing certs.
:param str pemdir: The path to the certificate directory to use.
"""
def colon_join(items):
return ':'.join([item.replace(':', '\\:') for item in items])
sub = colon_join(list(args) + ['='.join(item) for item in kwargs.items()])
pem_path = FilePath(pemdir).asTextMode()
acme_key = load_or_create_client_key(pem_path)
return AutoTLSEndpoint(
reactor=reactor,
directory=directory,
client_creator=partial(Client.from_url, key=acme_key, alg=RS256),
cert_store=DirectoryStore(pem_path),
cert_mapping=HostDirectoryMap(pem_path),
sub_endpoint=serverFromString(reactor, sub))
def test_filepath_mode(self):
"""
The given ``FilePath`` is always converted to text mode.
"""
store = DirectoryStore(FilePath(b'bytesbytesbytes'))
self.assertIsInstance(store.path.path, unicode)
def setUp(self):
super(DirectoryStoreTests, self).setUp()
temp_dir = self.useFixture(TempDir())
self.cert_store = DirectoryStore(FilePath(temp_dir.path))
def makeService(config):
ini = ConfigParser.RawConfigParser()
ini.read(config['config'])
configPath = FilePath(config['config']).parent()
rproxyConf = dict(ini.items("rproxy"))
hostsConf = dict(ini.items("hosts"))
hosts = {}
for k, v in hostsConf.items():
k = k.lower()
hostname, part = k.rsplit("_", 1)
if hostname not in hosts:
hosts[hostname] = {}
hosts[hostname][part] = v
if not hosts:
raise ValueError("No hosts configured.")
for i in hosts:
if "port" not in hosts[i]:
raise ValueError("All hosts need a port.")
if "host" not in hosts[i]:
print("%s does not have a host, making localhost" % (i, ))
hosts[i]["host"] = "localhost"
if "wwwtoo" not in hosts[i]:
print("%s does not have an wwwtoo setting, making True" % (i, ))
hosts[i]["wwwtoo"] = "True"
if "proxysecure" not in hosts[i]:
print("%s does not have an proxysecure setting, making False" %
(i, ))
hosts[i]["proxysecure"] = False
hosts[i]["wwwtoo"] = True if hosts[i]["wwwtoo"] == "True" else False
hosts[i]["proxysecure"] = True if hosts[i][
"proxysecure"] == "True" else False
hosts[i]["sendhsts"] = True if hosts[i].get(
"sendhsts") == "True" else False
from twisted.internet import reactor
pool = HTTPConnectionPool(reactor)
resource = EncodingResourceWrapper(
RProxyResource(hosts, rproxyConf.get("clacks"), pool, reactor, {},
False), [server.GzipEncoderFactory()])
responder = HTTP01Responder()
site = server.Site(EnsureHTTPS(resource, responder.resource), )
multiService = service.MultiService()
certificates = rproxyConf.get("certificates", None)
if certificates:
try:
configPath.child(certificates).makedirs()
except:
pass
certificates = configPath.child(certificates).path
for i in rproxyConf.get("https_ports").split(","):
print("Starting HTTPS on port " + i)
multiService.addService(
strports.service('txsni:' + certificates + ':tcp:' + i, site))
for host in hosts.keys():
with open(FilePath(certificates).child(host + ".pem").path, 'w'):
# Open it so that txacme can find it
pass
if hosts[host]["wwwtoo"]:
with open(
FilePath(certificates).child("www." + host +
".pem").path, 'w'):
# Open it so that txacme can find it
pass
for i in rproxyConf.get("http_ports", "").split(","):
print("Starting HTTP on port " + i)
multiService.addService(strports.service('tcp:' + i, site))
issuingService = AcmeIssuingService(
cert_store=DirectoryStore(FilePath(certificates)),
client_creator=(lambda: Client.from_url(
reactor=reactor,
url=LETSENCRYPT_DIRECTORY,
key=load_or_create_client_key(FilePath(certificates)),
alg=RS256,
)),
clock=reactor,
responders=[responder],
)
issuingService.setServiceParent(multiService)
return multiService