def wizard_challenges(global_config): create_s3_challenge_bucket = False s3_challenge_bucket = None terminal.print_header("Lets-Encrypt Challenge Validation Settings") terminal.write_str("""\ This tool will handle validation of your domains automatically. There are two possible validation methods: HTTP and DNS.""") print() terminal.write_str("""\ HTTP validation is only available for CloudFront sites. It requires an S3 bucket to store the challenge responses in. This bucket needs to be publicly accessible. Your CloudFront Distribution(s) will be reconfigured to use this bucket as an origin for challenge responses.""") terminal.write_str( "If you do not configure a bucket for this you will only be able to use DNS validation." ) print() terminal.write_str("""\ DNS validation requires your domain to be managed with Route53. This validation method is always available and requires no additional configuration.""") terminal.write_str( terminal.Colors.WARNING + "Note: DNS validation is currently only supported by the staging server." + terminal.Colors.ENDC) print() terminal.write_str( "Each domain you want to manage can be configured to validate using either of these methods." ) print() use_http_challenges = terminal.get_yn( "Do you want to configure HTTP validation", True) if use_http_challenges: create_s3_challenge_bucket = terminal.get_yn( "Do you want to create a bucket for these challenges(Choose No to select an existing bucket)", True) if create_s3_challenge_bucket: s3_challenge_bucket = "lambda-letsencrypt-challenges-{}".format( global_config['namespace']) else: s3_challenge_bucket = choose_s3_bucket() else: # only dns challenge support is available pass global_config['use_http_challenges'] = use_http_challenges global_config['create_s3_challenge_bucket'] = create_s3_challenge_bucket global_config['s3_challenge_bucket'] = s3_challenge_bucket
def wizard_iam(global_config): terminal.print_header("IAM Configuration") terminal.write_str("""\ An IAM role must be created for this lambda function giving it access to CloudFront, Route53, S3, SNS(notifications), IAM(certificates), and CloudWatch(logs/alarms).""") print() terminal.write_str( "If you do not let the wizard create this role you will be asked to select an existing role to use." ) create_iam_role = terminal.get_yn( "Do you want to automatically create this role", True) if not create_iam_role: role_list = iam.list_roles() options = [] for i, role in enumerate(role_list): options.append({'selector': i, 'prompt': role, 'return': role}) iam_role_name = terminal.get_selection("Select the IAM Role:", options, prompt_after="Which IAM Role?", allow_empty=False) else: iam_role_name = "lambda-letsencrypt-{}".format( global_config['namespace']) global_config['create_iam_role'] = create_iam_role global_config['iam_role_name'] = iam_role_name
def wizard_s3_cfg_bucket(global_config): terminal.print_header("S3 Configuration Bucket") terminal.write_str("""\ An S3 Bucket is required to store configuration. If you already have a bucket you want to use for this choose no and select it from the list. Otherwise let the wizard create one for you.""" ) create_s3_cfg_bucket = terminal.get_yn("Create a bucket for configuration", True) if create_s3_cfg_bucket: s3_cfg_bucket = "lambda-letsencrypt-config-{}".format( global_config['namespace']) else: s3_cfg_bucket = choose_s3_bucket() global_config['create_s3_cfg_bucket'] = create_s3_cfg_bucket global_config['s3_cfg_bucket'] = s3_cfg_bucket
def wizard_trigger(global_config): terminal.print_header("Lets-Encrypt certificate check trigger") terminal.write_str("""\ To set up certificate and later update it, it is necessary to invoke generated AWS Lambda function regularly. Lambda function will make sure certificate is issued (might take 2-3 invocations), will check its expiry, will update it before it expires.""") print() terminal.write_str("""\ Trigger is created as a AWS CloudWatch Event rule with target pointing to Lambda function.""") print() terminal.write_str("""\ If you skip set up of this trigger, you will need to either invoke function yourself or set up trigger which does it.""") print() create_cloudwatch_rule = terminal.get_yn("Set up AWS Lambda trigger?", default=True) global_config['create_cloudwatch_rule'] = create_cloudwatch_rule
def wizard(): terminal.print_header("Lambda Lets-Encrypt Wizard") terminal.write_str("""\ This wizard will guide you through the process of setting up your existing CloudFront Distributions to use SSL certificates provided by Lets-Encrypt and automatically issued/maintained by an AWS Lambda function. These certificates are free of charge, and valid for 90 days. This wizard will also set up a Lambda function that is responsible for issuing and renewing these certificates automatically as they near their expiration date. The cost of the AWS services used to make this work are typically less than a penny per month. For full pricing details please refer to the docs. """) print() print(terminal.Colors.WARNING + "WARNING: ") terminal.write_str("""\ Manual configuration is required at this time to configure the Lambda function to run on a daily basis to keep your certificate updated. If you do not follow the steps provided at the end of this wizard your Lambda function will *NOT* run. """) print(terminal.Colors.ENDC) global_config = {} wizard_namespace(global_config) wizard_region(global_config) wizard_sns(global_config) wizard_iam(global_config) wizard_s3_cfg_bucket(global_config) wizard_challenges(global_config) wizard_cf(global_config) wizard_elb(global_config) wizard_trigger(global_config) cfg_menu = [{ 'selector': 0, 'prompt': 'Namespace', 'return': wizard_namespace }, { 'selector': 1, 'prompt': 'AWS Region', 'return': wizard_region }, { 'selector': 2, 'prompt': 'SNS', 'return': wizard_sns }, { 'selector': 3, 'prompt': 'IAM', 'return': wizard_iam }, { 'selector': 4, 'prompt': 'S3 Config', 'return': wizard_s3_cfg_bucket }, { 'selector': 5, 'prompt': 'Challenges', 'return': wizard_challenges }, { 'selector': 6, 'prompt': 'CloudFront', 'return': wizard_cf }, { 'selector': 7, 'prompt': 'Elastic Load Balancers', 'return': wizard_cf }, { 'selector': 8, 'prompt': 'Lambda function trigger', 'return': wizard_trigger }, { 'selector': 9, 'prompt': 'Done', 'return': None }] finished = False while not finished: wizard_summary(global_config) finished = terminal.get_yn("Are these settings correct", True) if not finished: selection = terminal.get_selection( "Which section do you want to change", cfg_menu, prompt_after="Which section to modify?", allow_empty=False) if selection: selection(global_config) wizard_save_config(global_config)
def wizard_cf(global_config): terminal.print_header("CloudFront Configuration") global_config['cf_sites'] = [] global_config['cf_domains'] = [] # Get the list of all Cloudfront Distributions cf_dist_list = cloudfront.list_distributions() cf_dist_opts = [] for i, d in enumerate(cf_dist_list): cf_dist_opts.append({ 'selector': i, 'prompt': "{} - {} ({}) ".format(d['Id'], d['Comment'], ", ".join(d['Aliases'])), 'return': d }) terminal.write_str("""\ Now we'll detect your existing CloudFront Distributions and allow you to configure them to use SSL. Domain names will be automatically detected from the 'Aliases/CNAMEs' configuration section of each Distribution.""") print() terminal.write_str("""\ You will configure each Distribution fully before being presented with the list of Distributions again. You can configure as many Distributions as you like.""") while True: print() dist = terminal.get_selection( "Select a CloudFront Distribution to configure with Lets-Encrypt(leave blank to finish)", cf_dist_opts, prompt_after="Which CloudFront Distribution?", allow_empty=True) if dist is None: break cnames = dist['Aliases'] terminal.write_str( "The following domain names exist for the selected CloudFront Distribution:" ) terminal.write_str(" " + ", ".join(cnames)) terminal.write_str("""\ Each domain in this list will be validated with Lets-Encrypt and added to the certificate assigned to this Distribution.""") print() for dns_name in cnames: domain = {'DOMAIN': dns_name, 'VALIDATION_METHODS': []} print("Choose validation methods for the domain '{}'".format( dns_name)) route53_id = route53.get_zone_id(dns_name) if route53_id: terminal.write_str(terminal.Colors.OKGREEN + "Route53 zone detected!" + terminal.Colors.ENDC) validate_via_dns = terminal.get_yn("Validate using DNS", default=False) if validate_via_dns: domain['ROUTE53_ZONE_ID'] = route53_id domain['VALIDATION_METHODS'].append('dns-01') else: terminal.write_str( terminal.Colors.WARNING + "No Route53 zone detected, DNS validation not possible." + terminal.Colors.ENDC) validate_via_http = terminal.get_yn("Validate using HTTP", default=True) if validate_via_http: domain['CLOUDFRONT_ID'] = dist['Id'] domain['VALIDATION_METHODS'].append('http-01') global_config['cf_domains'].append(domain) site = {'CLOUDFRONT_ID': dist['Id'], 'DOMAINS': cnames} global_config['cf_sites'].append(site)