def run(config, plugins): # pylint: disable=too-many-branches,too-many-locals """Obtain a certificate and install.""" # TODO: Make run as close to auth + install as possible # Possible difficulties: config.csr was hacked into auth try: installer, authenticator = plug_sel.choose_configurator_plugins( config, plugins, "run") except errors.PluginSelectionError as e: return e.message domains = _find_domains(config, installer) # TODO: Handle errors from _init_le_client? le_client = _init_le_client(config, authenticator, installer) lineage, action = _auth_from_domains(le_client, config, domains) le_client.deploy_certificate(domains, lineage.privkey, lineage.cert, lineage.chain, lineage.fullchain) le_client.enhance_config(domains, config) if len(lineage.available_versions("cert")) == 1: display_ops.success_installation(domains) else: display_ops.success_renewal(domains, action) _suggest_donation_if_appropriate(config, action)
def deploy_certificate(self, domains, privkey_path, cert_path, chain_path): """Install certificate :param list domains: list of domains to install the certificate :param str privkey_path: path to certificate private key :param str cert_path: certificate file path (optional) :param str chain_path: chain file path """ if self.installer is None: logger.warning("No installer specified, client is unable to deploy" "the certificate") raise errors.Error("No installer available") chain_path = None if chain_path is None else os.path.abspath( chain_path) for dom in domains: # TODO: Provide a fullchain reference for installers like # nginx that want it self.installer.deploy_cert(dom, os.path.abspath(cert_path), os.path.abspath(privkey_path), chain_path) self.installer.save("Deployed Let's Encrypt Certificate") # sites may have been enabled / final cleanup self.installer.restart() display_ops.success_installation(domains)
def deploy_certificate(self, domains, privkey_path, cert_path, chain_path): """Install certificate :param list domains: list of domains to install the certificate :param str privkey_path: path to certificate private key :param str cert_path: certificate file path (optional) :param str chain_path: chain file path """ if self.installer is None: logger.warning("No installer specified, client is unable to deploy" "the certificate") raise errors.Error("No installer available") chain_path = None if chain_path is None else os.path.abspath(chain_path) for dom in domains: # TODO: Provide a fullchain reference for installers like # nginx that want it self.installer.deploy_cert( dom, os.path.abspath(cert_path), os.path.abspath(privkey_path), chain_path) self.installer.save("Deployed Let's Encrypt Certificate") # sites may have been enabled / final cleanup self.installer.restart() display_ops.success_installation(domains)
def run(config, plugins): # pylint: disable=too-many-branches,too-many-locals """Obtain a certificate and install.""" # TODO: Make run as close to auth + install as possible # Possible difficulties: config.csr was hacked into auth try: installer, authenticator = plug_sel.choose_configurator_plugins(config, plugins, "run") except errors.PluginSelectionError as e: return e.message domains = _find_domains(config, installer) # TODO: Handle errors from _init_le_client? le_client = _init_le_client(config, authenticator, installer) lineage, action = _auth_from_domains(le_client, config, domains) le_client.deploy_certificate( domains, lineage.privkey, lineage.cert, lineage.chain, lineage.fullchain) le_client.enhance_config(domains, config) if len(lineage.available_versions("cert")) == 1: display_ops.success_installation(domains) else: display_ops.success_renewal(domains, action) _suggest_donation_if_appropriate(config, action)
def deploy_certificate(self, domains, privkey, cert_path, chain_path=None): """Install certificate :param list domains: list of domains to install the certificate :param privkey: private key for certificate :type privkey: :class:`letsencrypt.le_util.Key` :param str cert_path: certificate file path :param str chain_path: chain file path """ if self.installer is None: logging.warning("No installer specified, client is unable to deploy" "the certificate") raise errors.LetsEncryptClientError("No installer available") chain_path = None if chain_path is None else os.path.abspath(chain_path) for dom in domains: self.installer.deploy_cert( dom, os.path.abspath(cert_path), os.path.abspath(privkey.file), chain_path) self.installer.save("Deployed Let's Encrypt Certificate") # sites may have been enabled / final cleanup self.installer.restart() display_ops.success_installation(domains)
def deploy_certificate(self, domains, lineage): """Install certificate :param list domains: list of domains to install the certificate :param lineage: RenewableCert object representing the certificate :type lineage: :class:`letsencrypt.storage.RenewableCert` """ if self.installer is None: logging.warning("No installer specified, client is unable to deploy" "the certificate") raise errors.LetsEncryptClientError("No installer available") # TODO: Is it possible not to have a chain at all? (The # RenewableCert class currently doesn't support this case, but # perhaps the CA can issue according to ACME without providing # a chain, which would currently be a problem for instantiating # RenewableCert, and subsequently also for this method.) for dom in domains: # TODO: Provide a fullchain reference for installers like # nginx that want it self.installer.deploy_cert(dom, lineage.cert, lineage.privkey, lineage.chain) self.installer.save("Deployed Let's Encrypt Certificate") # sites may have been enabled / final cleanup self.installer.restart() display_ops.success_installation(domains)
def run(args, config, plugins): # pylint: disable=too-many-branches,too-many-locals """Obtain a certificate and install.""" # Begin authenticator and installer setup if args.configurator is not None and (args.installer is not None or args.authenticator is not None): return ("Either --configurator or --authenticator/--installer" "pair, but not both, is allowed") if args.authenticator is not None or args.installer is not None: installer = display_ops.pick_installer( config, args.installer, plugins) authenticator = display_ops.pick_authenticator( config, args.authenticator, plugins) else: # TODO: this assumes that user doesn't want to pick authenticator # and installer separately... authenticator = installer = display_ops.pick_configurator( config, args.configurator, plugins) if installer is None or authenticator is None: return "Configurator could not be determined" # End authenticator and installer setup domains = _find_domains(args, installer) # TODO: Handle errors from _init_le_client? le_client = _init_le_client(args, config, authenticator, installer) lineage = _auth_from_domains(le_client, config, domains, plugins) le_client.deploy_certificate( domains, lineage.privkey, lineage.cert, lineage.chain, lineage.fullchain) le_client.enhance_config(domains, args.redirect) if len(lineage.available_versions("cert")) == 1: display_ops.success_installation(domains) else: display_ops.success_renewal(domains)
def run(args, config, plugins): # pylint: disable=too-many-branches,too-many-locals """Obtain a certificate and install.""" # Begin authenticator and installer setup if args.configurator is not None and (args.installer is not None or args.authenticator is not None): return ("Either --configurator or --authenticator/--installer" "pair, but not both, is allowed") if args.authenticator is not None or args.installer is not None: installer = display_ops.pick_installer( config, args.installer, plugins) authenticator = display_ops.pick_authenticator( config, args.authenticator, plugins) else: # TODO: this assumes that user doesn't want to pick authenticator # and installer separately... authenticator = installer = display_ops.pick_configurator( config, args.configurator, plugins) if installer is None or authenticator is None: return "Configurator could not be determined" # End authenticator and installer setup domains = _find_domains(args, installer) # TODO: Handle errors from _init_le_client? le_client = _init_le_client(args, config, authenticator, installer) lineage = _auth_from_domains(le_client, config, domains, plugins) # TODO: We also need to pass the fullchain (for Nginx) le_client.deploy_certificate( domains, lineage.privkey, lineage.cert, lineage.chain) le_client.enhance_config(domains, args.redirect) if len(lineage.available_versions("cert")) == 1: display_ops.success_installation(domains) else: display_ops.success_renewal(domains)
except PluginSelectionError, e: return e.message domains = _find_domains(args, installer) # TODO: Handle errors from _init_le_client? le_client = _init_le_client(args, config, authenticator, installer) lineage = _auth_from_domains(le_client, config, domains, plugins) le_client.deploy_certificate(domains, lineage.privkey, lineage.cert, lineage.chain, lineage.fullchain) le_client.enhance_config(domains, args.redirect) if len(lineage.available_versions("cert")) == 1: display_ops.success_installation(domains) else: display_ops.success_renewal(domains) def auth(args, config, plugins): """Authenticate & obtain cert, but do not install it.""" if args.domains is not None and args.csr is not None: # TODO: --csr could have a priority, when --domains is # supplied, check if CSR matches given domains? return "--domains and --csr are mutually exclusive" try: # installers are used in auth mode to determine domain names installer, authenticator = choose_configurator_plugins(
domains = _find_domains(args, installer) # TODO: Handle errors from _init_le_client? le_client = _init_le_client(args, config, authenticator, installer) lineage = _auth_from_domains(le_client, config, domains) le_client.deploy_certificate( domains, lineage.privkey, lineage.cert, lineage.chain, lineage.fullchain) le_client.enhance_config(domains, config) if len(lineage.available_versions("cert")) == 1: display_ops.success_installation(domains) else: display_ops.success_renewal(domains) def obtain_cert(args, config, plugins): """Authenticate & obtain cert, but do not install it.""" if args.domains is not None and args.csr is not None: # TODO: --csr could have a priority, when --domains is # supplied, check if CSR matches given domains? return "--domains and --csr are mutually exclusive" try: # installers are used in auth mode to determine domain names installer, authenticator = choose_configurator_plugins(args, config, plugins, "certonly")
def _call(cls, names): from letsencrypt.display.ops import success_installation success_installation(names)
def run(args, config, plugins): # pylint: disable=too-many-branches,too-many-locals """Obtain a certificate and install.""" if args.configurator is not None and (args.installer is not None or args.authenticator is not None): return ("Either --configurator or --authenticator/--installer" "pair, but not both, is allowed") if args.authenticator is not None or args.installer is not None: installer = display_ops.pick_installer( config, args.installer, plugins) authenticator = display_ops.pick_authenticator( config, args.authenticator, plugins) else: # TODO: this assumes that user doesn't want to pick authenticator # and installer separately... authenticator = installer = display_ops.pick_configurator( config, args.configurator, plugins) if installer is None or authenticator is None: return "Configurator could not be determined" domains = _find_domains(args, installer) treat_as_renewal = False # Considering the possibility that the requested certificate is # related to an existing certificate. (config.duplicate, which # is set with --duplicate, skips all of this logic and forces any # kind of certificate to be obtained with treat_as_renewal = False.) if not config.duplicate: identical_names_cert, subset_names_cert = _find_duplicative_certs( domains, config, configuration.RenewerConfiguration(config)) # I am not sure whether that correctly reads the systemwide # configuration file. question = None if identical_names_cert is not None: question = ( "You have an existing certificate that contains exactly the " "same domains you requested (ref: {0})\n\nDo you want to " "renew and replace this certificate with a newly-issued one?" ).format(identical_names_cert.configfile.filename) elif subset_names_cert is not None: question = ( "You have an existing certificate that contains a portion of " "the domains you requested (ref: {0})\n\nIt contains these " "names: {1}\n\nYou requested these names for the new " "certificate: {2}.\n\nDo you want to replace this existing " "certificate with the new certificate?" ).format(subset_names_cert.configfile.filename, ", ".join(subset_names_cert.names()), ", ".join(domains)) if question is None: # We aren't in a duplicative-names situation at all, so we don't # have to tell or ask the user anything about this. pass elif zope.component.getUtility(interfaces.IDisplay).yesno( question, "Replace", "Cancel"): treat_as_renewal = True else: reporter_util = zope.component.getUtility(interfaces.IReporter) reporter_util.add_message( "To obtain a new certificate that {0} an existing certificate " "in its domain-name coverage, you must use the --duplicate " "option.\n\nFor example:\n\n{1} --duplicate {2}".format( "duplicates" if identical_names_cert is not None else "overlaps with", sys.argv[0], " ".join(sys.argv[1:])), reporter_util.HIGH_PRIORITY) return 1 # Attempting to obtain the certificate # TODO: Handle errors from _init_le_client? le_client = _init_le_client(args, config, authenticator, installer) if treat_as_renewal: lineage = identical_names_cert if identical_names_cert is not None else subset_names_cert # TODO: Use existing privkey instead of generating a new one new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains) # TODO: Check whether it worked! lineage.save_successor( lineage.latest_common_version(), OpenSSL.crypto.dump_certificate( OpenSSL.crypto.FILETYPE_PEM, new_certr.body), new_key.pem, crypto_util.dump_pyopenssl_chain(new_chain)) lineage.update_all_links_to(lineage.latest_common_version()) # TODO: Check return value of save_successor # TODO: Also update lineage renewal config with any relevant # configuration values from this attempt? le_client.deploy_certificate( domains, lineage.privkey, lineage.cert, lineage.chain) display_ops.success_renewal(domains) else: # TREAT AS NEW REQUEST lineage = le_client.obtain_and_enroll_certificate( domains, authenticator, installer, plugins) if not lineage: return "Certificate could not be obtained" # TODO: This treats the key as changed even when it wasn't # TODO: We also need to pass the fullchain (for Nginx) le_client.deploy_certificate( domains, lineage.privkey, lineage.cert, lineage.chain) le_client.enhance_config(domains, args.redirect) display_ops.success_installation(domains)
def run(args, config, plugins): # pylint: disable=too-many-branches,too-many-locals """Obtain a certificate and install.""" if args.configurator is not None and (args.installer is not None or args.authenticator is not None): return ("Either --configurator or --authenticator/--installer" "pair, but not both, is allowed") if args.authenticator is not None or args.installer is not None: installer = display_ops.pick_installer(config, args.installer, plugins) authenticator = display_ops.pick_authenticator(config, args.authenticator, plugins) else: # TODO: this assumes that user doesn't want to pick authenticator # and installer separately... authenticator = installer = display_ops.pick_configurator( config, args.configurator, plugins) if installer is None or authenticator is None: return "Configurator could not be determined" domains = _find_domains(args, installer) treat_as_renewal = False # Considering the possibility that the requested certificate is # related to an existing certificate. (config.duplicate, which # is set with --duplicate, skips all of this logic and forces any # kind of certificate to be obtained with treat_as_renewal = False.) if not config.duplicate: identical_names_cert, subset_names_cert = _find_duplicative_certs( domains, config, configuration.RenewerConfiguration(config)) # I am not sure whether that correctly reads the systemwide # configuration file. question = None if identical_names_cert is not None: question = ( "You have an existing certificate that contains exactly the " "same domains you requested (ref: {0})\n\nDo you want to " "renew and replace this certificate with a newly-issued one?" ).format(identical_names_cert.configfile.filename) elif subset_names_cert is not None: question = ( "You have an existing certificate that contains a portion of " "the domains you requested (ref: {0})\n\nIt contains these " "names: {1}\n\nYou requested these names for the new " "certificate: {2}.\n\nDo you want to replace this existing " "certificate with the new certificate?").format( subset_names_cert.configfile.filename, ", ".join(subset_names_cert.names()), ", ".join(domains)) if question is None: # We aren't in a duplicative-names situation at all, so we don't # have to tell or ask the user anything about this. pass elif zope.component.getUtility(interfaces.IDisplay).yesno( question, "Replace", "Cancel"): treat_as_renewal = True else: reporter_util = zope.component.getUtility(interfaces.IReporter) reporter_util.add_message( "To obtain a new certificate that {0} an existing certificate " "in its domain-name coverage, you must use the --duplicate " "option.\n\nFor example:\n\n{1} --duplicate {2}".format( "duplicates" if identical_names_cert is not None else "overlaps with", sys.argv[0], " ".join(sys.argv[1:])), reporter_util.HIGH_PRIORITY) return 1 # Attempting to obtain the certificate # TODO: Handle errors from _init_le_client? le_client = _init_le_client(args, config, authenticator, installer) if treat_as_renewal: lineage = identical_names_cert if identical_names_cert is not None else subset_names_cert # TODO: Use existing privkey instead of generating a new one new_certr, new_chain, new_key, _ = le_client.obtain_certificate( domains) # TODO: Check whether it worked! lineage.save_successor( lineage.latest_common_version(), OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, new_certr.body), new_key.pem, crypto_util.dump_pyopenssl_chain(new_chain)) lineage.update_all_links_to(lineage.latest_common_version()) # TODO: Check return value of save_successor # TODO: Also update lineage renewal config with any relevant # configuration values from this attempt? le_client.deploy_certificate(domains, lineage.privkey, lineage.cert, lineage.chain) display_ops.success_renewal(domains) else: # TREAT AS NEW REQUEST lineage = le_client.obtain_and_enroll_certificate( domains, authenticator, installer, plugins) if not lineage: return "Certificate could not be obtained" # TODO: This treats the key as changed even when it wasn't # TODO: We also need to pass the fullchain (for Nginx) le_client.deploy_certificate(domains, lineage.privkey, lineage.cert, lineage.chain) le_client.enhance_config(domains, args.redirect) display_ops.success_installation(domains)