def AddDelCertkey(session, certDict, isdel=0):
ret = True
certlist = []
for certname in certDict.keys():
t = certDict[certname]
certfilename = t[0]
keyfilename = t[1]
ckey = CERTKEY.sslcertkey()
ckey.certkey = certname
ckey.cert = certfilename
ckey.key = keyfilename
certlist.append(ckey)
try:
if (isdel == 0):
CERTKEY.sslcertkey.add(session, certlist)
else:
CERTKEY.sslcertkey.delete(session, certlist)
except NITROEXCEPTION.nitro_exception as e:
print 'Failed to %s certkey %s\n' % (ad[isdel], certName)
print e.message
ret = False
return ret
def addcerts(self):
certs = {
"512": ["sha1", "sha224", "sha256"],
"4096": ["sha1", "sha224", "sha256", "sha384", "sha512"],
"2048": ["sha1", "sha224", "sha256", "sha384", "sha512"],
"1024": ["sha1", "sha224", "sha256", "sha384", "sha512"]
}
for cert in certs:
for sha in certs[cert]:
cert_name = "root_rsa_" + cert + "_" + sha + ".pem"
print(cert_name)
key_name = "root_rsa_" + cert + "_" + sha + ".ky"
print(key_name)
newcert = sslcertkey()
newcert.certkey = cert + "_" + sha
newcert.cert = cert_name
newcert.key = key_name
try:
sslcertkey.add(self.ns_session, newcert)
except nitro_exception as e:
print("Exception::errorcode=" + str(e.errorcode) +
",message=" + e.message)
except Exception as e:
print("Exception::message=" + str(e.args))
return
def create_certkey(u,k,c):
s = sslcertkey()
s.certkey='sni_%s' %u
s.key = '/nsconfig/ssl/snicerts/%s' %k
s.cert = '/nsconfig/ssl/snicerts/%s' %c
s.expirymonitor = 'ENABLED'
s.notificationperiod = 30
s.linkcertkeyname = 'incommonrsa'
try:
sslcertkey.add(session,s)
except nitro_exception as e:
print("Exception::errorcode="+str(e.errorcode)+",message="+ e.message)
def Update_certkey(self, client) :
try :
certkey="cert1"
sslcertkey1 = sslcertkey()
sslcertkey1.certkey = certkey
sslcertkey1.cert = "/nsconfig/ssl/geetika.cert"
sslcertkey1.key = "/nsconfig/ssl/geetika.key"
sslcertkey1.nodomaincheck = True
sslcertkey.change(client,sslcertkey1)
print("Update certkey - Done")
except nitro_exception as e :
print("Exception::Update certkey::rc="+str(e.errorcode)+" , Message ="+ e.message)
except Exception as e:
print("Exception::Update certkey::message="+str(e.args))
def AddDelOneServerCert(session,certName,certFileName,keyFileName=None,isdel=0): ad = ['Add', 'Del'] ret = 0 ckey = CERTKEY.sslcertkey() ckey.certkey = certName ckey.cert = certFileName ckey.key = keyFileName try : if (isdel == 0) : CERTKEY.sslcertkey.add(session,ckey) else : CERTKEY.sslcertkey.delete(session,ckey) except NITROEXCEPTION.nitro_exception as e : print 'Failed to %s certkey %s\n' %(ad[isdel],certName) print e.message ret = e.errorcode return ret
def AddDelCACerts(self, session, isdel=0):
ret = True
L = []
for ec in self.caCerts:
ckey = CERTKEY.sslcertkey()
ckey.certkey = ec[0]
ckey.cert = ec[1]
L.append(ckey)
try:
if (isdel == 0):
CERTKEY.sslcertkey.add(session, L)
else:
CERTKEY.sslcertkey.delete(session, L)
except NITROEXCEPTION.nitro_exception as e:
print 'Exception happened {}'.format(e.message)
ret = e.errorcode
return ret
def LinkUnlinkCertList(session,linklist,isunlink=0) :
ret = 0
links = [CERTKEY.sslcertkey() for i in range(len(linklist))]
try :
for i in range(len(linklist)) :
links[i].certkey = linklist[i][0]
links[i].linkcertkeyname = linklist[i][1]
if(isunlink == 0) :
CERTKEY.sslcertkey.link(session,links[i])
else :
CERTKEY.sslcertkey.unlink(session,links[i])
except NITROEXCEPTION.nitro_exception as e :
ret = e.errorcode
print 'Failed to link unlink certkey {0} {1}\n'.format(links[i].certkey,links[i].linkcertkeyname)
print e.message
return ret
def LinkUnlinkCACerts(self, session, isunlink=0):
tups = [('OneCA2048', 'RootServerCA2048'), ('TwoCA1024', 'OneCA2048'),
('ThreeCA2048', 'TwoCA1024')]
links = []
for (x, y) in tups:
l = CERTKEY.sslcertkey()
l.certkey = x
l.linkcertkeyname = y
links.append(l)
try:
if (isunlink == 0):
CERTKEY.sslcertkey.link(session, links)
else:
CERTKEY.sslcertkey.unlink(session, links)
except NITROEXCEPTION.nitro_exception as e:
ret = e.errorcode
print 'Exception happened {}'.format(e.message)
def LinkUnlinkCertList(session, linklist, isunlink=0):
ret = True
links = []
for (x, y) in linklist:
link = CERTKEY.sslcertkey()
link.certkey = x
link.linkcertkeyname = y
links.append(link)
try:
if (isunlink == 0):
CERTKEY.sslcertkey.link(session, links)
else:
CERTKEY.sslcertkey.unlink(session, links)
except NITROEXCEPTION.nitro_exception as e:
print 'Failed to linkinlink'
ret = False
print e.message
return ret
def LinkUnlinkEntityCerts(self, session, isunlink=0):
tups = [('Server1024_sha1', 'ThreeCA2048'),
('Server1024_sha256', 'ThreeCA2048'),
('Server1024_sha384', 'ThreeCA2048'),
('Server2048_sha1', 'ThreeCA2048'),
('Server2048_sha256', 'ThreeCA2048'),
('Server2048_sha384', 'ThreeCA2048'),
('Server4096_sha1', 'ThreeCA2048'),
('Server4096_sha256', 'ThreeCA2048'),
('Server4096_sha384', 'ThreeCA2048'),
('client1024_sha1', 'ThreeCA2048'),
('client1024_sha256', 'ThreeCA2048'),
('client1024_sha384', 'ThreeCA2048'),
('client2048_sha1', 'ThreeCA2048'),
('client2048_sha256', 'ThreeCA2048'),
('client2048_sha384', 'ThreeCA2048'),
('client4096_sha1', 'ThreeCA2048'),
('client4096_sha256', 'ThreeCA2048'),
('client4096_sha384', 'ThreeCA2048')]
links = []
for (x, y) in tups:
l = CERTKEY.sslcertkey()
l.certkey = x
l.linkcertkeyname = y
links.append(l)
try:
if (isunlink == 0):
CERTKEY.sslcertkey.link(session, links)
else:
CERTKEY.sslcertkey.unlink(session, links)
except NITROEXCEPTION.nitro_exception as e:
ret = e.errorcode
print 'Exception happened {}'.format(e.message)
except Exception as e:
ret = e.errorcode
print 'Exception happened {}'.format(e.message)
def AddDelEntityCerts(self, session, certlist, isdel=0):
ret = True
L = []
#for ec in self.entityCerts :
for ec in certlist:
ckey = CERTKEY.sslcertkey()
ckey.certkey = ec[0]
ckey.cert = ec[1]
ckey.key = ec[2]
L.append(ckey)
try:
if (isdel == 0):
CERTKEY.sslcertkey.add(session, L)
else:
CERTKEY.sslcertkey.delete(session, L)
except NITROEXCEPTION.nitro_exception as e:
print e.message
ret = e.errorcode
except Exception as e:
print e.message
ret = e.errorcode
return ret
def main():
from ansible.module_utils.netscaler import ConfigProxy, get_nitro_client, netscaler_common_arguments, log, loglines
try:
from nssrc.com.citrix.netscaler.nitro.resource.config.ssl.sslcertkey import sslcertkey
from nssrc.com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_sslcertkey_binding import sslvserver_sslcertkey_binding
from nssrc.com.citrix.netscaler.nitro.exception.nitro_exception import nitro_exception
python_sdk_imported = True
except ImportError as e:
python_sdk_imported = False
module_specific_arguments = dict(
certkey=dict(type='str'),
cert=dict(type='str'),
key=dict(type='str'),
password=dict(type='bool'),
fipskey=dict(type='str'),
hsmkey=dict(type='str'),
inform=dict(type='str', choices=[u'DER', u'PEM', u'PFX']),
passplain=dict(type='str'),
expirymonitor=dict(type='str', choices=[u'ENABLED', u'DISABLED']),
notificationperiod=dict(type='float'),
bundle=dict(type='str', choices=[u'YES', u'NO']),
linkcertkeyname=dict(type='str'),
nodomaincheck=dict(type='bool'),
)
argument_spec = dict()
argument_spec.update(netscaler_common_arguments)
argument_spec.update(module_specific_arguments)
module = AnsibleModule(
argument_spec=argument_spec,
supports_check_mode=True,
)
module_result = dict(
changed=False,
failed=False,
loglines=loglines,
)
# Fail the module if imports failed
if not python_sdk_imported:
module.fail_json(msg='Could not load nitro python sdk')
# Fallthrough to rest of execution
client = get_nitro_client(module)
client.login()
# Instantiate Service Config object
readwrite_attrs = [
'certkey', 'cert', 'key', 'password', 'fipskey', 'hsmkey', 'inform',
'passplain', 'expirymonitor', 'notificationperiod', 'bundle',
'linkcertkeyname', 'nodomaincheck'
]
readonly_attrs = [
'signaturealg',
'certificatetype',
'serial',
'issuer',
'clientcertnotbefore',
'clientcertnotafter',
'daystoexpiration',
'subject',
'publickey',
'publickeysize',
'version',
'priority',
'status',
'passcrypt',
'data',
'servicename',
]
sslcertkey_proxy = ConfigProxy(
actual=sslcertkey(),
client=client,
attribute_values_dict=module.params,
readwrite_attrs=readwrite_attrs,
readonly_attrs=readonly_attrs,
)
def key_exists():
log('Entering key_exists')
log('certkey is %s' % module.params['certkey'])
all_certificates = sslcertkey.get(client)
certkeys = [item.certkey for item in all_certificates]
if module.params['certkey'] in certkeys:
return True
else:
return False
def key_identical():
log('Entering key_identical')
sslcertkey_list = sslcertkey.get_filtered(
client, 'certkey:%s' % module.params['certkey'])
diff_dict = sslcertkey_proxy.diff_object(sslcertkey_list[0])
if 'password' in diff_dict:
del diff_dict['password']
if 'passplain' in diff_dict:
del diff_dict['passplain']
if len(diff_dict) == 0:
return True
else:
return False
def diff_list():
sslcertkey_list = sslcertkey.get_filtered(
client, 'certkey:%s' % module.params['certkey'])
return sslcertkey_proxy.diff_object(sslcertkey_list[0])
try:
# Apply appropriate operation
if module.params['operation'] == 'present':
log('Applying present operation')
if not key_exists():
if not module.check_mode:
log('Adding certificate key')
sslcertkey_proxy.add()
client.save_config()
module_result['changed'] = True
elif not key_identical():
if not module.check_mode:
sslcertkey_proxy.update()
client.save_config()
module_result['changed'] = True
else:
module_result['changed'] = False
# Sanity check for operation
if not key_exists():
module.fail_json(msg='Service does not exist')
if not key_identical():
module.fail_json(msg='Service differs from configured',
diff=diff_list())
elif module.params['operation'] == 'absent':
if key_exists():
if not module.check_mode:
sslcertkey_proxy.delete()
client.save_config()
module_result['changed'] = True
else:
module_result['changed'] = False
# Sanity check for operation
if key_exists():
module.fail_json(msg='Service still exists')
except nitro_exception as e:
msg = "nitro exception errorcode=" + str(
e.errorcode) + ",message=" + e.message
module.fail_json(msg=msg, **module_result)
client.logout()
module.exit_json(**module_result)
def main():
module_specific_arguments = dict(
certkey=dict(type='str', no_log=False),
cert=dict(type='str'),
key=dict(type='str', no_log=False),
password=dict(type='bool'),
inform=dict(type='str', choices=[
'DER',
'PEM',
'PFX',
]),
passplain=dict(
type='str',
no_log=True,
),
expirymonitor=dict(type='str', choices=[
'enabled',
'disabled',
]),
notificationperiod=dict(type='float'),
)
argument_spec = dict()
argument_spec.update(netscaler_common_arguments)
argument_spec.update(module_specific_arguments)
module = AnsibleModule(
argument_spec=argument_spec,
supports_check_mode=True,
)
module_result = dict(
changed=False,
failed=False,
loglines=loglines,
)
# Fail the module if imports failed
if not PYTHON_SDK_IMPORTED:
module.fail_json(msg='Could not load nitro python sdk')
# Fallthrough to rest of execution
client = get_nitro_client(module)
try:
client.login()
except nitro_exception as e:
msg = "nitro exception during login. errorcode=%s, message=%s" % (str(
e.errorcode), e.message)
module.fail_json(msg=msg)
except Exception as e:
if str(type(e)) == "<class 'requests.exceptions.ConnectionError'>":
module.fail_json(msg='Connection error %s' % str(e))
elif str(type(e)) == "<class 'requests.exceptions.SSLError'>":
module.fail_json(msg='SSL Error %s' % str(e))
else:
module.fail_json(msg='Unexpected error during login %s' % str(e))
readwrite_attrs = [
'certkey',
'cert',
'key',
'password',
'inform',
'passplain',
'expirymonitor',
'notificationperiod',
]
readonly_attrs = [
'signaturealg',
'certificatetype',
'serial',
'issuer',
'clientcertnotbefore',
'clientcertnotafter',
'daystoexpiration',
'subject',
'publickey',
'publickeysize',
'version',
'priority',
'status',
'passcrypt',
'data',
'servicename',
]
immutable_attrs = [
'certkey',
'cert',
'key',
'password',
'inform',
'passplain',
]
transforms = {
'expirymonitor': [lambda v: v.upper()],
}
# Instantiate config proxy
sslcertkey_proxy = ConfigProxy(
actual=sslcertkey(),
client=client,
attribute_values_dict=module.params,
readwrite_attrs=readwrite_attrs,
readonly_attrs=readonly_attrs,
immutable_attrs=immutable_attrs,
transforms=transforms,
)
try:
if module.params['state'] == 'present':
log('Applying actions for state present')
if not key_exists(client, module):
if not module.check_mode:
log('Adding certificate key')
sslcertkey_proxy.add()
if module.params['save_config']:
client.save_config()
module_result['changed'] = True
elif not key_identical(client, module, sslcertkey_proxy):
# Check if we try to change value of immutable attributes
immutables_changed = get_immutables_intersection(
sslcertkey_proxy,
diff_list(client, module, sslcertkey_proxy).keys())
if immutables_changed != []:
module.fail_json(
msg='Cannot update immutable attributes %s' %
(immutables_changed, ),
diff=diff_list(client, module, sslcertkey_proxy),
**module_result)
if not module.check_mode:
sslcertkey_proxy.update()
if module.params['save_config']:
client.save_config()
module_result['changed'] = True
else:
module_result['changed'] = False
# Sanity check for state
if not module.check_mode:
log('Sanity checks for state present')
if not key_exists(client, module):
module.fail_json(msg='SSL certkey does not exist')
if not key_identical(client, module, sslcertkey_proxy):
module.fail_json(msg='SSL certkey differs from configured',
diff=diff_list(client, module,
sslcertkey_proxy))
elif module.params['state'] == 'absent':
log('Applying actions for state absent')
if key_exists(client, module):
if not module.check_mode:
sslcertkey_proxy.delete()
if module.params['save_config']:
client.save_config()
module_result['changed'] = True
else:
module_result['changed'] = False
# Sanity check for state
if not module.check_mode:
log('Sanity checks for state absent')
if key_exists(client, module):
module.fail_json(msg='SSL certkey still exists')
except nitro_exception as e:
msg = "nitro exception errorcode=%s, message=%s" % (str(
e.errorcode), e.message)
module.fail_json(msg=msg, **module_result)
client.logout()
module.exit_json(**module_result)
def main():
module_specific_arguments = dict(
certkey=dict(type='str'),
cert=dict(type='str'),
key=dict(type='str'),
password=dict(type='bool'),
inform=dict(
type='str',
choices=[
'DER',
'PEM',
'PFX',
]
),
passplain=dict(
type='str',
no_log=True,
),
expirymonitor=dict(
type='str',
choices=[
'enabled',
'disabled',
]
),
notificationperiod=dict(type='float'),
)
argument_spec = dict()
argument_spec.update(netscaler_common_arguments)
argument_spec.update(module_specific_arguments)
module = AnsibleModule(
argument_spec=argument_spec,
supports_check_mode=True,
)
module_result = dict(
changed=False,
failed=False,
loglines=loglines,
)
# Fail the module if imports failed
if not PYTHON_SDK_IMPORTED:
module.fail_json(msg='Could not load nitro python sdk')
# Fallthrough to rest of execution
client = get_nitro_client(module)
try:
client.login()
except nitro_exception as e:
msg = "nitro exception during login. errorcode=%s, message=%s" % (str(e.errorcode), e.message)
module.fail_json(msg=msg)
except Exception as e:
if str(type(e)) == "<class 'requests.exceptions.ConnectionError'>":
module.fail_json(msg='Connection error %s' % str(e))
elif str(type(e)) == "<class 'requests.exceptions.SSLError'>":
module.fail_json(msg='SSL Error %s' % str(e))
else:
module.fail_json(msg='Unexpected error during login %s' % str(e))
readwrite_attrs = [
'certkey',
'cert',
'key',
'password',
'inform',
'passplain',
'expirymonitor',
'notificationperiod',
]
readonly_attrs = [
'signaturealg',
'certificatetype',
'serial',
'issuer',
'clientcertnotbefore',
'clientcertnotafter',
'daystoexpiration',
'subject',
'publickey',
'publickeysize',
'version',
'priority',
'status',
'passcrypt',
'data',
'servicename',
]
immutable_attrs = [
'certkey',
'cert',
'key',
'password',
'inform',
'passplain',
]
transforms = {
'expirymonitor': [lambda v: v.upper()],
}
# Instantiate config proxy
sslcertkey_proxy = ConfigProxy(
actual=sslcertkey(),
client=client,
attribute_values_dict=module.params,
readwrite_attrs=readwrite_attrs,
readonly_attrs=readonly_attrs,
immutable_attrs=immutable_attrs,
transforms=transforms,
)
try:
if module.params['state'] == 'present':
log('Applying actions for state present')
if not key_exists(client, module):
if not module.check_mode:
log('Adding certificate key')
sslcertkey_proxy.add()
if module.params['save_config']:
client.save_config()
module_result['changed'] = True
elif not key_identical(client, module, sslcertkey_proxy):
# Check if we try to change value of immutable attributes
immutables_changed = get_immutables_intersection(sslcertkey_proxy, diff_list(client, module, sslcertkey_proxy).keys())
if immutables_changed != []:
module.fail_json(
msg='Cannot update immutable attributes %s' % (immutables_changed,),
diff=diff_list(client, module, sslcertkey_proxy),
**module_result
)
if not module.check_mode:
sslcertkey_proxy.update()
if module.params['save_config']:
client.save_config()
module_result['changed'] = True
else:
module_result['changed'] = False
# Sanity check for state
if not module.check_mode:
log('Sanity checks for state present')
if not key_exists(client, module):
module.fail_json(msg='SSL certkey does not exist')
if not key_identical(client, module, sslcertkey_proxy):
module.fail_json(msg='SSL certkey differs from configured', diff=diff_list(client, module, sslcertkey_proxy))
elif module.params['state'] == 'absent':
log('Applying actions for state absent')
if key_exists(client, module):
if not module.check_mode:
sslcertkey_proxy.delete()
if module.params['save_config']:
client.save_config()
module_result['changed'] = True
else:
module_result['changed'] = False
# Sanity check for state
if not module.check_mode:
log('Sanity checks for state absent')
if key_exists(client, module):
module.fail_json(msg='SSL certkey still exists')
except nitro_exception as e:
msg = "nitro exception errorcode=%s, message=%s" % (str(e.errorcode), e.message)
module.fail_json(msg=msg, **module_result)
client.logout()
module.exit_json(**module_result)
def deploy_cert(self, domain: str, key_file: str, cert_file: str,
full_chain_file: str, chain_file: str):
"""Deploy a certificate"""
logging.info('Deploying cert for %s' % domain)
client = self.get_client(domain)
# cert
cert = self.get_certificate(domain)
cert_filename = get_cert_filename(domain)
key_filename = get_key_filename(domain)
# ca
cacert_name = get_sslcertkey_name('chain') # note: fixed value here
cacert_filename = get_cert_filename('chain') # note: fixed value here
# create CA if needed
try:
cacert = sslcertkey.get(client, cacert_name)
except nitro_exception:
# CA not found
# add CA file
self.save_systemfile(client, cacert_filename, chain_file)
# add cert
cacert = sslcertkey()
cacert.certkey = cacert_name
cacert.cert = cacert_filename
sslcertkey.add(client, cacert)
logging.info('Added Let\'s Encrypt CA')
if cert is None:
# cert not found
logging.info('Creating new cert for %s' % domain)
# add cert file
self.save_systemfile(client, cert_filename, cert_file)
# add key file
self.save_systemfile(client, key_filename, key_file)
# add cert
cert = sslcertkey()
cert.certkey = get_sslcertkey_name(domain)
cert.cert = cert_filename
cert.key = key_filename
cert.nodomaincheck = True
sslcertkey.add(client, cert)
logging.info('Certificate added for %s' % domain)
# link the cert to the CA
link = sslcertkey()
link.certkey = cert.certkey
link.linkcertkeyname = cacert.certkey
sslcertkey.link(client, link)
logging.info('Certificate link to CA created for %s' % domain)
else:
# cert found
logging.info('Updating cert for %s' % domain)
add_key_file = False
# replace cert file
try:
self.delete_systemfile(client, cert_filename)
except NitroError:
logging.warn(
'Could not remove existing cert file %s, now adding key as well'
% cert_filename)
add_key_file = True
self.save_systemfile(client, cert_filename, cert_file)
# add key file
if add_key_file:
# as it is most likely not present
self.save_systemfile(client, key_filename, key_file)
# update cert
cert = sslcertkey()
cert.certkey = get_sslcertkey_name(domain)
cert.cert = cert_filename
if add_key_file:
cert.key = key_filename
cert.nodomaincheck = True
sslcertkey.change(client, cert)
logging.info('Certificate updated for %s' % domain)
