def AddDelCertkey(session, certDict, isdel=0): ret = True certlist = [] for certname in certDict.keys(): t = certDict[certname] certfilename = t[0] keyfilename = t[1] ckey = CERTKEY.sslcertkey() ckey.certkey = certname ckey.cert = certfilename ckey.key = keyfilename certlist.append(ckey) try: if (isdel == 0): CERTKEY.sslcertkey.add(session, certlist) else: CERTKEY.sslcertkey.delete(session, certlist) except NITROEXCEPTION.nitro_exception as e: print 'Failed to %s certkey %s\n' % (ad[isdel], certName) print e.message ret = False return ret
def addcerts(self): certs = { "512": ["sha1", "sha224", "sha256"], "4096": ["sha1", "sha224", "sha256", "sha384", "sha512"], "2048": ["sha1", "sha224", "sha256", "sha384", "sha512"], "1024": ["sha1", "sha224", "sha256", "sha384", "sha512"] } for cert in certs: for sha in certs[cert]: cert_name = "root_rsa_" + cert + "_" + sha + ".pem" print(cert_name) key_name = "root_rsa_" + cert + "_" + sha + ".ky" print(key_name) newcert = sslcertkey() newcert.certkey = cert + "_" + sha newcert.cert = cert_name newcert.key = key_name try: sslcertkey.add(self.ns_session, newcert) except nitro_exception as e: print("Exception::errorcode=" + str(e.errorcode) + ",message=" + e.message) except Exception as e: print("Exception::message=" + str(e.args)) return
def create_certkey(u,k,c): s = sslcertkey() s.certkey='sni_%s' %u s.key = '/nsconfig/ssl/snicerts/%s' %k s.cert = '/nsconfig/ssl/snicerts/%s' %c s.expirymonitor = 'ENABLED' s.notificationperiod = 30 s.linkcertkeyname = 'incommonrsa' try: sslcertkey.add(session,s) except nitro_exception as e: print("Exception::errorcode="+str(e.errorcode)+",message="+ e.message)
def Update_certkey(self, client) : try : certkey="cert1" sslcertkey1 = sslcertkey() sslcertkey1.certkey = certkey sslcertkey1.cert = "/nsconfig/ssl/geetika.cert" sslcertkey1.key = "/nsconfig/ssl/geetika.key" sslcertkey1.nodomaincheck = True sslcertkey.change(client,sslcertkey1) print("Update certkey - Done") except nitro_exception as e : print("Exception::Update certkey::rc="+str(e.errorcode)+" , Message ="+ e.message) except Exception as e: print("Exception::Update certkey::message="+str(e.args))
def AddDelOneServerCert(session,certName,certFileName,keyFileName=None,isdel=0): ad = ['Add', 'Del'] ret = 0 ckey = CERTKEY.sslcertkey() ckey.certkey = certName ckey.cert = certFileName ckey.key = keyFileName try : if (isdel == 0) : CERTKEY.sslcertkey.add(session,ckey) else : CERTKEY.sslcertkey.delete(session,ckey) except NITROEXCEPTION.nitro_exception as e : print 'Failed to %s certkey %s\n' %(ad[isdel],certName) print e.message ret = e.errorcode return ret
def AddDelCACerts(self, session, isdel=0): ret = True L = [] for ec in self.caCerts: ckey = CERTKEY.sslcertkey() ckey.certkey = ec[0] ckey.cert = ec[1] L.append(ckey) try: if (isdel == 0): CERTKEY.sslcertkey.add(session, L) else: CERTKEY.sslcertkey.delete(session, L) except NITROEXCEPTION.nitro_exception as e: print 'Exception happened {}'.format(e.message) ret = e.errorcode return ret
def LinkUnlinkCertList(session,linklist,isunlink=0) : ret = 0 links = [CERTKEY.sslcertkey() for i in range(len(linklist))] try : for i in range(len(linklist)) : links[i].certkey = linklist[i][0] links[i].linkcertkeyname = linklist[i][1] if(isunlink == 0) : CERTKEY.sslcertkey.link(session,links[i]) else : CERTKEY.sslcertkey.unlink(session,links[i]) except NITROEXCEPTION.nitro_exception as e : ret = e.errorcode print 'Failed to link unlink certkey {0} {1}\n'.format(links[i].certkey,links[i].linkcertkeyname) print e.message return ret
def LinkUnlinkCACerts(self, session, isunlink=0): tups = [('OneCA2048', 'RootServerCA2048'), ('TwoCA1024', 'OneCA2048'), ('ThreeCA2048', 'TwoCA1024')] links = [] for (x, y) in tups: l = CERTKEY.sslcertkey() l.certkey = x l.linkcertkeyname = y links.append(l) try: if (isunlink == 0): CERTKEY.sslcertkey.link(session, links) else: CERTKEY.sslcertkey.unlink(session, links) except NITROEXCEPTION.nitro_exception as e: ret = e.errorcode print 'Exception happened {}'.format(e.message)
def LinkUnlinkCertList(session, linklist, isunlink=0): ret = True links = [] for (x, y) in linklist: link = CERTKEY.sslcertkey() link.certkey = x link.linkcertkeyname = y links.append(link) try: if (isunlink == 0): CERTKEY.sslcertkey.link(session, links) else: CERTKEY.sslcertkey.unlink(session, links) except NITROEXCEPTION.nitro_exception as e: print 'Failed to linkinlink' ret = False print e.message return ret
def LinkUnlinkEntityCerts(self, session, isunlink=0): tups = [('Server1024_sha1', 'ThreeCA2048'), ('Server1024_sha256', 'ThreeCA2048'), ('Server1024_sha384', 'ThreeCA2048'), ('Server2048_sha1', 'ThreeCA2048'), ('Server2048_sha256', 'ThreeCA2048'), ('Server2048_sha384', 'ThreeCA2048'), ('Server4096_sha1', 'ThreeCA2048'), ('Server4096_sha256', 'ThreeCA2048'), ('Server4096_sha384', 'ThreeCA2048'), ('client1024_sha1', 'ThreeCA2048'), ('client1024_sha256', 'ThreeCA2048'), ('client1024_sha384', 'ThreeCA2048'), ('client2048_sha1', 'ThreeCA2048'), ('client2048_sha256', 'ThreeCA2048'), ('client2048_sha384', 'ThreeCA2048'), ('client4096_sha1', 'ThreeCA2048'), ('client4096_sha256', 'ThreeCA2048'), ('client4096_sha384', 'ThreeCA2048')] links = [] for (x, y) in tups: l = CERTKEY.sslcertkey() l.certkey = x l.linkcertkeyname = y links.append(l) try: if (isunlink == 0): CERTKEY.sslcertkey.link(session, links) else: CERTKEY.sslcertkey.unlink(session, links) except NITROEXCEPTION.nitro_exception as e: ret = e.errorcode print 'Exception happened {}'.format(e.message) except Exception as e: ret = e.errorcode print 'Exception happened {}'.format(e.message)
def AddDelEntityCerts(self, session, certlist, isdel=0): ret = True L = [] #for ec in self.entityCerts : for ec in certlist: ckey = CERTKEY.sslcertkey() ckey.certkey = ec[0] ckey.cert = ec[1] ckey.key = ec[2] L.append(ckey) try: if (isdel == 0): CERTKEY.sslcertkey.add(session, L) else: CERTKEY.sslcertkey.delete(session, L) except NITROEXCEPTION.nitro_exception as e: print e.message ret = e.errorcode except Exception as e: print e.message ret = e.errorcode return ret
def main(): from ansible.module_utils.netscaler import ConfigProxy, get_nitro_client, netscaler_common_arguments, log, loglines try: from nssrc.com.citrix.netscaler.nitro.resource.config.ssl.sslcertkey import sslcertkey from nssrc.com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_sslcertkey_binding import sslvserver_sslcertkey_binding from nssrc.com.citrix.netscaler.nitro.exception.nitro_exception import nitro_exception python_sdk_imported = True except ImportError as e: python_sdk_imported = False module_specific_arguments = dict( certkey=dict(type='str'), cert=dict(type='str'), key=dict(type='str'), password=dict(type='bool'), fipskey=dict(type='str'), hsmkey=dict(type='str'), inform=dict(type='str', choices=[u'DER', u'PEM', u'PFX']), passplain=dict(type='str'), expirymonitor=dict(type='str', choices=[u'ENABLED', u'DISABLED']), notificationperiod=dict(type='float'), bundle=dict(type='str', choices=[u'YES', u'NO']), linkcertkeyname=dict(type='str'), nodomaincheck=dict(type='bool'), ) argument_spec = dict() argument_spec.update(netscaler_common_arguments) argument_spec.update(module_specific_arguments) module = AnsibleModule( argument_spec=argument_spec, supports_check_mode=True, ) module_result = dict( changed=False, failed=False, loglines=loglines, ) # Fail the module if imports failed if not python_sdk_imported: module.fail_json(msg='Could not load nitro python sdk') # Fallthrough to rest of execution client = get_nitro_client(module) client.login() # Instantiate Service Config object readwrite_attrs = [ 'certkey', 'cert', 'key', 'password', 'fipskey', 'hsmkey', 'inform', 'passplain', 'expirymonitor', 'notificationperiod', 'bundle', 'linkcertkeyname', 'nodomaincheck' ] readonly_attrs = [ 'signaturealg', 'certificatetype', 'serial', 'issuer', 'clientcertnotbefore', 'clientcertnotafter', 'daystoexpiration', 'subject', 'publickey', 'publickeysize', 'version', 'priority', 'status', 'passcrypt', 'data', 'servicename', ] sslcertkey_proxy = ConfigProxy( actual=sslcertkey(), client=client, attribute_values_dict=module.params, readwrite_attrs=readwrite_attrs, readonly_attrs=readonly_attrs, ) def key_exists(): log('Entering key_exists') log('certkey is %s' % module.params['certkey']) all_certificates = sslcertkey.get(client) certkeys = [item.certkey for item in all_certificates] if module.params['certkey'] in certkeys: return True else: return False def key_identical(): log('Entering key_identical') sslcertkey_list = sslcertkey.get_filtered( client, 'certkey:%s' % module.params['certkey']) diff_dict = sslcertkey_proxy.diff_object(sslcertkey_list[0]) if 'password' in diff_dict: del diff_dict['password'] if 'passplain' in diff_dict: del diff_dict['passplain'] if len(diff_dict) == 0: return True else: return False def diff_list(): sslcertkey_list = sslcertkey.get_filtered( client, 'certkey:%s' % module.params['certkey']) return sslcertkey_proxy.diff_object(sslcertkey_list[0]) try: # Apply appropriate operation if module.params['operation'] == 'present': log('Applying present operation') if not key_exists(): if not module.check_mode: log('Adding certificate key') sslcertkey_proxy.add() client.save_config() module_result['changed'] = True elif not key_identical(): if not module.check_mode: sslcertkey_proxy.update() client.save_config() module_result['changed'] = True else: module_result['changed'] = False # Sanity check for operation if not key_exists(): module.fail_json(msg='Service does not exist') if not key_identical(): module.fail_json(msg='Service differs from configured', diff=diff_list()) elif module.params['operation'] == 'absent': if key_exists(): if not module.check_mode: sslcertkey_proxy.delete() client.save_config() module_result['changed'] = True else: module_result['changed'] = False # Sanity check for operation if key_exists(): module.fail_json(msg='Service still exists') except nitro_exception as e: msg = "nitro exception errorcode=" + str( e.errorcode) + ",message=" + e.message module.fail_json(msg=msg, **module_result) client.logout() module.exit_json(**module_result)
def main(): module_specific_arguments = dict( certkey=dict(type='str', no_log=False), cert=dict(type='str'), key=dict(type='str', no_log=False), password=dict(type='bool'), inform=dict(type='str', choices=[ 'DER', 'PEM', 'PFX', ]), passplain=dict( type='str', no_log=True, ), expirymonitor=dict(type='str', choices=[ 'enabled', 'disabled', ]), notificationperiod=dict(type='float'), ) argument_spec = dict() argument_spec.update(netscaler_common_arguments) argument_spec.update(module_specific_arguments) module = AnsibleModule( argument_spec=argument_spec, supports_check_mode=True, ) module_result = dict( changed=False, failed=False, loglines=loglines, ) # Fail the module if imports failed if not PYTHON_SDK_IMPORTED: module.fail_json(msg='Could not load nitro python sdk') # Fallthrough to rest of execution client = get_nitro_client(module) try: client.login() except nitro_exception as e: msg = "nitro exception during login. errorcode=%s, message=%s" % (str( e.errorcode), e.message) module.fail_json(msg=msg) except Exception as e: if str(type(e)) == "<class 'requests.exceptions.ConnectionError'>": module.fail_json(msg='Connection error %s' % str(e)) elif str(type(e)) == "<class 'requests.exceptions.SSLError'>": module.fail_json(msg='SSL Error %s' % str(e)) else: module.fail_json(msg='Unexpected error during login %s' % str(e)) readwrite_attrs = [ 'certkey', 'cert', 'key', 'password', 'inform', 'passplain', 'expirymonitor', 'notificationperiod', ] readonly_attrs = [ 'signaturealg', 'certificatetype', 'serial', 'issuer', 'clientcertnotbefore', 'clientcertnotafter', 'daystoexpiration', 'subject', 'publickey', 'publickeysize', 'version', 'priority', 'status', 'passcrypt', 'data', 'servicename', ] immutable_attrs = [ 'certkey', 'cert', 'key', 'password', 'inform', 'passplain', ] transforms = { 'expirymonitor': [lambda v: v.upper()], } # Instantiate config proxy sslcertkey_proxy = ConfigProxy( actual=sslcertkey(), client=client, attribute_values_dict=module.params, readwrite_attrs=readwrite_attrs, readonly_attrs=readonly_attrs, immutable_attrs=immutable_attrs, transforms=transforms, ) try: if module.params['state'] == 'present': log('Applying actions for state present') if not key_exists(client, module): if not module.check_mode: log('Adding certificate key') sslcertkey_proxy.add() if module.params['save_config']: client.save_config() module_result['changed'] = True elif not key_identical(client, module, sslcertkey_proxy): # Check if we try to change value of immutable attributes immutables_changed = get_immutables_intersection( sslcertkey_proxy, diff_list(client, module, sslcertkey_proxy).keys()) if immutables_changed != []: module.fail_json( msg='Cannot update immutable attributes %s' % (immutables_changed, ), diff=diff_list(client, module, sslcertkey_proxy), **module_result) if not module.check_mode: sslcertkey_proxy.update() if module.params['save_config']: client.save_config() module_result['changed'] = True else: module_result['changed'] = False # Sanity check for state if not module.check_mode: log('Sanity checks for state present') if not key_exists(client, module): module.fail_json(msg='SSL certkey does not exist') if not key_identical(client, module, sslcertkey_proxy): module.fail_json(msg='SSL certkey differs from configured', diff=diff_list(client, module, sslcertkey_proxy)) elif module.params['state'] == 'absent': log('Applying actions for state absent') if key_exists(client, module): if not module.check_mode: sslcertkey_proxy.delete() if module.params['save_config']: client.save_config() module_result['changed'] = True else: module_result['changed'] = False # Sanity check for state if not module.check_mode: log('Sanity checks for state absent') if key_exists(client, module): module.fail_json(msg='SSL certkey still exists') except nitro_exception as e: msg = "nitro exception errorcode=%s, message=%s" % (str( e.errorcode), e.message) module.fail_json(msg=msg, **module_result) client.logout() module.exit_json(**module_result)
def main(): module_specific_arguments = dict( certkey=dict(type='str'), cert=dict(type='str'), key=dict(type='str'), password=dict(type='bool'), inform=dict( type='str', choices=[ 'DER', 'PEM', 'PFX', ] ), passplain=dict( type='str', no_log=True, ), expirymonitor=dict( type='str', choices=[ 'enabled', 'disabled', ] ), notificationperiod=dict(type='float'), ) argument_spec = dict() argument_spec.update(netscaler_common_arguments) argument_spec.update(module_specific_arguments) module = AnsibleModule( argument_spec=argument_spec, supports_check_mode=True, ) module_result = dict( changed=False, failed=False, loglines=loglines, ) # Fail the module if imports failed if not PYTHON_SDK_IMPORTED: module.fail_json(msg='Could not load nitro python sdk') # Fallthrough to rest of execution client = get_nitro_client(module) try: client.login() except nitro_exception as e: msg = "nitro exception during login. errorcode=%s, message=%s" % (str(e.errorcode), e.message) module.fail_json(msg=msg) except Exception as e: if str(type(e)) == "<class 'requests.exceptions.ConnectionError'>": module.fail_json(msg='Connection error %s' % str(e)) elif str(type(e)) == "<class 'requests.exceptions.SSLError'>": module.fail_json(msg='SSL Error %s' % str(e)) else: module.fail_json(msg='Unexpected error during login %s' % str(e)) readwrite_attrs = [ 'certkey', 'cert', 'key', 'password', 'inform', 'passplain', 'expirymonitor', 'notificationperiod', ] readonly_attrs = [ 'signaturealg', 'certificatetype', 'serial', 'issuer', 'clientcertnotbefore', 'clientcertnotafter', 'daystoexpiration', 'subject', 'publickey', 'publickeysize', 'version', 'priority', 'status', 'passcrypt', 'data', 'servicename', ] immutable_attrs = [ 'certkey', 'cert', 'key', 'password', 'inform', 'passplain', ] transforms = { 'expirymonitor': [lambda v: v.upper()], } # Instantiate config proxy sslcertkey_proxy = ConfigProxy( actual=sslcertkey(), client=client, attribute_values_dict=module.params, readwrite_attrs=readwrite_attrs, readonly_attrs=readonly_attrs, immutable_attrs=immutable_attrs, transforms=transforms, ) try: if module.params['state'] == 'present': log('Applying actions for state present') if not key_exists(client, module): if not module.check_mode: log('Adding certificate key') sslcertkey_proxy.add() if module.params['save_config']: client.save_config() module_result['changed'] = True elif not key_identical(client, module, sslcertkey_proxy): # Check if we try to change value of immutable attributes immutables_changed = get_immutables_intersection(sslcertkey_proxy, diff_list(client, module, sslcertkey_proxy).keys()) if immutables_changed != []: module.fail_json( msg='Cannot update immutable attributes %s' % (immutables_changed,), diff=diff_list(client, module, sslcertkey_proxy), **module_result ) if not module.check_mode: sslcertkey_proxy.update() if module.params['save_config']: client.save_config() module_result['changed'] = True else: module_result['changed'] = False # Sanity check for state if not module.check_mode: log('Sanity checks for state present') if not key_exists(client, module): module.fail_json(msg='SSL certkey does not exist') if not key_identical(client, module, sslcertkey_proxy): module.fail_json(msg='SSL certkey differs from configured', diff=diff_list(client, module, sslcertkey_proxy)) elif module.params['state'] == 'absent': log('Applying actions for state absent') if key_exists(client, module): if not module.check_mode: sslcertkey_proxy.delete() if module.params['save_config']: client.save_config() module_result['changed'] = True else: module_result['changed'] = False # Sanity check for state if not module.check_mode: log('Sanity checks for state absent') if key_exists(client, module): module.fail_json(msg='SSL certkey still exists') except nitro_exception as e: msg = "nitro exception errorcode=%s, message=%s" % (str(e.errorcode), e.message) module.fail_json(msg=msg, **module_result) client.logout() module.exit_json(**module_result)
def deploy_cert(self, domain: str, key_file: str, cert_file: str, full_chain_file: str, chain_file: str): """Deploy a certificate""" logging.info('Deploying cert for %s' % domain) client = self.get_client(domain) # cert cert = self.get_certificate(domain) cert_filename = get_cert_filename(domain) key_filename = get_key_filename(domain) # ca cacert_name = get_sslcertkey_name('chain') # note: fixed value here cacert_filename = get_cert_filename('chain') # note: fixed value here # create CA if needed try: cacert = sslcertkey.get(client, cacert_name) except nitro_exception: # CA not found # add CA file self.save_systemfile(client, cacert_filename, chain_file) # add cert cacert = sslcertkey() cacert.certkey = cacert_name cacert.cert = cacert_filename sslcertkey.add(client, cacert) logging.info('Added Let\'s Encrypt CA') if cert is None: # cert not found logging.info('Creating new cert for %s' % domain) # add cert file self.save_systemfile(client, cert_filename, cert_file) # add key file self.save_systemfile(client, key_filename, key_file) # add cert cert = sslcertkey() cert.certkey = get_sslcertkey_name(domain) cert.cert = cert_filename cert.key = key_filename cert.nodomaincheck = True sslcertkey.add(client, cert) logging.info('Certificate added for %s' % domain) # link the cert to the CA link = sslcertkey() link.certkey = cert.certkey link.linkcertkeyname = cacert.certkey sslcertkey.link(client, link) logging.info('Certificate link to CA created for %s' % domain) else: # cert found logging.info('Updating cert for %s' % domain) add_key_file = False # replace cert file try: self.delete_systemfile(client, cert_filename) except NitroError: logging.warn( 'Could not remove existing cert file %s, now adding key as well' % cert_filename) add_key_file = True self.save_systemfile(client, cert_filename, cert_file) # add key file if add_key_file: # as it is most likely not present self.save_systemfile(client, key_filename, key_file) # update cert cert = sslcertkey() cert.certkey = get_sslcertkey_name(domain) cert.cert = cert_filename if add_key_file: cert.key = key_filename cert.nodomaincheck = True sslcertkey.change(client, cert) logging.info('Certificate updated for %s' % domain)