kolla/docker/letsencrypt/letsencrypt-lego/letsencrypt-certificates.sh
Michal Arbet 3213dccb8c Rework letsencrypt
This patch adds an "API layer" to the letsencrypt
images, represented by a set of scripts inside them.

These scripts are called by the kolla-ansible orchestration.

Change-Id: I61b70fb4e12ba03b96e79004e735d2ead0f52319
2023-09-18 11:26:22 +02:00


#!/bin/bash
#######################################
# Print a timestamped INFO line.
# Arguments: $1 - message text
# Outputs:   "YYYY/MM/DD HH:MM:SS [INFO] <message>" on stdout
#######################################
function log_info {
  local msg="${1}"
  local day clock
  day=$(date +%Y/%m/%d)
  clock=$(date +%H:%M:%S)
  printf '%s %s [INFO] %s\n' "${day}" "${clock}" "${msg}"
}
#######################################
# Print a timestamped ERROR line.
# Arguments: $1 - message text
# Outputs:   "YYYY/MM/DD HH:MM:SS [ERROR] <message>" on stdout (not stderr,
#            so it lands in the same log stream as log_info)
#######################################
function log_error {
  local msg="${1}"
  local day clock
  day=$(date +%Y/%m/%d)
  clock=$(date +%H:%M:%S)
  printf '%s %s [ERROR] %s\n' "${day}" "${clock}" "${msg}"
}
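#######################################
# Obtain (first run) or renew the lego certificate for a set of FQDNs.
# Globals:   none (all working state is local)
# Arguments:
#   $1 - comma-separated FQDNs; the first one names the files in the
#        certificates directory
#   $2 - certificate type, "internal" or "external" (selects the lego path)
#   $3 - port lego listens on for the HTTP-01 challenge
#   $4 - certificate validity in days (lego --cert.timeout)
#   $5 - ACME server URL
#   $6 - account e-mail address
#   $7 - SSH port handed to the sync hook (--haproxies-ssh)
# Outputs:   log lines on stdout
# Returns:   1 when an argument fails validation, otherwise lego's status
#######################################
function obtain_or_renew_certificate {
  local certificate_fqdns="${1}"
  local certificate_type="${2}"
  local listen_port="${3}"
  local valid_days="${4}"
  local acme_url="${5}"
  local mail="${6}"
  local letsencrypt_ssh_port="${7}"

  # Every value below ends up on a command line (lego itself, and the hook
  # string lego runs), so restrict each one to what it can legitimately hold.
  case "${certificate_type}" in
    internal | external) ;;
    *)
      log_error "[${certificate_fqdns} - cron] Unknown certificate type '${certificate_type}'."
      return 1
      ;;
  esac
  local -a fqdn_list=()
  IFS=',' read -r -a fqdn_list <<< "${certificate_fqdns}"
  if (( ${#fqdn_list[@]} == 0 )); then
    log_error "[- - cron] No FQDN given."
    return 1
  fi
  local fqdn
  for fqdn in "${fqdn_list[@]}"; do
    if [[ ! "${fqdn}" =~ ^[A-Za-z0-9._-]+$ ]]; then
      log_error "[${fqdn_list[0]} - cron] Invalid FQDN '${fqdn}'."
      return 1
    fi
  done
  if [[ ! "${listen_port}" =~ ^[0-9]+$ ]]; then
    log_error "[${fqdn_list[0]} - cron] Invalid port '${listen_port}'."
    return 1
  fi
  # Named as a port but only passed through to the hook; kept permissive
  # (no whitespace or shell metacharacters) rather than strictly numeric.
  if [[ ! "${letsencrypt_ssh_port}" =~ ^[A-Za-z0-9._:-]+$ ]]; then
    log_error "[${fqdn_list[0]} - cron] Invalid --haproxies-ssh value '${letsencrypt_ssh_port}'."
    return 1
  fi

  local certificate_fqdn="${fqdn_list[0]}"
  local lego_path="/etc/letsencrypt/lego/${certificate_type}/"
  local cert_dir="${lego_path}certificates"
  local cert_pem="${cert_dir}/${certificate_fqdn}.pem"

  # Remove files in the certificates directory that do not belong to this
  # FQDN (leftovers from an earlier FQDN set). NUL-delimited so unusual
  # file names cannot break the list.
  if [[ -d "${cert_dir}" ]]; then
    local -a garbage=()
    local path
    while IFS= read -r -d '' path; do
      garbage+=("${path}")
    done < <(find "${cert_dir}" -type f ! -name "${certificate_fqdn}.*" -print0)
    if (( ${#garbage[@]} > 0 )); then
      log_info "[${certificate_fqdn} - cron] Cleaning up garbage in certificates directory."
      rm -f -- "${garbage[@]}"
    fi
  fi

  # If a certificate already exists, compare its SANs with the requested
  # FQDNs; a newly requested name means the old files must go so that lego
  # issues a fresh certificate instead of renewing the narrower one.
  if [[ -e "${cert_pem}" ]]; then
    local current_fqdns
    current_fqdns=$(openssl x509 -noout -text -in "${cert_pem}" \
      | grep 'DNS:' \
      | sed -r -e 's/ *DNS://g' -e 's/^/,/' -e 's/$/,/')
    local -a domains_add=()
    for fqdn in "${fqdn_list[@]}"; do
      if [[ "${current_fqdns}" != *",${fqdn},"* ]]; then
        domains_add+=("${fqdn}")
      fi
    done
    if (( ${#domains_add[@]} > 0 )); then
      local domains_add_text
      domains_add_text=$(printf '%s, ' "${domains_add[@]}")
      log_info "[${certificate_fqdn} - cron] Domains ${domains_add_text%, } will be added to certificate."
      # :? aborts rather than expanding to "/*" should cert_dir ever be empty.
      rm -f -- "${cert_dir:?}"/*
    fi
  fi

  # lego "run" creates a certificate, "renew" extends an existing one.
  local lego_action="renew"
  [[ -e "${cert_pem}" ]] || lego_action="run"

  local -a domain_opts=()
  for fqdn in "${fqdn_list[@]}"; do
    domain_opts+=("--domains=${fqdn}")
  done
  # lego receives the hook as a single string and executes it itself; only
  # the values validated above are interpolated into it.
  local hook_cmd="/usr/bin/sync-and-update-certificate --${certificate_type} --fqdn ${certificate_fqdn} --haproxies-ssh ${letsencrypt_ssh_port}"

  log_info "[${certificate_fqdn} - cron] Obtaining certificate for domains ${fqdn_list[*]}."
  /opt/lego --email="${mail}" \
    "${domain_opts[@]}" \
    --server "${acme_url}" \
    --path "${lego_path}" \
    --http.webroot "/etc/letsencrypt/http-01" \
    --http.port "${listen_port}" \
    --cert.timeout "${valid_days}" \
    --accept-tos \
    --http \
    --pem "${lego_action}" \
    "--${lego_action}-hook=${hook_cmd}"
}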
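# Parser / entry point
LOG_FILE="/var/log/kolla/letsencrypt/lesencrypt-lego.log"   # defined here, not read by this script

#######################################
# Parse the command line and, when one of the given VIPs is bound on this
# host, obtain or renew the internal or external certificate.
# Globals:   LOG_FILE (defined above, not read)
# Arguments: -i|--internal or -e|--external (exactly one), -f|--fqdns LIST,
#            -p|--port N, -d|--days N, -m|--mail ADDR, -a|--acme URL,
#            -v|--vips LIST, -h|--haproxies-ssh PORT
# Outputs:   log lines on stdout
# Returns:   exits 1 on bad arguments; otherwise the status of the last
#            command run (chown when /etc/letsencrypt/lego exists)
#######################################
function main {
  local internal_set="false"
  local external_set="false"
  local cert_type="" fqdns="" port="" days="" mail="" acme="" vips="" letsencrypt_ssh_port=""
  local parsed_args
  parsed_args=$(getopt -o ief:p:d:m:a:v:h: \
    --long internal,external,fqdns:,port:,days:,mail:,acme:,vips:,haproxies-ssh: -- "$@") || exit 1
  # Enhanced getopt emits a shell-quoted word list; "eval set --" is its
  # documented consumer and sees only getopt's own quoting.
  eval set -- "${parsed_args}"
  while true; do
    case "$1" in
      -i | --internal)
        cert_type="internal"
        internal_set="true"
        shift
        ;;
      -e | --external)
        cert_type="external"
        external_set="true"
        shift
        ;;
      -f | --fqdns) fqdns="${2}"; shift 2 ;;
      -p | --port) port="${2}"; shift 2 ;;
      -d | --days) days="${2}"; shift 2 ;;
      -m | --mail) mail="${2}"; shift 2 ;;
      -a | --acme) acme="${2}"; shift 2 ;;
      -v | --vips) vips="${2}"; shift 2 ;;
      -h | --haproxies-ssh) letsencrypt_ssh_port="${2}"; shift 2 ;;
      --)
        shift
        break
        ;;
      *)
        # Unreachable with enhanced getopt, which rejects unknown options itself.
        log_error "[- - cron] Unexpected argument '${1}'."
        exit 1
        ;;
    esac
  done

  local fqdn="${fqdns%%,*}"
  # Without -i/-e there is nothing to issue; only the ownership fix-up below runs.
  if [[ "${internal_set}" == "true" || "${external_set}" == "true" ]]; then
    if [[ "${internal_set}" == "${external_set}" ]]; then
      log_error "[${fqdn} - cron] Only --internal or --external parameter is allowed at a time."
      exit 1
    fi
    local -a vip_list=() vip_patterns=()
    local vip
    IFS=',' read -r -a vip_list <<< "${vips}"
    for vip in "${vip_list[@]}"; do
      [[ -n "${vip}" ]] && vip_patterns+=(-e "${vip}")
    done
    local -a missing=()
    [[ -n "${fqdns}" ]] || missing+=("--fqdns")
    [[ -n "${port}" ]] || missing+=("--port")
    [[ -n "${days}" ]] || missing+=("--days")
    [[ -n "${mail}" ]] || missing+=("--mail")
    [[ -n "${acme}" ]] || missing+=("--acme")
    [[ -n "${letsencrypt_ssh_port}" ]] || missing+=("--haproxies-ssh")
    (( ${#vip_patterns[@]} > 0 )) || missing+=("--vips")
    if (( ${#missing[@]} > 0 )); then
      log_error "[${fqdn} - cron] Missing required parameter(s): ${missing[*]}."
      exit 1
    fi
    # Fixed-string, whole-word match: a VIP of 10.0.0.1 must not count as
    # present because 10.0.0.10 or 110.0.0.1 is configured on this host.
    if ip addr show | grep -qwF "${vip_patterns[@]}"; then
      log_info "[${fqdn} - cron] This Letsencrypt-lego host is active..."
      log_info "[${fqdn} - cron] Processing domains ${fqdns}"
      obtain_or_renew_certificate "${fqdns}" "${cert_type}" "${port}" "${days}" "${acme}" "${mail}" "${letsencrypt_ssh_port}"
    else
      log_info "[${fqdn} - cron] This Letsencrypt-lego host is passive, nothing to do..."
    fi
  fi
  # Hand the whole lego tree to the haproxy user — presumably for the
  # haproxy-side consumers of the synced certificate; confirm against the hook.
  if [[ -d /etc/letsencrypt/lego ]]; then
    chown -R haproxy:haproxy /etc/letsencrypt/lego
  fi
}

main "$@"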