Mailu/core/nginx/letsencrypt.py

#!/usr/bin/env python3

import logging as log
import os
import requests
import sys
import subprocess
import time
from threading import Thread
from http.server import HTTPServer, SimpleHTTPRequestHandler

log.basicConfig(stream=sys.stderr, level="WARNING")
hostnames = ','.join(set(host.strip() for host in os.environ['HOSTNAMES'].split(',')))

command = [
    "certbot",
    "-n", "--agree-tos", # non-interactive
    "-d", hostnames, "--expand", "--allow-subset-of-names",
    "-m", "{}@{}".format(os.environ["POSTMASTER"], os.environ["DOMAIN"]),
    "certonly", "--standalone",
    "--cert-name", "mailu",
    "--preferred-challenges", "http", "--http-01-port", "8008",
    "--keep-until-expiring",
    "--allow-subset-of-names",
    "--renew-with-new-domains",
    "--config-dir", "/certs/letsencrypt",
    "--post-hook", "/config.py"
]
command2 = [
    "certbot",
    "-n", "--agree-tos", # non-interactive
    "-d", hostnames, "--expand", "--allow-subset-of-names",
    "-m", "{}@{}".format(os.environ["POSTMASTER"], os.environ["DOMAIN"]),
    "certonly", "--standalone",
    "--cert-name", "mailu-ecdsa",
    "--preferred-challenges", "http", "--http-01-port", "8008",
    "--keep-until-expiring",
    "--allow-subset-of-names",
    "--key-type", "ecdsa",
    "--renew-with-new-domains",
    "--config-dir", "/certs/letsencrypt",
    "--post-hook", "/config.py"
]

# Wait for nginx to start
time.sleep(5)

class MyRequestHandler(SimpleHTTPRequestHandler):
    def do_GET(self):
        if self.path == '/.well-known/acme-challenge/testing':
            self.send_response(204)
        else:
            self.send_response(404)
        self.send_header('Content-Type', 'text/plain')
        self.end_headers()

def serve_one_request():
    with HTTPServer(("127.0.0.1", 8008), MyRequestHandler) as server:
        server.handle_request()

# Run certbot every day
while True:
    while True:
        hostname = os.environ['HOSTNAMES'].split(',')[0]
        target = f'http://{hostname}/.well-known/acme-challenge/testing'
        thread = Thread(target=serve_one_request)
        thread.start()
        r = requests.get(target)
        if r.status_code != 204:
            log.critical(f"Can't reach {target}!, please ensure it's fixed or change the TLS_FLAVOR.")
            time.sleep(5)
        else:
            break
        thread.join()

    subprocess.call(command)
    subprocess.call(command2)
    time.sleep(86400)
Move even more python deps to base image 2022-10-08 15:55:40 +02:00			`#!/usr/bin/env python3`
Add letsencrypt support in the nginx container 2017-09-24 17:50:10 +02:00
Implement a busy loop for letsencrypt 2023-08-09 15:28:07 +02:00			`import logging as log`
Add letsencrypt support in the nginx container 2017-09-24 17:50:10 +02:00			`import os`
Implement a busy loop for letsencrypt 2023-08-09 15:28:07 +02:00			`import requests`
			`import sys`
Add letsencrypt support in the nginx container 2017-09-24 17:50:10 +02:00			`import subprocess`
Implement a busy loop for letsencrypt 2023-08-09 15:28:07 +02:00			`import time`
			`from threading import Thread`
			`from http.server import HTTPServer, SimpleHTTPRequestHandler`
Add letsencrypt support in the nginx container 2017-09-24 17:50:10 +02:00
Implement a busy loop for letsencrypt 2023-08-09 15:28:07 +02:00			`log.basicConfig(stream=sys.stderr, level="WARNING")`
ghostwheel42's suggestion 2022-03-17 11:35:31 +01:00			`hostnames = ','.join(set(host.strip() for host in os.environ['HOSTNAMES'].split(',')))`
try to get LE certs for the new names 2022-03-10 12:31:01 +01:00
Add letsencrypt support in the nginx container 2017-09-24 17:50:10 +02:00			`command = [`
			`"certbot",`
			`"-n", "--agree-tos", # non-interactive`
try to get LE certs for the new names 2022-03-10 12:31:01 +01:00			`"-d", hostnames, "--expand", "--allow-subset-of-names",`
Add letsencrypt support in the nginx container 2017-09-24 17:50:10 +02:00			`"-m", "{}@{}".format(os.environ["POSTMASTER"], os.environ["DOMAIN"]),`
			`"certonly", "--standalone",`
			`"--cert-name", "mailu",`
Fix letsencrypt by using a separate port than the proxy 2017-11-01 15:24:22 +01:00			`"--preferred-challenges", "http", "--http-01-port", "8008",`
Add letsencrypt support in the nginx container 2017-09-24 17:50:10 +02:00			`"--keep-until-expiring",`
Ensure that Mailu keeps working even if it can't obtain a certificate from letsencrypt for one of the HOSTNAMES 2022-10-08 15:32:08 +02:00			`"--allow-subset-of-names",`
fix #1270 2021-08-23 19:41:44 +02:00			`"--renew-with-new-domains",`
Add ECC certs for modern clients 2021-08-09 21:06:15 +02:00			`"--config-dir", "/certs/letsencrypt",`
			`"--post-hook", "/config.py"`
			`]`
			`command2 = [`
			`"certbot",`
			`"-n", "--agree-tos", # non-interactive`
try to get LE certs for the new names 2022-03-10 12:31:01 +01:00			`"-d", hostnames, "--expand", "--allow-subset-of-names",`
Add ECC certs for modern clients 2021-08-09 21:06:15 +02:00			`"-m", "{}@{}".format(os.environ["POSTMASTER"], os.environ["DOMAIN"]),`
			`"certonly", "--standalone",`
			`"--cert-name", "mailu-ecdsa",`
			`"--preferred-challenges", "http", "--http-01-port", "8008",`
			`"--keep-until-expiring",`
Ensure that Mailu keeps working even if it can't obtain a certificate from letsencrypt for one of the HOSTNAMES 2022-10-08 15:32:08 +02:00			`"--allow-subset-of-names",`
Add ECC certs for modern clients 2021-08-09 21:06:15 +02:00			`"--key-type", "ecdsa",`
fix #1270 2021-08-23 19:41:44 +02:00			`"--renew-with-new-domains",`
Add letsencrypt support in the nginx container 2017-09-24 17:50:10 +02:00			`"--config-dir", "/certs/letsencrypt",`
			`"--post-hook", "/config.py"`
			`]`

			`# Wait for nginx to start`
			`time.sleep(5)`

Fix the obvious issue 2023-08-09 19:10:07 +02:00			`class MyRequestHandler(SimpleHTTPRequestHandler):`
			`def do_GET(self):`
Fix letsencrypt on master 2023-10-06 13:48:09 +02:00			`if self.path == '/.well-known/acme-challenge/testing':`
Serve actual content as requested in review 2023-08-28 17:42:19 +02:00			`self.send_response(204)`
			`else:`
			`self.send_response(404)`
			`self.send_header('Content-Type', 'text/plain')`
			`self.end_headers()`
Fix the obvious issue 2023-08-09 19:10:07 +02:00
Implement a busy loop for letsencrypt 2023-08-09 15:28:07 +02:00			`def serve_one_request():`
Fix letsencrypt on master 2023-10-06 13:48:09 +02:00			`with HTTPServer(("127.0.0.1", 8008), MyRequestHandler) as server:`
Implement a busy loop for letsencrypt 2023-08-09 15:28:07 +02:00			`server.handle_request()`

Change letsencrypt timer from 1h --> 1 day There's no need to be calling certbot so frequently 2021-08-14 14:04:02 +01:00			`# Run certbot every day`
Add letsencrypt support in the nginx container 2017-09-24 17:50:10 +02:00			`while True:`
Implement a busy loop for letsencrypt 2023-08-09 15:28:07 +02:00			`while True:`
Fix letsencrypt on master 2023-10-17 13:58:38 +02:00			`hostname = os.environ['HOSTNAMES'].split(',')[0]`
Implement a busy loop for letsencrypt 2023-08-09 15:28:07 +02:00			`target = f'http://{hostname}/.well-known/acme-challenge/testing'`
			`thread = Thread(target=serve_one_request)`
			`thread.start()`
			`r = requests.get(target)`
Serve actual content as requested in review 2023-08-28 17:42:19 +02:00			`if r.status_code != 204:`
log.critical() where useful 2023-10-17 14:05:08 +02:00			`log.critical(f"Can't reach {target}!, please ensure it's fixed or change the TLS_FLAVOR.")`
Implement a busy loop for letsencrypt 2023-08-09 15:28:07 +02:00			`time.sleep(5)`
			`else:`
			`break`
			`thread.join()`

Add letsencrypt support in the nginx container 2017-09-24 17:50:10 +02:00			`subprocess.call(command)`
Add ECC certs for modern clients 2021-08-09 21:06:15 +02:00			`subprocess.call(command2)`
Change letsencrypt timer from 1h --> 1 day There's no need to be calling certbot so frequently 2021-08-14 14:04:02 +01:00			`time.sleep(86400)`