Changed letsencrypt script to handle all vhosts domains (refs #21701).

2.Common_services/5.Nginx/0_setup.py

@@ -122,7 +122,7 @@ def setup(interactive=True):
             if new_content != content:
                 with open(ssl_conf, 'w') as fo:
                     fo.write(new_content)
-                utils.log('SSL configuration file %s updated.' % ssl_conf)
+                utils.log('SSL configuration file "%s" updated.' % ssl_conf)
             else:
-                utils.log('SSL configuration file %s already up to date.' % ssl_conf)
+                utils.log('SSL configuration file "%s" already up to date.' % ssl_conf)
     utils.run_commands(['nginx -t', 'service nginx restart'])

2.Common_services/5.Nginx/vhost_cache.conf

 proxy_cache_path /tmp/nginx-uc-cache levels=1:2 keys_zone=uc-cache:10m max_size=10g inactive=300s;
 
 log_format cache '$remote_addr - $host [$time_local] "$request" $status '
-    '$body_bytes_sent "$http_referer" '
-    'rt=$request_time ut="$upstream_response_time" '
-    'cs=$upstream_cache_status';
+	'$body_bytes_sent "$http_referer" '
+	'rt=$request_time ut="$upstream_response_time" '
+	'cs=$upstream_cache_status';
 
 server {
-    listen 80 default_server;
-    listen 443 default_server ssl;
-    server_name {{ server_name }};
+	listen 80 default_server;
+	listen 443 default_server ssl;
+	server_name {{ server_name }};
 
-    root /var/www/cache/;
+	root /var/www/cache/;
 
-    access_log /var/log/nginx/access_cache.log cache;
-    error_log /var/log/nginx/error_cache.log;
+	access_log /var/log/nginx/access_cache.log cache;
+	error_log /var/log/nginx/error_cache.log;
 
-    location /crossdomain {
-    }
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		root /tmp/letsencrypt;
+	}
 
-    location /streaming/ {
-        # Live; expiration headers are defined by upstream (nginx/wowza)
-        rewrite ^/(.*)$ /$1? break;
-        proxy_pass {{ source_server }};
-        proxy_cache uc-cache;
-        # do not consider secure urls as new files
-        proxy_cache_key $scheme$proxy_host$uri;
-        # only one request at a time will be allowed to populate a new cache element
-        proxy_cache_lock on;
-        # hide upstream X-Cache header
-        proxy_hide_header X-Cache;
-        # add own X-Cache header
-        add_header X-Cache $upstream_cache_status;
-    }
-    location /resources/ {
-        # VOD
-        location ~ \.(m3u8|ts|mp4|mp3|webm|oga|ogv|ogg|mov|flv)$ {
-            rewrite ^/(.*)$ /$1? break;
-            proxy_pass {{ source_server }};
-            proxy_cache uc-cache;
-            # do not consider secure urls as new files
-            proxy_cache_key $scheme$proxy_host$uri;
-            # only one request at a time will be allowed to populate a new cache element
-            proxy_cache_lock on;
-            # how long should the data be kept in the cache
-            proxy_cache_valid 200 7d;
-            # instruct browser to cache this
-            expires 7d;
-            # headers
-            proxy_ignore_headers "Cache-Control" "X-Accel-Expires" "Expires";
-            add_header X-Cache $upstream_cache_status;
-        }
-    }
-    location / {
-        # only urls to video and audio files are allowed, discard any requested path for other urls
-        rewrite ^/(.*)$ /index.html? break;
-    }
+	location /crossdomain {
+	}
+
+	location /streaming/ {
+		# Live; expiration headers are defined by upstream (nginx/wowza)
+		rewrite ^/(.*)$ /$1? break;
+		proxy_pass {{ source_server }};
+		proxy_cache uc-cache;
+		# do not consider secure urls as new files
+		proxy_cache_key $scheme$proxy_host$uri;
+		# only one request at a time will be allowed to populate a new cache element
+		proxy_cache_lock on;
+		# hide upstream X-Cache header
+		proxy_hide_header X-Cache;
+		# add own X-Cache header
+		add_header X-Cache $upstream_cache_status;
+	}
+	location /resources/ {
+		# VOD
+		location ~ \.(m3u8|ts|mp4|mp3|webm|oga|ogv|ogg|mov|flv)$ {
+			rewrite ^/(.*)$ /$1? break;
+			proxy_pass {{ source_server }};
+			proxy_cache uc-cache;
+			# do not consider secure urls as new files
+			proxy_cache_key $scheme$proxy_host$uri;
+			# only one request at a time will be allowed to populate a new cache element
+			proxy_cache_lock on;
+			# how long should the data be kept in the cache
+			proxy_cache_valid 200 7d;
+			# instruct browser to cache this
+			expires 7d;
+			# headers
+			proxy_ignore_headers "Cache-Control" "X-Accel-Expires" "Expires";
+			add_header X-Cache $upstream_cache_status;
+		}
+	}
+	location / {
+		# only urls to video and audio files are allowed, discard any requested path for other urls
+		rewrite ^/(.*)$ /index.html? break;
+	}
 }

2.Common_services/5.Nginx/vhost_mediaserver-msuser.conf

@@ -10,22 +10,20 @@ map $msuser_whitelist $msuser_allowed {
 server {
 	listen 80;
 	server_name {{ server_name }};
-	
-	#location '/.well-known/acme-challenge' {
-	#	default_type "text/plain";
-	#	root /tmp/letsencrypt;
-	#}
 
-	rewrite ^ https://$host$request_uri? permanent;
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		root /tmp/letsencrypt;
+	}
+	location / {
+		rewrite ^ https://$host$request_uri? permanent;
+	}
 }
 
 server {
 	listen 443 ssl http2;
 	server_name {{ server_name }};
 	root /var/www/msuser;
-	
-	#ssl_certificate /etc/letsencrypt/live/{{ server_name }}/fullchain.pem;
-	#ssl_certificate_key /etc/letsencrypt/live/{{ server_name }}/privkey.pem;
 
 	access_log /var/log/nginx/access_msuser.log;
 	error_log /var/log/nginx/error_msuser.log;

2.Common_services/5.Nginx/vhost_msmonitor.conf

@@ -2,12 +2,13 @@ server {
 	listen 80;
 	server_name {{ server_name }};
 
-	#location '/.well-known/acme-challenge' {
-	#   default_type "text/plain";
-	#   root /tmp/letsencrypt;
-	#}
-
-	rewrite ^ https://$host$request_uri? permanent;
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		root /tmp/letsencrypt;
+	}
+	location / {
+		rewrite ^ https://$host$request_uri? permanent;
+	}
 }
 
 server {
@@ -18,10 +19,6 @@ server {
 	access_log /var/log/nginx/access_msmonitor.log;
 	error_log /var/log/nginx/error_msmonitor.log;
 
-	#ssl_certificate /etc/letsencrypt/live/{{ server_name }}/fullchain.pem;
-	#ssl_certificate_key /etc/letsencrypt/live/{{ server_name }}/privkey.pem;
-
-
 	location /media {
 	}
 	location /static {

2.Common_services/5.Nginx/vhost_skyreach.conf

@@ -2,12 +2,13 @@ server {
 	listen 80;
 	server_name {{ server_name }};
 
-	#location '/.well-known/acme-challenge' {
-	#	default_type "text/plain";
-	#	root /tmp/letsencrypt;
-	#}
-
-	rewrite ^ https://$host$request_uri? permanent;
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		root /tmp/letsencrypt;
+	}
+	location / {
+		rewrite ^ https://$host$request_uri? permanent;
+	}
 }
 
 server {
@@ -18,9 +19,6 @@ server {
 	access_log /var/log/nginx/access_skyreach.log;
 	error_log /var/log/nginx/error_skyreach.log;
 
-	#ssl_certificate /etc/letsencrypt/live/{{ server_name }}/fullchain.pem;
-	#ssl_certificate_key /etc/letsencrypt/live/{{ server_name }}/privkey.pem;
-
 	location /media {
 		alias /home/skyreach/htdocs/skyreach_site/media;
 		expires 30d;

2.Common_services/5.Nginx/vhost_streaming.conf

 server {
 	listen 80;
 	server_name {{ server_name }};
-	rewrite ^ https://$host$request_uri? permanent;
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		root /tmp/letsencrypt;
+	}
+	location / {
+		rewrite ^ https://$host$request_uri? permanent;
+	}
 }
 
 server {

2.Common_services/5.Nginx/vhost_videos.conf

@@ -9,4 +9,9 @@ server {
 	error_log /var/log/nginx/error_videos.log;
 
 	add_header Access-Control-Allow-Origin "*";
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		root /tmp/letsencrypt;
+	}
 }

2.Common_services/7.LetsEncrypt/0_setup.py

+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+import os
+import re
+
+import utils
+
+
+def setup(interactive=True):
+    # Check if a custom SSL certificate is used
+    ssl_conf = '/etc/nginx/conf.d/ssl.conf'
+    if not os.path.exists(ssl_conf):
+        utils.log('The SSL configuration file "%s" does not exist, letsencrypt will not be used.' % ssl_conf)
+        return
+    default_cert = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+    ssl_cert = utils.get_conf('SSL_CERTIFICATE') or default_cert
+    if ssl_cert != default_cert:
+        utils.log('The configuration does not use the default certificate, letsencrypt will not be used.')
+        return
+    # Install certbot
+    cmds = [
+        'apt-get update',
+        'apt-get install -y software-properties-common',
+        'add-apt-repository ppa:certbot/certbot -y',
+        'apt-get update',
+        'apt-get install -y python-certbot',
+    ]
+    utils.run_commands(cmds)
+    # Get system domains
+    domains = list()
+    nginx_dir = '/etc/nginx/sites-enabled'
+    names = os.listdir(nginx_dir)
+    names.sort()
+    for name in names:
+        path = os.path.join(nginx_dir, name)
+        with open(path, 'r') as fo:
+            vhost = fo.read()
+        vhost = vhost.replace('\t', ' ')
+        matching = re.search(r'.*server_name\ +([0-9a-zA-Z\.\-\_\ ]+);.*', vhost)
+        if not matching:
+            print('The server_name was not found in: "%s".' % path)
+            continue
+        for domain in matching.groups()[0].strip().split(' '):
+            domain = domain.strip()
+            if domain and domain != 'localhost' and domain not in domains:
+                domains.append(domain)
+    # Get certificates
+    cmds = [
+        'mkdir -p /tmp/letsencrypt',
+        'chmod 755 /tmp/letsencrypt',
+        'certbot certonly --rsa-key-size 4096 --webroot --webroot-path /tmp/letsencrypt --domains "%s" --email "%s"' % (','.join(domains), utils.get_conf('EMAIL_ADMINS') or 'sysadmin@ubicast.eu'),
+    ]
+    utils.run_commands(cmds)
+    # Update Nginx configuration in ssl.conf
+    ssl_cert = '/etc/letsencrypt/live/%s/fullchain.pem' % domains[0]
+    ssl_key = '/etc/letsencrypt/live/%s/privkey.pem' % domains[0]
+    if not os.path.exists(ssl_cert):
+        raise Exception('The certificate file "%s" does not exist. Was it correclty created by the certbot command ? Has it been moved ? Take a look in "/etc/letsencrypt/live/" to see if it is in it.' % ssl_cert)
+    if not os.path.exists(ssl_key):
+        raise Exception('The key file "%s" does not exist. Was it correclty created by the certbot command ? Has it been moved ? Take a look in "/etc/letsencrypt/live/" to see if it is in it.' % ssl_key)
+    with open(ssl_conf, 'r') as fo:
+        content = fo.read()
+    new_content = content
+    new_content = re.sub(r'ssl_certificate\s+([\w/\-\_\.]+);', 'ssl_certificate %s;' % ssl_cert, new_content)
+    new_content = re.sub(r'ssl_certificate_key\s+([\w/\-\_\.]+);', 'ssl_certificate_key %s;' % ssl_key, new_content)
+    if new_content != content:
+        with open(ssl_conf, 'w') as fo:
+            fo.write(new_content)
+        utils.log('SSL configuration file "%s" updated.' % ssl_conf)
+    else:
+        utils.log('SSL configuration file "%s" already up to date.' % ssl_conf)
+    utils.run_commands(['nginx -t', 'service nginx restart'])

2.Common_services/7.letsencrypt/0_setup.sh

-#!/bin/bash
-# automate letsencrypt certificate generation and authentication
-# Copyright (C) 1993-2993 Hugo Mangeart
-
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-set -ve
-trap "cp /tmp/{mediaserver-msuser.conf,skyreach.conf,msmonitor.conf} /etc/nginx/sites-available/; nginx -t && service nginx reload; exit 255" ERR
-source /root/envsetup/global-conf.sh
-LE_DIR="/etc/letsencrypt/live/"
-
-# GET LETSENCRYPT
-sudo apt-get update
-sudo apt-get install software-properties-common
-sudo add-apt-repository ppa:certbot/certbot -y
-sudo apt-get update
-sudo apt-get install python-certbot-nginx
-
-cd /etc/nginx/sites-available/
-
-# BACKUP
-cp mediaserver-msuser.conf skyreach.conf msmonitor.conf /tmp/
-
-# PREPARE LETSENCRYPT REQUEST STRING
-# ALTER NGINX CONF TO ACCEPT CLEAR HTTP
-# (DEACTIVATE errexit BECAUSE USING FAILING COMMANDS)
-set +e
-DOMAIN_STRING="${MS_SERVER_NAME}" && \
-	sed -i s/rewrite/#rewrite/ mediaserver-msuser.conf
-[ -n "${CM_SERVER_NAME}" ] && \
-	DOMAIN_STRING="${DOMAIN_STRING},${CM_SERVER_NAME}" && \
-	sed -i s/rewrite/#rewrite/ skyreach.conf
-[ -n "${MONITOR_SERVER_NAME}" ] && \
-	DOMAIN_STRING="${DOMAIN_STRING},${MONITOR_SERVER_NAME}" && \
-	sed -i s/rewrite/#rewrite/ msmonitor.conf
-
-set -e
-nginx -t && \
-	service nginx reload
-
-# ASKS FOR CERTS TO LETSENCRYPT
-mkdir -p /tmp/letsencrypt
-certbot certonly \
-	--webroot --webroot-path /tmp/letsencrypt \
-	--domains "${DOMAIN_STRING}" \
-	--email "${EMAIL_ADMINS}" \
-	--rsa-key-size 4096
-
-# RE-REDIRECT HTTP to HTTPS
-sed -i s/#rewrite/rewrite/ mediaserver-msuser.conf skyreach.conf msmonitor.conf
-
-# CHECK CERTS PRESENCE & EDIT NGINX CONFIG
-# (DEACTIVATE errexit BECAUSE USING FAILING COMMANDS)
-set +e
-[ -f ${LE_DIR}/${MS_SERVER_NAME}/fullchain.pem ] && \
-	sed -i s/#ssl_certificate/ssl_certificate/g mediaserver-msuser.conf
-
-[ -f ${LE_DIR}/${CM_SERVER_NAME}/fullchain.pem ] && \
-	sed -i s/#ssl_certificate/ssl_certificate/g skyreach.conf
-
-[ -f ${LE_DIR}/${MONITOR_SERVER_NAME}/fullchain.pem ] && \
-	sed -i s/#ssl_certificate/ssl_certificate/g msmonitor.conf
-
-# RELOAD NGINX IF CONF IS CORRECT
-nginx -t && \
-	service nginx reload
-rm /tmp/{mediaserver-msuser.conf,skyreach.conf,msmonitor.conf}
-cd -