From 68e6d6cb23fffaaf4e386c484f91c444475cf725 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Fri, 27 Sep 2019 14:03:39 +0200
Subject: [PATCH] improve hooks maintainability
---
 certbot/files/hooks/apache.sh | 46 ++++++++++------
 certbot/files/hooks/commit-etc.sh | 42 ++++++++-------
 certbot/files/hooks/dovecot.sh | 46 ++++++++++------
 certbot/files/hooks/haproxy.sh | 90 ++++++++++++++++++-------------
 certbot/files/hooks/nginx.sh | 46 ++++++++++------
 certbot/files/hooks/postfix.sh | 46 ++++++++++------
 certbot/tasks/acme-challenge.yml | 2 +-
 7 files changed, 194 insertions(+), 124 deletions(-)
diff --git a/certbot/files/hooks/apache.sh b/certbot/files/hooks/apache.sh
index 9692c3c5..1235a23e 100644
--- a/certbot/files/hooks/apache.sh
+++ b/certbot/files/hooks/apache.sh
@@ -1,9 +1,5 @@
 #!/bin/sh
-readonly PROGNAME=$(basename "$0")
-readonly VERBOSE=${VERBOSE:-"0"}
-readonly QUIET=${QUIET:-"0"}
-
 error() {
 >&2 echo "${PROGNAME}: $1"
 exit 1
@@ -13,20 +9,36 @@ debug() {
 >&2 echo "${PROGNAME}: $1"
 fi
 }
-
-apache2ctl_bin=$(command -v apache2ctl)
-
-if [ -n "$(pidof apache2)" ] && [ -n "${apache2ctl_bin}" ]; then
- if grep -q -r -E "letsencrypt" /etc/apache2/; then
- if ${apache2ctl_bin} configtest > /dev/null 2>&1; then
- debug "Apache detected... reloading"
- systemctl reload apache2
+daemon_found_and_running() {
+ test -n "$(pidof apache2)" && test -n "${apache2ctl_bin}"
+}
+config_check() {
+ ${apache2ctl_bin} configtest > /dev/null 2>&1
+}
+letsencrypt_used() {
+ grep -q -r -E "letsencrypt" /etc/apache2/
+}
+main() {
+ if daemon_found_and_running; then
+ if letsencrypt_used; then
+ if config_check; then
+ debug "Apache detected... reloading"
+ systemctl reload apache2
+ else
+ error "Apache config is broken, you must fix it !"
+ fi
 else
- error "Apache config is broken, you must fix it !"
+ debug "Apache doesn't use Let's Encrypt certificate. Skip."
 fi
 else
- debug "Apache doesn't use Let's Encrypt certificate. Skip."
+ debug "Apache is not running or missing. Skip."
 fi
-else
- debug "Apache is not running or missing. Skip."
-fi
+}
+
+readonly PROGNAME=$(basename "$0")
+readonly VERBOSE=${VERBOSE:-"0"}
+readonly QUIET=${QUIET:-"0"}
+
+readonly apache2ctl_bin=$(command -v apache2ctl)
+
+main
diff --git a/certbot/files/hooks/commit-etc.sh b/certbot/files/hooks/commit-etc.sh
index 970fa81b..f55b253c 100644
--- a/certbot/files/hooks/commit-etc.sh
+++ b/certbot/files/hooks/commit-etc.sh
@@ -1,9 +1,5 @@
 #!/bin/sh
-readonly PROGNAME=$(basename "$0")
-readonly VERBOSE=${VERBOSE:-"0"}
-readonly QUIET=${QUIET:-"0"}
-
 error() {
 >&2 echo "${PROGNAME}: $1"
 exit 1
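Review bot: `config_check` throws away the syntax checker's output (`${apache2ctl_bin} configtest > /dev/null 2>&1`), so the `error "Apache config is broken, you must fix it !"` branch in `main` tells the operator the config is broken without the line apache2ctl printed about it; the `config_check` helpers in the dovecot.sh, haproxy.sh, nginx.sh and postfix.sh hunks have the same shape. Capturing the diagnostics keeps the quiet happy path and makes the failure actionable from certbot's log: `config_check() { config_output=$(${apache2ctl_bin} configtest 2>&1); }` together with `error "Apache config is broken, you must fix it ! ${config_output}"` (in POSIX sh the assignment inside the function is global, so `main` can read it, and the function's status is still that of the command). `readonly apache2ctl_bin=$(command -v apache2ctl)` also hides the exit status of `command -v` (ShellCheck SC2155); that is harmless here because `daemon_found_and_running` tests the value for emptiness, but a short comment saying so would save the next reader the question.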
@@ -13,21 +9,29 @@ debug() {
 >&2 echo "${PROGNAME}: $1"
 fi
 }
+main() {
+ export GIT_DIR="/etc/.git"
+ export GIT_WORK_TREE="/etc"
-git_bin=$(command -v git)
-letsencrypt_dir=/etc/letsencrypt
-export GIT_DIR="/etc/.git"
-export GIT_WORK_TREE="/etc"
+ if test -x "${git_bin}" && test -d "${GIT_DIR}" && test -d "${GIT_WORK_TREE}"; then
+ changed_lines=$(${git_bin} status --porcelain -- ${letsencrypt_dir} | wc -l | tr -d ' ')
-if test -x "${git_bin}" && test -d "${GIT_DIR}" && test -d "${GIT_WORK_TREE}"; then
- changed_lines=$(${git_bin} status --porcelain -- ${letsencrypt_dir} | wc -l | tr -d ' ')
+ if [ "${changed_lines}" != "0" ]; then
+ debug "Committing for ${RENEWED_DOMAINS}"
+ ${git_bin} add --all ${letsencrypt_dir}
+ message="[letsencrypt] certificates renewal (${RENEWED_DOMAINS})"
+ ${git_bin} commit --message "${message}" --quiet
+ else
+ error "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"
+ fi
+ fi
+}
- if [ "${changed_lines}" != "0" ]; then
- debug "Committing for ${RENEWED_DOMAINS}"
- ${git_bin} add --all ${letsencrypt_dir}
- message="[letsencrypt] certificates renewal (${RENEWED_DOMAINS})"
- ${git_bin} commit --message "${message}" --quiet
- else
- error "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"
- fi
-fi
+readonly PROGNAME=$(basename "$0")
+readonly VERBOSE=${VERBOSE:-"0"}
+readonly QUIET=${QUIET:-"0"}
+
+readonly git_bin=$(command -v git)
+readonly letsencrypt_dir=/etc/letsencrypt
+
+main
diff --git a/certbot/files/hooks/dovecot.sh b/certbot/files/hooks/dovecot.sh
index 49ec9bb5..56e5b5ae 100644
--- a/certbot/files/hooks/dovecot.sh
+++ b/certbot/files/hooks/dovecot.sh
@@ -1,9 +1,5 @@
 #!/bin/sh
-readonly PROGNAME=$(basename "$0")
-readonly VERBOSE=${VERBOSE:-"0"}
-readonly QUIET=${QUIET:-"0"}
-
 error() {
 >&2 echo "${PROGNAME}: $1"
 exit 1
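Review bot: `main` stages and commits everything under `${letsencrypt_dir}` (`${git_bin} add --all ${letsencrypt_dir}`), which presumably includes the renewed private keys under `/etc/letsencrypt`, and nothing in the hook states that `/etc/.git` therefore holds key material; a header comment such as `# Commits /etc/letsencrypt (certificates and, presumably, private keys) into /etc/.git; keep that repository root-only and do not push it to a shared remote.` would make the trust boundary explicit for whoever maintains the repository. The unquoted `${letsencrypt_dir}` on the `status` and `add` lines is safe with the constant `/etc/letsencrypt` but trips ShellCheck SC2086; quoting it as `"${letsencrypt_dir}"` costs nothing. `main` also exits through `error` when `git status` reports no change, which turns a no-op renewal into a failed hook from certbot's point of view; if that is meant as a canary, it deserves a one-line comment saying so.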
@@ -13,20 +9,36 @@ debug() {
 >&2 echo "${PROGNAME}: $1"
 fi
 }
-
-doveconf_bin=$(command -v doveconf)
-
-if [ -n "$(pidof dovecot)" ] && [ -n "${doveconf_bin}" ]; then
- if ${doveconf_bin} | grep -E "^ssl_cert[^_]" | grep -q "letsencrypt"; then
- if ${doveconf_bin} > /dev/null 2>&1; then
- debug "Dovecot detected... reloading"
- systemctl reload dovecot
+daemon_found_and_running() {
+ test -n "$(pidof dovecot)" && test -n "${doveconf_bin}"
+}
+config_check() {
+ ${doveconf_bin} > /dev/null 2>&1
+}
+letsencrypt_used() {
+ ${doveconf_bin} | grep -E "^ssl_cert[^_]" | grep -q "letsencrypt"
+}
+main() {
+ if daemon_found_and_running; then
+ if letsencrypt_used; then
+ if config_check; then
+ debug "Dovecot detected... reloading"
+ systemctl reload dovecot
+ else
+ error "Dovecot config is broken, you must fix it !"
+ fi
 else
- error "Dovecot config is broken, you must fix it !"
+ debug "Dovecot doesn't use Let's Encrypt certificate. Skip."
 fi
 else
- debug "Dovecot doesn't use Let's Encrypt certificate. Skip."
+ debug "Dovecot is not running or missing. Skip."
 fi
-else
- debug "Dovecot is not running or missing. Skip."
-fi
+}
+
+readonly PROGNAME=$(basename "$0")
+readonly VERBOSE=${VERBOSE:-"0"}
+readonly QUIET=${QUIET:-"0"}
+
+readonly doveconf_bin=$(command -v doveconf)
+
+main
diff --git a/certbot/files/hooks/haproxy.sh b/certbot/files/hooks/haproxy.sh
index 1e99cc88..63ef6990 100644
--- a/certbot/files/hooks/haproxy.sh
+++ b/certbot/files/hooks/haproxy.sh
@@ -1,9 +1,5 @@
 #!/bin/sh
-readonly PROGNAME=$(basename "$0")
-readonly VERBOSE=${VERBOSE:-"0"}
-readonly QUIET=${QUIET:-"0"}
-
 error() {
 >&2 echo "${PROGNAME}: $1"
 exit 1
@@ -13,45 +9,67 @@ debug() {
 >&2 echo "${PROGNAME}: $1"
 fi
 }
+daemon_found_and_running() {
+ test -n "$(pidof haproxy)" && test -n "${haproxy_bin}"
+}
+found_renewed_lineage() {
+ test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
+}
+config_check() {
+ ${haproxy_bin} -c -f /etc/haproxy/haproxy.cfg > /dev/null 2>&1
+}
+concat_files() {
+ # shellcheck disable=SC2174
+ mkdir --mode=700 --parents "${haproxy_cert_dir}"
+ chown root: "${haproxy_cert_dir}"
-if [ -z "${RENEWED_LINEAGE}" ]; then
- error "This script must be called only by certbot!"
-fi
+ debug "Concatenating certificate files to ${haproxy_cert_file}"
+ cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}"
+ chmod 600 "${haproxy_cert_file}"
+ chown root: "${haproxy_cert_file}"
+}
+cert_and_key_mismatch() {
+ haproxy_cert_md5=$(openssl x509 -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
+ haproxy_key_md5=$(openssl rsa -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
-haproxy_bin=$(command -v haproxy)
-haproxy_cert_dir="/etc/ssl/haproxy/"
+ test "${haproxy_cert_md5}" != "${haproxy_key_md5}"
+}
+main() {
+ if [ -z "${RENEWED_LINEAGE}" ]; then
+ error "This script must be called only by certbot!"
+ fi
-if [ -n "$(pidof haproxy)" ] && [ -n "${haproxy_bin}" ]; then
- if [ -f "${RENEWED_LINEAGE}/fullchain.pem" ] && [ -f "${RENEWED_LINEAGE}/privkey.pem" ]; then
- haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem"
- failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
+ if daemon_found_and_running; then
+ if found_renewed_lineage; then
+ haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem"
+ failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
- # shellcheck disable=SC2174
- mkdir --mode=700 --parents "${haproxy_cert_dir}"
- chown root: "${haproxy_cert_dir}"
+ concat_files
- debug "Concatenating certificate files to ${haproxy_cert_file}"
- cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}"
- chmod 600 "${haproxy_cert_file}"
- chown root: "${haproxy_cert_file}"
+ if cert_and_key_mismatch; then
+ mv "${haproxy_cert_file}" "${failed_cert_file}"
+ error "Key and cert don't match, we moved the file to ${failed_cert_file} for inspection"
+ fi
- haproxy_cert_md5=$(openssl x509 -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
- haproxy_key_md5=$(openssl rsa -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
-
- if [ "${haproxy_cert_md5}" != "${haproxy_key_md5}" ]; then
- mv "${haproxy_cert_file}" "${failed_cert_file}"
- error "Key and cert don't match, we moved the file to ${failed_cert_file} for inspection"
- fi
-
- if ${haproxy_bin} -c -f /etc/haproxy/haproxy.cfg > /dev/null 2>&1; then
- debug "HAProxy detected... reloading"
- systemctl reload apache2
+ if config_check; then
+ debug "HAProxy detected... reloading"
+ systemctl reload apache2
+ else
+ error "HAProxy config is broken, you must fix it !"
+ fi
 else
- error "HAProxy config is broken, you must fix it !"
+ error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem"
 fi
 else
- error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem"
+ debug "HAProxy is not running or missing. Skip."
 fi
-else
- debug "HAProxy is not running or missing. Skip."
-fi
+}
+
+readonly PROGNAME=$(basename "$0")
+readonly VERBOSE=${VERBOSE:-"0"}
+readonly QUIET=${QUIET:-"0"}
+
+readonly haproxy_bin=$(command -v haproxy)
+readonly haproxy_cert_dir="/etc/ssl/haproxy"
+
+main
diff --git a/certbot/files/hooks/nginx.sh b/certbot/files/hooks/nginx.sh
index aafbedd3..2a1d27e9 100644
--- a/certbot/files/hooks/nginx.sh
+++ b/certbot/files/hooks/nginx.sh
@@ -1,9 +1,5 @@
 #!/bin/sh
-readonly PROGNAME=$(basename "$0")
-readonly VERBOSE=${VERBOSE:-"0"}
-readonly QUIET=${QUIET:-"0"}
-
 error() {
 >&2 echo "${PROGNAME}: $1"
 exit 1
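Review bot: `main` still reloads the wrong service after a successful `config_check`: the line `systemctl reload apache2` under `debug "HAProxy detected... reloading"` has to be `systemctl reload haproxy`, otherwise the freshly written `${haproxy_cert_file}` is never picked up by HAProxy (and the hook reloads Apache on a host where it may not even be the relevant daemon). In `concat_files` the combined cert+key file is created by `cat ... > "${haproxy_cert_file}"` under whatever umask the hook inherited and only then tightened with `chmod 600`; writing it as `(umask 077; cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}")` closes that window without changing anything else. `cert_and_key_mismatch` compares an RSA modulus (`openssl rsa -noout -modulus`), so a lineage with an ECDSA key would presumably fail that check and be moved to `${failed_cert_file}`; if only RSA lineages are expected, a comment on the function saying so is worth adding.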
@@ -13,20 +9,36 @@ debug() {
 >&2 echo "${PROGNAME}: $1"
 fi
 }
-
-nginx_bin=$(command -v nginx)
-
-if [ -n "$(pidof nginx)" ] && [ -n "${nginx_bin}" ]; then
- if grep -q --dereference-recursive -E "letsencrypt" /etc/nginx/sites-enabled; then
- if ${nginx_bin} -t > /dev/null 2>&1; then
- debug "Nginx detected... reloading"
- systemctl reload nginx
+daemon_found_and_running() {
+ test -n "$(pidof nginx)" && test -n "${nginx_bin}"
+}
+config_check() {
+ ${nginx_bin} -t > /dev/null 2>&1
+}
+letsencrypt_used() {
+ grep -q --dereference-recursive -E "letsencrypt" /etc/nginx/sites-enabled
+}
+main() {
+ if daemon_found_and_running; then
+ if letsencrypt_used; then
+ if config_check; then
+ debug "Nginx detected... reloading"
+ systemctl reload nginx
+ else
+ error "Nginx config is broken, you must fix it !"
+ fi
 else
- error "Nginx config is broken, you must fix it !"
+ debug "Nginx doesn't use Let's Encrypt certificate. Skip."
 fi
 else
- debug "Nginx doesn't use Let's Encrypt certificate. Skip."
+ debug "Nginx is not running or missing. Skip."
 fi
-else
- debug "Nginx is not running or missing. Skip."
-fi
+}
+
+readonly PROGNAME=$(basename "$0")
+readonly VERBOSE=${VERBOSE:-"0"}
+readonly QUIET=${QUIET:-"0"}
+
+readonly nginx_bin=$(command -v nginx)
+
+main
diff --git a/certbot/files/hooks/postfix.sh b/certbot/files/hooks/postfix.sh
index 3a9b3b3d..de6a4b7c 100644
--- a/certbot/files/hooks/postfix.sh
+++ b/certbot/files/hooks/postfix.sh
@@ -1,9 +1,5 @@
 #!/bin/sh
-readonly PROGNAME=$(basename "$0")
-readonly VERBOSE=${VERBOSE:-"0"}
-readonly QUIET=${QUIET:-"0"}
-
 error() {
 >&2 echo "${PROGNAME}: $1"
 exit 1
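Review bot: `letsencrypt_used` only greps `/etc/nginx/sites-enabled`, so a server block that lives in `/etc/nginx/conf.d` or directly in `nginx.conf` and references a Let's Encrypt certificate would presumably send `main` down the `debug "Nginx doesn't use Let's Encrypt certificate. Skip."` branch and leave nginx serving the old certificate until something else restarts it. Asking nginx for its effective configuration covers every included file regardless of layout: `letsencrypt_used() { ${nginx_bin} -T 2>/dev/null | grep -q "letsencrypt"; }`. Note that `nginx -T` also fails on a broken configuration, so with that change a broken config would be reported as "doesn't use Let's Encrypt" instead of reaching `config_check`; calling `config_check` before `letsencrypt_used` in `main` keeps the error message accurate.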
@@ -13,20 +9,36 @@ debug() {
 >&2 echo "${PROGNAME}: $1"
 fi
 }
-
-postconf_bin=$(command -v postconf)
-
-if [ -n "$(pidof master)" ] && [ -n "${postconf_bin}" ]; then
- if ${postconf_bin} | grep -E "^smtpd_tls_cert_file" | grep -q "letsencrypt"; then
- if ${postconf_bin} > /dev/null 2>&1; then
- debug "Postfix detected... reloading"
- systemctl reload postfix
+daemon_found_and_running() {
+ test -n "$(pidof master)" && test -n "${postconf_bin}"
+}
+config_check() {
+ ${postconf_bin} > /dev/null 2>&1
+}
+letsencrypt_used() {
+ ${postconf_bin} | grep -E "^smtpd_tls_cert_file" | grep -q "letsencrypt"
+}
+main() {
+ if daemon_found_and_running; then
+ if letsencrypt_used; then
+ if config_check; then
+ debug "Postfix detected... reloading"
+ systemctl reload postfix
+ else
+ error "Postfix config is broken, you must fix it !"
+ fi
 else
- error "Postfix config is broken, you must fix it !"
+ debug "Postfix doesn't use Let's Encrypt certificate. Skip."
 fi
 else
- debug "Postfix doesn't use Let's Encrypt certificate. Skip."
+ debug "Postfix is not running or missing. Skip."
 fi
-else
- debug "Postfix is not running or missing. Skip."
-fi
+}
+
+readonly PROGNAME=$(basename "$0")
+readonly VERBOSE=${VERBOSE:-"0"}
+readonly QUIET=${QUIET:-"0"}
+
+readonly postconf_bin=$(command -v postconf)
+
+main
diff --git a/certbot/tasks/acme-challenge.yml b/certbot/tasks/acme-challenge.yml
index 467b4606..d2fa78ec 100644
--- a/certbot/tasks/acme-challenge.yml
+++ b/certbot/tasks/acme-challenge.yml
@@ -46,5 +46,5 @@ - name: ACME challenge for HAProxy is installed debug: - msg: "ACME challenge configuration for HAProxy should be configured manually" + msg: "ACME challenge configuration for HAProxy must be configured manually" when: is_haproxy.stat.exists
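Review bot: `letsencrypt_used` only inspects `smtpd_tls_cert_file`, so a Postfix configured through `smtpd_tls_chain_files` (the combined key+certificate parameter available from Postfix 3.4 on) would presumably be skipped with `debug "Postfix doesn't use Let's Encrypt certificate. Skip."` even though it serves a Let's Encrypt certificate; asking postconf for both parameters covers both layouts: `${postconf_bin} smtpd_tls_cert_file smtpd_tls_chain_files | grep -q "letsencrypt"`. `daemon_found_and_running` also keys on `pidof master`, which matches any process named `master`, not only Postfix's; since the hook already relies on systemd for the reload, `systemctl is-active --quiet postfix` is the more specific test. Whichever of the two is kept, a one-line comment on `daemon_found_and_running` explaining why `master` (rather than `postfix`) is the process name to look for would help the next reader.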