letsencrypt: Add option to let Plinth "manage" certbot's renewal hooks

- add action commands for managing and running hooks - adding template, view and url for managing and running hooks - disable Plinth hook management on domain change
2026-04-29 10:10:19 +00:00 · 2017-07-02 19:11:57 +02:00 · 2017-07-02 19:11:57 +02:00 · 1069f84154
commit 1069f84154
parent 1d4289068a
6 changed files with 334 additions and 6 deletions
--- a/actions/letsencrypt
+++ b/actions/letsencrypt
@ -26,11 +26,17 @@ import os
 import subprocess
 import sys
 import re
 import configobj
 import shutil
 from plinth import action_utils
 from plinth.modules.config import config
 TEST_MODE = False
 LIVE_DIRECTORY = '/etc/letsencrypt/live/'
 RENEWAL_DIRECTORY = '/etc/letsencrypt/renewal/'
 AUTHENTICATOR = 'webroot'
 WEB_ROOT_PATH = '/var/www/html'
 APACHE_PREFIX = '/etc/apache2/sites-available/'
 APACHE_CONFIGURATION = '''
 <IfModule mod_gnutls.c>
@ -91,6 +97,33 @@ def parse_arguments():
    delete_parser.add_argument('--domain', required=True,
                               help='Domain name to delete certificate of')
    help_hooks = 'Plinth management of certificates (for current domain).'
    manage_hook_parser = subparsers.add_parser('manage_hooks', help=help_hooks)
    manage_hook_parser.add_argument('command', help=help_hooks,
                                    choices=('enable', 'disable', 'status'))
    manage_hook_parser.add_argument('--domain',
                                    help='Domain for hook management command.')
    help_domain_arg = 'Domain name to run the hook scripts with.'
    help_module_arg = 'Include hooks from the provided module names.'
    help_pre_hooks = 'Maintenance tasks before a cert is obtained or renewed.'
    run_pre_hooks_parser = subparsers.add_parser('run_pre_hooks',
                                                 help=help_pre_hooks)
    run_pre_hooks_parser.add_argument('--domain', help=help_domain_arg)
    run_pre_hooks_parser.add_argument('--modules', help=help_module_arg)
    help_renew_hooks = 'Maintenance tasks after a cert is actually renewed.'
    run_renew_hooks_parser = subparsers.add_parser('run_renew_hooks',
                                                   help=help_renew_hooks)
    run_renew_hooks_parser.add_argument('--domain', help=help_domain_arg)
    run_renew_hooks_parser.add_argument('--modules', help=help_module_arg)
    help_post_hooks = 'Maintenance tasks after a cert is obtained or renewed.'
    run_post_hooks_parser = subparsers.add_parser('run_post_hooks',
                                                  help=help_post_hooks)
    run_post_hooks_parser.add_argument('--domain', help=help_domain_arg)
    run_post_hooks_parser.add_argument('--modules', help=help_module_arg)
    subparsers.required = True
    return parser.parse_args()
@ -104,7 +137,7 @@ def get_certificate_expiry(domain):
 def get_validity_status(domain):
-    """Return validity status of a certificate, e.g. valid, revoked, expired."""
+    """Return validity status of a certificate, e.g. valid, revoked, expired"""
    output = subprocess.check_output(['certbot', 'certificates', '-d', domain])
    output = output.decode(sys.stdout.encoding)
@ -119,8 +152,11 @@ def get_validity_status(domain):
    return validity
-def subcommand_get_status(_):
+def get_status():
-    """Return a JSON dictionary of currently configured domains."""
+    """
    Return Python dictionary of currently configured domains.
    Should be run as root, otherwise might yield a wrong, empty answer.
    """
    try:
        domains = os.listdir(LIVE_DIRECTORY)
    except OSError:
@ -138,7 +174,12 @@ def subcommand_get_status(_):
            action_utils.webserver_is_enabled(domain, kind='site'),
            'validity': get_validity_status(domain)
        }
    return domain_status
 def subcommand_get_status(_):
    """Print a JSON dictionary of currently configured domains."""
    domain_status = get_status()
    print(json.dumps({'domains': domain_status}))
@ -168,7 +209,7 @@ def subcommand_obtain(arguments):
    command = [
        'certbot', 'certonly', '--text', '--agree-tos',
        '--register-unsafely-without-email', '--domain', arguments.domain,
-        '--authenticator', 'webroot', '--webroot-path', '/var/www/html/',
+        '--authenticator', AUTHENTICATOR, '--webroot-path', WEB_ROOT_PATH,
        '--renew-by-default']
    if TEST_MODE:
        command.append('--staging')
@ -185,6 +226,164 @@ def subcommand_obtain(arguments):
    action_utils.webserver_enable(domain, kind='site')
 def subcommand_manage_hooks(arguments):
    """
    Enable/disable/show status of certbot's pre-, renew-, and post-hooks.
    Command enable only edits current domain, RENEWAL_DIRECTORY/DOMAIN.config,
    and creates a backup beforehand that is restored if disable is called.
    Commands disable and status work without error on any domain string.
    """
    if arguments.command not in ('enable', 'disable', 'status'):
        print('Aborted: Unknown command "%s".' % arguments.command)
        sys.exit(1)
    cmd_is_enable = arguments.command == 'enable'
    current_domain = config.get_domainname()
    if not arguments.domain:
        arguments.domain = current_domain
    if cmd_is_enable:
        if not current_domain:
            print('Aborted: No current domain set.')
            sys.exit(2)
        if not arguments.domain == current_domain:
            print('Aborted: Passed domain (%s) is not current domain (%s).' %
                  (arguments.domain, current_domain))
            sys.exit(3)
        domain_status = get_status()
        if current_domain not in domain_status:
            print('Aborted: Current domain (%s) has no LE certificate.' %
                  current_domain)
            sys.exit(4)
    config_path = RENEWAL_DIRECTORY + arguments.domain + '.conf'
    if not os.path.exists(config_path):
        msg, code = ('Aborted', 5) if cmd_is_enable else ('Disabled', 0)
        print('%s: No certbot config file at %s.' % (msg, config_path))
        sys.exit(code)
    config_certbot = configobj.ConfigObj(config_path)
    if 'renewalparams' not in config_certbot:
        msg, code = ('Aborted', 6) if cmd_is_enable else ('Disabled', 0)
        print('%s: No section [renewalparams] in config file at %s.'
              % (msg, config_path))
        sys.exit(code)
    script_path = os.path.realpath(__file__)
    config_backup_path = config_path + '_plinth_backup'
    call_pre = script_path + ' run_pre_hooks --domain ' + arguments.domain
    call_renew = script_path + ' run_renew_hooks --domain ' + arguments.domain
    call_post = script_path + ' run_post_hooks --domain ' + arguments.domain
    config_plinth = {'renewalparams':
                     {'authenticator': AUTHENTICATOR,
                      'webroot_path': [WEB_ROOT_PATH],
                      'webroot_map': {arguments.domain: WEB_ROOT_PATH},
                      'installer': 'None',
                      'pre_hook': call_pre,
                      'renew_hook': call_renew,
                      'post_hook': call_post}}
    comment_plinth = '# This file was edited by Plinth.'
    config_edited_by_plinth = any(['edited by plinth' in line.lower()
                                   for line in config_certbot.initial_comment])
    if arguments.command == 'status':
        config_checks = [(entry in config_certbot['renewalparams']) and
                         (str(config_plinth['renewalparams'][entry]) in
                          str(config_certbot['renewalparams'][entry]))
                         for entry in config_plinth['renewalparams'].keys()]
        if all(config_checks):
            print('enabled')
        else:
            print('disabled')
    elif arguments.command == 'enable':
        if not config_edited_by_plinth:
            shutil.copy(config_path, config_backup_path)
            config_certbot.initial_comment.append(comment_plinth)
        config_certbot['renewalparams'].update(config_plinth['renewalparams'])
        config_certbot.write()
        print('enabled successfully')
    elif arguments.command == 'disable':
        # if changed, restore from backup; refuse disabling if no backup exists
        if not config_edited_by_plinth:
            print('Disabled: Nothing to do, hook management was not enabled.')
        elif os.path.exists(config_backup_path):
            shutil.move(config_backup_path, config_path)
            print('disabled successfully')
        else:
            print('Aborted: No backup config file at %s.' % config_backup_path)
            sys.exit(7)
    sys.exit(0)
 def subcommand_run_pre_hooks(arguments):
    """
    Execute all needed maintenance tasks BEFORE a cert is obtained/renewed.
    If registered as certbot's pre-hook, this script gets ALWAYS executed when
    certbot attempts a renewal, irrespective of necessity/success (2x per day).
    """
    # Require current domain, to avoid confusion (e.g. call from old cron job).
    if not arguments.domain:
        print('Aborted: You must specify the current domain.')
        sys.exit(1)
    current_domain = config.get_domainname()
    if not arguments.domain == current_domain:
        print('Aborted: Current domain is %s, but called for %s.' %
              (current_domain, arguments.domain))
        sys.exit(2)
    sys.exit(0)
 def subcommand_run_renew_hooks(arguments):
    """
    Execute all needed maintenance tasks when a cert is renewed.
    If registered as certbot's renew-hook, this script gets ONLY executed when
    certbot successfully renewed a certificate; with Debian default config,
    this means it would run about once every 60 days (renewals get executed
    if a cert is <30 days before expiry, and current default is 90 days).
    """
    # Require current domain, to avoid confusion (e.g. call from old cron job).
    if not arguments.domain:
        print('Aborted: You must specify the current domain.')
        sys.exit(1)
    current_domain = config.get_domainname()
    if not arguments.domain == current_domain:
        print('Aborted: Current domain is %s, but called for %s.' %
              (current_domain, arguments.domain))
        sys.exit(2)
    if action_utils.service_is_running('apache2'):
        action_utils.service_restart('apache2')
    sys.exit(0)
 def subcommand_run_post_hooks(arguments):
    """
    Execute all needed maintenance tasks AFTER a cert is obtained/renewed.
    If registered as certbot's post-hook, this script gets ALWAYS executed when
    certbot attempts a renewal, irrespective of necessity/success (2x per day).
    """
    # Require current domain, to avoid confusion (e.g. call from old cron job).
    if not arguments.domain:
        print('Aborted: You must specify the current domain.')
        sys.exit(1)
    current_domain = config.get_domainname()
    if not arguments.domain == current_domain:
        print('Aborted: Current domain is %s, but called for %s.' %
              (current_domain, arguments.domain))
        sys.exit(2)
    sys.exit(0)
 def subcommand_delete(arguments):
    """Disable a domain and delete the certificate."""
    domain = arguments.domain
--- a/plinth/modules/letsencrypt/init.py
+++ b/plinth/modules/letsencrypt/init.py
@ -20,12 +20,13 @@ Plinth module for using Let's Encrypt.
 """
 from django.utils.translation import ugettext_lazy as _
-
+from plinth import actions
 from plinth import action_utils
 from plinth import cfg
 from plinth.menu import main_menu
 from plinth.modules import names
 from plinth.utils import format_lazy
 from plinth.signals import domainname_change
 version = 1
@ -63,6 +64,7 @@ def init():
    menu = main_menu.get('system')
    menu.add_urlname(_('Certificates (Let\'s Encrypt)'),
                     'glyphicon-lock', 'letsencrypt:index')
    domainname_change.connect(on_domainname_change)
 def setup(helper, old_version=None):
@ -82,3 +84,14 @@ def diagnose():
            results.append(action_utils.diagnose_url('https://' + domain))
    return results
 def on_domainname_change(sender, old_domainname, new_domainname, **kwargs):
    """Disable renewal hook management after a domain name change."""
    del sender  # Unused
    del new_domainname  # Unused
    del kwargs  # Unused
    actions.superuser_run('letsencrypt', ['manage_hooks', 'disable',
                                          '--domain', old_domainname],
                          async=True)
--- a/plinth/modules/letsencrypt/templates/letsencrypt.html
+++ b/plinth/modules/letsencrypt/templates/letsencrypt.html
@ -49,7 +49,13 @@
          <tbody>
            {% for domain, domain_status in status.domains.items %}
              <tr>
-                <td>{{ domain }}</td>
+                <td>
                  {% if domain == status.current_domain.name %}
                    <b>{{ domain }}</b>
                  {% else %}
                    {{ domain }}
                  {% endif %}
                </td>
                <td>
                  {% if domain_status.certificate_available and domain_status.validity == "valid" %}
                    <span class="label label-success">
@ -128,6 +134,62 @@
      </div>
    </div>
    <form class="form" method="post"
          action="{% url 'letsencrypt:toggle_hooks' status.current_domain.name %}">
      {% csrf_token %}
      <div class="checkbox">
        <label>
          {% if status.current_domain.name and status.current_domain.has_cert %}
            <input type="checkbox" name="toggle_hooks" id="id_toggle_hooks"
                   {% if status.current_domain.manage_hooks_enabled %}checked{% endif %}
                   onchange="this.form.submit();">
            </input>
            <noscript>
              <button class="btn btn-sm btn-default" type="submit">
                {% trans "Update config" %}</button>
            </noscript>
          {% else %}
            <input type="checkbox" name="toggle_hooks" id="id_toggle_hooks"
                   class="disabled"></input>
            <noscript>
              <button class="btn btn-sm btn-default disabled" type="submit">
                {% trans "Update config" %}</button>
            </noscript>
          {% endif %}
          <span>
            {% if status.current_domain.name %}
              {% blocktrans with current_domain=status.current_domain.name %}
                Let Plinth manage certificate renewal of
                <b>{{ current_domain }}</b> (recommmended)
              {% endblocktrans %}
            {% else %}
              {% blocktrans with current_domain=status.current_domain.name %}
                Let Plinth manage certificate renewal of the current domain (recommmended)
              {% endblocktrans %}
            {% endif %}
          </span>
        </label>
      </div>
      <p class="help-block">
        {% if status.current_domain.name and status.current_domain.has_cert %}
          {% blocktrans trimmed %}
            If {{ box_name }} manages the certificate renewal for the current domain,
            it will ensure that all apps that use the certificate can use it, as soon
            as it gets renewed.
          {% endblocktrans %}
        {% elif not status.current_domain.has_cert %}
          {% blocktrans trimmed %}
            <b>No certificate available for the current domain.</b>
            First obtain a certificate to enable management of its renewal.
          {% endblocktrans %}
        {% else %}
          {% blocktrans trimmed %}
            <b>No current domain is configured.</b>
            First configure a domain to enable management of its certificates.
          {% endblocktrans %}
        {% endif %}
      </p>
    </form>
    {% include "diagnostics_button.html" with module="letsencrypt" enabled=True %}
  {% else %}
    {% blocktrans trimmed %}
--- a/plinth/modules/letsencrypt/urls.py
+++ b/plinth/modules/letsencrypt/urls.py
@ -31,4 +31,6 @@ urlpatterns = [
        name='obtain'),
    url(r'^sys/letsencrypt/delete/(?P<domain>[^/]+)/$', views.delete,
        name='delete'),
    url(r'^sys/letsencrypt/toggle_hooks/(?P<domain>[^/]+)/$',
        views.toggle_hooks, name='toggle_hooks'),
 ]
--- a/plinth/modules/letsencrypt/views.py
+++ b/plinth/modules/letsencrypt/views.py
@ -32,6 +32,7 @@ from plinth import actions
 from plinth.errors import ActionError
 from plinth.modules import letsencrypt
 from plinth.modules import names
 from plinth.modules.config import config
 logger = logging.getLogger(__name__)
@ -69,14 +70,48 @@ def obtain(request, domain):
    """Obtain and install a certificate for a given domain."""
    try:
        actions.superuser_run('letsencrypt', ['obtain', '--domain', domain])
        actions.superuser_run('letsencrypt', ['manage_hooks', 'enable'])
        messages.success(
            request, _('Certificate successfully obtained for domain {domain}')
            .format(domain=domain))
        successful_obtain = True
    except ActionError as exception:
        messages.error(
            request,
            _('Failed to obtain certificate for domain {domain}: {error}')
            .format(domain=domain, error=exception.args[2]))
        successful_obtain = False
    if domain == config.get_domainname() and successful_obtain:
        try:
            actions.superuser_run('letsencrypt', ['manage_hooks', 'enable'])
            messages.success(
                request, _('Certificate management enabled for {domain}.')
                .format(domain=domain))
        except ActionError as exception:
            messages.error(
                request,
                _('Failed to enable certificate management for {domain}: '
                  '{error}')
                .format(domain=domain, error=exception.args[2]))
    return redirect(reverse_lazy('letsencrypt:index'))
@require_POST
 def toggle_hooks(request, domain):
    """Toggle pointing of certbot's hooks to Plinth, for the current domain."""
    subcommand = 'disable' if _hooks_manage_enabled() else 'enable'
    try:
        actions.superuser_run('letsencrypt', ['manage_hooks', subcommand])
        messages.success(
            request, _('Certificate management changed for domain {domain}')
            .format(domain=domain))
    except ActionError as exception:
        messages.error(
            request,
            _('Failed to switch certificate management for {domain}: {error}')
            .format(domain=domain, error=exception.args[2]))
    return redirect(reverse_lazy('letsencrypt:index'))
@ -102,6 +137,12 @@ def get_status():
    """Get the current settings."""
    status = actions.superuser_run('letsencrypt', ['get-status'])
    status = json.loads(status)
    curr_dom = config.get_domainname()
    current_domain = {'name': curr_dom,
                      'has_cert': curr_dom in status['domains'] and
                      status['domains'][curr_dom]['certificate_available'],
                      'manage_hooks_enabled': _hooks_manage_enabled()}
    status['current_domain'] = current_domain
    for domain_type, domains in names.domains.items():
        # XXX: Remove when Let's Encrypt supports .onion addresses
@ -112,3 +153,13 @@ def get_status():
            status['domains'].setdefault(domain, {})
    return status
 def _hooks_manage_enabled():
        """Return status of hook management for current domain."""
        try:
            output = actions.superuser_run('letsencrypt',
                                           ['manage_hooks', 'status'])
        except ActionError:
            return False
        return output.strip() == 'enabled'
--- a/requirements.txt
+++ b/requirements.txt
@ -6,3 +6,4 @@ psutil
 python-apt
 python-augeas
 ruamel.yaml
 configobj