letsencrypt_webfaction 2.2.3 → 3.0.0

data/lib/letsencrypt_webfaction/application/init.rb

@@ -0,0 +1,55 @@
+require 'letsencrypt_webfaction/options'
+
+require 'pathname'
+require 'fileutils'
+require 'openssl'
+
+module LetsencryptWebfaction
+  module Application
+    class Init
+      def initialize(_); end # rubocop:disable Naming/UncommunicativeMethodParamName
+
+      def run!
+        copy_config_file
+        create_private_key
+        output_next_steps
+        # TODO: Create crontab entry
+        # TODO: Make sure that configuration file has a "this has been configured" flag
+        # TODO: Add a bash binary type thingy
+        # TODO: Add an installer command?
+      end
+
+      private
+
+      def copy_config_file
+        source = File.expand_path(File.join(__dir__, '../../../templates/letsencrypt_webfaction.toml'))
+        if Options.default_options_path.exist?
+          puts 'Config file already exists. Skipping copy...'
+        else
+          FileUtils.cp(source, Dir.home)
+          puts 'Copied configuration file'
+        end
+      end
+
+      def create_private_key
+        # Create config dir.
+        FileUtils.mkdir_p(Options.default_config_path)
+
+        key_path = Options.default_config_path.join('account_key.pem')
+        if key_path.exist?
+          puts 'Account private key already exists. Skipping generation...'
+        else
+          # Create private key
+          # TODO: Make key size configurable.
+          private_key = OpenSSL::PKey::RSA.new(4096)
+          Options.default_config_path.join('account_key.pem').write(private_key.to_pem)
+          puts 'Generated and stored account private key'
+        end
+      end
+
+      def output_next_steps
+        puts 'Your system is set up. Next, edit the config file: run `nano ~/letsencrypt_webfaction.yml`.'
+      end
+    end
+  end
+end

data/lib/letsencrypt_webfaction/application/run.rb

@@ -0,0 +1,133 @@
+require 'letsencrypt_webfaction/options'
+require 'letsencrypt_webfaction/errors'
+require 'letsencrypt_webfaction/webfaction_api_credentials'
+require 'letsencrypt_webfaction/certificate_issuer'
+require 'letsencrypt_webfaction/logger_output'
+
+require 'acme-client'
+require 'optparse'
+
+module LetsencryptWebfaction
+  module Application
+    class Run
+      RENEWAL_DELTA = 14 # days
+
+      def initialize(args)
+        parse_quiet(args)
+
+        # TODO: args should be supported: --config
+        unless Options.default_options_path.exist?
+          $stderr.puts 'The configuration file is missing.'
+          $stderr.puts 'You may need to run `letsencrypt_webfaction init`'
+          raise AppExitError, 'config missing'
+        end
+        @options = LetsencryptWebfaction::Options.from_toml(Options.default_options_path)
+      end
+
+      def run!
+        validate_options
+
+        # Check credentials
+        unless api_credentials.valid?
+          $stderr.puts 'WebFaction API username, password, and/or servername are incorrect. Login failed.'
+          raise AppExitError, 'WebFaction credentials failed'
+        end
+
+        register_key
+
+        process_certs
+      end
+
+      private
+
+      def parse_quiet(args)
+        OptionParser.new do |opts|
+          opts.banner = 'Usage: letsencrypt_webfaction run [options]'
+
+          opts.on('--quiet', 'Run with minimal output (useful for cron)') do |q|
+            Out.quiet = q
+          end
+        end.parse!(args)
+      end
+
+      def process_certs # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+        wf_cert_list = api_credentials.call('list_certificates')
+        @options.certificates.each do |cert|
+          wf_cert = wf_cert_list.find { |c| c['name'] == cert.cert_name }
+          if wf_cert.nil?
+            # Issue because nonexistent
+            Out.puts "Issuing #{cert.cert_name} for the first time."
+          elsif wf_cert['domains'].split(',').map(&:strip).sort == cert.domains.sort
+            days_remaining = (Date.parse(wf_cert['expiry_date']) - Date.today).to_i
+            if days_remaining < RENEWAL_DELTA
+              # Renew because nearing expiration
+              Out.puts "#{days_remaining} days until expiration of #{cert.cert_name}. Renewing..."
+            else
+              # Ignore because active
+              Out.puts "#{days_remaining} days until expiration of #{cert.cert_name}. Skipping..."
+              next
+            end
+          else
+            # Reissue because different
+            Out.puts "Reissuing #{cert.cert_name} due to a change in the domain list."
+          end
+
+          CertificateIssuer.new(certificate: cert, api_credentials: api_credentials, client: client).call
+        end
+      end
+
+      def api_credentials
+        @_api_credentials ||= LetsencryptWebfaction::WebfactionApiCredentials.new username: @options.username, password: @options.password, servername: @options.servername, api_server: @options.api_url
+      end
+
+      def validate_options # rubocop:disable Metrics/MethodLength
+        return if @options.valid?
+        $stderr.puts 'The configuration file has an error:'
+        @options.errors.each do |field, error|
+          case error
+          when String
+            print_error(field, error)
+          when Array
+            error.each { |inner_field, inner_err| print_error("#{field} #{inner_field}", inner_err) }
+          else
+            # :nocov:
+            raise 'Unexpected internal error type'
+            # :nocov:
+          end
+        end
+        raise AppExitError, 'config invalid'
+      end
+
+      def print_error(field, error)
+        $stderr.puts "#{field} #{error}"
+      end
+
+      def private_key
+        @_private_key ||= begin
+          key_path = Options.default_config_path.join('account_key.pem')
+          unless key_path.exist?
+            $stderr.puts 'Account key missing'
+            raise AppExitError, 'Account key missing'
+          end
+          OpenSSL::PKey::RSA.new(Options.default_config_path.join('account_key.pem').read)
+        end
+      end
+
+      def client
+        @_client ||= Acme::Client.new(private_key: private_key, endpoint: @options.endpoint)
+      end
+
+      def register_key
+        # If the private key is not known to the server, we need to register it for the first time.
+        registration = client.register(contact: "mailto:#{@options.letsencrypt_account_email}")
+
+        # You'll may need to agree to the term (that's up the to the server to require it or not but boulder does by default)
+        registration.agree_terms
+      rescue Acme::Client::Error::Malformed => e
+        # Stupid hack if the registration already exists.
+        return if e.message == 'Registration key is already in use'
+        raise
+      end
+    end
+  end
+end

data/lib/letsencrypt_webfaction/certificate_installer.rb

@@ -2,8 +2,6 @@ require 'xmlrpc/client'
 
 module LetsencryptWebfaction
   class CertificateInstaller
-    WEBFACTION_API_VERSION = 2
-
     def initialize(cert_name, certificate, credentials)
       @cert_name = cert_name
       @certificate = certificate

data/lib/letsencrypt_webfaction/certificate_issuer.rb

@@ -0,0 +1,52 @@
+require 'acme-client'
+require 'letsencrypt_webfaction/domain_validator'
+require 'letsencrypt_webfaction/certificate_installer'
+
+module LetsencryptWebfaction
+  class CertificateIssuer
+    def initialize(certificate:, api_credentials:, client:)
+      @cert_config = certificate
+      @api_credentials = api_credentials
+      @client = client
+    end
+
+    def call
+      # Validate the domains.
+      return unless validator.validate!
+
+      # Write the obtained certificates.
+      certificate_installer.install!
+
+      output_success_help
+    end
+
+    private
+
+    def validator
+      @_validator ||= LetsencryptWebfaction::DomainValidator.new @cert_config.domains, @client, @cert_config.public_dirs
+    end
+
+    def certificate_installer
+      @_certificate_installer ||= LetsencryptWebfaction::CertificateInstaller.new(@cert_config.cert_name, certificate, @api_credentials)
+    end
+
+    def certificate
+      # We can now request a certificate, you can pass anything that returns
+      # a valid DER encoded CSR when calling to_der on it, for example a
+      # OpenSSL::X509::Request too.
+      @_certificate ||= @client.new_certificate(csr)
+    end
+
+    def csr
+      # We're going to need a certificate signing request. If not explicitly
+      # specified, the first name listed becomes the common name.
+      @_csr ||= Acme::Client::CertificateRequest.new(names: @cert_config.domains)
+    end
+
+    def output_success_help
+      Out.puts 'Your new certificate is now created and installed.'
+      Out.puts "You will need to change your application to use the #{@cert_config.cert_name} certificate."
+      Out.puts 'Add the `--quiet` parameter in your cron task to remove this message.'
+    end
+  end
+end

data/lib/letsencrypt_webfaction/domain_validator.rb

@@ -66,7 +66,7 @@ module LetsencryptWebfaction
         @challenge = challenge
       end
 
-      def print_error
+      def print_error # rubocop:disable Metrics/MethodLength
         case @challenge.authorization.verify_status
         when 'valid'
           $stderr.puts "#{@domain}: Success"

data/lib/letsencrypt_webfaction/errors.rb

@@ -0,0 +1,5 @@
+module LetsencryptWebfaction
+  class Error < StandardError; end
+  class InvalidConfigValueError < Error; end
+  class AppExitError < Error; end
+end

data/lib/letsencrypt_webfaction/logger_output.rb

@@ -0,0 +1,14 @@
+module LetsencryptWebfaction
+  class LoggerOutput
+    attr_accessor :quiet
+    def initialize(quiet: false)
+      @quiet = quiet
+    end
+
+    def puts(msg)
+      Kernel.puts msg unless @quiet
+    end
+  end
+
+  Out = LoggerOutput.new
+end

data/lib/letsencrypt_webfaction/options.rb

@@ -0,0 +1,72 @@
+require 'toml-rb'
+require 'socket'
+
+require 'letsencrypt_webfaction/options/certificate'
+
+module LetsencryptWebfaction
+  class Options
+    NON_BLANK_FIELDS = %i[username password letsencrypt_account_email endpoint api_url servername].freeze
+
+    WEBFACTION_API_URL = 'https://api.webfaction.com/'.freeze
+
+    def initialize(args)
+      @config = args
+      # Fetch options
+      # Validate options
+    end
+
+    def self.from_toml(path)
+      new TomlRB.parse(path.read)
+    end
+
+    def self.default_options_path
+      Pathname.new(Dir.home).join('letsencrypt_webfaction.toml')
+    end
+
+    def self.default_config_path
+      Pathname.new(Dir.home).join('.config', 'letsencrypt_webfaction')
+    end
+
+    def username
+      @config['username']
+    end
+
+    def password
+      @config['password']
+    end
+
+    def letsencrypt_account_email
+      @config['letsencrypt_account_email']
+    end
+
+    def endpoint
+      @config['endpoint']
+    end
+
+    def api_url
+      @config['api_url'] || WEBFACTION_API_URL
+    end
+
+    def servername
+      @config['servername'] || Socket.gethostname.split('.')[0].sub(/^./, &:upcase)
+    end
+
+    def certificates
+      @_certs ||= @config['certificate'].map { |cert| Certificate.new(cert) }
+    end
+
+    def errors
+      {}.tap do |e|
+        NON_BLANK_FIELDS.each do |field|
+          e[field] = "can't be blank" if public_send(field).nil? || public_send(field) == ''
+        end
+        cert_errors = certificates.map(&:errors).reject(&:empty?)
+        e[:certificate] = cert_errors if cert_errors.any?
+      end
+    end
+
+    def valid?
+      errors.none?
+    end
+  end
+end

data/lib/letsencrypt_webfaction/options/certificate.rb

@@ -0,0 +1,50 @@
+module LetsencryptWebfaction
+  class Options
+    class Certificate
+      SUPPORTED_VALIDATION_METHODS = ['http01'].freeze
+      VALID_CERT_NAME = /[^a-zA-Z\d_]/
+      VALID_KEY_SIZES = [2048, 4096].freeze
+
+      def initialize(args)
+        @args = args
+      end
+
+      def domains
+        return [] if @args['domains'].nil? || @args['domains'] == ''
+        Array(@args['domains'])
+      end
+
+      def validation_method
+        @args['method'] || 'http01'
+      end
+
+      def public_dirs
+        return [] if @args['public'].nil? || @args['public'] == ''
+        Array(@args['public'])
+      end
+
+      def cert_name
+        if @args['name'].nil? && domains.any?
+          domains[0].gsub(VALID_CERT_NAME, '_')
+        else
+          @args['name']
+        end
+      end
+
+      def key_size
+        @args['key_size'] || 4096
+      end
+
+      def errors # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+        {}.tap do |e|
+          e[:domains] = "can't be empty" if domains.none?
+          e[:method] = 'must be "http01"' unless SUPPORTED_VALIDATION_METHODS.include?(validation_method)
+          e[:public] = "can't be empty" if public_dirs.none?
+          e[:name] = "can't be blank" if cert_name.nil? || cert_name == ''
+          e[:name] = 'can only include letters, numbers, and underscores' if cert_name =~ VALID_CERT_NAME
+          e[:key_size] = "must be one of #{VALID_KEY_SIZES.join(', ')}" unless VALID_KEY_SIZES.include?(key_size)
+        end
+      end
+    end
+  end
+end

data/templates/letsencrypt_webfaction.toml

@@ -0,0 +1,58 @@
+# Your Webfaction username and password
+username = "myusername"
+password = "mypassword"
+
+# The email address which will be used to register with Let's Encrypt.
+letsencrypt_account_email = "me@example.com"
+
+# The ACME endpoint. Use the staging server until you get everything working.
+# Then switch to the production endpoint.
+endpoint = "https://acme-staging.api.letsencrypt.org/" # Staging
+#endpoint = "https://acme-v01.api.letsencrypt.org/" # Production
+
+# The URL to the WebFaction API. You should not change this under normal
+# circumstances.
+#api_url = "https://api.webfaction.com/"
+
+# The hostname of the server you are on. Should be autodetected and not need to
+# be changed.
+#servername = "web123"
+
+[[certificate]]
+# The list of domains for which the cert should be issued. The first will be
+# the common name.
+domains = [
+  "test.example.com",
+  "test1.example.com",
+]
+
+# Right now, only http01 is available. This is the default.
+#method = "http01"
+
+# The path to the root of your website. Can be an array as in the second example.
+public = "~/webapps/myapp/public_html"
+# public = [
+#   "~/webapps/myapp/public_html",
+#   "~/webapps/myapp/public_html1",
+# ]
+
+# The name of your cert in the WebFaction admin interface. Will default to
+# the cert common name with the dots replaced by underscores. (Optional)
+# NOTE: If you change this and do not also rename it in the webfaction admin,
+#       a new certificate will be issued.
+name = "mycertname1"
+
+# The size of the private key. 4096 is the default. You can use 2048.
+#key_size = 4096
+
+
+# A second certificate. All the same keys as above. You should create a
+# new [[certificate]] entry for every certificate you want issued. This is a
+# simplistic example.
+#[[certificate]]
+#domains = [
+#  "test2.example.com",
+#  "test3.example.com",
+#]
+#public = "~/webapps/myapp/public_html"
+#name = "mycertname1"