Server: Apache
System: Linux server2.voipitup.com.au 4.18.0-553.109.1.lve.el8.x86_64 #1 SMP Thu Mar 5 20:23:46 UTC 2026 x86_64
User: posscale (1027)
PHP: 8.2.30
Disabled: exec,passthru,shell_exec,system
File: //opt/saltstack/salt/lib/python3.10/site-packages/salt/modules/__pycache__/acme.cpython-310.pyc
ACME / Let's Encrypt module
===========================

.. versionadded:: 2016.3.0

This module currently looks for the certbot script in the $PATH as
- certbot,
- letsencrypt,
- certbot-auto,
- letsencrypt-auto
and eventually falls back to /opt/letsencrypt/letsencrypt-auto

.. note::

    Installation & configuration of the Let's Encrypt client can for example be done using
    https://github.com/saltstack-formulas/letsencrypt-formula

.. warning::

    Be sure to set at least accept-tos = True in cli.ini!

Most parameters will fall back to cli.ini defaults if None is given.

DNS plugins
-----------

This module currently supports the CloudFlare certbot DNS plugin.  The DNS
plugin credentials file needs to be passed in using the
``dns_plugin_credentials`` argument.

Make sure the appropriate certbot plugin for the wanted DNS provider is
installed before using this module.

``__virtual__``
    Only work when letsencrypt-auto is installed
    Load-failure message: "The ACME execution module cannot be loaded: letsencrypt-auto not installed."

``_cert_file``
    Return expected path of a Let's Encrypt live cert
    z.pem)�os�path�join�LE_LIVE)�nameZ	cert_typerrr�
_cert_fileGsrcCs`t|d�}dtvrtd|��dd�}nd|�d�}d|�d�}ttd	|d
d��}tj�|�S)zY
    Return the expiry date of a cert

    :rtype: datetime
    :return: Expiry date

``_renew_by``
    Date before a certificate should be renewed

    :param str name: Name of the certificate
    :param int window: days before expiry date to renew
    :rtype: datetime
    :return: First renewal date

``cert``
    Obtain/renew a certificate from an ACME CA, probably Let's Encrypt.

    :param name: Common Name of the certificate (DNS name of certificate)
    :param aliases: subjectAltNames (Additional DNS names on certificate)
    :param email: e-mail address for interaction with ACME provider
    :param webroot: True or a full path to use webroot. Otherwise use standalone mode
    :param test_cert: Request a certificate from the Happy Hacker Fake CA (mutually
        exclusive with 'server')
    :param renew: True/'force' to force a renewal, or a window of renewal before
        expiry in days
    :param keysize: RSA key bits
    :param server: API endpoint to talk to
    :param owner: owner of the private key file
    :param group: group of the private key file
    :param mode: mode of the private key file
    :param certname: Name of the certificate to save
    :param preferred_challenges: A sorted, comma delimited list of the preferred
        challenge to use during authorization with the most preferred challenge
        listed first.
    :param tls_sni_01_port: Port used during tls-sni-01 challenge. This only affects
        the port Certbot listens on. A conforming ACME server will still attempt
        to connect on port 443.
    :param tls_sni_01_address: The address the server listens to during tls-sni-01
        challenge.
    :param http_01_port: Port used in the http-01 challenge. This only affects
        the port Certbot listens on. A conforming ACME server will still attempt
        to connect on port 80.
    :param http_01_address: The address the server listens to during http-01 challenge.
    :param dns_plugin: Name of a DNS plugin to use (currently only 'cloudflare'
        or 'digitalocean')
    :param dns_plugin_credentials: Path to the credentials file if required by
        the specified DNS plugin
    :param dns_plugin_propagate_seconds: Number of seconds to wait for DNS propagation
        before asking ACME servers to verify the DNS record. (default 10)
    :rtype: dict
    :return: Dictionary with 'result' True/False/None, 'comment' and certificate's
        expiry date ('not_after')

    CLI Example:

    .. code-block:: bash

        salt 'gitlab.example.com' acme.cert dev.example.com "[gitlab.example.com]" test_cert=True \
            renew=14 webroot=/opt/gitlab/embedded/service/gitlab-rails/public

``certs``
    Return a list of active certificates

    CLI Example:

    .. code-block:: bash

        salt 'vhost.example.com' acme.certs

``info``
    Return information about a certificate

    :param str name: Name of certificate
    :rtype: dict
    :return: Dictionary with information about the certificate.
        If neither the ``tls`` nor the ``x509`` module can be used to determine
        the certificate information, the information will be retrieved as one
        big text block under the key ``text`` using the openssl cli.

    CLI Example:

    .. code-block:: bash

        salt 'gitlab.example.com' acme.info dev.example.com

``expires``
    The expiry date of a certificate in ISO format

    :param str name: Name of certificate
    :rtype: str
    :return: Expiry date in ISO format.

    CLI Example:

    .. code-block:: bash

        salt 'gitlab.example.com' acme.expires dev.example.com
    )r�	isoformat�rrrrr0[sr0cCstdt|d��S)a*
    Test if a certificate is in the Let's Encrypt Live directory

    :param str name: Name of certificate
    :rtype: bool

    Code example:

    .. code-block:: python

        if __salt__['acme.has']('dev.example.com'):
            log.info('That is one nice certificate you have there!')

``renew_by``
    Date in ISO format when a certificate should first be renewed

    :param str name: Name of certificate
    :param int window: number of days before expiry when renewal should take place
    :rtype: str
    :return: Date of certificate renewal in ISO format.

``needs_renewal``
    Check if a certificate needs renewal

    :param str name: Name of certificate
    :param bool/str/int window: Window in days to renew earlier or True/force to just return True
    :rtype: bool
    :return: Whether or not the certificate needs to be renewed.

    Code example:

    .. code-block:: python

        if __salt__['acme.needs_renewal']('dev.example.com'):
            __salt__['acme.cert']('dev.example.com', **kwargs)
        else:
            log.info('Your certificate is still good')
    Error raised for an invalid ``window``: The argument "window", if provided, must be one of the following : True (boolean), "force" or "Force" (str) or a numerical value in days.