fixed some autorenew letsencrypt problems

files/acme-primitives.py

@@ -0,0 +1,78 @@
+#!/usr/bin/env python3
+import os
+import sys
+import subprocess
+import datetime
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
+from cryptography import x509
+from acme import client, messages, crypto_util, challenges
+from acme.errors import ConflictError, ValidationError
+import josepy
+import click
+
+@click.group()
+def cli():
+	pass
+
+@cli.command(name="extract_domains")
+@click.argument('csr_file', type=click.File('rb'))
+def extract_domains(csr_file):
+	csr = x509.load_pem_x509_csr(csr_file.read(), default_backend())
+	san_ext = csr.extensions.get_extension_for_oid(x509.ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
+	sans = san_ext.value.get_values_for_type(x509.DNSName)
+	print(' '.join(sans))
+
+@cli.command(name="remaining_days")
+@click.argument('crt_file', type=click.File('rb'))
+def remaining_days(crt_file):
+	crt = x509.load_pem_x509_certificate(crt_file.read(), default_backend())
+	print((crt.not_valid_after - datetime.datetime.now()).days)
+
+@cli.command(name="get_cert")
+@click.option('--directory', default="https://acme-staging-v02.api.letsencrypt.org/directory")
+@click.option('--acc', required=True, type=click.File('rb'))
+@click.option('--csr', required=True, type=click.File('rb'))
+@click.argument('challenge_hook', nargs=-1)
+def get_cert(directory, acc, csr, challenge_hook):
+	acc_key = serialization.load_pem_private_key(acc.read(), None, default_backend())
+	jose = josepy.JWKRSA(key=acc_key)
+	net = client.ClientNetwork(jose, user_agent="acme-primitives")
+	directory = messages.Directory.from_json(net.get(directory).json())
+	client_acme = client.ClientV2(directory, net=net)
+	try:
+		regr = client_acme.new_account(messages.NewRegistration.from_data(terms_of_service_agreed=True))
+	except ConflictError as e:
+		regr = client_acme.update_registration(messages.RegistrationResource(body=messages.Registration.from_data(terms_of_service_agreed=True)))
+	csr_data = csr.read()
+	orderr = client_acme.new_order(csr_data)
+	for authz in orderr.authorizations:
+		domain = authz.body.identifier.value
+		for i in authz.body.challenges:
+			if isinstance(i.chall, challenges.DNS01):
+				response, validation = i.response_and_validation(jose)
+				subprocess.run([*challenge_hook, i.validation_domain_name(domain), validation], env=os.environ.copy(), check=True)
+				client_acme.answer_challenge(i, response)
+	try:
+		finalized_orderr = client_acme.poll_and_finalize(orderr)
+	except ValidationError as e:
+		for auth in e.failed_authzrs:
+			msg += '\n Authorization for identifier %s failed.' % (
+				auth.body.identifier)
+			msg += '\n Here are the challenges that were not fulfilled:'
+			for challenge in auth.body.challenges:
+				msg += \
+					'\n Challenge Type: %s' \
+					'\n Error information: ' \
+					'\n Type: %s' \
+					'\n Details: %s \n\n' % (
+						challenge.chall.typ,
+						challenge.error.typ if challenge.error else '',
+						challenge.error.detail if challenge.error else '',
+					)
+		print(msg, file=sys.stderr, flush=True)
+		sys.exit(1)
+	print(finalized_orderr.fullchain_pem)
+
+if __name__ == '__main__':
+	cli()

files/letsencrypt_deploy_challenge.sh

@@ -1,5 +1,13 @@
 #!/bin/bash
+set -euo pipefail
+
+CHALLENGE_RECORD="$1"
+CHALLENGE_VALUE="$2"
+
+logger -t letsencrypt "deploying challenge for record ${CHALLENGE_RECORD} with value ${CHALLENGE_VALUE}"
 
 for i in $LETSENCRYPT_CHALLENGE_SERVERS; do
-	ssh -i /etc/letsencrypt/renewkey -o "StrictHostKeyChecking no" letsencrypt@$i $(< $LETSENCRYPT_TOKEN ) $1 $2
+	logger -t letsencrypt "deploying to ${i}"
+	{ ssh -i /etc/letsencrypt/renewkey -o "StrictHostKeyChecking no" letsencrypt@$i "$(cat "$LETSENCRYPT_TOKEN")" "${CHALLENGE_RECORD}" "${CHALLENGE_VALUE}" | logger -t letsencrypt -e; } ||
+		{ logger -t letsencrypt "deploying failed with exit code $?"; exit 1; }
 done

files/letsencrypt_renew.sh

@@ -3,12 +3,14 @@ set -euo pipefail
 
 source $1
 
-daysleft=$(/usr/local/bin/acme-primitives.py remaining_days "$LETSENCRYPT_CRT" || echo "0") 2>/dev/null
-[ "$daysleft" -lt "$LETSENCRYPT_REMAININGDAYS" ] || exit 0
+logger -t letsencrypt "Checking certificate ${LETSENCRYPT_CRT}"
+daysleft=$(/usr/local/bin/acme-primitives.py remaining_days "${LETSENCRYPT_CRT}" || echo "0") 2>/dev/null
+[ "$daysleft" -lt "$LETSENCRYPT_REMAININGDAYS" ] || { logger -t letsencrypt "Cert has ${LETSENCRYPT_REMAININGDAYS} days remaining, not renewing" exit 0; }
 
 folder="$(mktemp -d)"
-cd "$folder"
-/usr/local/bin/acme-primitives.py get_cert --directory 'https://acme-v02.api.letsencrypt.org/directory' --acc /etc/ssl/letsencrypt_account.key --csr $LETSENCRYPT_CSR /usr/local/bin/letsencrypt_deploy_challenge.sh > chained.pem
+cd "${folder}"
+logger -t letsencrypt "Renewing certificate"
+/usr/local/bin/acme-primitives.py get_cert --directory 'https://acme-v02.api.letsencrypt.org/directory' --acc /etc/ssl/letsencrypt_account.key --csr "${LETSENCRYPT_CSR}" /usr/local/bin/letsencrypt_deploy_challenge.sh > chained.pem
 
 cat chained.pem "$LETSENCRYPT_KEY" > full.pem
 openssl x509 -in chained.pem > cert.pem
@@ -25,6 +27,10 @@ mv full.pem "$LETSENCRYPT_FULL"
 cd
 rm -r "$folder"
 
-for i in $LETSENCRYPT_SERVICES; do
-	/bin/systemctl "$i" restart
+logger -t letsencrypt "Success, restarting services ( ${LETSENCRYPT_SERVICES} )..."
+
+for i in ${LETSENCRYPT_SERVICES}; do
+	/bin/systemctl "${i}" restart
 done
+
+logger -t letsencrypt "done"