From 74e272727f9cc4c00f03b9e3212b777df5b8ebaa Mon Sep 17 00:00:00 2001
From: Nathan Woodburn
Date: Fri, 23 Feb 2024 15:30:57 +1100
Subject: [PATCH] feat: Add ICANN certs
---
.gitignore | 2 ++
install.sh | 6 +++++
sites.py | 74 ++++++++++++++++++++++++++++++++++++++++++++----------
3 files changed, 69 insertions(+), 13 deletions(-)
diff --git a/.gitignore b/.gitignore
index 0f24e48..c162627 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,5 @@
sites.json
uploads/
certs/
+
+icann.txt
diff --git a/install.sh b/install.sh
index 9e52754..1142427 100755
--- a/install.sh
+++ b/install.sh
@@ -20,3 +20,9 @@ python3 -m pip install -r requirements.txt
sudo cp ./nginx-manager.service /etc/systemd/system/nginx-manager.service
sudo systemctl start nginx-manager
sudo systemctl enable nginx-manager
+
+# Install certbot
+sudo snap install core; sudo snap refresh core
+sudo apt remove certbot
+sudo snap install --classic certbot
+sudo ln -s /snap/bin/certbot /usr/bin/certbot
\ No newline at end of file
diff --git a/sites.py b/sites.py
index 6678176..932b16d 100644
--- a/sites.py
+++ b/sites.py
@@ -51,11 +51,14 @@ def add_site(name, domain):
if not os.path.isdir('certs'): os.mkdir('certs')
- # Generate TLSA record
- tlsa = os.popen(f'./tlsa.sh {domain}').read().strip()
- print(tlsa)
- if not tlsa:
- return False
+ if is_icann(domain):
+ tlsa = "Not needed"
+ else:
+ # Generate TLSA record
+ tlsa = os.popen(f'./tlsa.sh {domain}').read().strip()
+ print(tlsa)
+ if not tlsa:
+ return False
id = len(sites)
for site in sites:
@@ -82,10 +85,14 @@ def add_alt_domain(name, domain):
site['alt_domains'] = []
site['alt_domains'].append(domain)
- # Generate TLSA record
- tlsa = os.popen(f'./tlsa.sh {domain}').read().strip()
- if not tlsa:
- return False
+ if is_icann(domain):
+ tlsa = "Not needed"
+ else:
+ # Generate TLSA record
+ tlsa = os.popen(f'./tlsa.sh {domain}').read().strip()
+ print(tlsa)
+ if not tlsa:
+ return False
if 'alt_tlsa' not in site: site['alt_tlsa'] = {}
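Review bot: `sudo apt remove certbot` on the new side has no `-y`, so on a host where the apt package is present it prompts and stalls what the surrounding script treats as an unattended install; `sudo ln -s /snap/bin/certbot /usr/bin/certbot` likewise fails when that path already exists (a re-run, or a leftover from the apt package), which aborts the whole script if it runs under `set -e` (the top of install.sh is not visible here). Change the two lines to `sudo apt remove -y certbot` and `sudo ln -sf /snap/bin/certbot /usr/bin/certbot`. The hunk also drops the file's trailing newline.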
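Review bot: The re-added `tlsa = os.popen(f'./tlsa.sh {domain}').read().strip()` still splices `domain` into a shell command string; if `add_site` can be reached with a caller-supplied name (the `/root/site-manager` paths elsewhere in this patch suggest the service runs as root, and its entry points are not visible here), a value containing `;` or backticks runs arbitrary commands. `tlsa = subprocess.run(['./tlsa.sh', domain], capture_output=True, text=True).stdout.strip()` passes the name as a single argv element (needs `import subprocess` at the top of sites.py). The ICANN branch stores the literal `"Not needed"` in the field that otherwise holds a TLSA record, so it is worth confirming that nothing downstream publishes `tlsa` verbatim; a comment on that line such as `# ICANN domains get a CA cert via certbot, so no DANE/TLSA record is generated` would make the sentinel's meaning explicit. `add_site` continues past this hunk.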
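Review bot: The nine added lines here are a copy of the block added to `add_site` in the previous hunk, and the two had already diverged once before this patch (the old `add_alt_domain` did not `print(tlsa)`); a helper keeps the ICANN exception and the TLSA generation in one place. For example `def _tlsa_record(domain): return "Not needed" if is_icann(domain) else os.popen(f'./tlsa.sh {domain}').read().strip()` and at both call sites `tlsa = _tlsa_record(domain)` followed by the existing `if not tlsa: return False`. That also gives a single place to replace the shell interpolation with a `subprocess.run([...])` argv list. `add_alt_domain` begins and ends outside this hunk.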
@@ -164,6 +171,15 @@ def write_nginx_conf(site):
id = site['id']
location = f'/var/www/{id}'
+ ssl = ""
+ if not is_icann(domain):
+ ssl = f'''
+ listen 443 ssl;
+ ssl_certificate /root/site-manager/certs/{domain}/cert.crt;
+ ssl_certificate_key /root/site-manager/certs/{domain}/cert.key;
+ '''
+
+
conf = f''' server {{ listen 80;
@@ -191,15 +207,22 @@ def write_nginx_conf(site):
add_header Cache-Control 'must-revalidate'; add_header Content-Type text/plain; }}
- listen 443 ssl;
- ssl_certificate /root/site-manager/certs/{domain}/cert.crt;
- ssl_certificate_key /root/site-manager/certs/{domain}/cert.key;
+ {ssl}
}} ''' # Add alt domains
if 'alt_domains' in site:
for alt in site['alt_domains']:
+ if not is_icann(alt):
+ ssl = f'''
+ listen 443 ssl;
+ ssl_certificate /root/site-manager/certs/{alt}/cert.crt;
+ ssl_certificate_key /root/site-manager/certs/{alt}/cert.key;
+ '''
+ else:
+ ssl = ""
+
conf += f''' server {{ listen 80;
@@ -237,4 +260,29 @@ def write_nginx_conf(site):
# Restart nginx
os.system('systemctl restart nginx')
- return True
\ No newline at end of file
+
+ # Create certs for ICANN domains
+ icann_domains = []
+ if is_icann(domain):
+ icann_domains.append(domain)
+ if 'alt_domains' in site:
+ for alt in site['alt_domains']:
+ if is_icann(alt):
+ icann_domains.append(alt)
+
+ icann_domains = " -d ".join(icann_domains)
+ icann_domains = f'-d {icann_domains}'
+ os.system(f'certbot --nginx {icann_domains} --non-interactive --agree-tos --email admin@{domain} --redirect')
+ return True
+
+
+def is_icann(domain):
+ # Check if domain list is downloaded yet
+ if not os.path.isfile('icann.txt'):
+ os.system('wget https://data.iana.org/TLD/tlds-alpha-by-domain.txt -O icann.txt')
+
+ tlds = open('icann.txt', 'r').read().split('\n')
+ # Remove any comments
+ tlds = [tld for tld in tlds if not tld.startswith('#')]
+ if domain.split('.')[-1].upper() in tlds:
+ return True
\ No newline at end of file
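Review bot: `is_icann(domain)` is called here and again in the certificate step added at the end of this function in a later hunk, and every call re-reads `icann.txt` from disk because the lookup (also in this patch) keeps nothing in memory; compute it once, e.g. `domain_is_icann = is_icann(domain)` next to `location = ...`, and reuse the flag. The `ssl = ""` default also deserves a why-comment, since a reader of the generated config will otherwise wonder where the 443 listener for ICANN sites comes from: `# ICANN domains: certbot --nginx (run at the end of this function) adds the 443 block and cert paths itself`. Until that certbot run succeeds, such a site is served over plain HTTP only. `write_nginx_conf` starts before this hunk.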
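Review bot: The TLS snippet is now built twice in this function — once for the primary domain near the top and again here for each alt domain — differing only in the name, so the two copies will drift (the primary one already spells the ICANN exception as an up-front `ssl = ""`, this one as an `else`). A small helper, shown below, keeps the directives and the ICANN rule in one place. Whether `{ssl}` is actually interpolated into the alt server block cannot be verified here because that block's closing lines are outside the hunk; if it is not, non-ICANN alt domains silently lose their 443 listener. `write_nginx_conf` starts and ends outside this hunk.
```python
def _ssl_block(name):
    """nginx TLS directives for `name`; empty for ICANN domains, whose 443 block certbot --nginx adds itself."""
    if is_icann(name):
        return ""
    return f'''
    listen 443 ssl;
    ssl_certificate /root/site-manager/certs/{name}/cert.crt;
    ssl_certificate_key /root/site-manager/certs/{name}/cert.key;
    '''

    # … unchanged: write_nginx_conf up to the alt-domain loop …
        for alt in site['alt_domains']:
            ssl = _ssl_block(alt)
            conf += f'''
```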
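Review bot: The new certbot call runs even when `icann_domains` is empty — `" -d ".join([])` leaves `-d ` with no name, so every non-ICANN site now invokes certbot just to have it fail — and it formats the domain names into a root shell command via `os.system`, so a name containing shell metacharacters executes as root. Its exit status is discarded too, so a failed issuance still returns `True` and the site silently stays HTTP-only; the rewrite below skips the call when there is nothing to issue, passes the names as an argv list (`import subprocess` is needed at the top of sites.py) and reports failure. In `is_icann`, `wget -O icann.txt` leaves an empty file behind when the download fails and the `os.path.isfile` check then never retries, so every domain looks non-ICANN from then on; the function also falls off the end for non-ICANN names, so `return domain.split('.')[-1].upper() in tlds` as its last line gives a real `bool`. `write_nginx_conf` starts before this hunk.
```python
    # … unchanged: nginx restart, icann_domains collection …
    if not icann_domains:
        return True

    # argv list, not a formatted shell string: domain names never reach a shell
    cmd = ['certbot', '--nginx', '--non-interactive', '--agree-tos',
           '--email', f'admin@{domain}', '--redirect']
    for icann_domain in icann_domains:
        cmd += ['-d', icann_domain]
    result = subprocess.run(cmd)
    if result.returncode != 0:
        print(f'certbot failed ({result.returncode}) for {icann_domains}')
        return False
    return True
```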