- Added printouts

- Watching reduced to one file (acme.json) - added support to restart containers after renewal of certificates
raph2i · Aug 4, 2018 · ae23efa · ae23efa
1 parent 49fe6f7
commit ae23efa
Show file tree

Hide file tree

Showing 2 changed files with 115 additions and 74 deletions.
diff --git a/extractor.py b/extractor.py
@@ -3,11 +3,110 @@
 import errno
 import time
 import json
+import docker
+
 from base64 import b64decode
 from watchdog.observers import Observer
 from watchdog.events import FileSystemEventHandler
+from pathlib import Path
+
+
+def restartContainerWithDomain(domain):
+    client = docker.from_env()
+    container = client.containers.list(filters = {"label" : "com.github.SnowMB.traefik-certificate-extractor.restart_domain"})
+    for c in container:
+#        print(c.labels['com.github.SnowMB.traefik-certificate-extractor.restart_domain'])
+        domains = str.split(c.labels["com.github.SnowMB.traefik-certificate-extractor.restart_domain"], ',')
+        if domain in domains:
+            print('restarting container ' + c.id)
+            c.restart()
+
+
+
+def createCerts(file):
+    # Read JSON file
+    data = json.loads(open(file).read())
+
+    # Determine ACME version
+    acme_version = 2 if 'acme-v02' in data['Account']['Registration']['uri'] else 1
+
+    # Find certificates
+    if acme_version == 1:
+        certs = data['DomainsCertificate']['Certs']
+    elif acme_version == 2:
+        certs = data['Certificates']
+
+    # Loop over all certificates
+    for c in certs:
+        if acme_version == 1:
+            name = c['Certificate']['Domain']
+            privatekey = c['Certificate']['PrivateKey']
+            fullchain = c['Certificate']['Certificate']
+            sans = c['Domains']['SANs']
+        elif acme_version == 2:
+            name = c['Domain']['Main']
+            privatekey = c['Key']
+            fullchain = c['Certificate']
+            sans = c['Domain']['SANs']
+
+        # Decode private key, certificate and chain
+        privatekey = b64decode(privatekey).decode('utf-8')
+        fullchain = b64decode(fullchain).decode('utf-8')
+        start = fullchain.find('-----BEGIN CERTIFICATE-----', 1)
+        cert = fullchain[0:start]
+        chain = fullchain[start:]
+
+        # Create domain directory if it doesn't exist
+        directory = 'certs/' + name + '/'
+        try:
+            os.makedirs(directory)
+        except OSError as error:
+            if error.errno != errno.EEXIST:
+                raise
+
+        # Write private key, certificate and chain to file
+        with open(directory + 'privkey.pem', 'w') as f:
+            f.write(privatekey)
+
+        with open(directory + 'cert.pem', 'w') as f:
+            f.write(cert)
+
+        with open(directory + 'chain.pem', 'w') as f:
+            f.write(chain)
+
+        with open(directory + 'fullchain.pem', 'w') as f:
+            f.write(fullchain)
+
+        # Write private key, certificate and chain to flat files
+        directory = 'certs_flat/'
+
+        with open(directory + name + '.key', 'w') as f:
+            f.write(privatekey)
+        with open(directory + name + '.crt', 'w') as f:
+            f.write(fullchain)
+        with open(directory + name + '.chain.pem', 'w') as f:
+            f.write(chain)
+
+        if sans:
+            for name in sans:
+                 with open(directory + name + '.key', 'w') as f:
+                    f.write(privatekey)
+                 with open(directory + name + '.crt', 'w') as f:
+                    f.write(fullchain)
+                 with open(directory + name + '.chain.pem', 'w') as f:
+                    f.write(chain)
+
+        print('Extracted certificate for: ' + name + (', ' + ', '.join(sans) if sans else ''))
+        restartContainerWithDomain(name)
+
+
+
 
 class Handler(FileSystemEventHandler):
+
+    def __init__(self):
+        self.filename = 'acme.json'
+
     def on_created(self, event):
         self.handle(event)
 
@@ -16,86 +115,24 @@ def on_modified(self, event):
 
     def handle(self, event):
         # Check if it's a JSON file
-        if not event.is_directory and event.src_path.endswith('.json'):
+        print ('DEBUG : event fired')
+        if not event.is_directory and event.src_path.endswith(self.filename):
             print('Certificates changed')
 
-            # Read JSON file
-            data = json.loads(open(event.src_path).read())
-
-            # Determine ACME version
-            acme_version = 2 if 'acme-v02' in data['Account']['Registration']['uri'] else 1
-
-            # Find certificates
-            if acme_version == 1:
-                certs = data['DomainsCertificate']['Certs']
-            elif acme_version == 2:
-                certs = data['Certificates']
-
-            # Loop over all certificates
-            for c in certs:
-                if acme_version == 1:
-                    name = c['Certificate']['Domain']
-                    privatekey = c['Certificate']['PrivateKey']
-                    fullchain = c['Certificate']['Certificate']
-                    sans = c['Domains']['SANs']
-                elif acme_version == 2:
-                    name = c['Domain']['Main']
-                    privatekey = c['Key']
-                    fullchain = c['Certificate']
-                    sans = c['Domain']['SANs']
-
-                # Decode private key, certificate and chain
-                privatekey = b64decode(privatekey).decode('utf-8')
-                fullchain = b64decode(fullchain).decode('utf-8')
-                start = fullchain.find('-----BEGIN CERTIFICATE-----', 1)
-                cert = fullchain[0:start]
-                chain = fullchain[start:]
-
-                # Create domain directory if it doesn't exist
-                directory = 'certs/' + name + '/'
-                try:
-                    os.makedirs(directory)
-                except OSError as error:
-                    if error.errno != errno.EEXIST:
-                        raise
-
-                # Write private key, certificate and chain to file
-                with open(directory + 'privkey.pem', 'w') as f:
-                    f.write(privatekey)
-
-                with open(directory + 'cert.pem', 'w') as f:
-                    f.write(cert)
+            createCerts(event.src_path)
 
-                with open(directory + 'chain.pem', 'w') as f:
-                    f.write(chain)
 
-                with open(directory + 'fullchain.pem', 'w') as f:
-                    f.write(fullchain)
-
-                # Write private key, certificate and chain to flat files
-                directory = 'certs_flat/'
-
-                with open(directory + name + '.key', 'w') as f:
-                    f.write(privatekey)
-                with open(directory + name + '.crt', 'w') as f:
-                    f.write(fullchain)
-                with open(directory + name + '.chain.pem', 'w') as f:
-                    f.write(chain)
+if __name__ == "__main__":
+    # Determine path to watch
+    val = sys.argv[1] if len(sys.argv) > 1 else './data/acme.json'
 
-                if sans:
-                    for name in sans:
-                        with open(directory + name + '.key', 'w') as f:
-                            f.write(privatekey)
-                        with open(directory + name + '.crt', 'w') as f:
-                            f.write(fullchain)
-                        with open(directory + name + '.chain.pem', 'w') as f:
-                            f.write(chain)
+    path = Path(val)
 
-                print('Extracted certificate for: ' + name + (', ' + ', '.join(sans) if sans else ''))
+    if not path.exists() or path.is_dir():
+        print ('ERROR ' + str(path) + ' does not exist.')
+        sys.exit(1)
 
-if __name__ == "__main__":
-    # Determine path to watch
-    path = sys.argv[1] if len(sys.argv) > 1 else './data'
+    print('watching path: ' + str(path))
 
     # Create output directories if it doesn't exist
     try:
@@ -109,12 +146,15 @@ def handle(self, event):
         if error.errno != errno.EEXIST:
             raise
 
+
+
     # Create event handler and observer
     event_handler = Handler()
+    event_handler.filename = str(path.name)
     observer = Observer()
 
     # Register the directory to watch
-    observer.schedule(event_handler, path)
+    observer.schedule(event_handler, str(path.parent))
 
     # Main loop to watch the directory
     observer.start()

diff --git a/requirements.txt b/requirements.txt
@@ -1 +1,2 @@
 watchdog
+docker