Merge branch '4-remove-installer-code-and-make-python3-and-new-certbot-compatible' into 'develop'

Resolve "remove installer code and make python3 and new certbot compatible"

Closes #4

See merge request open/certbot-haproxy!1

Author: Maarten de Waard

README.rst

@@ -32,6 +32,21 @@ configure HAProxy for use with the plugin. If you have a good idea on how we can
 implement automatic HAProxy configuration, you are welcome to create a merge
 request or an issue.
 
+Dropped installer support in version 0.2.0+
+------------------------------------------
+
+In version 0.2.0 the installer component is dropped. Originally the installer
+component made sure to place the certificates in the right directory for haproxy
+by combining the key and the crt. This was done because original versions of
+certbot executed the hooks after every domain renewal.
+
+New versions of certbot have move fine grained post install hooks. With those
+hooks more flexibility is added for installation. An example script and command
+is added in version 0.2.0+
+
+The example script for deploy is `certbot-deploy-hook-example`
+
+
 Installing: Requirements
 ------------------------
 
@@ -40,24 +55,25 @@ work on Ubuntu 14.04+ too. If you are running Debian Wheezy, you may need to
 take additional steps during the installation. Thus, the requirements are:
 
 - Debian Jessie (or higher) or Ubuntu Trusty (or higher).
-- Python 2.7 (2.6 is supported by certbot and our goal is to be compatible but
+- Python 3.0+ (Python 2.7 is still supported to be compatible with older
+  operating systems)
   it has not been tested yet).
-- HAProxy 1.6+ (we will configure SNI, which is not strictly required)
-- Certbot 0.8+
+- HAProxy 1.6+
+- Certbot 0.19+
 
 Installing: Getting started
 ---------------------------
 
-The installation below assumes you are running Debian Jessie but it should be
+The installation below assumes you are running Debian Stretch but it should be
 almost entirely the same process on Ubuntu.
 
-First add the backports repo for Jessie to your apt sources.
+If you are still using Jessie, you have to add the backports repo for Jessie.
 
 .. note::
 
     This will not work for Ubuntu, you will need to use another source,
     check which version comes with your version of Ubuntu, if it is a version
-    below 0.8, you need to find a back port PPA or download certbot from source.
+    below 0.19, you need to find a back port PPA or download certbot from source.
 
 .. code:: bash
 
@@ -82,7 +98,7 @@ Now update, upgrade and install some requirements:
         openssl ca-certificates \
         build-essential libffi-dev libssl-dev python-dev \
         python python-setuptools \
-        haproxy
+        haproxy python3-pip python3-setuptools
 
     easy_install pip
     pip install --upgrade setuptools
@@ -302,23 +318,22 @@ together a configuration that works for you.
 
     systemctl restart haproxy
 
-Now you can try to run Certbot with the plugin as the Authenticator and
-Installer, if you already have websites configured in your HAProxy setup, you
+Now you can try to run Certbot with the plugin as the Authenticator.
+If you already have websites configured in your HAProxy setup, you
 may try to install a certificate now.
 
 .. code:: bash
 
-    certbot run --authenticator certbot-haproxy:haproxy-authenticator \
-        --installer certbot-haproxy:haproxy-installer
+    certbot certonly --authenticator certbot-haproxy:haproxy-authenticator \
+        --deploy-hook /path/to/your/install/script
 
-If you want your ``certbot`` to always use our Installer and Authenticator, you
+If you want your ``certbot`` to always use our Authenticator, you
 can add this to your configuration file:
 
 .. code:: bash
 
     cat <<EOF >> $HOME/.config/letsencrypt/cli.ini
     authenticator=certbot-haproxy:haproxy-authenticator
-    installer=certbot-haproxy:haproxy-installer
     EOF
 
 If you need to run in unattended mode, there are a bunch of arguments you need
@@ -367,7 +382,7 @@ after the server has been offline for a long time.
     [Service]
     Type=simple
     User=certbot
-    ExecStart=/usr/bin/certbot renew -q
+    ExecStart=/usr/bin/certbot renew -q --deploy-hook /path/to/deploy/script
     EOF
 
     # Enable the timer and start it, this is not necessary for the service,
@@ -446,7 +461,6 @@ reasons.
     text=True
     domain=example.org
     authenticator=certbot-haproxy:haproxy-authenticator
-    installer=certbot-haproxy:haproxy-installer
     EOF
 
 Setuptools version conflict
@@ -476,11 +490,11 @@ Run the following commands in your vagrant machine:
 .. code:: bash
 
     apt-file update
-    python setup.py sdist
+    python3 setup.py sdist
     # py2dsc has a problem with vbox mounted folders
     mv dist/certbot-haproxy-<version>.tar.gz ~
     cd ~
-    py2dsc certbot-haproxy-<version>.tar.gz
+    py2dsc --with-python3=True certbot-haproxy-<version>.tar.gz
     cd deb_dist/certbot-haproxy-<version>
     # NOTE: Not signed, no signed changes (with -uc and -us)
     # NOTE: Add the package to the ghtools repo

certbot-deploy-hook-example

@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+
+import os
+import re
+import sys
+
+# Certbot sets an environment variable RENEWED_LINEAGE, which points to the
+# path of the renewed certificate. We use that path to determine and find
+# the files for the currently renewed certificated
+lineage=os.environ.get('RENEWED_LINEAGE')
+
+# If nothing renewed, exit
+if not lineage:
+    sys.exit()
+
+# From the linage, we strip the 'domain name', which is the last part
+# of the path.
+result = re.match(r'.*/live/(.+)$', lineage)
+
+# If we can not recognize the path, we exit with 1
+if not result:
+    sys.exit(1)
+
+# Extract the domain name
+domain = result.group(1)
+
+# Define a path for HAproxy where you want to write the .pem file.
+deploy_path="/etc/haproxy/ssl/" + domain + ".pem"
+
+# The source files can be found in below paths, constructed with the lineage
+# path
+source_key = lineage + "/privkey.pem"
+source_chain = lineage + "/fullchain.pem"
+
+# HAproxy requires to combine the key and chain in one .pem file
+with open(deploy_path, "w") as deploy, \
+        open(source_key, "r") as key, \
+        open(source_chain, "r") as chain:
+    deploy.write(key.read())
+    deploy.write(chain.read())
+
+# Here you can add your service reload command. Which will be executed after
+# every renewal, which is fine if you only have a few domains.
+
+# Alternative is to add the reload to the --post-hook. In that case it is only
+# run once after all renewals. That would be the use-case if you have a large
+# number of different certificates served by HAproxy.
+
+

certbot_haproxy/constants.py

@@ -90,18 +90,25 @@
 CLI_DEFAULTS = {
     "debian": {
         '_min_version': '7',
-        '_max_version': '8',
+        '_max_version': '9',
         '7': CLI_DEFAULTS_DEBIAN_BASED_PRE_SYSTEMD_OS,
-        '8': CLI_DEFAULTS_DEBIAN_BASED_SYSTEMD_OS
+        '8': CLI_DEFAULTS_DEBIAN_BASED_SYSTEMD_OS,
+        '9': CLI_DEFAULTS_DEBIAN_BASED_SYSTEMD_OS
     },
     "ubuntu": {
         '_min_version': '14.04',
-        '_max_version': '16.04',
+        '_max_version': '18.04',
         '14.04': CLI_DEFAULTS_DEBIAN_BASED_PRE_SYSTEMD_OS,
         '14.10': CLI_DEFAULTS_DEBIAN_BASED_PRE_SYSTEMD_OS,
         '15.04': CLI_DEFAULTS_DEBIAN_BASED_SYSTEMD_OS,
         '15.10': CLI_DEFAULTS_DEBIAN_BASED_SYSTEMD_OS,
-        '16.04': CLI_DEFAULTS_DEBIAN_BASED_SYSTEMD_OS
+        '16.04': CLI_DEFAULTS_DEBIAN_BASED_SYSTEMD_OS,
+        '16.10': CLI_DEFAULTS_DEBIAN_BASED_SYSTEMD_OS,
+        '17.04': CLI_DEFAULTS_DEBIAN_BASED_SYSTEMD_OS,
+        '17.10': CLI_DEFAULTS_DEBIAN_BASED_SYSTEMD_OS,
+        '18.04': CLI_DEFAULTS_DEBIAN_BASED_SYSTEMD_OS,
+        '18.10': CLI_DEFAULTS_DEBIAN_BASED_SYSTEMD_OS,
+        '19.04': CLI_DEFAULTS_DEBIAN_BASED_SYSTEMD_OS
     }
 }