From 629f3464a96e8102eb7a06d8f55839a62194930d Mon Sep 17 00:00:00 2001 From: James Kasten Date: Sun, 12 Aug 2012 22:57:13 -0400 Subject: [PATCH 1/4] Fixed deploy cert --- trustify/client/configurator.py | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/trustify/client/configurator.py b/trustify/client/configurator.py index e805e01d3..8dc43835c 100644 --- a/trustify/client/configurator.py +++ b/trustify/client/configurator.py @@ -63,21 +63,23 @@ class Configurator(object): if cert_chain is not None: path["cert_chain"] = self.find_directive("SSLCertificateChainFile", None, vhost.path) - for k in path.iterkeys(): - if len(path[k]) == 0: - # Throw some "can't find all of the directives error" - print "DEBUG - Error: cannot find ", search[k] - print "DEBUG - in ", vhost.path - print "VirtualHost was not modified" - # Presumably break here so that the virtualhost is not modified - return False + if len(path["cert_file"]) == 0 or len(path["cert_key"]) == 0: + # Throw some "can't find all of the directives error" + print "DEBUG - Error: cannot find a cert or key directive" + print "DEBUG - in ", vhost.path + print "VirtualHost was not modified" + # Presumably break here so that the virtualhost is not modified + return False #print "Deploying Certificate to VirtualHost" self.aug.set(path["cert_file"][0], cert) self.aug.set(path["cert_key"][0], key) if cert_chain is not None: - self.aug.set(path["cert_chain"][0], cert_chain) + if len(path["cert_chain"]) == 0: + self.add_dir(vhost.path, "SSLCertificateChainFile", cert_chain) + else: + self.aug.set(path["cert_chain"][0], cert_chain) return self.save("Virtual Server - deploying certificate") 
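Review bot: When `cert_chain` is None, an `SSLCertificateChainFile` directive the vhost already has is neither looked up nor changed, so after `self.aug.set(path["cert_file"][0], cert)` the vhost may keep presenting an intermediate chain that does not belong to the new certificate. Looking the directive up unconditionally and at least warning would make that visible, e.g. `print "Warning: existing SSLCertificateChainFile left unchanged in ", vhost.path`. The rewritten check also loses the directive name that the old `search[k]` message printed; reporting which of `cert_file` / `cert_key` came back empty would keep that diagnostic. The method's signature and the start of its body are outside the hunk.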
@@ -366,7 +368,6 @@ class Configurator(object): Checks apache2ctl to get loaded module list """ try: - #p = subprocess.check_output(["sudo", "/usr/sbin/apache2ctl", "-M"], stderr=open("/dev/null", 'w')) p = subprocess.Popen(['sudo', '/usr/sbin/apache2ctl', '-M'], stdout=subprocess.PIPE, stderr=open("/dev/null", 'w')).communicate()[0] except: print "Error accessing apache2ctl for loaded modules!" @@ -626,11 +627,11 @@ def main(): config.redirect_all_ssl(vh, ["localhost"]) config.save() """ - """ + for vh in config.vhosts: if len(vh.names) > 0: - config.deploy_cert(vh, "/home/james/Documents/apache_choc/req.pem", "/home/james/Documents/apache_choc/key.pem") - """ + config.deploy_cert(vh, "/home/james/Documents/apache_choc/req.pem", "/home/james/Documents/apache_choc/key.pem", "/home/james/Downloads/sub.class1.server.ca.pem") + if __name__ == "__main__": main() From 0a56ff651f9d707a748d8b87e8c35827782ef15c Mon Sep 17 00:00:00 2001 From: James Kasten Date: Sun, 12 Aug 2012 23:41:31 -0400 Subject: [PATCH 2/4] Reverted back to check_output due to race conditions with Popen... it will need a lock --- trustify/client/configurator.py | 10 ++++++---- trustify/client/sni_challenge.py | 4 ++-- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/trustify/client/configurator.py b/trustify/client/configurator.py index 8dc43835c..ae63a101b 100644 --- a/trustify/client/configurator.py +++ b/trustify/client/configurator.py 
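Review bot: Un-commenting the loop at the end of `main()` makes running the module as a script call `deploy_cert` on every vhost that has names, with hard-coded paths under `/home/james/`, and `deploy_cert` ends in `self.save(...)`, so the Apache configuration the Configurator has loaded is rewritten to point at files that exist on one developer's machine. The private key path is in a user's Documents directory, and the file passed as the certificate is named `req.pem`, which looks like a signing request rather than a certificate (confirm). Taking the three paths from command-line arguments, as in `config.deploy_cert(vh, cert_path, key_path, chain_path)`, or keeping this block out of the committed `main()`, avoids both problems. The start of `main()` is outside the hunk.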
@@ -368,7 +368,9 @@ class Configurator(object): Checks apache2ctl to get loaded module list """ try: - p = subprocess.Popen(['sudo', '/usr/sbin/apache2ctl', '-M'], stdout=subprocess.PIPE, stderr=open("/dev/null", 'w')).communicate()[0] + p = subprocess.check_output(['sudo', '/usr/sbin/apache2ctl', '-M'],\ + stderr=open("/dev/null", 'w')) + #p = subprocess.Popen(['sudo', '/usr/sbin/apache2ctl', '-M'], stdout=subprocess.PIPE, stderr=open("/dev/null", 'w')).communicate()[0] except: print "Error accessing apache2ctl for loaded modules!" print "This may be caused by an Apache Configuration Error" @@ -520,10 +522,10 @@ class Configurator(object): TODO: TEST """ # Use check_output so the command will finish before reloading - #subprocess.check_output(["sudo", "a2enmod", "ssl"], stdout=open("/dev/null", 'w'), stderr=open("/dev/null", 'w')) + subprocess.check_output(["sudo", "a2enmod", "ssl"], stdout=open("/dev/null", 'w'), stderr=open("/dev/null", 'w')) # Hopefully this waits for output - text = subprocess.Popen(['sudo', 'a2enmod', 'ssl'], stdout=subprocess.PIPE, stderr=open("/dev/null", 'w')).communicate()[0] - subprocess.call(["sudo", "/etc/init.d/apache2", "reload"], stdout=open("/dev/null", 'w')) + #text = subprocess.Popen(['sudo', 'a2enmod', 'ssl'], stdout=subprocess.PIPE, stderr=open("/dev/null", 'w')).communicate()[0] + subprocess.check_output(["sudo", "/etc/init.d/apache2", "reload"], stdout=open("/dev/null", 'w')) def fnmatch_to_re(self, cleanFNmatch): """ diff --git a/trustify/client/sni_challenge.py b/trustify/client/sni_challenge.py index 8fcde01d0..1d3c071f4 100644 --- a/trustify/client/sni_challenge.py +++ b/trustify/client/sni_challenge.py 
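Review bot: `subprocess.check_output` does not accept a `stdout` keyword and raises `ValueError` before the command is started, so both calls added in the `@@ -520,10 +522,10 @@` hunk (`a2enmod ssl` and the apache2 reload) fail as soon as the method runs; the `quiet` branch of `apache_restart` in this commit's sni_challenge.py hunk has the same defect. The output is discarded anyway, so `subprocess.check_call(["sudo", "a2enmod", "ssl"], stdout=devnull, stderr=devnull)` gives the wait-and-check behaviour the comment asks for, and patch 3 of this series does make that switch, but this commit on its own leaves the method unusable. Opening `/dev/null` once with `with open("/dev/null", "w") as devnull:` and passing that handle to both calls would also stop leaking a file object per call. The method's `def` line is outside the hunk.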
@@ -181,9 +181,9 @@ def apache_restart(quiet=False): Restarts apache server """ if quiet: - subprocess.call(["sudo", "/etc/init.d/apache2", "reload"], stdout=open("/dev/null","w"), stderr=open("/dev/null", "w")) + subprocess.check_output(["sudo", "/etc/init.d/apache2", "reload"], stdout=open("/dev/null","w"), stderr=open("/dev/null", "w")) else: - subprocess.call(["sudo", "/etc/init.d/apache2", "reload"]) + subprocess.check_output(["sudo", "/etc/init.d/apache2", "reload"]) # TODO: This function is insufficient as the user could edit the files # before the challenge is completed. It is safer to log all of the changes From 525e8d39e43c6f4bea3c20ae1113a81cc1245743 Mon Sep 17 00:00:00 2001 From: James Kasten Date: Mon, 13 Aug 2012 00:34:57 -0400 Subject: [PATCH 3/4] Got rid of check_output, added better error support --- trustify/client/client.py | 5 +++-- trustify/client/configurator.py | 20 ++++++++++++-------- trustify/client/sni_challenge.py | 13 +++++++++---- 3 files changed, 24 insertions(+), 14 deletions(-) diff --git a/trustify/client/client.py b/trustify/client/client.py index e1e8481e9..83bd53a13 100644 --- a/trustify/client/client.py +++ b/trustify/client/client.py @@ -170,9 +170,10 @@ def make_request(server, m, csr, quiet=False): m.request.csr = csr hashcash_cmd = ["hashcash", "-P", "-m", "-z", "12", "-b", `difficulty`, "-r", server] if quiet: - hashcash = subprocess.check_output(hashcash_cmd, preexec_fn=drop_privs, shell=False, stderr=open("/dev/null", "w")).rstrip() + hashcash = subprocess.Popen(hashcash_cmd, preexec_fn=drop_privs, shell= False, stdout=subprocess.PIPE, stderr=open("/dev/null", "w")).communicate()[0].rstrip() else: - hashcash = subprocess.check_output(hashcash_cmd, preexec_fn=drop_privs, shell=False).rstrip() + hashcash = subprocess.Popen(hashcash_cmd, preexec_fn=drop_privs, shell= False, stdout=subprocess.PIPE).communicate()[0].rstrip() + if hashcash: m.request.clientpuzzle = hashcash def sign(key, m): 
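Review bot: Replacing `check_output` with `Popen(...).communicate()[0]` in `make_request` drops the exit-status check, so a `hashcash` run that exits non-zero now yields an empty string and the new `if hashcash:` silently leaves `m.request.clientpuzzle` unset, with stderr discarded as well in the `quiet` branch. Keeping the process object makes the failure visible: `proc = subprocess.Popen(hashcash_cmd, preexec_fn=drop_privs, shell=False, stdout=subprocess.PIPE)`, then `hashcash = proc.communicate()[0].rstrip()` and `if proc.returncode != 0 or not hashcash:` followed by an error message. The same unchecked exit status is reintroduced for `apache2ctl -M` in this commit's configurator.py hunk at `@@ -368,9 +368,8 @@`, where a non-zero exit no longer reaches the `except:` branch and an empty module list may be parsed instead. The body of `make_request` starts outside the hunk.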
diff --git a/trustify/client/configurator.py b/trustify/client/configurator.py index ae63a101b..c2edee0e6 100644 --- a/trustify/client/configurator.py +++ b/trustify/client/configurator.py @@ -368,9 +368,8 @@ class Configurator(object): Checks apache2ctl to get loaded module list """ try: - p = subprocess.check_output(['sudo', '/usr/sbin/apache2ctl', '-M'],\ - stderr=open("/dev/null", 'w')) - #p = subprocess.Popen(['sudo', '/usr/sbin/apache2ctl', '-M'], stdout=subprocess.PIPE, stderr=open("/dev/null", 'w')).communicate()[0] + #p = subprocess.check_output(['sudo', '/usr/sbin/apache2ctl', '-M'], stderr=open("/dev/null", 'w')) + p = subprocess.Popen(['sudo', '/usr/sbin/apache2ctl', '-M'], stdout=subprocess.PIPE, stderr=open("/dev/null", 'w')).communicate()[0] except: print "Error accessing apache2ctl for loaded modules!" print "This may be caused by an Apache Configuration Error" @@ -521,11 +520,16 @@ class Configurator(object): Enables mod_ssl TODO: TEST """ - # Use check_output so the command will finish before reloading - subprocess.check_output(["sudo", "a2enmod", "ssl"], stdout=open("/dev/null", 'w'), stderr=open("/dev/null", 'w')) - # Hopefully this waits for output - #text = subprocess.Popen(['sudo', 'a2enmod', 'ssl'], stdout=subprocess.PIPE, stderr=open("/dev/null", 'w')).communicate()[0] - subprocess.check_output(["sudo", "/etc/init.d/apache2", "reload"], stdout=open("/dev/null", 'w')) + try: + # Use check_output so the command will finish before reloading + subprocess.check_call(["sudo", "a2enmod", "ssl"], stdout=open("/dev\ +/null", 'w'), stderr=open("/dev/null", 'w')) + # Hopefully this waits for output + subprocess.check_call(["sudo", "/etc/init.d/apache2", "reload"], st\ +dout=open("/dev/null", 'w'), stderr=open("/dev/null", 'w')) + except: + print "Error enabling mod_ssl" + sys.exit(1) def fnmatch_to_re(self, cleanFNmatch): """ diff --git a/trustify/client/sni_challenge.py b/trustify/client/sni_challenge.py index 1d3c071f4..ebaf23d74 100644 
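Review bot: The bare `except:` added around the two `check_call`s in the `@@ -521,11 +520,16 @@` hunk also catches `KeyboardInterrupt` and `SystemExit`, and because both streams go to `/dev/null` the operator only sees "Error enabling mod_ssl", with no hint whether `a2enmod` or the reload failed; `apache_restart` in this commit's sni_challenge.py hunk has the same shape. Catching `except (subprocess.CalledProcessError, OSError) as e:` and printing `e` would keep the failing command and its exit status. `a2enmod` is invoked by bare name while the module-list check in the same file uses `/usr/sbin/apache2ctl`; an absolute path avoids depending on whatever PATH sudo resolves. The comment still says `check_output` although the calls are now `check_call`, and no visible hunk adds `import sys` to configurator.py, so confirm it is already imported before relying on `sys.exit(1)`.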
--- a/trustify/client/sni_challenge.py +++ b/trustify/client/sni_challenge.py @@ -7,6 +7,7 @@ import hmac import hashlib from shutil import move from os import remove, close, path +import sys import binascii import augeas @@ -180,10 +181,14 @@ def apache_restart(quiet=False): """ Restarts apache server """ - if quiet: - subprocess.check_output(["sudo", "/etc/init.d/apache2", "reload"], stdout=open("/dev/null","w"), stderr=open("/dev/null", "w")) - else: - subprocess.check_output(["sudo", "/etc/init.d/apache2", "reload"]) + try: + if quiet: + subprocess.check_call(["sudo", "/etc/init.d/apache2", "reload"], stdout=open("/dev/null","w"), stderr=open("/dev/null", "w")) + else: + subprocess.check_call(["sudo", "/etc/init.d/apache2", "reload"]) + except: + print "Apache Restart Failed - Please Check the Configuration" + sys.exit(1) # TODO: This function is insufficient as the user could edit the files # before the challenge is completed. It is safer to log all of the changes From 25fc6233bc518e814dd8d5e5cb701b5f86e210ea Mon Sep 17 00:00:00 2001 From: James Kasten Date: Mon, 13 Aug 2012 00:39:06 -0400 Subject: [PATCH 4/4] fix syntax error --- trustify/client/configurator.py | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/trustify/client/configurator.py b/trustify/client/configurator.py index c2edee0e6..ac45fb56b 100644 --- a/trustify/client/configurator.py +++ b/trustify/client/configurator.py 
@@ -522,11 +522,9 @@ class Configurator(object): """ try: # Use check_output so the command will finish before reloading - subprocess.check_call(["sudo", "a2enmod", "ssl"], stdout=open("/dev\ -/null", 'w'), stderr=open("/dev/null", 'w')) + subprocess.check_call(["sudo", "a2enmod", "ssl"], stdout=open("/dev/null", 'w'), stderr=open("/dev/null", 'w')) # Hopefully this waits for output - subprocess.check_call(["sudo", "/etc/init.d/apache2", "reload"], st\ -dout=open("/dev/null", 'w'), stderr=open("/dev/null", 'w')) + subprocess.check_call(["sudo", "/etc/init.d/apache2", "reload"], stdout=open("/dev/null", 'w'), stderr=open("/dev/null", 'w')) except: print "Error enabling mod_ssl" sys.exit(1)