@ari
Created August 26, 2015 10:30
'''
SSL/TLS certificate generator
This script either creates a new key + CSR for a new SSL domain, or just a new CSR if you already have a key and
are only renewing a certificate.
'''
from __future__ import absolute_import

import re
from email.mime.text import MIMEText
from subprocess import PIPE, Popen, call, check_call

import salt.pillar
import salt.utils.minions
# Absolute path of the openssl binary run by _generateKey and createCSR.
openssl = "/usr/bin/openssl"
import os.path
# Directory where createCSR writes the generated <domain>.key and <domain>.csr files.
# NOTE(review): private keys land here - confirm the directory is readable only by
# the account that runs this script.
baseDir = "/usr/local/etc/salt/data/ssl-in-progress"
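def createCSR(domain):
    """Generate a fresh private key and CSR for *domain* and mail the CSR for signing.

    The key and CSR are written to ``baseDir/<domain>.key`` and
    ``baseDir/<domain>.csr``; the subject comes from the haproxy pillar via
    getSubject and the finished CSR is mailed with sendMail.

    Args:
        domain: fully-qualified hostname the certificate is for. It must be a plain
            DNS name (dot-separated labels of letters, digits and hyphens) because
            it is also used verbatim to name the files under baseDir.

    Raises:
        ValueError: if *domain* is missing or not a plain DNS name, or (from
            _generateKey) if the key file already exists.
        CalledProcessError: if openssl fails to create the CSR.
    """
    if domain is None:
        raise ValueError("Error: you must pass a domain.")
    # The domain names the key/CSR files, so anything that is not a plain DNS name
    # (in particular '/', '..' or whitespace) is rejected before it reaches
    # os.path.join or the openssl command line.
    if not _isValidDomain(domain):
        raise ValueError("Error: domain '{0}' invalid.".format(domain))
    keyFile = os.path.join(baseDir, domain + ".key")
    csrFile = os.path.join(baseDir, domain + ".csr")
    _generateKey(keyFile)
    # check_call rather than call: a failed openssl run must not fall through to
    # mailing a missing or partial CSR.
    check_call([openssl, "req", "-new", "-key", keyFile, "-out", csrFile,
                "-subj", getSubject(domain)])
    # The CSR is only read, so no read-write handle is needed.
    with open(csrFile, "r") as csrFilePtr:
        csr = csrFilePtr.read()
    email = ("Go to this link and get the certificate signed: "
             "https://products.geotrust.com/geocenter/reseller/logon.do\n\n")
    email = email + csr
    sendMail("SSL Certificate signing request for " + domain, email)


def _isValidDomain(domain):
    """Return True if *domain* is a dotted DNS name made of letters, digits and hyphens.

    Each label is 1-63 characters and starts and ends with a letter or digit; at
    least two labels are required, so a bare name without a dot is rejected as
    before. ``\\Z`` (not ``$``) is used so a trailing newline cannot slip through.
    """
    label = r'[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    pattern = label + r'(?:\.' + label + r')+\Z'
    return re.match(pattern, domain) is not None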
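def _generateKey(keyfile, bits=2048):
    """Create a new RSA private key at *keyfile* with ``openssl genrsa``.

    Args:
        keyfile: destination path; it must not exist yet, so an existing key is
            never silently overwritten.
        bits: RSA modulus size handed to openssl (default 2048, the value this
            script always used).

    Raises:
        ValueError: if *keyfile* is missing or something already exists at that path.
        CalledProcessError: if openssl exits non-zero, instead of leaving the
            caller to continue without a key.
    """
    if keyfile is None:
        raise ValueError("Error: you must pass a path to the keyfile.")
    # exists() rather than isfile(): a directory or link at the path is just as
    # much a reason to abort as a regular file.
    if os.path.exists(keyfile):
        raise ValueError("Error: there is already a file in the path you passed. Aborting.")
    # NOTE(review): the key file's mode is whatever openssl and the process umask
    # produce - confirm the result is not group/world readable.
    check_call([openssl, "genrsa", "-out", keyfile, str(bits)])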
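def getSubject(domain, minion="smash01", saltenv='base'):
    """Build the OpenSSL ``-subj`` string for *domain* from the haproxy pillar.

    The pillar of *minion* is compiled and searched for the entry under
    ``haproxy:sites`` whose ``hostname`` equals *domain*; that entry's ``ssl``
    mapping supplies the subject fields, with defaults for the optional ones.

    Args:
        domain: hostname used as the CN and matched against each site's ``hostname``.
        minion: minion id whose pillar holds the haproxy sites (default "smash01").
        saltenv: pillar environment to compile (default 'base').

    Returns:
        A subject string of the form
        ``/C=AU/ST=NSW/L=Sydney/O=<organisation>/OU=website/CN=<domain>/emailAddress=...``.

    Raises:
        ValueError: if no site has *domain* as hostname, if that site has no ``ssl``
            mapping, or if the mapping lacks ``organisation`` (the only field
            without a default).
    """
    site_ssl = _lookupSiteSsl(domain, minion, saltenv)
    if site_ssl is None:
        raise ValueError("Error: The domain you passed isn't in the haproxy pillar yet.")
    organisation = site_ssl.get('organisation')
    if not organisation:
        raise ValueError("Error: the ssl pillar for '{0}' has no 'organisation'.".format(domain))
    # Fixed field order so the same pillar always yields the same subject string;
    # iterating a plain dict did not guarantee that on older interpreters.
    fields = [
        ('C', site_ssl.get('country') or "AU"),
        ('ST', site_ssl.get('state') or "NSW"),
        ('L', site_ssl.get('location') or "Sydney"),
        ('O', organisation),
        ('OU', site_ssl.get('department') or "website"),
        ('CN', domain),
        ('emailAddress', "***"),
    ]
    # Values are escaped so a '/' or '+' in pillar data is not read by openssl as
    # a field separator.
    return "".join("/" + key + "=" + _escapeSubjectValue(value) for key, value in fields)


def _lookupSiteSsl(domain, minion, saltenv):
    """Return the ``ssl`` mapping of the haproxy site whose ``hostname`` is *domain*, or None.

    ``__opts__`` is not defined in this file; it is expected to be injected by
    Salt when the module is loaded.
    """
    id_, grains, _ = salt.utils.minions.get_minion_data(minion, __opts__)
    if grains is None:
        # No cached grains for the minion: supply the minimum the pillar needs.
        grains = {'fqdn': minion}
    pillar = salt.pillar.Pillar(__opts__, grains, id_, saltenv).compile_pillar()
    sites = pillar['haproxy']['sites']
    for site in sites.values():
        if site.get('hostname') == domain:
            return site.get('ssl')
    return None


def _escapeSubjectValue(value):
    """Backslash-escape the characters OpenSSL treats specially inside a ``-subj`` value."""
    # Backslash first so the escapes added afterwards are not doubled.
    escaped = value.replace('\\', '\\\\')
    escaped = escaped.replace('/', '\\/')
    return escaped.replace('+', '\\+')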
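def sendMail(subject, content):
    """Send *content* as a plain-text mail with *subject* through the local sendmail.

    Args:
        subject: value of the Subject header.
        content: message body (in this script, the CSR text plus instructions).

    Raises:
        RuntimeError: if sendmail exits non-zero, so a CSR that never left the
            host is not reported as sent.
    """
    msg = MIMEText(content)
    msg["From"] = "***"
    msg["To"] = "***"
    msg["Subject"] = subject
    payload = msg.as_string()
    # Popen's stdin expects bytes on Python 3; on Python 2 as_string() already
    # returns str (bytes), so this branch is skipped there.
    if not isinstance(payload, bytes):
        payload = payload.encode("utf-8")
    proc = Popen(["/usr/sbin/sendmail", "-t", "-oi"], stdin=PIPE)
    proc.communicate(payload)
    if proc.returncode != 0:
        raise RuntimeError("Error: sendmail exited with status {0}.".format(proc.returncode))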