auto generate ssl certs for dns managed in godaddy/aliyun/route53
# Script to issue Let's Encrypt certificates for a batch of sub-domains via certbot DNS plugins and upload the resulting PEM files (including private keys) to an S3 bucket.
import os | |
import boto3 | |
import logging | |
import subprocess | |
import sys | |
import time | |
from multiprocessing import Pool | |
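# Log to stdout through the root logger so messages from library loggers
# (boto3/botocore) propagate here as well. No formatter: bare messages only.
logger = logging.getLogger()
logger.setLevel(logging.INFO)
logger.addHandler(logging.StreamHandler(sys.stdout))

# Built at import time from the default AWS credential chain (env vars,
# ~/.aws, instance role). The route53 certbot plugin presumably resolves the
# same chain inside the certbot process, so that identity also needs Route 53
# rights when that plugin is selected - TODO confirm in the deployment.
s3_client = boto3.client('s3')
# Destination bucket for certificate material, private keys included.
# Overridable via SSL_CERT_BUCKET so environments need not share one bucket;
# the default is unchanged from the original hard-coded name.
s3_bucket = os.environ.get('SSL_CERT_BUCKET', 'ssl-certs-for-uat')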
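# Produce a text file of domain names for bulk registration at a DNS provider.
def generate_domain_list(root_domain, cert_num, tld='.cn', output_path='domain_list.txt'):
    """Build `<root_domain><i><tld>` names for i in 0..cert_num-1 and write them one per line.

    The suffix is a sequential index, not a random value (the original comment
    said "random"). Note this naming scheme differs from the `<i>.<root_domain>`
    names that main() issues certificates for; the two are not reconciled here.

    Args:
        root_domain: Label the index is appended to; str() is applied.
        cert_num: Number of names to generate; int() is applied, so '3' works.
        tld: Suffix appended after the index. Defaults to '.cn'.
        output_path: File the list is written to; overwritten on every call.

    Returns:
        The generated names, in order (the original returned None).

    Raises:
        ValueError: cert_num is not convertible to int.
        OSError: output_path cannot be written.
    """
    count = int(cert_num)
    domain_list = ['{}{}{}'.format(root_domain, i, tld) for i in range(count)]
    with open(output_path, 'w') as f:
        f.writelines(domain + '\n' for domain in domain_list)
    logger.info('Generated domain list: {}'.format(domain_list))
    return domain_list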
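# Each provider wrapper below runs certbot non-interactively with that
# provider's DNS-01 plugin and, only on success, hands the files certbot wrote
# to upload_ssl_certs(). The shared driver is _issue_and_upload().
def _issue_and_upload(domain_name, certbot_args):
    """Run one certbot invocation and upload its output if it succeeded.

    Args:
        domain_name: FQDN being issued; used for logging and for the upload path.
        certbot_args: Complete argv for the certbot call (a list, never a shell string).

    Returns:
        True if certbot exited 0 and the upload completed, False otherwise.
        Failures are logged rather than raised so a batch keeps going.
    """
    logger.info('Generating ssl certs for domain: %s', domain_name)
    try:
        # check=True is the important part: previously a non-zero certbot exit
        # was ignored, and whatever already sat under
        # /etc/letsencrypt/live/<domain>/ from an earlier run was re-uploaded
        # as if it had just been issued.
        resp = subprocess.run(certbot_args, check=True)
        logger.info('Certs generated: %s', resp)
        upload_ssl_certs(domain_name)
    except subprocess.CalledProcessError as e:
        logger.error('certbot failed for %s (exit status %s)', domain_name, e.returncode)
        return False
    except Exception as e:
        # Missing certbot binary / unreadable PEM files (OSError) or S3 errors
        # from upload_ssl_certs - kept best-effort as in the original.
        logger.error('error validating certificate: %s', e)
        return False
    logger.info('Generated ssl certs for domain: %s', domain_name)
    return True


def generate_ssl_certs_by_aliyun(domain_name):
    """Issue a cert for `domain_name` via the certbot-dns-aliyun plugin and upload it.

    API credentials are read from ./aliyun.ini relative to the current working
    directory, so run the script from the directory holding that file and keep
    it mode 0600 - it contains the DNS account secret. `--non-interactive` is
    passed (it was missing here, unlike the other providers) so a first-run
    prompt cannot hang an unattended batch.

    Returns:
        True on success, False on any failure (details are logged).
    """
    return _issue_and_upload(domain_name, [
        'certbot', 'certonly',
        '--authenticator', 'certbot-dns-aliyun:dns-aliyun',
        '--certbot-dns-aliyun:dns-aliyun-credentials', './aliyun.ini',
        '--non-interactive',
        '-d', domain_name,
    ])


def generate_ssl_certs_by_godaddy(domain_name):
    """Issue a cert for `domain_name` via the dns-godaddy plugin and upload it.

    Credentials are read from ./godaddy.ini relative to the current working
    directory (keep it mode 0600). `--force-renewal` overrides
    `--keep-until-expiring`, so every run re-issues a certificate; each of
    those counts against Let's Encrypt's duplicate-certificate rate limit.

    Returns:
        True on success, False on any failure (details are logged).
    """
    return _issue_and_upload(domain_name, [
        'certbot', 'certonly',
        '--authenticator', 'dns-godaddy',
        '--dns-godaddy-credentials', './godaddy.ini',
        '--dns-godaddy-propagation-seconds', '60',
        '--keep-until-expiring', '--non-interactive', '--force-renewal', '--expand',
        '--server', 'https://acme-v02.api.letsencrypt.org/directory',
        '-d', domain_name,
    ])


def generate_ssl_certs_by_route53(domain_name):
    """Issue a cert for `domain_name` via certbot's dns-route53 plugin and upload it.

    The plugin authenticates with the AWS credential chain of the certbot
    process, so the identity running this script needs Route 53 record-change
    rights on the hosted zone in addition to the S3 rights for the upload.
    `--force-renewal` means every run re-issues (see the rate-limit note on
    generate_ssl_certs_by_godaddy).

    Returns:
        True on success, False on any failure (details are logged).
    """
    return _issue_and_upload(domain_name, [
        'certbot', 'certonly', '--dns-route53',
        '--dns-route53-propagation-seconds', '30',
        '--non-interactive', '--force-renewal',
        '-d', domain_name,
    ])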
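# Files certbot writes for one lineage; privkey.pem is the secret one.
_CERT_FILES = ('cert.pem', 'chain.pem', 'fullchain.pem', 'privkey.pem')


def _ensure_bucket():
    """Create `s3_bucket` only if a HEAD request reports it as absent (404).

    A 403 or any other error is re-raised: it means the name is already taken
    (bucket names are global, possibly by another account) or this identity
    lacks permission, and attempting CreateBucket would only mask that with a
    BucketAlreadyExists/AccessDenied error. The original treated every HEAD
    failure, including transient ones, as "bucket missing".
    """
    try:
        s3_client.head_bucket(Bucket=s3_bucket)
        return
    except s3_client.exceptions.ClientError as e:
        code = e.response.get('Error', {}).get('Code')
        if code not in ('404', 'NoSuchBucket'):
            raise
    logger.info('Creating ssl bucket: %s', s3_bucket)
    # Region kept as in the original; assumes s3_client is configured for a
    # region compatible with us-west-2 - TODO confirm, otherwise S3 rejects
    # the LocationConstraint.
    s3_client.create_bucket(Bucket=s3_bucket, CreateBucketConfiguration={'LocationConstraint': 'us-west-2'})
    # The bucket stores private keys: refuse public ACLs/policies from the
    # start. (The original comment claimed a public-read ACL; none was ever
    # set, and none must be.) Requires s3:PutBucketPublicAccessBlock.
    s3_client.put_public_access_block(
        Bucket=s3_bucket,
        PublicAccessBlockConfiguration={
            'BlockPublicAcls': True,
            'IgnorePublicAcls': True,
            'BlockPublicPolicy': True,
            'RestrictPublicBuckets': True,
        },
    )


def upload_ssl_certs(domain_name):
    """Copy certbot's output for `domain_name` to s3://<s3_bucket>/<domain_name>/.

    Reads cert.pem, chain.pem, fullchain.pem and privkey.pem from
    /etc/letsencrypt/live/<domain_name>/ (root-only by default, so this runs
    as a user that can read them) and uploads each under the same file name.
    All four files are read before any S3 call, so a missing file aborts
    without a partial upload.

    Args:
        domain_name: FQDN whose certbot lineage directory is uploaded.

    Raises:
        OSError: a PEM file is missing or unreadable (e.g. issuance failed).
        botocore ClientError: bucket lookup/creation or an upload was refused.
    """
    logger.info('Uploading ssl certs for domain: %s', domain_name)
    live_dir = '/etc/letsencrypt/live/{}'.format(domain_name)
    contents = {}
    for filename in _CERT_FILES:
        # Files were previously opened without closing them; `with` fixes that.
        with open(os.path.join(live_dir, filename), 'rb') as fh:
            contents[filename] = fh.read()
    _ensure_bucket()
    for filename, body in contents.items():
        s3_client.put_object(Body=body, Bucket=s3_bucket, Key='{}/{}'.format(domain_name, filename))
    logger.info('Uploaded ssl certs for domain: %s', domain_name)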
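# Maps the <plugin_name> CLI argument to its issuing function.
PLUGINS = {
    'godaddy': generate_ssl_certs_by_godaddy,
    'route53': generate_ssl_certs_by_route53,
    'aliyun': generate_ssl_certs_by_aliyun,
}


def main():
    """CLI entry point: issue and upload certs for <cert_num> sub-domains of <root_domain>.

    Usage: ssl_generate.py <root_domain> <cert_num> <plugin_name>

    Domain i is named '<i>.<root_domain>' (this differs from the
    '<root_domain><i>.cn' scheme in generate_domain_list(), which main() does
    not call). Exits 1 on bad arguments - an unknown plugin name used to be a
    silent no-op - and 2 if any issuing call reported failure by returning
    False (a None return is treated as "no status", i.e. success).
    """
    if len(sys.argv) <= 3:
        logger.info('Usage: ssl_generate.py <root_domain> <cert_num> <plugin_name>')
        sys.exit(1)
    root_domain, cert_num_arg, plugin_name = sys.argv[1:4]
    try:
        cert_num = int(cert_num_arg)
    except ValueError:
        logger.error('cert_num must be an integer, got %r', cert_num_arg)
        sys.exit(1)
    issue = PLUGINS.get(plugin_name)
    if issue is None:
        logger.error('unknown plugin %r; expected one of %s', plugin_name, sorted(PLUGINS))
        sys.exit(1)

    logger.info("Generating ssl certs for domain: {}".format(root_domain))
    # Deliberately sequential. certbot takes an exclusive lock on its config
    # directory (/etc/letsencrypt), so concurrent invocations fail with
    # "Another instance of Certbot is already running". The original spawned a
    # Pool of cert_num workers but drove it with the blocking pool.apply(), so
    # it was sequential anyway - and never closed the pool.
    failures = 0
    for i in range(cert_num):
        domain_name = '{}.{}'.format(i, root_domain)
        if issue(domain_name) is False:
            failures += 1
    logger.info("Generated ssl certs for domain: {}".format(root_domain))
    if failures:
        logger.error('%d of %d domains failed', failures, cert_num)
        sys.exit(2)


if __name__ == '__main__':
    main()
    sys.exit(0)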