initial commit

Author: Jörg Herzinger

.gitignore

@@ -0,0 +1 @@
+Gemfile.lock

Gemfile

@@ -0,0 +1,3 @@
+source 'https://rcrs.rbinternational.com/artifactory/api/gems/gems/'
+
+gem 'mixlib-shellout', '~> 2.3.2'

Jenkinsfile

@@ -0,0 +1,89 @@
+pipeline {
+  agent { label 'master' }
+
+  options {
+    buildDiscarder(logRotator(numToKeepStr:'20'))
+    disableConcurrentBuilds()
+    timeout(time: 30, unit: 'MINUTES')
+  }
+  triggers {
+    // pollSCM('H/4 * * * *')
+  }
+
+  // parameters {
+  //   string(name: 'workspaces', defaultValue: '', description: 'The workspaces separated by a space to check, plan and apply.')
+  // }
+
+  stages {
+    stage('Init') {
+      steps {
+        script  {
+          ansiColor('xterm') {
+            sh("rake23 init")
+          }
+        }
+      }
+    }
+
+    stage('Certbot') {
+      steps {
+        script {
+          try {
+            ansiColor('xterm') {
+              sh("rake23 certbot:renew")
+            }
+          } catch(err) {
+            currentBuild.result = 'UNSTABLE'
+          }
+        }
+      }
+    }
+
+    stage('Chef Vault') {
+      steps {
+        ansiColor('xterm') {
+          sh("rake23 chef_vault:upload")
+        }
+      }
+    }
+
+    stage('Hashicorp Vault') {
+      // when {
+      //   allOf {
+      //     branch 'master'
+      //     expression { return resultSuccess() }
+      //   }
+      // }
+      steps {
+        ansiColor('xterm') {
+          sh("rake23 hashicorp_vault:upload")
+        }
+      }
+    }
+
+    stage('Git push') {
+      steps {
+        ansiColor('xterm') {
+          sh("rake23 git:push")
+        }
+      }
+    }
+
+    stage('Cleanup') {
+      // when {
+      //   allOf {
+      //     branch 'master'
+      //     expression { return resultSuccess() }
+      //     expression { return approved }
+      //   }
+      // }
+      steps {
+        script {
+          ansiColor('xterm') {
+            sh("rake23 cleanup")
+          }
+        }
+      }
+    }
+  }
+}

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 ByteSource Technology Consulting GmbH
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,100 @@
+# Letsencrypt automation wrapper
+
+## Using it
+
+Clone this repository and change the origin to an internal private git repo of your choice. This repo will in the end contain the certificates you register. Make sure adequate permissions are set up!
+
+### Requirements
+
+To run this you need at least:
+
+  * Git
+  * Docker
+  * Ruby (>= 2)
+
+### Config
+
+Create a file called `config.json` alongside the `config.default.json` and fill in the changes you want. An example of all available config settings is given here:
+
+```
+{
+  "docker_environment": {
+    "https_proxy": "http://proxy.service.com:5678",
+    "http_proxy": "http://proxy.service.com:5678",
+    "no_proxy": ".service.com"
+  },
+  "certbot": {
+    "docker_image": "docker.local/certbot/dns-route53:v0.22.0",
+    "docker_container": "certbot",
+    "aws_credentials": "~/.aws/credentials",
+    "email": "[email protected]",
+    "server": "https://acme-staging-v02.api.letsencrypt.org/directory"
+  },
+  "chef": {
+    "docker_image": "docker.local/chef/chefdk:v2",
+    "data_bag": "letsencrypt",
+    "admins": ["admin1", "admin2"]
+  },
+  "backends": [
+    "chef_vault"
+  ],
+  "certificates": {
+    "_star_.my.domain.com": {
+      "domains": ["*.my.domain.com", "my.domain.com"],
+      "chef_vault": {
+        "clients": ["client1", "client2"],
+        "search": "search term"
+      }
+    },
+    "sometest.domain.com": {
+      "domains": ["sometest.domain.com", "some-test.domain.com"],
+      "hashicorp_vault": {
+        "permissions_to_set": "a"
+      }
+    }
+  }
+}
+```
+
+The two public ACME Servers are:
+
+  * https://acme-staging-v02.api.letsencrypt.org/directory
+  * https://acme-v02.api.letsencrypt.org/directory
+
+### Run manually
+
+To run the tasks manually check out the available rake tasks with `rake -T`. To initialize the project you have to register an account at LetsEncrypt once. To do so run:
+
+```
+rake init
+rake certbot:register
+```
+
+once and commit the changes.
+
+### Running in Jenkins
+
+There is a Jenkinsfile available in this repo which should do everything for you once you are set up.
+
+## Updating
+
+Add this repo as a remote
+
+```
+git remote add update https://github.com/bytesourceoss/letsencrypt-automation.git
+```
+
+And fetch the changes you want
+
+```
+git fetch update master # Fetch changes from master
+git fetch update refs/tags/1.0.0 # Fetch a specific tag
+```
+
+# ToDo
+
+Pretty much everything I guess...
+
+  * How to upload only changed certificates
+    * Read state from git?
+    * Keep state file with changes?

Rakefile

@@ -0,0 +1,66 @@
+require 'date'
+sh '/bin/bash lib/init.sh' if !File.exist?('Gemfile.lock') || (Date.today - File.mtime('Gemfile.lock').to_date).to_i > 20
+
+require 'bundler/setup'
+require_relative 'lib/helpers'
+require_relative 'lib/git'
+require_relative 'lib/certbot'
+require_relative 'lib/chef_vault'
+
+Rake.application.options.suppress_backtrace_pattern = %r{/} # Suppress trace when running. Using --trace still works
+
+desc 'Initialize project'
+task :init do
+  Helpers.log Certbot.init
+  # ChefVault.init if Helpers.config['backends'].key?('chef_vault')
+  # HashicorpVault.init if Helpers.config['backends'].key?('hashicorp_vault')
+end
+
+desc 'Displays Help'
+task :help do
+  puts 'How to use these rake taks:
+Check the available tasks with rake23 -T.'
+end
+
+namespace :git do
+  desc 'Commit and push repository'
+  task :push do
+    Git.push
+  end
+end
+
+namespace :certbot do
+  desc 'Register Certbot account'
+  task :register do
+    Helpers.log Certbot.register
+  end
+
+  desc 'Run arbitrary certbot command passed as parameter'
+  task :run, [:cmd] do |_t, args|
+    Helpers.log Certbot.run(args[:cmd])
+  end
+
+  desc 'Run certbot to obtain or renew certificates'
+  task :renew do
+    Helpers.config['certificates'].each do |name, props|
+      Helpers.log Certbot.renew(name, props['domains'])
+    end
+  end
+
+  desc 'Run certbot to revoke a certificate'
+  task :revoke, [:cert] do |_t, args|
+    Helpers.log Certbot.revoke(args[:cert])
+  end
+end
+
+namespace :chef_vault do
+  desc 'Upload all changed certificates as chef vaults'
+  task :upload do
+    ChefVault.upload
+  end
+end
+
+desc 'Cleanup all temporary files, docker containers etc'
+task :cleanup do
+  Helpers.log Certbot.cleanup
+end

config.default.json

@@ -0,0 +1,21 @@
+{
+  "docker_environment": {
+  },
+  "certbot": {
+    "docker_image": "certbot/dns-route53:v0.22.0",
+    "docker_container": "certbot",
+    "aws_credentials": "~/.aws/credentials",
+    "email": "[email protected]",
+    "server": "https://acme-staging-v02.api.letsencrypt.org/directory"
+  },
+  "chef": {
+    "docker_image": "chef/chefdk:2",
+    "data_bag": "letsencrypt",
+    "admins": ["admin1", "admin2"]
+  },
+  "backends": [
+    "chef_vault"
+  ],
+  "certificates": {
+  }
+}

lib/certbot.rb

@@ -0,0 +1,33 @@
+require_relative 'helpers'
+
+# Cerbot module
+module Certbot
+  extend self
+
+  def init
+    Helpers.run_command("docker run -itd #{Helpers.environment} --name #{Helpers.config['certbot']['docker_container']} -v `pwd`/etc_letsencrypt:/etc/letsencrypt -v #{Helpers.config['certbot']['aws_credentials']}:/root/.aws/credentials --entrypoint '/bin/sh' #{Helpers.config['certbot']['docker_image']}")
+  end
+
+  def cleanup
+    Helpers.run_command("docker rm -f #{Helpers.config['certbot']['docker_container']}")
+  end
+
+  def register
+    run("register --agree-tos -m #{Helpers.config['certbot']['email']}")
+  end
+
+  # Renew a certificate if necessary. Parameters are usually ready from the config file
+  #
+  # @param name [String] The name of the certificate
+  #
+  # @param domains [Array] The domains for this certificate
+  #
+  def renew(name, domains)
+    Helpers.info_log("Registering/Renewing certificate #{name} for domains #{domains.join(',')}")
+    run("certonly --non-interactive --dns-route53 --cert-name #{name} --domains #{domains.join(',')}")
+  end
+
+  def run(cmd)
+    Helpers.run_command("docker exec -i #{Helpers.config['certbot']['docker_container']} certbot --server #{Helpers.config['certbot']['server']} --debug #{cmd}")
+  end
+end

lib/chef_vault.rb

@@ -0,0 +1,8 @@
+# Chef Vault module
+module ChefVault
+  extend self
+
+  def init
+
+  end
+end