WIP

kobotoolbox · Sep 13, 2023 · f243754 · f243754
1 parent 9eb6ecd
commit f243754
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 9 deletions.
diff --git a/helpers/command.py b/helpers/command.py
@@ -370,7 +370,7 @@ def start(cls, frontend_only=False, force_setup=False):
 
             # Start reverse proxy if user uses it.
             if config.use_letsencrypt:
-                if force_setup:
+                if force_setup or not config.is_certs_path_updated:
                     # Let's Encrypt NGINX container needs kobo-docker NGINX
                     # container to be started first
                     config.init_letsencrypt()

diff --git a/helpers/config.py b/helpers/config.py
@@ -230,6 +230,10 @@ def get_upgraded_dict(self):
 
         upgraded_dict = Upgrading.set_compose_version(upgraded_dict)
 
+        upgraded_dict = Upgrading.letsencrypt_certs_path(
+            upgraded_dict, self.use_letsencrypt
+        )
+
         return upgraded_dict
 
     @property
@@ -358,6 +362,7 @@ def get_template(cls):
             'local_interface': Network.get_primary_interface(),
             'local_interface_ip': primary_ip,
             'letsencrypt_email': '[email protected]',
+            'letsencrypt_certs_path_updated': False,
             'maintenance_date_iso': '',
             'maintenance_date_str': '',
             'maintenance_email': '[email protected]',
@@ -458,6 +463,14 @@ def get_template(cls):
     def is_secure(self):
         return self.__dict['https'] is True
 
+    @property
+    def is_letsencrypt_certs_path_updated(self):
+        value = self.__dict['letsencrypt_certs_path_updated']
+        if not value:
+            print('IS_LETSENCRYPT PATH UPDATED', flush=True)
+            self.__dict['letsencrypt_certs_path_updated'] = True
+        return value
+
     def init_letsencrypt(self):
         if self.frontend and self.use_letsencrypt:
             reverse_proxy_path = self.get_letsencrypt_repo_path()
@@ -675,6 +688,9 @@ def write_config(self):
         """
         Writes config to file `Config.CONFIG_FILE`.
         """
+
+        print('WRITE CONFIG', flush=True)
+
         # Adds `date_created`. This field will be use to determine
         # first usage of the setup option.
         if self.__dict.get('date_created') is None:

diff --git a/helpers/upgrading.py b/helpers/upgrading.py
@@ -11,6 +11,17 @@
 
 class Upgrading:
 
+    # @staticmethod
+    # def letsencrypt_certs_path(upgraded_dict: dict, use_letsencrypt) -> dict:
+    #     if not use_letsencrypt:
+    #         upgraded_dict['letsencrypt_certs_path'] = False
+    #         return upgraded_dict
+    #
+    #     if 'letsencrypt_certs_path_upgraded' not in upgraded_dict:
+    #         upgraded_dict['letsencrypt_certs_path'] = False
+    #
+    #     return upgraded_dict
+
     @staticmethod
     def migrate_single_to_two_databases(config: 'helpers.Config'):
         """

diff --git a/templates/nginx-certbot/data/nginx/app.conf.tpl b/templates/nginx-certbot/data/nginx/app.conf.tpl
@@ -17,8 +17,8 @@ server {
     server_name ${KOBOFORM_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME} ${KOBOCAT_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME} ${ENKETO_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME};
     server_tokens off;
 
-    ssl_certificate /etc/letsencrypt/live/${KOBOFORM_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/${KOBOFORM_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME}/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/${KOBOFORM_SUBDOMAIN}-${KOBOCAT_SUBDOMAIN}-${KOBOCAT_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${KOBOFORM_SUBDOMAIN}-${KOBOCAT_SUBDOMAIN}-${KOBOCAT_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME}/privkey.pem;
     include /etc/letsencrypt/options-ssl-nginx.conf;
     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 

diff --git a/templates/nginx-certbot/init-letsencrypt.sh.tpl b/templates/nginx-certbot/init-letsencrypt.sh.tpl
@@ -4,6 +4,7 @@ function join_by { local d=$$1; shift; echo -n "$$1"; shift; printf "%s" "$${@/#
 
 DOMAINS=(${KOBOFORM_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME} ${KOBOCAT_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME} ${ENKETO_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME})
 DOMAINS_CSV=$$(join_by , "$${DOMAINS[@]}")
+DOMAINS_FOLDER="${KOBOFORM_SUBDOMAIN}-${KOBOCAT_SUBDOMAIN}-${ENKETO_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME}"
 RSA_KEY_SIZE=4096
 DATA_PATH="./data/certbot"
 EMAIL="" # Adding a valid address is strongly recommended
@@ -13,7 +14,7 @@ DOCKER_COMPOSE_CMD="$$(which ${DOCKER_COMPOSE_CMD})"
 CURL_CMD=$$(which curl)
 
 
-if [ -d "$$DATA_PATH" ]; then
+if [ -d "$$DATA_PATH/conf/live/$$DOMAINS_FOLDER" ]; then
   read -p "Existing data found for $$DOMAINS_CSV. Continue and replace existing certificate? (y/N) " decision
   if [ "$$decision" != "Y" ] && [ "$$decision" != "y" ]; then
     exit
@@ -29,8 +30,8 @@ if [ ! -e "$$DATA_PATH/conf/options-ssl-nginx.conf" ] || [ ! -e "$$DATA_PATH/con
 fi
 
 echo "### Creating dummy certificate for $${DOMAINS_CSV} ..."
-DOMAINS_PATH="/etc/letsencrypt/live/$$DOMAINS"
-$$MKDIR_CMD -p "$$DATA_PATH/conf/live/$$DOMAINS"
+DOMAINS_PATH="/etc/letsencrypt/live/$$DOMAINS_FOLDER"
+$$MKDIR_CMD -p "$$DATA_PATH/conf/live/$$DOMAINS_FOLDER"
 $$DOCKER_COMPOSE_CMD ${DOCKER_COMPOSE_SUFFIX} run --rm --entrypoint "\
   openssl req -x509 -nodes -newkey rsa:1024 -days 1\
     -keyout '$$DOMAINS_PATH/privkey.pem' \
@@ -45,9 +46,9 @@ echo
 
 echo "### Deleting dummy certificate for $${DOMAINS_CSV} ..."
 $$DOCKER_COMPOSE_CMD ${DOCKER_COMPOSE_SUFFIX} run --rm --entrypoint "\
-  rm -Rf /etc/letsencrypt/live/$$DOMAINS && \
-  rm -Rf /etc/letsencrypt/archive/$$DOMAINS && \
-  rm -Rf /etc/letsencrypt/renewal/$$DOMAINS.conf" certbot
+  rm -Rf /etc/letsencrypt/live/$$DOMAINS_FOLDER && \
+  rm -Rf /etc/letsencrypt/archive/$$DOMAINS_FOLDER && \
+  rm -Rf /etc/letsencrypt/renewal/$$DOMAINS_FOLDER.conf" certbot
 echo