a }|ge@sndZddlZddlZddlZddlZddlZddlZddlZddlm Z ddlm Z ddlm Z ddlm Z ddlm Z ddlmZdd lmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddlm Z ddlm!Z!ddlm"Z"ddlm#Z#ddl$m%Z&ddl'm(Z)ddl*m+Z+ddl,mZ-e.e/Z0gdZ1ddgZ2gdZ3e4e5e3e2e1d Z6ej7e8ee"j9d!d"d#Z:ej7e e8e fdd$d%d&Z;ej7e e8e fdd$d'd(Ze8ee e8e8fe e8d.d/d0Z?e8e8e@d1d2d3ZAe8e8eBd1d4d5ZCe8e8ee8d1d6d7ZDej7e"j9e@d8d9d:ZEej7e"j9e8dd;dd?ZGej7ee e8ejHe"j9dd@dAdBZIe e8e8e8dCdDdEZJej7e e8e e8e e8e e8ddFdGdHZKej7eeLeLfdIdJdKZMe8ej7ddLdMdNZNdS)OzGFunctionality for autorenewal and associated juggling of configurationsN)Any)Dict)Iterable)List)Mapping)Optional)Tuple)Union)default_backend)ec)rsa)load_pem_private_key) configuration) crypto_util)errors)util)cli)client) constants)hooks)storage)updater)obj)disco)os)Z config_dirZlogs_dirZwork_dirZ user_agentserverZaccount authenticator installer renew_hookpre_hook post_hookZhttp01_addressZpreferred_chainkey_typeelliptic_curve rsa_key_size http01_port)Z must_stapleZallow_subset_of_names reuse_keyZ autorenew) pref_challs)config full_pathreturnc Cs~zt||}WnXttjfyh}z:td|tdt|tdt WYd}~dSd}~00d|j vrtd|dS|j d}d|vrtd|dS| d d |d <t |}zt||t||WnPttjfy&}z0td |t|tdt WYd}~dSd}~00zd d |D|_Wn8tjyx}ztd||WYd}~dSd}~00|S)aTry to instantiate a RenewableCert, updating config with relevant items. This is specifically for use in renewal and enforces several checks and policies to ensure that we can try to proceed with the renewal request. The config argument is modified by including relevant options read from the renewal configuration file. :param configuration.NamespaceConfig config: configuration for the current lineage :param str full_path: Absolute path to the configuration file that defines this lineage :returns: the RenewableCert object or None if a fatal error occurred :rtype: `storage.RenewableCert` or NoneType z(Renewal configuration file %s is broken.zThe error was: %s Skipping.Traceback was: %sN renewalparamszqsz reconstitute..z{Renewal configuration file %s references a certificate that contains an invalid domain name. The problem was: %s. Skipping.)r RenewableCertOSErrorrZCertStorageErrorloggererrorstrdebug traceback format_excrget"_remove_deprecated_config_elements restore_required_config_elements_restore_plugin_configs ValueErrorErrornamesdomainsZConfigurationError)r'r(renewal_candidater4r+r,r,r/ reconstitute9sP     rB)r'r+r)cCsPd|vr|ds|d|_d|vrL|dsL|d}t|trF|g}||_dS)z webroot_map is, uniquely, a dict, and the general-purpose configuration restoring logic is not able to correctly parse it from the serialized form. webroot_map webroot_pathN) set_by_userrC isinstancer5rD)r'r+Zwpr,r,r/_restore_webroot_config|s  rGcCsg}|ddkrt||n||d|ddurF||dt|D]n}|dd}|D]T\}}||drf||sf|dvrt||t |qft |}t||||qfqNdS)aSets plugin specific values in config from renewalparams :param configuration.NamespaceConfig config: configuration for the current lineage :param configobj.Section renewalparams: Parameters from the renewal configuration file that defines this lineage rZwebrootrN-_)NoneTrueFalse) rGappendr9setreplaceitems startswithrEsetattrevalrZ argparse_type)r'r+Zplugin_prefixesZ plugin_prefixZ config_itemZ config_valuecastr,r,r/r<s     r<c Csi}tdtfftttttttttt tt }|D]0\}}||vrB| |sB||||}|||<qB| D]\}}t |||q|dS)aSets non-plugin specific values in config from renewalparams :param configuration.NamespaceConfig config: configuration for the current lineage :param configobj.Section renewalparams: parameters from the renewal configuration file that defines this lineage r&N) itertoolschain_restore_pref_challszipBOOL_CONFIG_ITEMSrepeat _restore_boolINT_CONFIG_ITEMS _restore_intSTR_CONFIG_ITEMS _restore_strrErPrR)r'r+Zupdated_valuesZrequired_itemsZ item_nameZ restore_funcvaluekeyr,r,r/r;s   r;)r+r)cCsdd|DS)zRemoves deprecated config options from the parsed renewalparams. :param dict renewalparams: list of parsed renewalparams :returns: list of renewalparams with deprecated config options removed :rtype: dict cSs i|]\}}|tjvr||qSr,)rZDEPRECATED_OPTIONS)r-Z option_namevr,r,r/ s  z6_remove_deprecated_config_elements..)rP)r+r,r,r/r:s r:) unused_namer`r)cCst|tr|gn|}t|S)aRestores preferred challenges from a renewal config file. If value is a `str`, it should be a single challenge type. :param str unused_name: option name :param value: option value :type value: `list` of `str` or `str` :returns: converted option value to be stored in the runtime config :rtype: `list` of `str` :raises errors.Error: if value can't be converted to a bool )rFr5rZparse_preferred_challenges)rdr`r,r,r/rWsrW)namer`r)cCs.|}|dvr&td|d||dkS)a#Restores a boolean key-value pair from a renewal config file. :param str name: option name :param str value: option value :returns: converted option value to be stored in the runtime config :rtype: bool :raises errors.Error: if value can't be converted to a bool )trueZfalsezExpected True or False for z but found rf)lowerrr>)rer`Zlowercase_valuer,r,r/r[s r[cCsV|dkr$|dkr$tdtdSz t|WStyPtd|Yn0dS)a#Restores an integer key-value pair from a renewal config file. :param str name: option name :param str value: option value :returns: converted option value to be stored in the runtime config :rtype: int :raises errors.Error: if value can't be converted to an int r$rJz!updating legacy http01_port valuezExpected a numeric value for N)r3infor flag_defaultintr=rr>rer`r,r,r/r]s     r]cCs@|dkr0|tjkr0tdtjd|tjdS|dkrtddStddS)zDReturn true if any of the circumstances for automatic renewal apply.z+Auto-renewal forced with --force-renewal...Tz0Certificate is due for renewal, auto-renewing...zCCertificate not due for renewal, but simulating renewal for dry runz#Certificate not yet due for renewalF)Zrenew_by_defaultr3r6Zshould_autorenewrhdry_run display_utilnotify)r'rlr,r,r/ should_renew7s    rp)r'rloriginal_serverr)cCs@t|jr)r'rlrqr?r,r,r/_avoid_invalidating_lineageFs  rscsdrjsdSjs$js$dSjr.dSjdfddfdfddfdfd dfg}|D]$}|d rttd |d d qtdS)zDon't allow combining --reuse-key with any flags that would conflict with key reuse (--key-type, --rsa-key-size, --elliptic-curve), unless --new-key is also set. r%Nz --key-typecsjkSN)Zprivate_key_typergr,)ktrlr,r/nz,_avoid_reuse_key_conflicts..z--rsa-key-sizecsdkojjkS)Nr )r#r,r'rurlr,r/rvprwz--elliptic-curvecs"dko jo jjkS)Necdsa)r"rgr,rxr,r/rvrszUnable to change the rz of this certificate because --reuse-key is set. To stop reusing the private key, specify --no-reuse-key. To change the private key this one time and then reuse it in future, add --new-key.)rEr%new_keyr!rgrr>)r'rlZpotential_conflictsZconflictr,rxr/_avoid_reuse_key_conflictsSs,     r|)r'r@ le_clientrlr)c Cs|jd}|dtd}t|||t|||s>|}|jrd|jsdt j |j }t ||nd}|||\}}}} |jrtdt j |jn2|} || ||j|||||t|||jdS)zRenew a certificate lineage.r+rNz(Dry run: skipping updating lineage at %s)rr9rrirsr|r?r%r{rpathnormpathZprivkey_update_renewal_params_from_keyZobtain_certificatermr3r6dirnamecertlatest_common_versionZsave_successorZpemZupdate_all_links_totruncaterrZlive_dir) r'r@r}rlZrenewal_paramsrqr{Znew_certZ new_chainrIZ prior_versionr,r,r/ renew_certs$     r)msgscategoryr)cs fdd|D}dd|S)z:Format a results report for a category of renewal outcomesc3s|]}d|fVqdS)z%s (%s)Nr,)r-mrr,r/ rwzreport..z z )rr)rrlinesr,rr/reportsr)r'renew_successesrenew_failures renew_skippedparse_failuresr)cCs>tj}tj}|dtj|jr&dnd}|rD|d|t|d|s|s|d|d|jdusz|j dusz|j dur|d n|r|s|d |d |t|d nh|r|s|d ||t|dnF|r|r|d|d|t|d d|d||t|d|r0|d|t|d|tjdS)a Print a report to the terminal about the results of the renewal process. :param configuration.NamespaceConfiguration config: Configuration :param list renew_successes: list of fullchain paths which were renewed :param list renew_failures: list of fullchain paths which failed to be renewed :param list renew_skipped: list of messages to print about skipped certificates :param list parse_failures: list of renewal parameter paths which had errors  zsimulated renewalZrenewalz7The following certificates are not due for renewal yet:ZskippedzNo zs were attempted.NzNo hooks were run.zCongratulations, all z s succeeded: successz@All %ss failed. The following certificates could not be renewed:ZfailurezThe following z s succeeded:zThe following %ss failed:zB Additionally, the following renewal configurations were invalid: Z parsefail) rnror3r4 display_objZ SIDE_FRAMErmrrrr )r'rrrrroZ notify_errorZ renewal_nounr,r,r/_renew_describe_resultss@     r)r'r)c stfddjDr"tdjr:tjg}n t}g}g}g}g}g}g}tj olj }|D]} t j d| ddt} t| } zt| | } Wn\ty} zBtd| | | tdt|| WYd } ~ qrWYd } ~ n d } ~ 00z| s|| n| d d lm}tj}t| | r|rtt !d d }t"d|t#$|d}|%| || || j&|'| (n0t)*| +d| ,}|d| j&|-dft./| | |WqrtyB} zJtd| | tdt| r.|| j&|'| (WYd } ~ qrd } ~ 00qrt0|||||sb|rtt1|dt1|dtd||fS)z5Examine each lineage; renew if due and report resultsc3s|]}|jvVqdSrt)rC)r-domainr'r,r/rrwz)handle_renewal_request..afCurrently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.z Processing F)pausezTRenewal configuration file %s (cert: %s) produced an unexpected error: %s. Skipping.r*Nr)mainrziz3Non-interactive renewal: random delay of %s secondsrz%s expires on %sz%Y-%m-%dz-Failed to renew certificate %s with error: %sz renew failure(s), z parse failure(s)zno renewal failures)2anyr@rr>ZcertnamerZrenewal_file_for_certnameZrenewal_conf_filessysstdinisattyZrandom_sleep_on_renewrnZ notificationcopydeepcopyZlineagename_for_filenamerB Exceptionr3r4r6r7r8rMZensure_deployedcertbot._internalr plugins_discoZPluginsRegistryZfind_allrprandomZuniformrhtimesleeprZ fullchainextendr?rZnotAfterversionrstrftimerZrun_generic_updatersrlen)r'Z conf_filesrrrrZrenewed_domainsZfailed_domainsZapply_random_sleepZ renewal_fileZlineage_configZ lineagenamerAerZpluginsZ sleep_timeZexpiryr,rr/handle_renewal_requests      "         &  r)key_pathr'r)cCst|d$}t|dtd}Wdn1s40Yt|tjrZd|_|j|_ n:t|t j rxd|_|j j |_ntd|dt|ddS)Nrb)passwordZbackendr ryzKey at z is of an unsupported type: .)openr readr rFr Z RSAPrivateKeyr!Zkey_sizer#r ZEllipticCurvePrivateKeyZcurverer"rr>type)rr'Zfile_hrar,r,r/r@s 2    r)O__doc__rrUZloggingrrrr7typingrrrrrrrr Zcryptography.hazmat.backendsr Z)cryptography.hazmat.primitives.asymmetricr r Z,cryptography.hazmat.primitives.serializationr ZcertbotrrrrrrrrrrrZcertbot._internal.displayrrZcertbot._internal.pluginsrrZcertbot.compatrZcertbot.displayrnZ getLogger__name__r3r^r\rYrNrVZ CONFIG_ITEMSZNamespaceConfigr5r1rBrGr<r;r:rWboolr[rjr]r_rprsr|ZClientrrrlistrrr,r,r,r/s                            C  ,  "  ,    0n