├── .gitignore ├── LICENSE ├── Makefile ├── NOTICE ├── README.md ├── docs └── images │ └── overview.png ├── event.json ├── src ├── main.py └── requirements.txt ├── template.yml └── tools └── download_cert_and_reload_nginx.sh /.gitignore: -------------------------------------------------------------------------------- 1 | .aws-sam 2 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | BASE := $(shell /bin/pwd) 2 | PIPENV ?= pipenv 3 | 4 | SERVICE := src 5 | 6 | AWS_PROFILE=default 7 | SERVICE_NAME=certupdater 8 | BUCKET_NAME=example-$(SERVICE_NAME)-artifacts 9 | CFN_CMD=aws --profile $(AWS_PROFILE) $$(if [ -n "$(AWS_REGION)" ]; then echo "--region $(AWS_REGION)"; fi) cloudformation 10 | TMP_TEMPLATE=tmp_template.yml 11 | STACK_NAME=$(SERVICE_NAME)-stack 12 | 13 | build: 14 | sam build --use-container 15 | 16 | deploy: 17 | $(CFN_CMD) package \ 18 | --template-file .aws-sam/build/template.yaml \ 19 | --output-template-file tmp_template.yml \ 20 | --s3-bucket $(BUCKET_NAME) 21 | $(CFN_CMD) deploy \ 22 | --template-file tmp_template.yml \ 23 | --stack-name $(STACK_NAME) \ 24 | --capabilities CAPABILITY_NAMED_IAM 25 | rm tmp_template.yml 26 | 27 | invoke: 28 | sam local invoke --event event.json 29 | -------------------------------------------------------------------------------- /NOTICE: -------------------------------------------------------------------------------- 1 | CertUpdater 2 | Copyright 2018 cohalz / Hatena Co., Ltd. 3 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CertUpdater 2 | 3 | Lambda implementation for automatically getting and uploading to S3 for Let's Encrypt certificates. 4 | 5 | ## Architecture 6 | 7 | ![Overview](./docs/images/overview.png "Overview of Architecture") 8 | 9 | ## To Use 10 | 11 | ### Build 12 | 13 | `make build` 14 | 15 | ### Deploy 16 | 17 | `make deploy AWS_PROFILE=default BUCKET_NAME=example-certupdater-artifacts` 18 | 19 | ### Delete Stack 20 | 21 | `make delete` 22 | 23 | ### Local invoke 24 | 25 | `make invoke` 26 | 27 | ## Presentations (Japanese) 28 | 29 | - [Let's Encrypt 証明書の自動更新システムを作る](http://developer.hatenastaff.com/entry/2018/12/11/133000) 30 | 31 | ## Author 32 | 33 | [cohalz](https://github.com/cohalz) -------------------------------------------------------------------------------- /docs/images/overview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cohalz/CertUpdater/b841df6dc9d1ccb67d209a0f4d2d9148e6401f02/docs/images/overview.png -------------------------------------------------------------------------------- /event.json: -------------------------------------------------------------------------------- 1 | { 2 | "domains": [ 3 | "*.example.com", 4 | "example.com" 5 | ], 6 | "is_production": false, 7 | "bucket": "certs-example-bucket", 8 | "email": "cert@example.com", 9 | "slack": { 10 | "webhook": "https://hooks.slack.com/services/XXXXXXXXX/XXXXXXXXX/xxxxxxxxxxxxxxxxxxxxxxxx", 11 | "channel": "#random" 12 | } 13 | } -------------------------------------------------------------------------------- /src/main.py: -------------------------------------------------------------------------------- 1 | import boto3 2 | import certbot.main 3 | import logging 4 | import os 5 | import shutil 6 | import json 7 | import urllib.request 8 | from botocore.exceptions import ClientError 9 | from acme import messages 10 | import jsonschema 11 | 12 | schema = { 13 | 'definitions': {}, 14 | '$schema': 'http://json-schema.org/draft-07/schema#', 15 | 'type': 'object', 16 | 'required': [ 17 | 'domains', 18 | 'is_production', 19 | 'bucket', 20 | 'email', 21 | ], 22 | 'properties': { 23 | 'domains': { 24 | 'type': 'array', 25 | 'items': { 26 | 'type': 'string' 27 | } 28 | }, 29 | 'is_production': { 30 | 'type': 'boolean' 31 | }, 32 | 'bucket': { 33 | 'type': 'string' 34 | }, 35 | 'email': { 36 | 'type': 'string' 37 | }, 38 | 'slack': { 39 | 'type': 'object', 40 | 'required': [ 41 | 'webhook', 42 | 'channel' 43 | ], 44 | 'properties': { 45 | 'webhook': { 46 | 'type': 'string' 47 | }, 48 | 'channel': { 49 | 'type': 'string' 50 | }, 51 | 'icon_emoji': { 52 | 'type': 'string' 53 | }, 54 | 'username': { 55 | 'type': 'string' 56 | }, 57 | } 58 | }, 59 | 'log_level': { 60 | "type": "string", 61 | "enum": [ 62 | "CRITICAL", 63 | "ERROR", 64 | "WARNING", 65 | "INFO", 66 | "DEBUG", 67 | "NOTSET", 68 | ] 69 | }, 70 | } 71 | } 72 | 73 | 74 | def load_cert(domains): 75 | first_domain_name = domains[0].replace('*.', '', 1) 76 | 77 | path = '/tmp/config-dir/live/' + first_domain_name 78 | return { 79 | 'domains': domains, 80 | 'certificate': read_file(path + '/cert.pem'), 81 | 'private_key': read_file(path + '/privkey.pem'), 82 | 'certificate_chain': read_file(path + '/chain.pem'), 83 | 'certificate_fullchain': read_file(path + '/fullchain.pem') 84 | } 85 | 86 | 87 | def read_file(path): 88 | with open(path, 'r') as file: 89 | return file.read() 90 | 91 | 92 | def provision_cert(domains, is_production, email): 93 | input_array = [ 94 | 'certonly', 95 | '-n', 96 | '--agree-tos', 97 | '--email', email, 98 | '--dns-route53', 99 | '-d', ','.join(domains), 100 | '--config-dir', '/tmp/config-dir/', 101 | '--work-dir', '/tmp/work-dir/', 102 | '--logs-dir', '/tmp/logs-dir/' 103 | ] 104 | 105 | if is_production: 106 | input_array.append('--server') 107 | input_array.append('https://acme-v02.api.letsencrypt.org/directory') 108 | else: 109 | input_array.append('--staging') 110 | 111 | certbot.main.main(input_array) 112 | return load_cert(domains) 113 | 114 | 115 | def upload_cert_to_s3(cert, bucket_name, is_production): 116 | s3_urls = [] 117 | for domain in cert['domains']: 118 | normalized_domain_name = domain.replace('*.', 'asterisk.', 1) 119 | 120 | path = normalized_domain_name 121 | 122 | if not is_production: 123 | path += '/staging' 124 | 125 | s3 = boto3.resource('s3') 126 | bucket = s3.Bucket(bucket_name) 127 | 128 | bucket.put_object(Key=path+'/privkey.pem', 129 | Body=cert['private_key']) 130 | 131 | bucket.put_object(Key=path+'/cert.pem', 132 | Body=cert['certificate']) 133 | 134 | bucket.put_object(Key=path+'/chain.pem', 135 | Body=cert['certificate_chain']) 136 | 137 | bucket.put_object(Key=path+'/fullchain.pem', 138 | Body=cert['certificate_fullchain']) 139 | 140 | s3_urls.append('https://s3.console.aws.amazon.com/s3/buckets/' + 141 | bucket_name + '/' + path + '/') 142 | return s3_urls 143 | 144 | 145 | def clear_work_dir(): 146 | if os.path.exists('/tmp/config-dir'): 147 | shutil.rmtree('/tmp/config-dir') 148 | if os.path.exists('/tmp/work-dir'): 149 | shutil.rmtree('/tmp/work-dir') 150 | if os.path.exists('/tmp/logs-dir'): 151 | shutil.rmtree('/tmp/logs-dir') 152 | 153 | 154 | def post_to_slack(slack, text): 155 | payload = { 156 | 'username': slack.get('username', 'CertUpdater'), 157 | 'icon_emoji': slack.get('icon_emoji', ':letsencrypt:'), 158 | 'text': text, 159 | 'channel': slack['channel'] 160 | } 161 | 162 | json_data = json.dumps(payload).encode('utf-8') 163 | request = urllib.request.Request( 164 | slack['webhook'], data=json_data, method='POST' 165 | ) 166 | with urllib.request.urlopen(request) as response: 167 | return response.read().decode('utf-8') 168 | 169 | 170 | def validate_bucket_name(bucket_name): 171 | s3 = boto3.resource('s3') 172 | bucket = s3.Bucket(bucket_name) 173 | bucket.put_object(Key='tmp', Body='') 174 | response = bucket.delete_objects( 175 | Delete={ 176 | 'Objects': [ 177 | { 178 | 'Key': 'tmp' 179 | }, 180 | ] 181 | } 182 | ) 183 | 184 | return response 185 | 186 | 187 | def send_logs(text, slack=None): 188 | print(text) 189 | if slack is not None: 190 | post_to_slack(slack, text) 191 | 192 | 193 | def handler(event, context): 194 | clear_work_dir() 195 | 196 | slack = None 197 | 198 | try: 199 | 200 | jsonschema.validate(event, schema) 201 | 202 | log_level = event.get('log_level') 203 | if log_level: 204 | level = logging.getLevelName(log_level) 205 | for name in logging.Logger.manager.loggerDict.keys(): 206 | logging.getLogger(name).setLevel(level) 207 | 208 | domains = event.get('domains') 209 | is_production = event.get('is_production') 210 | bucket_name = event.get('bucket') 211 | email = event.get('email') 212 | slack = event.get('slack') 213 | 214 | if is_production: 215 | stage = 'production' 216 | else: 217 | stage = 'staging' 218 | 219 | start_text = f'Updating {stage} certificates: {str(domains)}' 220 | send_logs(start_text, slack) 221 | 222 | validate_bucket_name(bucket_name) 223 | 224 | cert = provision_cert(domains, is_production, email) 225 | 226 | s3_urls = upload_cert_to_s3(cert, bucket_name, is_production) 227 | 228 | end_text = 'Finished uploading to S3:\n' + '\n'.join(s3_urls) 229 | send_logs(end_text, slack) 230 | return end_text 231 | 232 | # input 233 | except jsonschema.exceptions.ValidationError as e: 234 | error_message = '[failed] ' + str(e.message) 235 | send_logs(error_message, slack) 236 | raise Exception(error_message) 237 | 238 | # boto 239 | except ClientError as e: 240 | error_message = '[failed] ' + e.response['Error']['Message'] + ': ' + \ 241 | bucket_name 242 | send_logs(error_message, slack) 243 | raise Exception(error_message) 244 | 245 | # rate limit 246 | except messages.Error as e: 247 | error_message = '[failed] ' + str(e) 248 | send_logs(error_message, slack) 249 | raise Exception(error_message) 250 | 251 | # certbot 252 | except certbot.errors.Error as e: 253 | error_message = '[failed] ' + str(e) 254 | send_logs(error_message, slack) 255 | raise Exception(error_message) 256 | -------------------------------------------------------------------------------- /src/requirements.txt: -------------------------------------------------------------------------------- 1 | boto3 2 | certbot 3 | certbot-dns-route53 4 | acme 5 | jsonschema 6 | -------------------------------------------------------------------------------- /template.yml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: "2010-09-09" 2 | Transform: AWS::Serverless-2016-10-31 3 | Description: CertUpdater 4 | 5 | Resources: 6 | CertUpdater: 7 | Type: AWS::Serverless::Function 8 | Properties: 9 | FunctionName: CertUpdater 10 | CodeUri: src 11 | Handler: main.handler 12 | Runtime: python3.9 13 | AutoPublishAlias: live 14 | Timeout: 240 15 | MemorySize: 128 16 | Role: !GetAtt RoleForCertUpdater.Arn 17 | 18 | RoleForCertUpdater: 19 | Type: "AWS::IAM::Role" 20 | Properties: 21 | RoleName: "role-for-CertUpdater" 22 | AssumeRolePolicyDocument: 23 | Version: "2012-10-17" 24 | Statement: 25 | - Effect: Allow 26 | Principal: 27 | Service: lambda.amazonaws.com 28 | Action: "sts:AssumeRole" 29 | Policies: 30 | - PolicyName: PolicyForCertUpdater 31 | PolicyDocument: 32 | Version: "2012-10-17" 33 | Statement: 34 | - Effect: Allow 35 | Action: 36 | - "logs:CreateLogGroup" 37 | - "logs:CreateLogStream" 38 | - "logs:PutLogEvents" 39 | Resource: "*" 40 | - Effect: "Allow" 41 | Action: 42 | - "route53:ListHostedZones" 43 | - "route53:ChangeResourceRecordSets" 44 | - "route53:GetChange" 45 | Resource: 46 | - "*" 47 | - Effect: "Allow" 48 | Action: 49 | - "s3:PutObject" 50 | - "s3:PutObjectAcl" 51 | - "s3:DeleteObject" 52 | Resource: 53 | - "*" 54 | 55 | LogGroupForCertUpdater: 56 | Type: AWS::Logs::LogGroup 57 | Properties: 58 | LogGroupName: !Sub /aws/lambda/${CertUpdater} 59 | RetentionInDays: 120 60 | -------------------------------------------------------------------------------- /tools/download_cert_and_reload_nginx.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Downloading cert from S3 ,to /etc/nginx/ssl/ and reload nginx. 3 | # 1. Rename old cert to .bak. 4 | # 2. Downloading cert named .tmp from S3. 5 | # 3. Remove the name .tmp. 6 | # 4. Reload nginx. 7 | 8 | set -e 9 | 10 | CMDNAME=$(basename "$0") 11 | 12 | myhelp() { 13 | echo "Usage: $CMDNAME -b BUCKET -d DOMAIN" 1>&2 14 | } 15 | 16 | while getopts b:d: OPT; do 17 | case $OPT in 18 | "b" ) BUCKET=${OPTARG} ;; 19 | "d" ) DOMAIN=${OPTARG} ;; 20 | * ) myhelp; 21 | exit 1 ;; 22 | esac 23 | done 24 | 25 | if [ -z "$BUCKET" ]; then 26 | myhelp 27 | echo "Error: BUCKET must be specified." 28 | exit 1 29 | fi 30 | 31 | if [ -z "$DOMAIN" ]; then 32 | myhelp 33 | echo "Error: DOMAIN must be specified." 34 | exit 1 35 | fi 36 | 37 | # rename old certs. 38 | if [ -e /etc/nginx/ssl/"$DOMAIN" ]; then 39 | if [ -e /etc/nginx/ssl/"$DOMAIN".bak ]; then 40 | rm -rf /etc/nginx/ssl/"$DOMAIN".bak 41 | fi 42 | cp -r /etc/nginx/ssl/"$DOMAIN" /etc/nginx/ssl/"$DOMAIN".bak 43 | fi 44 | 45 | sudo aws s3 cp s3://"$BUCKET"/"$DOMAIN" /etc/nginx/ssl/"$DOMAIN".tmp --recursive 46 | 47 | # If downloading from S3 succeeded, reload nginx. 48 | if [ -e /etc/nginx/ssl/"$DOMAIN".tmp ]; then 49 | mkdir -p /etc/nginx/ssl/"$DOMAIN" 50 | cp -r /etc/nginx/ssl/"$DOMAIN".tmp/* /etc/nginx/ssl/"$DOMAIN" 51 | rm -rf /etc/nginx/ssl/"$DOMAIN".tmp 52 | sudo service nginx reload 53 | fi 54 | 55 | --------------------------------------------------------------------------------