require 'net/ssh' require 'pathname' require 'json' namespace :create_site do desc "Change Site Cert" task :change_site_cert,[:id,:is_certbot,:id_is_server] => :environment do |task,args| begin site_server = nil site_constructs = [] @is_multithread = false @thread = nil if args.id_is_server site_server = SiteServer.find(args.id) site_constructs = site_server.site_constructs.to_a @is_multithread = true Multithread.where(:key=>'install_certbot_certs').each{|thread| thread.destroy if (thread.status["status"] == "error" || thread.status["status"] == "finish")} Multithread.where(:key=>'install_certbot_certs').destroy @thread = Multithread.where(:key=>'install_certbot_certs').first if @thread.nil? @thread = Multithread.create(:key=>'install_certbot_certs',:status=>{"infos"=>[],"status"=>"execing"}) else return false end else @site_construct = SiteConstruct.find(args.id) site_server = @site_construct.site_server @site_construct.update(:infos=>[],:status=>"changing") site_constructs << @site_construct end tmp_is_certbot = (args.is_certbot == "true") if !site_server.nil? @password = site_server.password Net::SSH.start(site_server.ip , site_server.account , password: site_server.password) do |ssh| if tmp_is_certbot || (@site_cert.is_certbot rescue false) domain_names = site_constructs.flat_map{|site_construct| site_construct.domain_name.strip.split(" ")}.select{|d| d.present? && d.match(/^[\d\.]+$/).nil?} domain_names = domain_names.select{|d| `dig #{d} +short`.strip == site_server.ip} if domain_names.count != 0 certbot_path = exec_ssh_command_by_sudo_and_see_output(ssh,"bash -l -c 'which certbot certbot-auto'",false,true).strip.split("\n")[0] if certbot_path.present? auto_update_infos("Using certbot to update cert setting...") if site_constructs.count > 1 auto_update_infos("Generating single cert for multiple domain names...") end redirect_to_https = (@site_construct.redirect_to_https rescue false) exec_ssh_command_by_sudo_and_see_output(ssh,"sudo -p 'sudo password:' #{certbot_path} --nginx #{domain_names.map{|d| "-d " + d}.join(" ")} -n --#{redirect_to_https ? 'redirect' : 'no-redirect'}",true,false) site_constructs.each do |site_construct| @site_construct = site_construct auto_update_infos("Checking cert for #{site_construct.site_name}...") nginx_file = site_construct.nginx_file nginx_file_content = exec_ssh_command_by_sudo_and_see_output(ssh,"cat #{nginx_file}",false,true) crt_file_path = nginx_file_content.match(/(?<=!#|^)\s*ssl_certificate\s+(.*)/)[1].split(';').first rescue '' private_key_path = nginx_file_content.match(/(?<=!#|^)\s*ssl_certificate_key\s+(.*)/)[1].split(';').first rescue '' site_cert = site_construct.site_cert if crt_file_path.present? && private_key_path.present? if site_cert.nil? || !site_cert.is_certbot site_cert = SiteCert.where(:source_paths=>[crt_file_path,private_key_path]).first site_cert = SiteCert.new if site_cert.nil? end if true #site_cert.source_paths.count == 0 site_cert["cert_file"] = File.basename(crt_file_path) cert_file_store_path = site_cert.cert_file.file.file crt_file_content = exec_ssh_command_by_sudo_and_see_output(ssh,"cat #{crt_file_path}",false).select{|s| s.present?}.join("\n").strip.split(/(\r\n|\n)/).select{|s| s.present?}.join("\n") FileUtils.mkdir_p(File.dirname(cert_file_store_path)) unless Dir.exist?(File.dirname(cert_file_store_path)) File.open(site_cert.cert_file.file.file,'w+'){|f| f.write(crt_file_content)} site_cert["private_key"] = File.basename(private_key_path) private_key_store_path = site_cert.private_key.file.file private_key_content = exec_ssh_command_by_sudo_and_see_output(ssh,"cat #{private_key_path}",false).select{|s| s.present?}.join("\n").strip.split(/(\r\n|\n)/).select{|s| s.present?}.join("\n") FileUtils.mkdir_p(File.dirname(private_key_store_path)) unless Dir.exist?(File.dirname(private_key_path)) File.open(site_cert.private_key.file.file,'w+'){|f| f.write(private_key_content)} site_cert.source_paths = [crt_file_path,private_key_path] site_cert.is_certbot = private_key_path.include?("letsencrypt") site_cert.save site_construct.update(:site_cert=>site_cert) end all_ports = (site_construct.port + ["443"]).uniq site_construct.update(:port=> all_ports ) auto_update_infos("Finish installing cert with certbot in #{site_construct.site_name} !") else auto_update_infos("Certbot generate cert failed!") auto_update_infos("Please check your domain dns setting(A record)!") site_construct.update(:status=>"error") end end else auto_update_infos("Please install certbot first!") end else auto_update_infos("Please set domain name first!") end else site_constructs.each do |site_construct| @site_cert = @site_construct.site_cert next if @site_cert.nil? is_certbot = tmp_is_certbot || (@site_cert.is_certbot rescue false) @site_construct = site_construct @site_cert.change_data if @site_cert.is_valid auto_update_infos("Copying Cert to #{@site_construct.server_type}...") cert_file_content = [(@site_cert.cert_file.file.read.strip rescue ""),(@site_cert.ca_bundle.file.read.strip rescue "")].join("\n").strip private_key_content = @site_cert.private_key.file.read cert_file_store_path = @site_construct.cert_file_remote_store_path exec_ssh_command_by_sudo(ssh,"mkdir -p #{File.dirname(cert_file_store_path)}") exec_command_by_user(ssh,"x='#{cert_file_content}'; echo '#{@password}' | sudo -S sh -c \"echo '$x' > #{cert_file_store_path}\"") private_key_store_path = @site_construct.private_key_remote_store_path exec_ssh_command_by_sudo(ssh,"mkdir -p #{File.dirname(private_key_store_path)}") exec_command_by_user(ssh,"x='#{private_key_content}'; echo '#{@password}' | sudo -S sh -c \"echo '$x' > #{private_key_store_path}\"") auto_update_infos("Finish copy.") auto_update_infos("Setting Cert...") nginx_file_content = exec_command_by_user(ssh,"cat #{@site_construct.nginx_file}") all_ports = (@site_construct.port + ["443"]).uniq @site_construct.update(:port=> all_ports ) nginx_file_content = @site_construct.generate_nginx_text(nginx_file_content) cmd = "x='#{nginx_file_content}'; echo '#{@password}' | sudo -S sh -c \"echo '$x' > #{@site_construct.nginx_file}\"" exec_command_by_user(ssh,cmd) end end end exec_ssh_command_by_sudo(ssh,"service nginx restart") auto_update_infos("Finish!") if @is_multithread @thread.update(:status=>@thread.status.merge({"status"=>"finish"})) else @site_construct.update(:status=>"finish") end end else auto_update_infos("Cert not found!") @site_construct.update(:status=>"error") end rescue => e puts [e,e.backtrace] auto_update_infos(e.to_s) @site_construct.update(:status=>"error") end end def exec_command_by_user(session,command) output = session.exec!(command) return output[0...-1].gsub(/^\n[\n]+/,'') end def exec_ssh_command_by_sudo(session,command) output = session.exec!("echo '#{@password}' | sudo -S #{command}") if output.include?("sudo:") && output.include?("command not found") output = session.exec!(command) end return output end def auto_update_infos(info) if @is_multithread update_thread_infos(info) if @site_construct update_infos(info) end else update_infos(info) end end end