606 lines
24 KiB
Python
606 lines
24 KiB
Python
#!/usr/bin/env python3
|
|
"""
|
|
CertPusher - Automated SSL Certificate Distribution Tool
|
|
Distributes SSL certificates to remote servers via SSH/SCP
|
|
Supports standard Linux servers and MikroTik RouterOS devices
|
|
"""
|
|
|
|
import configparser
|
|
import logging
|
|
import sys
|
|
import os
|
|
import ssl
|
|
import socket
|
|
from datetime import datetime
|
|
from pathlib import Path
|
|
from typing import Dict, Optional, Tuple
|
|
import paramiko
|
|
from scp import SCPClient
|
|
import requests
|
|
from cryptography import x509
|
|
from cryptography.hazmat.backends import default_backend
|
|
|
|
# Logging configuration
|
|
LOG_FORMAT = '%(asctime)s - %(name)s - %(levelname)s - %(message)s'
|
|
logging.basicConfig(
|
|
level=logging.DEBUG,
|
|
format=LOG_FORMAT,
|
|
handlers=[
|
|
logging.FileHandler(f'certpusher_{datetime.now().strftime("%Y%m%d_%H%M%S")}.log'),
|
|
logging.StreamHandler(sys.stdout)
|
|
]
|
|
)
|
|
logger = logging.getLogger('CertPusher')
|
|
|
|
|
|
class CertificateManager:
|
|
"""Manages certificate comparison and validation"""
|
|
|
|
@staticmethod
|
|
def get_cert_from_file(cert_path: str) -> Optional[x509.Certificate]:
|
|
"""Load certificate from file"""
|
|
try:
|
|
with open(cert_path, 'rb') as f:
|
|
cert_data = f.read()
|
|
cert = x509.load_pem_x509_certificate(cert_data, default_backend())
|
|
logger.debug(f"Loaded certificate from {cert_path}")
|
|
logger.debug(f"Certificate subject: {cert.subject}")
|
|
logger.debug(f"Certificate expires: {cert.not_valid_after}")
|
|
return cert
|
|
except Exception as e:
|
|
logger.error(f"Failed to load certificate from {cert_path}: {e}")
|
|
return None
|
|
|
|
@staticmethod
|
|
def get_cert_from_url(url: str, timeout: int = 10) -> Optional[x509.Certificate]:
|
|
"""Retrieve certificate from HTTPS URL"""
|
|
try:
|
|
hostname = url.replace('https://', '').replace('http://', '').split('/')[0].split(':')[0]
|
|
port = 443
|
|
|
|
if ':' in url.replace('https://', '').replace('http://', '').split('/')[0]:
|
|
port = int(url.replace('https://', '').replace('http://', '').split('/')[0].split(':')[1])
|
|
|
|
logger.debug(f"Connecting to {hostname}:{port} to retrieve certificate")
|
|
|
|
context = ssl.create_default_context()
|
|
context.check_hostname = False
|
|
context.verify_mode = ssl.CERT_NONE
|
|
|
|
with socket.create_connection((hostname, port), timeout=timeout) as sock:
|
|
with context.wrap_socket(sock, server_hostname=hostname) as ssock:
|
|
der_cert = ssock.getpeercert(binary_form=True)
|
|
cert = x509.load_der_x509_certificate(der_cert, default_backend())
|
|
logger.debug(f"Retrieved certificate from {url}")
|
|
logger.debug(f"Certificate expires: {cert.not_valid_after}")
|
|
return cert
|
|
except Exception as e:
|
|
logger.warning(f"Failed to retrieve certificate from {url}: {e}")
|
|
return None
|
|
|
|
@staticmethod
|
|
def compare_certificates(cert1: x509.Certificate, cert2: x509.Certificate) -> bool:
|
|
"""Compare two certificates by serial number and fingerprint"""
|
|
try:
|
|
same_serial = cert1.serial_number == cert2.serial_number
|
|
|
|
# Compare fingerprints
|
|
from cryptography.hazmat.primitives import hashes
|
|
fingerprint1 = cert1.fingerprint(hashes.SHA256())
|
|
fingerprint2 = cert2.fingerprint(hashes.SHA256())
|
|
same_fingerprint = fingerprint1 == fingerprint2
|
|
|
|
logger.debug(f"Certificate comparison - Serial match: {same_serial}, Fingerprint match: {same_fingerprint}")
|
|
return same_serial and same_fingerprint
|
|
except Exception as e:
|
|
logger.error(f"Failed to compare certificates: {e}")
|
|
return False
|
|
|
|
@staticmethod
|
|
def get_certificate_info(cert: x509.Certificate) -> str:
|
|
"""Get human-readable certificate information"""
|
|
try:
|
|
subject = cert.subject.rfc4514_string()
|
|
issuer = cert.issuer.rfc4514_string()
|
|
valid_from = cert.not_valid_before
|
|
valid_to = cert.not_valid_after
|
|
|
|
return f"""
|
|
Certificate Info:
|
|
Subject: {subject}
|
|
Issuer: {issuer}
|
|
Valid From: {valid_from}
|
|
Valid To: {valid_to}
|
|
Days Until Expiry: {(valid_to - datetime.now()).days}
|
|
"""
|
|
except Exception as e:
|
|
return f"Unable to extract certificate info: {e}"
|
|
|
|
|
|
class SSHManager:
|
|
"""Manages SSH connections and file transfers"""
|
|
|
|
def __init__(self, hostname: str, port: int, username: str, key_path: str):
|
|
self.hostname = hostname
|
|
self.port = port
|
|
self.username = username
|
|
self.key_path = key_path
|
|
self.ssh_client = None
|
|
|
|
def connect(self) -> bool:
|
|
"""Establish SSH connection"""
|
|
try:
|
|
self.ssh_client = paramiko.SSHClient()
|
|
self.ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
|
|
|
|
logger.debug(f"Connecting to {self.username}@{self.hostname}:{self.port}")
|
|
logger.debug(f"Using SSH key: {self.key_path}")
|
|
|
|
# Try to load different key types
|
|
private_key = None
|
|
key_types = [
|
|
('RSA', paramiko.RSAKey),
|
|
('Ed25519', paramiko.Ed25519Key),
|
|
('ECDSA', paramiko.ECDSAKey),
|
|
('DSS', paramiko.DSSKey),
|
|
]
|
|
|
|
for key_name, key_class in key_types:
|
|
try:
|
|
private_key = key_class.from_private_key_file(self.key_path)
|
|
logger.debug(f"Successfully loaded {key_name} key")
|
|
break
|
|
except Exception as e:
|
|
logger.debug(f"Not a {key_name} key: {e}")
|
|
continue
|
|
|
|
if not private_key:
|
|
logger.error(f"Could not load SSH key from {self.key_path}")
|
|
return False
|
|
|
|
self.ssh_client.connect(
|
|
hostname=self.hostname,
|
|
port=self.port,
|
|
username=self.username,
|
|
pkey=private_key,
|
|
timeout=30,
|
|
banner_timeout=30,
|
|
auth_timeout=30
|
|
)
|
|
|
|
logger.info(f"✓ Successfully connected to {self.hostname}:{self.port}")
|
|
return True
|
|
|
|
except Exception as e:
|
|
logger.error(f"SSH connection failed to {self.hostname}:{self.port}: {e}")
|
|
return False
|
|
|
|
def upload_file(self, local_path: str, remote_path: str) -> bool:
|
|
"""Upload file via SCP"""
|
|
try:
|
|
logger.debug(f"Uploading {local_path} to {self.hostname}:{remote_path}")
|
|
|
|
# Ensure remote directory exists
|
|
remote_dir = os.path.dirname(remote_path)
|
|
if remote_dir:
|
|
self.execute_command(f"mkdir -p {remote_dir}", ignore_error=True)
|
|
|
|
with SCPClient(self.ssh_client.get_transport()) as scp:
|
|
scp.put(local_path, remote_path)
|
|
|
|
logger.info(f"✓ Successfully uploaded {local_path} to {self.hostname}:{remote_path}")
|
|
return True
|
|
|
|
except Exception as e:
|
|
logger.error(f"File upload failed: {e}")
|
|
return False
|
|
|
|
def execute_command(self, command: str, timeout: int = 60, ignore_error: bool = False) -> Tuple[bool, str, str]:
|
|
"""Execute command on remote server"""
|
|
try:
|
|
logger.debug(f"Executing command on {self.hostname}: {command}")
|
|
|
|
stdin, stdout, stderr = self.ssh_client.exec_command(command, timeout=timeout)
|
|
exit_status = stdout.channel.recv_exit_status()
|
|
|
|
stdout_text = stdout.read().decode('utf-8', errors='ignore')
|
|
stderr_text = stderr.read().decode('utf-8', errors='ignore')
|
|
|
|
if exit_status == 0:
|
|
logger.info(f"✓ Command executed successfully on {self.hostname}")
|
|
if stdout_text:
|
|
logger.debug(f"STDOUT: {stdout_text}")
|
|
else:
|
|
if not ignore_error:
|
|
logger.error(f"Command failed with exit code {exit_status}")
|
|
logger.error(f"STDERR: {stderr_text}")
|
|
else:
|
|
logger.debug(f"Command failed (ignored): {stderr_text}")
|
|
|
|
return exit_status == 0, stdout_text, stderr_text
|
|
|
|
except Exception as e:
|
|
logger.error(f"Command execution failed: {e}")
|
|
return False, "", str(e)
|
|
|
|
def disconnect(self):
|
|
"""Close SSH connection"""
|
|
if self.ssh_client:
|
|
self.ssh_client.close()
|
|
logger.debug(f"Disconnected from {self.hostname}")
|
|
|
|
|
|
class MikroTikManager(SSHManager):
|
|
"""Specialized manager for MikroTik RouterOS devices"""
|
|
|
|
def __init__(self, hostname: str, port: int, username: str, key_path: str):
|
|
super().__init__(hostname, port, username, key_path)
|
|
self.cert_name = "ssl-cert"
|
|
self.key_name = "ssl-key"
|
|
|
|
def upload_certificate(self, cert_path: str, key_path: str = None) -> bool:
|
|
"""
|
|
Upload and import certificate to MikroTik RouterOS
|
|
|
|
Args:
|
|
cert_path: Path to certificate file (PEM format, can be fullchain)
|
|
key_path: Optional path to private key file
|
|
"""
|
|
try:
|
|
logger.info(f"Starting MikroTik certificate deployment to {self.hostname}")
|
|
|
|
# Step 1: Disable www-ssl service
|
|
logger.debug("Disabling www-ssl service")
|
|
self.execute_command('/ip service disable www-ssl', ignore_error=True)
|
|
|
|
# Step 2: Remove old certificates
|
|
logger.debug("Removing old certificates")
|
|
cleanup_commands = [
|
|
f'/certificate remove [find name~"{self.cert_name}"]',
|
|
f'/file remove "{self.cert_name}.pem"',
|
|
]
|
|
|
|
if key_path:
|
|
cleanup_commands.append(f'/file remove "{self.key_name}.pem"')
|
|
|
|
for cmd in cleanup_commands:
|
|
self.execute_command(cmd, ignore_error=True)
|
|
|
|
# Step 3: Upload certificate file
|
|
logger.debug(f"Uploading certificate to MikroTik")
|
|
with SCPClient(self.ssh_client.get_transport()) as scp:
|
|
scp.put(cert_path, f'{self.cert_name}.pem')
|
|
logger.info(f"✓ Certificate file uploaded")
|
|
|
|
# Step 4: Upload private key if provided
|
|
if key_path:
|
|
logger.debug(f"Uploading private key to MikroTik")
|
|
with SCPClient(self.ssh_client.get_transport()) as scp:
|
|
scp.put(key_path, f'{self.key_name}.pem')
|
|
logger.info(f"✓ Private key file uploaded")
|
|
|
|
# Step 5: Import certificate
|
|
logger.debug("Importing certificate into RouterOS")
|
|
import_cmd = f'/certificate import file-name={self.cert_name}.pem passphrase=""'
|
|
success, stdout, stderr = self.execute_command(import_cmd, timeout=30)
|
|
|
|
if not success and "failure" in stderr.lower():
|
|
logger.error(f"Certificate import failed: {stderr}")
|
|
return False
|
|
|
|
# Give RouterOS time to process
|
|
import time
|
|
time.sleep(2)
|
|
|
|
# Step 6: Verify certificate was imported
|
|
success, stdout, stderr = self.execute_command(
|
|
f'/certificate print where name~"{self.cert_name}"'
|
|
)
|
|
|
|
if success and stdout:
|
|
logger.debug(f"Certificates after import:\n{stdout}")
|
|
|
|
# Step 7: Configure services to use new certificate
|
|
# RouterOS typically names imported certs as certname_0, certname_1, etc.
|
|
logger.info("Configuring www-ssl service to use new certificate")
|
|
|
|
# Find the certificate name (usually ssl-cert_0 for cert, ssl-cert_1 for key)
|
|
config_commands = [
|
|
f'/ip service set www-ssl certificate={self.cert_name}_0',
|
|
'/ip service enable www-ssl',
|
|
]
|
|
|
|
for cmd in config_commands:
|
|
success, stdout, stderr = self.execute_command(cmd, ignore_error=True)
|
|
|
|
logger.info(f"✓ Successfully deployed certificate to MikroTik {self.hostname}")
|
|
return True
|
|
|
|
except Exception as e:
|
|
logger.error(f"MikroTik certificate deployment failed: {e}", exc_info=True)
|
|
return False
|
|
|
|
def verify_certificate(self) -> bool:
|
|
"""Verify certificate is properly installed"""
|
|
try:
|
|
logger.debug("Verifying certificate installation")
|
|
success, stdout, stderr = self.execute_command(
|
|
'/certificate print detail where name~"ssl-cert"'
|
|
)
|
|
|
|
if success and stdout:
|
|
logger.info(f"Certificate verification:\n{stdout}")
|
|
return True
|
|
|
|
logger.warning("Could not verify certificate installation")
|
|
return False
|
|
|
|
except Exception as e:
|
|
logger.error(f"Certificate verification failed: {e}")
|
|
return False
|
|
|
|
|
|
class CertPusher:
|
|
"""Main application class"""
|
|
|
|
def __init__(self, config_file: str):
|
|
self.config_file = config_file
|
|
self.config = configparser.ConfigParser()
|
|
self.cert_manager = CertificateManager()
|
|
self.stats = {
|
|
'total': 0,
|
|
'uploaded': 0,
|
|
'skipped': 0,
|
|
'failed': 0
|
|
}
|
|
|
|
def load_config(self) -> bool:
|
|
"""Load configuration from INI file"""
|
|
try:
|
|
logger.info(f"Loading configuration from {self.config_file}")
|
|
self.config.read(self.config_file)
|
|
|
|
if 'global' not in self.config:
|
|
logger.error("Missing [global] section in config file")
|
|
return False
|
|
|
|
required_global = ['source_cert_path', 'default_ssh_key']
|
|
for key in required_global:
|
|
if not self.config.has_option('global', key):
|
|
logger.error(f"Missing required global option: {key}")
|
|
return False
|
|
|
|
logger.info(f"✓ Configuration loaded successfully")
|
|
logger.debug(f"Found {len(self.config.sections()) - 1} host(s) in configuration")
|
|
return True
|
|
|
|
except Exception as e:
|
|
logger.error(f"Failed to load configuration: {e}")
|
|
return False
|
|
|
|
def process_mikrotik(self, section: str, hostname: str, port: int,
|
|
username: str, ssh_key: str, source_cert_path: str) -> bool:
|
|
"""Process MikroTik device specifically"""
|
|
try:
|
|
logger.info("Using MikroTik-specific deployment method")
|
|
|
|
# Get optional private key path
|
|
source_key_path = self.config.get(section, 'source_key_path', fallback=None)
|
|
|
|
if source_key_path:
|
|
logger.info(f"Private key: {source_key_path}")
|
|
if not os.path.exists(source_key_path):
|
|
logger.error(f"Private key file not found: {source_key_path}")
|
|
return False
|
|
|
|
# Connect
|
|
mikrotik = MikroTikManager(hostname, port, username, ssh_key)
|
|
|
|
if not mikrotik.connect():
|
|
self.stats['failed'] += 1
|
|
return False
|
|
|
|
# Upload and import certificate
|
|
if not mikrotik.upload_certificate(source_cert_path, source_key_path):
|
|
mikrotik.disconnect()
|
|
self.stats['failed'] += 1
|
|
return False
|
|
|
|
# Verify installation
|
|
mikrotik.verify_certificate()
|
|
|
|
mikrotik.disconnect()
|
|
self.stats['uploaded'] += 1
|
|
logger.info(f"✓ Successfully processed MikroTik {section}")
|
|
return True
|
|
|
|
except Exception as e:
|
|
logger.error(f"MikroTik processing failed: {e}", exc_info=True)
|
|
self.stats['failed'] += 1
|
|
return False
|
|
|
|
def process_host(self, section: str) -> bool:
|
|
"""Process certificate deployment for a single host"""
|
|
try:
|
|
logger.info(f"\n{'='*60}")
|
|
logger.info(f"Processing host: {section}")
|
|
logger.info(f"{'='*60}")
|
|
|
|
self.stats['total'] += 1
|
|
|
|
# Get configuration
|
|
hostname = self.config.get(section, 'hostname')
|
|
port = self.config.getint(section, 'port', fallback=22)
|
|
username = self.config.get(section, 'username', fallback='root')
|
|
device_type = self.config.get(section, 'type', fallback='standard')
|
|
|
|
# Determine SSH key to use
|
|
if self.config.has_option(section, 'ssh_key_path'):
|
|
ssh_key = self.config.get(section, 'ssh_key_path')
|
|
else:
|
|
ssh_key = self.config.get('global', 'default_ssh_key')
|
|
|
|
source_cert_path = self.config.get('global', 'source_cert_path')
|
|
|
|
logger.info(f"Host: {hostname}:{port}")
|
|
logger.info(f"Type: {device_type}")
|
|
logger.info(f"Username: {username}")
|
|
logger.info(f"SSH Key: {ssh_key}")
|
|
|
|
# Handle MikroTik devices specially
|
|
if device_type.lower() == 'mikrotik':
|
|
return self.process_mikrotik(section, hostname, port, username, ssh_key, source_cert_path)
|
|
|
|
# Standard processing for other devices
|
|
remote_cert_path = self.config.get(section, 'remote_cert_path')
|
|
post_upload_command = self.config.get(section, 'post_upload_command', fallback='')
|
|
check_url = self.config.get(section, 'check_url', fallback='')
|
|
|
|
logger.info(f"Remote path: {remote_cert_path}")
|
|
|
|
# Check if upload is needed
|
|
if check_url:
|
|
logger.info(f"Checking current certificate at: {check_url}")
|
|
source_cert = self.cert_manager.get_cert_from_file(source_cert_path)
|
|
remote_cert = self.cert_manager.get_cert_from_url(check_url)
|
|
|
|
if source_cert and remote_cert:
|
|
if self.cert_manager.compare_certificates(source_cert, remote_cert):
|
|
logger.info(f"✓ Certificate on {hostname} is already up to date. Skipping upload.")
|
|
self.stats['skipped'] += 1
|
|
return True
|
|
else:
|
|
logger.info(f"Certificate on {hostname} is outdated. Upload needed.")
|
|
logger.debug(self.cert_manager.get_certificate_info(source_cert))
|
|
else:
|
|
logger.warning(f"Could not compare certificates. Proceeding with upload.")
|
|
|
|
# Connect and upload
|
|
ssh = SSHManager(hostname, port, username, ssh_key)
|
|
|
|
if not ssh.connect():
|
|
self.stats['failed'] += 1
|
|
return False
|
|
|
|
if not ssh.upload_file(source_cert_path, remote_cert_path):
|
|
ssh.disconnect()
|
|
self.stats['failed'] += 1
|
|
return False
|
|
|
|
# Upload additional files if specified
|
|
if self.config.has_option(section, 'additional_files'):
|
|
additional_files = self.config.get(section, 'additional_files')
|
|
# Format: local_path:remote_path,local_path:remote_path
|
|
for file_pair in additional_files.split(','):
|
|
if ':' in file_pair:
|
|
local, remote = file_pair.strip().split(':', 1)
|
|
logger.info(f"Uploading additional file: {local} -> {remote}")
|
|
if not ssh.upload_file(local, remote):
|
|
logger.warning(f"Failed to upload additional file: {local}")
|
|
|
|
# Execute post-upload command
|
|
if post_upload_command:
|
|
logger.info(f"Executing post-upload command: {post_upload_command}")
|
|
success, stdout, stderr = ssh.execute_command(post_upload_command)
|
|
|
|
if not success:
|
|
logger.warning(f"Post-upload command failed, but file was uploaded successfully")
|
|
else:
|
|
logger.info(f"✓ Post-upload command completed successfully")
|
|
|
|
ssh.disconnect()
|
|
self.stats['uploaded'] += 1
|
|
logger.info(f"✓ Successfully processed {section}")
|
|
return True
|
|
|
|
except Exception as e:
|
|
logger.error(f"Failed to process host {section}: {e}", exc_info=True)
|
|
self.stats['failed'] += 1
|
|
return False
|
|
|
|
def run(self):
|
|
"""Main execution method"""
|
|
logger.info("="*60)
|
|
logger.info(" CertPusher - SSL Certificate Distribution Tool")
|
|
logger.info("="*60)
|
|
logger.info(f"Started at: {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}")
|
|
logger.info("")
|
|
|
|
if not self.load_config():
|
|
logger.error("Configuration loading failed. Exiting.")
|
|
sys.exit(1)
|
|
|
|
# Verify source certificate exists
|
|
source_cert = self.config.get('global', 'source_cert_path')
|
|
if not os.path.exists(source_cert):
|
|
logger.error(f"Source certificate not found: {source_cert}")
|
|
sys.exit(1)
|
|
|
|
logger.info(f"Source certificate: {source_cert}")
|
|
|
|
# Display certificate info
|
|
cert = self.cert_manager.get_cert_from_file(source_cert)
|
|
if cert:
|
|
logger.info(self.cert_manager.get_certificate_info(cert))
|
|
|
|
# Process each host
|
|
for section in self.config.sections():
|
|
if section == 'global':
|
|
continue
|
|
|
|
try:
|
|
self.process_host(section)
|
|
except Exception as e:
|
|
logger.error(f"Unexpected error processing {section}: {e}", exc_info=True)
|
|
self.stats['failed'] += 1
|
|
|
|
# Print summary
|
|
logger.info("\n" + "="*60)
|
|
logger.info(" DEPLOYMENT SUMMARY")
|
|
logger.info("="*60)
|
|
logger.info(f"Total hosts: {self.stats['total']}")
|
|
logger.info(f"✓ Uploaded: {self.stats['uploaded']}")
|
|
logger.info(f"○ Skipped (up to date): {self.stats['skipped']}")
|
|
logger.info(f"✗ Failed: {self.stats['failed']}")
|
|
logger.info("="*60)
|
|
logger.info(f"Finished at: {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}")
|
|
|
|
if self.stats['failed'] > 0:
|
|
sys.exit(1)
|
|
|
|
|
|
def main():
|
|
"""Entry point"""
|
|
print("""
|
|
╔═══════════════════════════════════════════════════════════╗
|
|
║ CertPusher v1.0 ║
|
|
║ Automated SSL Certificate Distribution Tool ║
|
|
╚═══════════════════════════════════════════════════════════╝
|
|
""")
|
|
|
|
if len(sys.argv) < 2:
|
|
print("Usage: python certpusher.py <config_file>")
|
|
print("Example: python certpusher.py config.ini")
|
|
print("")
|
|
sys.exit(1)
|
|
|
|
config_file = sys.argv[1]
|
|
|
|
if not os.path.exists(config_file):
|
|
print(f"Error: Configuration file '{config_file}' not found")
|
|
sys.exit(1)
|
|
|
|
try:
|
|
pusher = CertPusher(config_file)
|
|
pusher.run()
|
|
except KeyboardInterrupt:
|
|
print("\n\nInterrupted by user. Exiting...")
|
|
sys.exit(130)
|
|
except Exception as e:
|
|
logger.error(f"Fatal error: {e}", exc_info=True)
|
|
sys.exit(1)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
main()
|