Added celery task for updating certificate. Added crontab with job fir this.

Author: AleksandrLeonov

conf_templates/crontab

@@ -0,0 +1,29 @@
+# Edit this file to introduce tasks to be run by cron.
+#
+# Each task to run has to be defined through a single line
+# indicating with different fields when the task will be run
+# and what command to run for the task
+#
+# To define the time you can provide concrete values for
+# minute (m), hour (h), day of month (dom), month (mon),
+# and day of week (dow) or use '*' in these fields (for 'any').#
+# Notice that tasks will be started based on the cron's system
+# daemon's notion of time and timezones.
+#
+# Output of the crontab jobs (including errors) is sent through
+# email to the user the crontab file belongs to (unless redirected).
+#
+# For example, you can run a backup of all your user accounts
+# at 5 a.m every week with:
+# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
+#
+# For more information see the manual pages of crontab(5) and cron(8)
+#
+# m h  dom mon dow   command
+SHELL=/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+MAILTO=[email protected]
+HOME_DIR=/home/steepshot_io/steepshot_io
+ACTIVATE_SCRIPT=/home/steepshot_io/.virtualenvs/steepshot_io/bin/activate
+POSTACTIVATE_SCRIPT=/home/steepshot_io/.virtualenvs/steepshot_io/bin/postactivate
+0 1    * * 1   cd $HOME_DIR && source $ACTIVATE_SCRIPT && source $POSTACTIVATE_SCRIPT && export DJANGO_SETTINGS_MODULE="steepshot_io.prod_settings" && python manage.py check_cert_expiration_date

conf_templates/postactivate

@@ -5,4 +5,5 @@ export DJANGO_SETTINGS_MODULE=%(SETTINGS_MODULE)s
 export DATABASE_URL=%(DATABASE_URL)s
 export DJANGO_DEBUG=False
 export DJANGO_LOCAL=False
+export DJANGO_DOMAIN=%(DOMAIN_NAME)s
 export DJANGO_CERTBOT_CERT=%(IS_CERTBOT_CERT)s

fabfile.py

@@ -1,6 +1,10 @@
-import os
-import logging
 import datetime
+import logging
+import os
+
+from fabric.api import env, task, sudo, prefix, cd, settings, require
+from fabric.contrib.files import upload_template, contains, append, exists
+from fabric.operations import put
 
 from steepshot_io.deploy_settings import (
     USER, HOST, REMOTE_DEPLOY_DIR, PROJECT_NAME, REPOSITORY,
@@ -13,9 +17,6 @@
     BACKEND_SERVICE, CELERY_SERVICE
 )
 
-from fabric.api import env, task, sudo, prefix, run, cd, settings, local, require
-from fabric.contrib.files import upload_template, contains, append, exists
-
 # This allows us to have .profile to be read when calling sudo
 # and virtualenvwrapper being activated using non-SSH user
 SUDO_PREFIX = 'sudo -i'
@@ -188,6 +189,7 @@ def config_virtualenv():
         'DATABASE_URL': DATABASE_URL,
         'SETTINGS_MODULE': env.settings_module,
         'IS_CERTBOT_CERT': env.is_certbot_cert,
+        'DOMAIN_NAME': env.current_host,
     }
     upload_template(os.path.join(LOCAL_CONF_DIR, 'postactivate'),
                     remote_postactivate_path, context=postactivate_context,
@@ -232,6 +234,22 @@ def deploy_files():
         sudo('git pull origin {}'.format(env.branch))
 
 
+@task
+def config_crontab():
+    crontab_file = os.path.join(LOCAL_CONF_DIR, 'crontab')
+
+    with settings(warn_only=True):
+        # There may be no previous crontab so
+        # crontab will fail
+        backup_file = '/tmp/crontab-%s' % _get_current_datetime()
+        logger.info("Backing up existing crontab")
+        sudo('crontab -l > %s' % backup_file)
+    logger.info("Uploading new crontab")
+    put(crontab_file, '/tmp/new-crontab')
+    logger.info("Setting new crontab")
+    sudo('crontab < /tmp/new-crontab')
+
+
 @task
 def clean_pyc():
     """
@@ -468,6 +486,7 @@ def first_time_deploy():
 def deploy():
     require('branch', 'user', 'hosts')
     deploy_files()
+    config_crontab()
     install_req()
     deploy_static()
     update_static_chmod()

requirements.txt

@@ -22,3 +22,6 @@ six==1.10.0
 asyncio==3.4.3
 aiohttp==1.3.5
 aiohttp-wsgi==0.6.6
+
+# For automation check of certificate expiration
+pyOpenSSL==17.2.0

steepshot_io/core/management/commands/check_cert_expiration_date.py

@@ -0,0 +1,10 @@
+from django.core.management import BaseCommand
+
+from steepshot_io.core import tasks
+
+
+class Command(BaseCommand):
+    help = "Get cert expiration date"
+
+    def handle(self, *args, **options):
+        tasks.check_cert_expiration_date.delay()

steepshot_io/core/tasks.py

@@ -1,3 +1,67 @@
-import datetime
+import os
+import ssl
+import subprocess
+from datetime import datetime, timedelta
+from ssl import SSLError, SSLZeroReturnError, SSLEOFError, CertificateError
 
+import OpenSSL
+import dateutil.parser
 from celery import task
+
+
+@task()
+def check_cert_expiration_date():
+    # WARNING: The user from which this task is launched should be added to the sudoers.
+    # For example:
+    # <username> ALL = (ALL:ALL) NOPASSWD: /bin/systemctl stop nginx.service
+    # <username> ALL = (ALL:ALL) NOPASSWD: /bin/systemctl start nginx.service
+    # <username> ALL = (ALL:ALL) NOPASSWD: /usr/bin/certbot renew
+
+    django_certbot_cert = os.getenv('DJANGO_CERTBOT_CERT')
+    if django_certbot_cert == 'False' or django_certbot_cert is None:
+        print("CertBot certificate not used!")
+        return
+    elif django_certbot_cert == 'True':
+        def get_days_left():
+            try:
+                cert = ssl.get_server_certificate((os.getenv('DJANGO_DOMAIN'), 443))
+                x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert)
+                days_left = dateutil.parser.parse(x509.get_notAfter()).date() - datetime.now().date()
+                return days_left
+            except (SSLError, SSLEOFError,
+                    SSLZeroReturnError, CertificateError,
+                    ConnectionAbortedError, ConnectionError,
+                    ConnectionRefusedError, ConnectionResetError) as e:
+                print('Got the following error during to get server certificate: {error}'.format(error=e))
+                return timedelta(days=100)
+
+        if get_days_left() < timedelta(days=7):
+            print("Certificate will expire soon! Performing certificate renewal.")
+
+            nginx_process = subprocess.run(['sudo', 'systemctl', 'stop', 'nginx.service'],
+                                           stdout=subprocess.PIPE)
+            if nginx_process.returncode != 0:
+                print("Nginx service has not been stopped successfully!")
+                print(nginx_process.stdout)
+                return
+
+            certbot_process = subprocess.run(['sudo', 'certbot', 'renew'],
+                                             stdout=subprocess.PIPE)
+            if certbot_process.returncode == 0:
+                print("Certificate has been renewed!")
+                print("{days} days left when certificate will expire.".format(days=get_days_left().days))
+            else:
+                print("Certificate has not been renewed for reason below!")
+                print(certbot_process.stdout)
+
+            nginx_process = subprocess.run(['sudo', 'systemctl', 'start', 'nginx.service'],
+                                           stdout=subprocess.PIPE)
+
+            if nginx_process.returncode != 0:
+                print("Nginx service has not been started successfully!")
+                print(nginx_process.stdout)
+                return
+
+            print("The 'check_cert_expiration_date' task has been successfully completed!")
+        else:
+            print("{days} days left when certificate will expire.".format(days=get_days_left().days))