scripts: renew certs automatically

Author: pulsejet

scripts/cert-check.py

@@ -0,0 +1,40 @@
+import base64
+import sys
+from datetime import datetime, timedelta
+
+from ndn.app_support.security_v2 import parse_certificate
+
+def main():
+    if len(sys.argv) != 2:
+        print(f"Usage: {sys.argv[0]} <cert_path>")
+        sys.exit(1)
+
+    file_path = sys.argv[1]
+    with open(file_path, 'r') as f:
+        b64_data = f.read()
+    text = ''.join(b64_data.split())
+
+    try:
+        cert_data = base64.standard_b64decode(text)
+        cert = parse_certificate(cert_data)
+    except (ValueError, IndexError):
+        print("Malformed certificate", file_path)
+        exit(1)
+
+    date_template = "%Y%m%dT%H%M%S"
+    not_before = bytes(cert.signature_info.validity_period.not_before).decode()
+    not_before = datetime.strptime(not_before, date_template)
+    not_after = bytes(cert.signature_info.validity_period.not_after).decode()
+    not_after = datetime.strptime(not_after, date_template)
+
+    print("Cert Status", file_path, not_before, not_after)
+
+    now = datetime.now()
+    if not_before <= now <= not_after - timedelta(days=91):
+        exit(0)
+    else:
+        print("Certificate is expired or will expire in less than 91 days")
+        exit(1)
+
+if __name__ == "__main__":
+    main()

scripts/cert-renew.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+source "$(pwd)/scripts/utils.sh"
+
+NDNCERT_CERTFILE="$(pwd)/dist/ndncert/site.ndncert"
+
+FORCE=""
+if [[ $(needs_renewal "${NDNCERT_CERTFILE}") ]]; then
+    FORCE="--force"
+fi
+
+# Check and reissue certificates
+bash "$(pwd)/dist/ndncert/renew.sh" "${FORCE}"
+bash "$(pwd)/dist/nlsr/renew.sh" "${FORCE}"
+bash "$(pwd)/dist/ndn-python-repo/renew.sh" "${FORCE}"

scripts/cron-master.sh

@@ -19,8 +19,13 @@ if [[ -z "$SKIP_SLEEP" ]]; then
     random_sleep 120
 fi
 
+# Remove git lock file if it exists and pull the latest changes
+rm -f .git/index.lock
 git pull
 
+# Renew certificates if needed
+bash $(pwd)/scripts/cert-renew.sh
+
 PWD="${ROOT_DIR}" python3 framework/main.py
 
 echo -e "Finished cron-master at $(date)" >&2

scripts/master.sh

@@ -23,9 +23,7 @@ if [[ -z "$DEBUG" ]]; then
     python3 framework/main.py --dry
 
     # Check and reissue certificates
-    bash dist/ndncert/renew.sh
-    bash dist/nlsr/renew.sh
-    bash dist/ndn-python-repo/renew.sh
+    bash $(pwd)/scripts/cert-renew.sh
 else
     echo -e "Skipping initial repo pull and bootstrap because DEBUG=1" >&2
 fi

scripts/utils.sh

@@ -1,5 +1,7 @@
 #!/bin/bash
 
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
 # Allow call to fail and return exit code
 allow_fail_status=0
 function allow_fail {
@@ -26,7 +28,7 @@ function get_csr {
 # Check if a certificate needs to be renewed
 function needs_renewal {
     local cert_path=$1
-    if [[ ! -f "${cert_path}" || -n "${HAS_FORCE}" ]]; then
+    if [[ ! -f "${cert_path}" || -n "${HAS_FORCE}" || python3 "${SCRIPT_DIR}/cert-check.py '${cert_path}'" -ne 0 ]]; then
         echo -e "1"
     else
         echo -e "${cert_path} exists, skipping ..." >&2