Merge pull request #8 from vincowl/patch-1

Error generating certs with acme v2 and SANs

.gitignore

@@ -1,4 +1,5 @@
 certs/
+certs_flat/
 data/
 
 # Python ignores

Dockerfile

@@ -15,4 +15,4 @@ RUN pip3 install -r requirements.txt
 COPY . /app
 
 # Define entrypoint of the app
-ENTRYPOINT ["python3", "extractor.py"]
+ENTRYPOINT ["python3", "-u", "extractor.py"]

README.md

@@ -5,6 +5,7 @@ Tool to extract Let's Encrypt certificates from Traefik's ACME storage file.
 ## Installation
 ```
 git clone https://github.com/DanielHuisman/traefik-certificate-extractor
+cd traefik-certificate-extractor
 ```
 
 ## Usage
@@ -13,6 +14,13 @@ python3 extractor.py [directory]
 ```
 Default directory is `./data`. The output directory is `./certs`.
 
+## Docker
+There is a Docker image available for this tool: [danielhuisman/traefik-certificate-extractor](https://hub.docker.com/r/danielhuisman/traefik-certificate-extractor/).
+Example run:
+```
+docker run --name extractor -d -v /srv/extractor/data:/app/data -v /srv/extractor/certs:/app/certs danielhuisman/traefik-certificate-extractor
+```
+
 ## Output
 ```
 certs/
@@ -26,4 +34,11 @@ certs/
         chain.pem
         fullchain.pem
         privkey.pem
+certs_flat/
+    example.com.crt
+    example.com.key
+    example.com.chain.pem
+    sub.example.nl.crt
+    sub.example.nl.key
+    sub.example.nl.chain.pem
 ```

extractor.py

@@ -21,19 +21,38 @@ class Handler(FileSystemEventHandler):
 
             # Read JSON file
             data = json.loads(open(event.src_path).read())
-            certs = data['DomainsCertificate']['Certs']
+
+            # Determine ACME version
+            acme_version = 2 if 'acme-v02' in data['Account']['Registration']['uri'] else 1
+
+            # Find certificates
+            if acme_version == 1:
+                certs = data['DomainsCertificate']['Certs']
+            elif acme_version == 2:
+                certs = data['Certificates']
 
             # Loop over all certificates
             for c in certs:
+                if acme_version == 1:
+                    name = c['Certificate']['Domain']
+                    privatekey = c['Certificate']['PrivateKey']
+                    fullchain = c['Certificate']['Certificate']
+                    sans = c['Domains']['SANs']
+                elif acme_version == 2:
+                    name = c['Domain']['Main']
+                    privatekey = c['Key']
+                    fullchain = c['Certificate']
+                    sans = c['Domain']['SANs']
+
                 # Decode private key, certificate and chain
-                privatekey = b64decode(c['Certificate']['PrivateKey']).decode('utf-8')
+                privatekey = b64decode(privatekey).decode('utf-8')
-                fullchain = b64decode(c['Certificate']['Certificate']).decode('utf-8')
+                fullchain = b64decode(fullchain).decode('utf-8')
                 start = fullchain.find('-----BEGIN CERTIFICATE-----', 1)
                 cert = fullchain[0:start]
                 chain = fullchain[start:]
 
                 # Create domain directory if it doesn't exist
-                directory = 'certs/' + c['Certificate']['Domain'] + '/'
+                directory = 'certs/' + name + '/'
                 try:
                     os.makedirs(directory)
                 except OSError as error:
@@ -53,18 +72,42 @@ class Handler(FileSystemEventHandler):
                 with open(directory + 'fullchain.pem', 'w') as f:
                     f.write(fullchain)
 
-                print('Extracted certificate for: ' + c['Domains']['Main'] + (', ' + ', '.join(c['Domains']['SANs']) if c['Domains']['SANs'] else ''))
+                # Write private key, certificate and chain to flat files
+                directory = 'certs_flat/'
+
+                with open(directory + name + '.key', 'w') as f:
+                    f.write(privatekey)
+                with open(directory + name + '.crt', 'w') as f:
+                    f.write(fullchain)
+                with open(directory + name + '.chain.pem', 'w') as f:
+                    f.write(chain)
+
+                if sans:
+                    for name in sans:
+                        with open(directory + name + '.key', 'w') as f:
+                            f.write(privatekey)
+                        with open(directory + name + '.crt', 'w') as f:
+                            f.write(fullchain)
+                        with open(directory + name + '.chain.pem', 'w') as f:
+                            f.write(chain)
+
+                print('Extracted certificate for: ' + name + (', ' + ', '.join(sans) if sans else ''))
 
 if __name__ == "__main__":
     # Determine path to watch
     path = sys.argv[1] if len(sys.argv) > 1 else './data'
 
-    # Create output directory if it doesn't exist
+    # Create output directories if it doesn't exist
     try:
         os.makedirs('certs')
     except OSError as error:
         if error.errno != errno.EEXIST:
             raise
+    try:
+        os.makedirs('certs_flat')
+    except OSError as error:
+        if error.errno != errno.EEXIST:
+            raise
 
     # Create event handler and observer
     event_handler = Handler()