# Helps you purchase an SSL certificate from Gandi.net using
# their API.
#
# Before you begin:
# 1) Create an account on Gandi.net.
# 2) Pre-pay $16 into your account at https://www.gandi.net/prepaid/operations. Wait until the payment goes through.
# 3) Activate your API key first on the test platform (wait a while, refresh the page) and then activate the production API at https://www.gandi.net/admin/api_key.
print("No certificate or order found yet. If you haven't yet purchased a certificate, run ths script again with the 'purchase' command. Otherwise wait a moment and try again.")
sys.exit(1)
else:
# Start an order for a single standard SSL certificate.
# Use DNS validation. Web-based validation won't work because it
# requires the validation file to be served over plain HTTP (not HTTPS)
# without redirects, and we don't serve anything over plain HTTP.
# Email validation might be another way, but DNS is easier to automate.
op=gandi.cert.create(api_key,{
"csr":open(ssl_csr_path).read(),
"dcv_method":"dns",
"duration":1,# year?
"package":"cert_std_1_0_0",
})
print("An SSL certificate has been ordered.")
print()
print(op)
print()
print("In a moment please run this script again with the 'setup' command.")
ifcert['status']=='pending':
# Get the information we need to update our DNS with a code so that
# Gandi can verify that we own the domain.
dcv=gandi.cert.get_dcv_params(api_key,{
"csr":open(ssl_csr_path).read(),
"cert_id":cert['id'],
"dcv_method":"dns",
"duration":1,# year?
"package":"cert_std_1_0_0",
})
ifdcv["dcv_method"]!="dns":
raiseException("Certificate ordered with an unknown validation method.")
# Update our DNS data.
dns_config=env['STORAGE_ROOT']+'/dns/custom.yaml'
ifos.path.exists(dns_config):
dns_records=rtyaml.load(open(dns_config))
else:
dns_records={}
qname=dcv['md5']+'.'+domain
value=dcv['sha1']+'.comodoca.com.'
dns_records[qname]={"CNAME":value}
withopen(dns_config,'w')asf:
f.write(rtyaml.dump(dns_records))
shell('check_call',['tools/dns_update'])
# Okay, done with this step.
print("DNS has been updated. Gandi will check within 60 minutes.")
print()
print("See https://www.gandi.net/admin/ssl/%d/details for the status of this order."%cert['id'])
elifcert['status']=='valid':
# The certificate is ready.
# Check before we overwrite something we shouldn't: if a certificate file
# already exists, stop unless check_certificate reports it as SELF-SIGNED.
ifos.path.exists(ssl_certificate):
cert_status=check_certificate(ssl_certificate)
ifcert_status!="SELF-SIGNED":
print("Please back up and delete the file %s so I can save your new certificate."%ssl_certificate)
sys.exit(1)
# Form the certificate.
# The certificate comes as a long base64-encoded string. Break in