certdeploy.server.config package

Submodules

certdeploy.server.config.client module

CertDeploy Server client connection configs.

class certdeploy.server.config.client.ClientConnection(address: str, domains: list[str], pubkey: str, port: int = 22, username: str = 'certdeploy', path: PathLike | None = '/var/cache/certdeploy', needs_chain: bool = False, needs_fullchain: bool = True, needs_privkey: bool = True, push_retries: int | None = None, push_retry_interval: int | None = None)[source]

Bases: object

CertDeploy client connection config.

address: str

Client address or hostname.

domains: list[str]

Domains the client needs certs for (e.g. ['www.example.com', 'example.com']).

hash: str | None

A hash of the client’s user, address, and port.

Used internally for indexing queues.

needs_chain: bool = False

If True the client needs the chain.pem for the domains in domains.

needs_fullchain: bool = True

If True the client needs the fullchain.pem for the domains in domains.

needs_privkey: bool = True

If True the client needs the privkey.pem for the domains in domains.

path: PathLike | None = '/var/cache/certdeploy'

The path on the client to sync the certs to.

port: int = 22

The port the client or an SFTP server on the client host is listening on.

pubkey: str

The text of the public key of the client.

pubkey_blob: Ed25519Key | None

The public key from pubkey parsed into a paramiko Ed25519Key object (not text). Set on instance creation.

This is generated automatically when the configs are loaded; it is not set in the config file.

push_retries: int | None = None

The number of times to retry connecting to this client.

  • None lets the global push_retries config control this value.

  • 0 will cause the server to only try to push once (no retries).

  • Any other positive integer causes the server to push once and then retry

    up to that many times before giving up on this client.

push_retry_interval: int | None = None

The interval to wait between retries for this client.

  • None lets the global push_retry_interval control this value.

  • 0 disables any delay between retries.

  • Any other positive integer is used as the number of seconds between

    attempts to push certs to this client.

username: str = 'certdeploy'

The username to connect to the client with.
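The pubkey field above is the client's host key as seen by the server's SFTP connection, and pubkey_blob is that text parsed for paramiko. The following is an added example, not CertDeploy's own code: it parses the OpenSSH public-key line into the raw wire-format blob (the same bytes a paramiko Ed25519Key is built from), validates its structure, and pins it so a connection is only accepted when the client presents exactly that key. The helper names, the ParsedPubkey class, and the sample key built from 32 constructed bytes are all assumptions for illustration; the sample is not a real key.

```python
from __future__ import annotations

import base64
import binascii
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class ParsedPubkey:
    key_type: str   # "ssh-ed25519"
    blob: bytes     # raw SSH wire-format key; paramiko's Ed25519Key(data=...) takes this


def _read_ssh_string(buf: bytes, offset: int) -> tuple[bytes, int]:
    """Read one RFC 4251 'string' (uint32 big-endian length, then that many bytes)."""
    if len(buf) < offset + 4:
        raise ValueError("truncated SSH string length")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if len(buf) < end:
        raise ValueError("truncated SSH string body")
    return buf[start:end], end


def parse_openssh_pubkey(text: str) -> ParsedPubkey:
    """Parse an OpenSSH 'ssh-ed25519 <base64> [comment]' line and validate the blob.

    Only ssh-ed25519 is accepted, matching the Ed25519Key type of pubkey_blob.
    Anything structurally wrong is rejected before it can reach the SSH layer.
    """
    parts = text.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    if key_type != "ssh-ed25519":
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("public key is not valid base64") from exc
    # The blob restates the type and then carries exactly one 32-byte Ed25519 point.
    wire_type, offset = _read_ssh_string(blob, 0)
    point, offset = _read_ssh_string(blob, offset)
    if wire_type != b"ssh-ed25519" or len(point) != 32 or offset != len(blob):
        raise ValueError("malformed ssh-ed25519 key blob")
    return ParsedPubkey(key_type, blob)


def host_key_matches(configured: ParsedPubkey, presented_type: str, presented_blob: bytes) -> bool:
    """Pin check: the host key the client presents must equal the configured key byte for byte."""
    return presented_type == configured.key_type and hmac.compare_digest(presented_blob, configured.blob)


def paramiko_host_key_name(address: str, port: int) -> str:
    """Name under which paramiko looks up a pinned host key: bare host on 22, '[host]:port' otherwise."""
    return address if port == 22 else f"[{address}]:{port}"


def make_constructed_pubkey_text(point: bytes, comment: str = "certdeploy@client") -> str:
    """Build an OpenSSH-format line from a raw point. Constructed test data, not a real key."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", len(point)) + point
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample standing in for the pubkey field of one client config.
CONSTRUCTED_PUBKEY = make_constructed_pubkey_text(bytes(range(32)))
```

To apply the pin with paramiko, register the parsed blob under paramiko_host_key_name(address, port) via SSHClient.get_host_keys().add(name, "ssh-ed25519", paramiko.Ed25519Key(data=parsed.blob)) and set SSHClient.set_missing_host_key_policy(paramiko.RejectPolicy()); never use AutoAddPolicy for a connection that delivers private keys. The port-aware name matters because paramiko looks up keys for non-22 ports as "[host]:port".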

certdeploy.server.config.server module

CertDeploy Server config backend.

class certdeploy.server.config.server.PushMode(value)[source]

Bases: Enum

Server push modes.

PARALLEL = 'parallel'
SERIAL = 'serial'
classmethod choices() → list[PushMode][source]

Return a list of available values.

class certdeploy.server.config.server.Server(privkey_filename: ~os.PathLike, client_configs: list[dict] = <factory>, client_config_directory: ~os.PathLike = None, fail_fast: bool = False, log_level: ~certdeploy.LogLevel | str = LogLevel.ERROR, log_filename: ~os.PathLike | None = None, sftp_log_level: ~certdeploy.LogLevel | str = LogLevel.ERROR, sftp_log_filename: ~os.PathLike | None = None, sftp_auth_timeout: float = None, sftp_banner_timeout: float = 60, sftp_tcp_timeout: float = None, renew_every: int = 1, renew_unit: str = 'day', renew_at: str | None = None, renew_exec: str = None, renew_args: list[str] = <factory>, renew_timeout: int | None = None, push_mode: ~certdeploy.server.config.server.PushMode = PushMode.SERIAL, push_interval: int = 0, push_retries: int = 1, push_retry_interval: int = 30, join_timeout: float | None = None, queue_dir: ~os.PathLike = '/var/run/certdeploy')[source]

Bases: object

Base server configuration.

client_config_directory: PathLike = None

A directory containing individual client connection config files, each a dict of ClientConnection keyword arguments.

client_configs: list[dict]

A list of dicts, each defining the keyword arguments of certdeploy.server.config.client.ClientConnection.

fail_fast: bool = False

Exit on the first failed action. Defaults to False.

join_timeout: float | None = None

The number of seconds to wait while joining PushWorker threads. The declared default is None.

  • Any positive number (float or int) will be used as the number of

    seconds.

  • None will cause the join to wait indefinitely.

log_filename: PathLike | None = None

The path of the CertDeploy server log file.

log_level: LogLevel | str = 'ERROR'

The log level of the CertDeploy server. Valid values are DEBUG, INFO, WARNING, ERROR, and CRITICAL.

privkey_filename: PathLike

The path of the server’s private key file.

push_interval: int = 0

The interval between the start of one parallel push and the start of the next. Defaults to 0.

  • 0 disables any delay between the start of parallel pushes to

    clients.

  • Any other positive integer is used as the number of seconds between

    the start of successive push attempts to each client.

push_mode: PushMode = 'serial'

The type of deployment to use. Defaults to PushMode.SERIAL.

  • PushMode.SERIAL causes the certs to be pushed to clients one client at

    a time.

  • PushMode.PARALLEL causes the certs to be pushed to all clients at

    once.

push_retries: int = 1

The number of times to retry pushing certs to clients. Defaults to 1.

This is overridden by push_retries in a client config, on a per-client basis.

  • 0 will cause the server to only try to push once (no retries).

  • Any other positive integer causes the server to push once to each client

    and then retry up to that many times per client before giving up.

push_retry_interval: int = 30

The delay in seconds between retrying to push certs to clients. Defaults to 30.

This is overridden by push_retry_interval in a client config, on a per-client basis.

  • 0 disables any delay between retries.

  • Any other positive integer is used as the number of seconds between

    attempts to push certs to each client.
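The per-client push_retries and push_retry_interval (ClientConnection, above) and the global Server values they override resolve the same way: None on the client defers to the server, 0 means a single attempt or no delay, and a positive integer is the retry count or the seconds between attempts. The following is an added example, not CertDeploy's own implementation: it performs that resolution, rejects negative values, runs a push loop that honours the semantics, and walks a client list in PushMode.SERIAL order with fail_fast. The ClientRetryConfig and ServerRetryConfig classes stand in for the relevant fields of ClientConnection and Server, and flaky_push is a constructed stand-in for the real SFTP push; all of these names are assumptions for illustration.

```python
from __future__ import annotations

import time
from dataclasses import dataclass
from typing import Callable


@dataclass
class ClientRetryConfig:
    """Hypothetical stand-in for the retry-related fields of ClientConnection."""
    address: str
    push_retries: int | None = None
    push_retry_interval: int | None = None


@dataclass
class ServerRetryConfig:
    """Hypothetical stand-in for the global retry fields of Server."""
    push_retries: int = 1
    push_retry_interval: int = 30
    fail_fast: bool = False


def _resolve(client_value: int | None, server_value: int, name: str) -> int:
    """None on the client defers to the server; anything negative is a config error."""
    value = server_value if client_value is None else client_value
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        raise ValueError(f"{name} must be a non-negative integer, got {value!r}")
    return value


def effective_retries(client: ClientRetryConfig, server: ServerRetryConfig) -> int:
    return _resolve(client.push_retries, server.push_retries, "push_retries")


def effective_retry_interval(client: ClientRetryConfig, server: ServerRetryConfig) -> int:
    return _resolve(client.push_retry_interval, server.push_retry_interval, "push_retry_interval")


def push_with_retries(client, server, attempt_push, sleep=time.sleep) -> tuple[bool, int]:
    """One attempt plus up to effective_retries() retries.

    Returns (succeeded, attempts_made). An interval of 0 means no delay between attempts.
    """
    retries = effective_retries(client, server)
    interval = effective_retry_interval(client, server)
    attempts = 0
    while True:
        attempts += 1
        try:
            if attempt_push(client):
                return True, attempts
        except OSError:  # connection-level failure counts as a failed attempt
            pass
        if attempts > retries:
            return False, attempts
        if interval > 0:
            sleep(interval)


def push_all_serial(clients, server, attempt_push, sleep=time.sleep) -> dict[str, bool]:
    """PushMode.SERIAL: one client at a time; fail_fast stops at the first client that exhausts its retries."""
    results: dict[str, bool] = {}
    for client in clients:
        ok, _ = push_with_retries(client, server, attempt_push, sleep)
        results[client.address] = ok
        if not ok and server.fail_fast:
            break
    return results


def flaky_push(fail_first: int) -> Callable[[ClientRetryConfig], bool]:
    """Constructed stand-in for the SFTP push: fails the first `fail_first` calls for each client."""
    calls: dict[str, int] = {}

    def attempt(client: ClientRetryConfig) -> bool:
        calls[client.address] = calls.get(client.address, 0) + 1
        return calls[client.address] > fail_first

    return attempt
```

Passing a recording function as sleep (as the checks below do) lets the retry timing be verified without waiting, which is also how to unit-test a production retry loop.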

queue_dir: PathLike = '/var/run/certdeploy'

The directory where runtime files will be stored.

The queue and its lockfile are stored here.

renew_args: list[str]

Arguments for the Certbot executable.

renew_at: str | None = None

The time at which to try to renew certs. Formatted HH:MM when renew_unit is day, week or a weekday name, and :MM (the minute within the hour) when renew_unit is hour.

renew_every: int = 1

The number of renew_unit intervals between renewal attempts. Valid values are integers greater than 0.

renew_exec: str = None

The path of the Certbot executable.

renew_timeout: int | None = None

Timeout for the certbot renew command. None means wait indefinitely.

renew_unit: str = 'day'

The type of interval to try to renew certs on. Valid values are minute, hour, day, week and weekday names.
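The renew_every, renew_unit and renew_at fields above form one schedule, and renew_at's accepted format depends on renew_unit. The following is an added example, not CertDeploy's own validation code: a parser that checks the triple before it reaches a scheduler, returning the unit normalised and renew_at split into (hour, minute) or (None, minute). Treating renew_at as an error when renew_unit is minute is an assumption made here, since the page only describes the hour and longer cases; the function name is likewise hypothetical.

```python
from __future__ import annotations

import re

WEEKDAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")
RENEW_UNITS = ("minute", "hour", "day", "week", *WEEKDAYS)

_HHMM = re.compile(r"^([01]\d|2[0-3]):([0-5]\d)$")  # 24-hour time for day/week/weekday
_MM = re.compile(r"^:([0-5]\d)$")                    # minute within the hour for hour


def parse_renew_schedule(
    renew_every: int, renew_unit: str, renew_at: str | None
) -> tuple[int, str, tuple[int | None, int] | None]:
    """Validate a renew schedule and return (renew_every, unit, at).

    `at` is (hour, minute) for day/week/weekday units, (None, minute) for hour,
    or None when renew_at is not set.
    """
    # renew_every: integers greater than 0 only (bool is excluded explicitly, it is an int subclass).
    if isinstance(renew_every, bool) or not isinstance(renew_every, int) or renew_every <= 0:
        raise ValueError(f"renew_every must be an integer greater than 0, got {renew_every!r}")

    unit = renew_unit.strip().lower()
    if unit not in RENEW_UNITS:
        raise ValueError(f"renew_unit must be one of {', '.join(RENEW_UNITS)}, got {renew_unit!r}")

    if renew_at is None:
        return renew_every, unit, None

    if unit == "minute":
        # Assumption of this example: a time-of-day makes no sense for a per-minute schedule.
        raise ValueError("renew_at cannot be combined with renew_unit 'minute'")

    if unit == "hour":
        m = _MM.match(renew_at)
        if not m:
            raise ValueError(f"renew_at must be ':MM' when renew_unit is 'hour', got {renew_at!r}")
        return renew_every, unit, (None, int(m.group(1)))

    m = _HHMM.match(renew_at)
    if not m:
        raise ValueError(f"renew_at must be 'HH:MM' when renew_unit is {unit!r}, got {renew_at!r}")
    return renew_every, unit, (int(m.group(1)), int(m.group(2)))
```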

sftp_auth_timeout: float = None

This sets the SFTP auth step timeout in seconds. paramiko.SSHClient.connect() auth_timeout argument.

sftp_banner_timeout: float = 60

This sets the SFTP banner timeout in seconds. paramiko.SSHClient.connect() banner_timeout argument.

sftp_log_filename: PathLike | None = None

The path of the paramiko log file.

sftp_log_level: LogLevel | str = 'ERROR'

The paramiko log level. This is separate from the CertDeploy log level. The valid values are the same as log_level.

sftp_tcp_timeout: float = None

This sets the TCP connect timeout for SFTP in seconds. Passed as the timeout argument of paramiko.SSHClient.connect() (paramiko has no tcp_timeout argument).

Module contents

The CertDeploy server config.

class certdeploy.server.config.ServerConfig(*args, **kwargs)[source]

Bases: Server

Server configuration.

See certdeploy.server.config.server.Server for arguments and keyword arguments.

classmethod load(filename: PathLike, override_log_filename: PathLike | None = None, override_log_level: LogLevel | None = None, override_sftp_log_filename: PathLike | None = None, override_sftp_log_level: LogLevel | None = None) → ServerConfig[source]

Load the ServerConfig from a file.

Parameters:
  • filename – The path of the CertDeploy server config.

  • override_log_filename – The path of the CertDeploy log file as given by the command line arguments. Defaults to the log_filename option in the config.

  • override_log_level – The CertDeploy log level as given by the command line arguments. Defaults to the log_level option in the config.

  • override_sftp_log_filename – The path of the SFTP client log file as given by the command line arguments. Defaults to the sftp_log_filename option in the config.

  • override_sftp_log_level – The SFTP client log level as given by the command line arguments. Defaults to the sftp_log_level option in the config.