From be889d379437be18ce1c0518b2cfec15f6b8dd6a Mon Sep 17 00:00:00 2001
From: Jakub Warmuz
Date: Sat, 27 Jun 2015 08:19:16 +0000
Subject: [PATCH] letsencrypt_nginx: generate snakeoil cert/key (fixes #481).
---
 letsencrypt_nginx/configurator.py | 20 ++++++++++++++++----
 letsencrypt_nginx/tests/configurator_test.py | 14 ++++++++++++++
 2 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/letsencrypt_nginx/configurator.py b/letsencrypt_nginx/configurator.py
index b1dfdca31..852ff82ac 100644
--- a/letsencrypt_nginx/configurator.py
+++ b/letsencrypt_nginx/configurator.py
@@ -13,6 +13,7 @@ from acme import challenges
 from letsencrypt import achallenges
 from letsencrypt import constants as core_constants
+from letsencrypt import crypto_util
 from letsencrypt import errors
 from letsencrypt import interfaces
 from letsencrypt import le_util
@@ -263,6 +264,18 @@ class NginxConfigurator(common.Plugin):
         return all_names
+    def _get_snakeoil_paths(self):
+        # TODO: generate only once
+        tmp_dir = os.path.join(self.config.work_dir, "snakeoil")
+        key = crypto_util.init_save_key(
+            key_size=1024, key_dir=tmp_dir, keyname="key.pem")
+        cert_pem = crypto_util.make_ss_cert(
+            key.pem, domains=[socket.gethostname()])
+        cert = os.path.join(tmp_dir, "cert.pem")
+        with open(cert, 'w') as cert_file:
+            cert_file.write(cert_pem)
+        return cert, key.file
+
     def _make_server_ssl(self, vhost):
         """Makes a server SSL based on server_name and filename by adding
         a 'listen 443 ssl' directive to the server block.
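Review bot: `_get_snakeoil_paths` generates a 1024-bit RSA key (`key_size=1024`), which is below the 2048-bit floor that TLS stacks increasingly enforce (nginx linked against OpenSSL at security level 2 refuses to load such a key), so the placeholder server block may fail to load rather than merely present an untrusted certificate; use at least 2048, ideally whatever key size the rest of the client is configured to use. The method also has no docstring, and the `# TODO: generate only once` means every call rewrites `work_dir/snakeoil/key.pem` and `cert.pem`; suggest `"""Write a throwaway self-signed cert/key under work_dir and return (cert_path, key_path)."""` plus an early `if os.path.exists(cert) and os.path.exists(key_path): return cert, key_path` before generation. Whether `init_save_key` creates `tmp_dir` and restricts the key file's mode is not visible in this hunk, and the following `open(cert, 'w')` relies on the directory already existing, so that should be confirmed or guarded with an explicit directory creation.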
@@ -274,11 +287,10 @@ class NginxConfigurator(common.Plugin):
         :type vhost: :class:`~letsencrypt_nginx.obj.VirtualHost`
         """
+        snakeoil_cert, snakeoil_key = self._get_snakeoil_paths()
         ssl_block = [['listen', '443 ssl'],
-                     ['ssl_certificate',
-                      '/etc/ssl/certs/ssl-cert-snakeoil.pem'],
-                     ['ssl_certificate_key',
-                      '/etc/ssl/private/ssl-cert-snakeoil.key'],
+                     ['ssl_certificate', snakeoil_cert],
+                     ['ssl_certificate_key', snakeoil_key],
                      ['include', self.parser.loc["ssl_options"]]]
         self.parser.add_server_directives(
             vhost.filep, vhost.names, ssl_block)
diff --git a/letsencrypt_nginx/tests/configurator_test.py b/letsencrypt_nginx/tests/configurator_test.py
index 83085cc9f..48d71e27d 100644
--- a/letsencrypt_nginx/tests/configurator_test.py
+++ b/letsencrypt_nginx/tests/configurator_test.py
@@ -1,8 +1,10 @@
 """Test for letsencrypt_nginx.configurator."""
+import os
 import shutil
 import unittest
 import mock
+import OpenSSL
 from acme import challenges
 from acme import messages
@@ -266,6 +268,18 @@ class NginxConfiguratorTest(util.NginxTest):
         mocked.returncode = 0
         self.assertTrue(self.config.config_test())
+    def test_get_snakeoil_paths(self):
+        # pylint: disable=protected-access
+        cert, key = self.config._get_snakeoil_paths()
+        self.assertTrue(os.path.exists(cert))
+        self.assertTrue(os.path.exists(key))
+        with open(cert) as cert_file:
+            OpenSSL.crypto.load_certificate(
+                OpenSSL.crypto.FILETYPE_PEM, cert_file.read())
+        with open(key) as key_file:
+            OpenSSL.crypto.load_privatekey(
+                OpenSSL.crypto.FILETYPE_PEM, key_file.read())
+
 if __name__ == "__main__":
     unittest.main() # pragma: no cover
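Review bot: The `ssl_certificate` and `ssl_certificate_key` directives written by `_make_server_ssl` now point into `self.config.work_dir` (via `_get_snakeoil_paths`), so the validity of the edited nginx configuration depends on that directory outliving the run; if work_dir is cleaned up or is a per-invocation temporary directory, every server block touched here fails `nginx -t` until a real certificate replaces the placeholder paths. Consider writing the placeholder under a persistent directory instead, or at minimum note in `_make_server_ssl`'s docstring that the snakeoil paths are temporary and are expected to be overwritten by the real certificate deployment step. `_make_server_ssl`'s docstring begins outside this hunk.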
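Review bot: `test_get_snakeoil_paths` only checks that the two files parse as PEM; it does not check that the private key is protected from other local users, which is the property a key written under work_dir most needs, nor that the paths lie under the configurator's work_dir. Suggest adding `self.assertEqual(os.stat(key).st_mode & 0o077, 0)` after the exists checks (if `init_save_key` does not already restrict the mode, this test is what will show it) and asserting that `os.path.dirname(cert)` is inside the configured work_dir. Once the `# TODO: generate only once` in `_get_snakeoil_paths` is addressed, a second call asserted to return the same paths would pin that behaviour too.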