"""
SSL/TLS Certificate Management and Server Runner
PURPOSE:
This module provides SSL/TLS certificate management for Flask applications, supporting
both development and production environments. It handles:
- Self-signed certificate generation for development/testing
- Let's Encrypt certificate setup guidance for production
- Secure server startup with proper SSL/TLS configuration
- Certificate validation and verification
- Secure key generation with appropriate algorithms and key sizes
ARCHITECTURE:
- SSLManager: Handles certificate generation and Let's Encrypt setup
- run_server(): Orchestrates Flask server startup with SSL/TLS
- Command-line interface for certificate management operations
SECURITY CONSIDERATIONS:
- Strong cryptographic parameters (RSA 4096-bit minimum)
- Secure private key generation and storage
- Input validation on all user-provided data
- Protection against command injection attacks
- Secure file permissions on certificates and keys
- Certificate expiration warnings
- Validation of certificate paths and domains
- Prevention of path traversal attacks
- Secure subprocess execution
- No hardcoded credentials or secrets
PRODUCTION NOTES:
- Self-signed certificates should NEVER be used in production
- Let's Encrypt is recommended for production deployments
- Certificate rotation and renewal should be automated
- Private keys must be protected with appropriate file permissions
- Monitor certificate expiration dates
"""
import logging
import os
import re
import ssl
import subprocess
import sys
from datetime import datetime, timedelta
from pathlib import Path
from typing import Optional, Tuple
logging.basicConfig(
level=logging.INFO,
format='%(asctime)s - %(name)s - %(levelname)s - %(message)s'
)
logger = logging.getLogger(__name__)
class SSLConfigError(Exception):
    """Error type for SSL configuration problems.

    Exposed for callers of this module; the functions defined here signal
    failure through return values and log messages and do not raise it.
    """
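class SSLManager:
    """Manage SSL/TLS certificates for secure connections.

    Every method is a ``staticmethod``; the class groups the validation and
    generation helpers used by the CLI in ``main`` and by ``run_server``.
    Methods report failure by returning False (logging the reason) rather
    than raising, except ``_sanitize_filename`` which raises ValueError.
    """

    # Passed to ``openssl req -newkey rsa:<bits>``; it is the only size
    # this module ever generates.
    MIN_KEY_SIZE = 4096
    # Upper bound on a self-signed certificate's validity in days
    # (presumably chosen to match browser leaf-certificate validity caps).
    MAX_CERT_DAYS = 825

    # Hostname: dot-separated labels of 1-63 alphanumerics/hyphens that do
    # not start or end with a hyphen.  Used with fullmatch, so no anchors:
    # ``$`` + ``match`` would accept a trailing newline.
    _DOMAIN_RE = re.compile(
        r'(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)*'
        r'[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?'
    )
    # Deliberately strict: the accepted character set contains no shell
    # metacharacters or newlines, because the address is echoed into a
    # suggested certbot command line.
    _EMAIL_RE = re.compile(r'[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}')

    @staticmethod
    def _validate_domain(domain: str) -> bool:
        """Return True if *domain* is ``localhost`` or a well-formed hostname.

        Args:
            domain: Candidate hostname (at most 253 characters).
        """
        if not domain or not isinstance(domain, str):
            return False
        if len(domain) > 253:
            return False
        if domain == 'localhost':
            return True
        return SSLManager._DOMAIN_RE.fullmatch(domain) is not None

    @staticmethod
    def _validate_email(email: str) -> bool:
        """Return True if *email* looks like ``local@host.tld``.

        Args:
            email: Candidate address (at most 254 characters).
        """
        if not email or not isinstance(email, str):
            return False
        if len(email) > 254:
            return False
        return SSLManager._EMAIL_RE.fullmatch(email) is not None

    @staticmethod
    def _sanitize_filename(filename: str) -> str:
        """Reduce *filename* to a safe bare file name.

        Directory components are discarded (``certs/../x.pem`` becomes
        ``x.pem`` in the current directory) and every character outside
        ``[A-Za-z0-9._-]`` is removed.

        Raises:
            ValueError: if the input is empty, nothing usable remains, or the
                result would be a dotfile (which also rejects ``.`` / ``..``).
        """
        if not filename or not isinstance(filename, str):
            raise ValueError("Invalid filename")
        base = re.sub(r'[^a-zA-Z0-9._-]', '', os.path.basename(filename))
        if not base or base.startswith('.'):
            raise ValueError("Invalid filename after sanitization")
        return base

    @staticmethod
    def _validate_cert_path(cert_path: str, key_path: str) -> Tuple[bool, str]:
        """Check that the certificate and key output paths can be written.

        Returns:
            ``(True, "")`` when both parent directories are writable and any
            existing file at either path is writable; else ``(False, reason)``.
        """
        try:
            cert_path = os.path.abspath(cert_path)
            key_path = os.path.abspath(key_path)
            cert_dir = os.path.dirname(cert_path)
            key_dir = os.path.dirname(key_path)
            # os.access is a pre-flight hint only; the real open() in
            # _precreate_private_key / openssl is still error-checked.
            if not os.access(cert_dir, os.W_OK):
                return False, f"Cannot write to certificate directory: {cert_dir}"
            if not os.access(key_dir, os.W_OK):
                return False, f"Cannot write to key directory: {key_dir}"
            if os.path.exists(cert_path) and not os.access(cert_path, os.W_OK):
                return False, f"Certificate file exists but is not writable: {cert_path}"
            if os.path.exists(key_path) and not os.access(key_path, os.W_OK):
                return False, f"Key file exists but is not writable: {key_path}"
            return True, ""
        except (OSError, ValueError, TypeError) as e:
            # ValueError covers embedded NUL bytes; TypeError a non-str path.
            return False, f"Path validation error: {type(e).__name__}"

    @staticmethod
    def _set_secure_permissions(key_path: str) -> bool:
        """Restrict *key_path* to owner read/write (0600) on POSIX systems.

        Returns:
            True on success or on Windows (where only a warning is logged);
            False if chmod fails.
        """
        try:
            if os.name != 'nt':
                os.chmod(key_path, 0o600)
                logger.info(f"Set secure permissions (600) on {key_path}")
            else:
                logger.warning("Windows detected - set file permissions manually")
            return True
        except OSError as e:
            logger.error(f"Failed to set permissions on {key_path}: {e}")
            return False

    @staticmethod
    def _precreate_private_key(key_path: str) -> None:
        """Create (or truncate) *key_path* with mode 0600 before OpenSSL writes it.

        open(2) applies the mode only when it creates the file, so OpenSSL's
        subsequent ``-keyout`` write inherits 0600 and the key is never
        world-readable, even briefly.  ``_set_secure_permissions`` is still
        applied afterwards as a fallback.

        Raises:
            OSError: if the file cannot be created.
        """
        fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        os.close(fd)

    @staticmethod
    def _check_openssl() -> Tuple[bool, str]:
        """Return ``(True, version_string)`` if ``openssl version`` runs.

        Returns:
            ``(False, reason)`` when the binary is missing, cannot be executed,
            times out (5 s) or exits non-zero.
        """
        try:
            result = subprocess.run(
                ['openssl', 'version'],
                check=True,
                capture_output=True,
                text=True,
                timeout=5
            )
        except FileNotFoundError:
            return False, "OpenSSL not found"
        except subprocess.TimeoutExpired:
            return False, "OpenSSL check timed out"
        except subprocess.CalledProcessError as e:
            return False, f"OpenSSL error: {e}"
        except OSError as e:
            # e.g. PermissionError on a non-executable binary
            return False, f"OpenSSL could not be executed: {type(e).__name__}"
        version = result.stdout.strip()
        logger.info(f"OpenSSL found: {version}")
        return True, version

    @staticmethod
    def generate_self_signed_cert(
        domain: str = 'localhost',
        days: int = 365,
        cert_path: str = 'cert.pem',
        key_path: str = 'key.pem'
    ) -> bool:
        """Generate a self-signed certificate and unencrypted RSA key with OpenSSL.

        Args:
            domain: Subject CN; must pass ``_validate_domain``.
            days: Validity period, 1..MAX_CERT_DAYS (bool is rejected).
            cert_path: Output certificate file; reduced to a bare file name
                in the current directory by ``_sanitize_filename``.
            key_path: Output private key file; same treatment.

        Returns:
            True when both files exist after OpenSSL succeeds; False for any
            validation, tooling or execution failure (reason is logged).
        """
        logger.info("Starting self-signed certificate generation")
        if not SSLManager._validate_domain(domain):
            logger.error(f"Invalid domain: {domain}")
            return False
        # bool is a subclass of int: ``days=True`` would otherwise pass as 1.
        if (isinstance(days, bool) or not isinstance(days, int)
                or not 1 <= days <= SSLManager.MAX_CERT_DAYS):
            logger.error(f"Invalid certificate validity period: {days} days")
            logger.info(f"Valid range: 1-{SSLManager.MAX_CERT_DAYS} days")
            return False
        try:
            # Directory components are dropped, not honoured: both files land
            # in the current working directory.
            cert_path = SSLManager._sanitize_filename(cert_path)
            key_path = SSLManager._sanitize_filename(key_path)
        except ValueError as e:
            logger.error(f"Invalid file path: {e}")
            return False
        valid, error_msg = SSLManager._validate_cert_path(cert_path, key_path)
        if not valid:
            logger.error(error_msg)
            return False
        openssl_ok, openssl_msg = SSLManager._check_openssl()
        if not openssl_ok:
            logger.error(openssl_msg)
            logger.info("Install OpenSSL:")
            logger.info(" Ubuntu/Debian: sudo apt-get install openssl")
            logger.info(" MacOS: brew install openssl")
            logger.info(" Windows: https://slproweb.com/products/Win32OpenSSL.html")
            return False
        subject = f'/CN={domain}'
        if len(subject) > 256:
            logger.error("Subject DN too long")
            return False
        # Argument list, no shell: the validated domain is passed verbatim and
        # never interpreted.  ``-nodes`` leaves the key unencrypted, which is
        # what run_server expects (it starts without a passphrase).
        cmd = [
            'openssl', 'req', '-x509',
            '-newkey', f'rsa:{SSLManager.MIN_KEY_SIZE}',
            '-keyout', key_path,
            '-out', cert_path,
            '-days', str(days),
            '-nodes',
            '-subj', subject,
            '-sha256'
        ]
        try:
            SSLManager._precreate_private_key(key_path)
            subprocess.run(
                cmd,
                check=True,
                capture_output=True,
                text=True,
                timeout=60
            )
            if os.path.exists(key_path):
                SSLManager._set_secure_permissions(key_path)
            if os.path.exists(cert_path) and os.path.exists(key_path):
                logger.info(f"Certificate generated: {cert_path}")
                logger.info(f"Private key generated: {key_path}")
                logger.info(f"Valid for {days} days")
                logger.warning("Self-signed certificates should only be used for development!")
                logger.warning("Browsers will show security warnings for self-signed certificates")
                return True
            logger.error("Certificate or key file not created")
            return False
        except subprocess.TimeoutExpired:
            logger.error("Certificate generation timed out")
            return False
        except subprocess.CalledProcessError as e:
            logger.error(f"Certificate generation failed: {e.stderr}")
            return False
        except Exception as e:
            # Last-resort catch so a CLI run reports rather than tracebacks.
            logger.error(f"Unexpected error: {type(e).__name__}: {e}")
            return False

    @staticmethod
    def setup_letsencrypt(domain: str, email: str) -> bool:
        """Validate inputs, confirm certbot is installed and print the manual steps.

        Nothing is executed with elevated privileges here; the certbot
        command is only logged for the operator to run.

        Args:
            domain: Public hostname (``localhost`` is rejected).
            email: Contact address passed to certbot.

        Returns:
            True when guidance was printed; False on invalid input or when
            certbot is unavailable.
        """
        logger.info("Setting up Let's Encrypt certificate guidance")
        if not SSLManager._validate_domain(domain):
            logger.error(f"Invalid domain: {domain}")
            return False
        if not SSLManager._validate_email(email):
            logger.error(f"Invalid email: {email}")
            return False
        if domain == 'localhost':
            logger.error("Cannot use Let's Encrypt with localhost")
            logger.info("Use self-signed certificates for local development")
            return False
        try:
            result = subprocess.run(
                ['certbot', '--version'],
                check=True,
                capture_output=True,
                text=True,
                timeout=5
            )
            logger.info(f"Certbot found: {result.stdout.strip()}")
        except FileNotFoundError:
            logger.error("Certbot not found. Install it first:")
            logger.info(" Ubuntu/Debian: sudo apt-get install certbot")
            logger.info(" MacOS: brew install certbot")
            logger.info(" RHEL/CentOS: sudo yum install certbot")
            return False
        except subprocess.TimeoutExpired:
            logger.error("Certbot check timed out")
            return False
        except subprocess.CalledProcessError as e:
            logger.error(f"Certbot error: {e}")
            return False
        except OSError as e:
            logger.error(f"Certbot could not be executed: {type(e).__name__}")
            return False
        logger.warning("This requires sudo access and port 80 to be available")
        logger.warning("Make sure your domain DNS points to this server")
        logger.info(f"\nDomain: {domain}")
        logger.info(f"Email: {email}")
        logger.info("\nRun this command manually (requires sudo):")
        logger.info(f" sudo certbot certonly --standalone -d {domain} "
                    f"--non-interactive --agree-tos --email {email}")
        cert_path = f"/etc/letsencrypt/live/{domain}/fullchain.pem"
        key_path = f"/etc/letsencrypt/live/{domain}/privkey.pem"
        logger.info("\nAfter running certbot, configure your application:")
        logger.info(f" SSL_CERT_PATH={cert_path}")
        logger.info(f" SSL_KEY_PATH={key_path}")
        logger.info(" USE_SSL=true")
        logger.info("\nSet up auto-renewal:")
        logger.info(" sudo certbot renew --dry-run")
        # NOTE(review): the suggested cron entry renews the files but does not
        # restart/reload the server, which keeps serving the old certificate
        # until it is restarted; a --deploy-hook is the usual way to close that.
        logger.info(" Add to cron: 0 0 * * * certbot renew --quiet")
        return True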
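def validate_ssl_config(cert_path: str, key_path: str) -> Tuple[bool, str]:
    """Check that a certificate/key pair exists, is readable and loads together.

    Beyond the PEM marker checks, the pair is loaded into an ``ssl.SSLContext``
    exactly as a server would, so a corrupt file, an encrypted key, or a key
    that does not belong to the certificate is reported here instead of at
    server start.

    Args:
        cert_path: Path to the PEM certificate (chain).
        key_path: Path to the PEM private key.

    Returns:
        ``(True, "SSL configuration valid")`` or ``(False, reason)``.  Reasons
        name the offending path but never file contents.
    """
    if not cert_path or not key_path:
        return False, "Certificate and key paths must be specified"
    cert_path = os.path.abspath(cert_path)
    key_path = os.path.abspath(key_path)
    if not os.path.exists(cert_path):
        return False, f"Certificate file not found: {cert_path}"
    if not os.path.exists(key_path):
        return False, f"Key file not found: {key_path}"
    if not os.access(cert_path, os.R_OK):
        return False, f"Cannot read certificate file: {cert_path}"
    if not os.access(key_path, os.R_OK):
        return False, f"Cannot read key file: {key_path}"
    try:
        with open(cert_path, 'r') as f:
            cert_content = f.read()
        if 'BEGIN CERTIFICATE' not in cert_content:
            return False, "Invalid certificate file format"
        with open(key_path, 'r') as f:
            key_content = f.read()
        if 'BEGIN' not in key_content or 'PRIVATE KEY' not in key_content:
            return False, "Invalid private key file format"
    except (OSError, UnicodeDecodeError) as e:
        # UnicodeDecodeError: a DER (binary) file opened in text mode.
        return False, f"Error reading certificate files: {type(e).__name__}"

    def _refuse_passphrase() -> bytes:
        # The server starts the key without a passphrase, so an encrypted key
        # is a configuration error; raising here also avoids OpenSSL's
        # interactive password prompt, which is the default when no password
        # is supplied to load_cert_chain.
        raise ValueError("encrypted private keys are not supported")

    try:
        context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        context.load_cert_chain(cert_path, key_path, password=_refuse_passphrase)
    except ssl.SSLError as e:
        # e.reason is a short OpenSSL code (e.g. KEY_VALUES_MISMATCH), no paths.
        return False, f"Certificate/key pair could not be loaded: {e.reason or type(e).__name__}"
    except (OSError, ValueError) as e:
        return False, f"Certificate/key pair could not be loaded: {e}"
    return True, "SSL configuration valid"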
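def _start_with_ssl(app, socketio, config, host: str, port: int) -> bool:
    """Validate the configured certificate pair and serve over HTTPS.

    Returns False (after logging) if SSL_CERT/SSL_KEY are unset, fail
    ``validate_ssl_config``, or the server raises on startup.
    """
    ssl_cert = getattr(config, 'SSL_CERT', None)
    ssl_key = getattr(config, 'SSL_KEY', None)
    if not ssl_cert or not ssl_key:
        logger.error("SSL enabled but certificate paths not configured")
        logger.error("Set SSL_CERT and SSL_KEY in config")
        return False
    valid, message = validate_ssl_config(ssl_cert, ssl_key)
    if not valid:
        logger.error(f"SSL validation failed: {message}")
        return False
    logger.info("="*60)
    logger.info("🔒 Starting server with SSL/TLS enabled")
    logger.info("="*60)
    # The URL is printed with "localhost" even when host binds another address.
    logger.info(f"🌐 HTTPS URL: https://localhost:{port}")
    logger.info(f"📜 Certificate: {ssl_cert}")
    logger.info(f"🔑 Private Key: {ssl_key}")
    logger.info("="*60)
    try:
        # Debug is hard-off with TLS so the Werkzeug debugger is never exposed.
        socketio.run(
            app,
            host=host,
            port=port,
            debug=False,
            certfile=ssl_cert,
            keyfile=ssl_key,
            allow_unsafe_werkzeug=False
        )
    except Exception as e:
        logger.error(f"Failed to start server with SSL: {type(e).__name__}: {e}")
        return False
    return True


def _start_plain(app, socketio, host: str, port: int) -> bool:
    """Serve over plain HTTP (development only) with loud warnings."""
    logger.warning("="*60)
    logger.warning("⚠️ Running WITHOUT SSL (Development mode)")
    logger.warning("="*60)
    logger.info(f"🌐 HTTP URL: http://localhost:{port}")
    logger.info("\nTo enable SSL:")
    logger.info(" 1. Generate certificate: python ssl_setup.py --generate")
    logger.info(" 2. Or use Let's Encrypt: python ssl_setup.py --letsencrypt")
    logger.info(" 3. Update config: USE_SSL=True, SSL_CERT=..., SSL_KEY=...")
    logger.warning("\n⚠️ Never use HTTP in production!")
    logger.warning("="*60)
    # Only the literal string "true" (any case) enables debug mode.
    debug_mode = os.environ.get('FLASK_DEBUG', 'False').lower() == 'true'
    try:
        socketio.run(
            app,
            host=host,
            port=port,
            debug=debug_mode,
            allow_unsafe_werkzeug=False
        )
    except Exception as e:
        logger.error(f"Failed to start server: {type(e).__name__}: {e}")
        return False
    return True


def run_server():
    """Start the Flask-SocketIO application, over TLS when ``config.USE_SSL`` is set.

    The ``app`` module must expose ``app``, ``socketio`` and ``config``.
    Bind address and port come from FLASK_HOST (default ``0.0.0.0``, i.e.
    every interface) and FLASK_PORT (default 5000, unprivileged range only).

    Returns:
        True when the server exits normally; False on import, configuration
        or startup failure, with the reason logged.
    """
    try:
        from app import app, socketio, config
    except ImportError as e:
        logger.error(f"Failed to import application: {e}")
        logger.error("Make sure 'app.py' exists with 'app', 'socketio', and 'config' objects")
        return False
    # 0.0.0.0 exposes the service on all interfaces; in the plain-HTTP branch
    # that means an unencrypted listener reachable from the network.
    host = os.environ.get('FLASK_HOST', '0.0.0.0')
    raw_port = os.environ.get('FLASK_PORT', '5000')
    try:
        port = int(raw_port)
    except ValueError:
        # Previously an unhandled ValueError escaped to the __main__ handler.
        logger.error(f"Invalid port: {raw_port}")
        return False
    # Ports below 1024 are refused (presumably so the server need not run as
    # root); note this also rules out 443 for a direct HTTPS listener.
    if not (1024 <= port <= 65535):
        logger.error(f"Invalid port: {port}")
        return False
    # NOTE(review): assumes USE_SSL is a real bool; a string such as "false"
    # would be truthy here — confirm how config is populated.
    if getattr(config, 'USE_SSL', False):
        return _start_with_ssl(app, socketio, config, host, port)
    return _start_plain(app, socketio, host, port)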
# Help text, one entry per printed line (printed verbatim by _cmd_help).
_HELP_LINES = (
    "SSL Setup and Certificate Management",
    "\nUsage:",
    " python ssl_setup.py # Run server",
    " python ssl_setup.py --generate [domain] [days] # Generate self-signed cert",
    " python ssl_setup.py --letsencrypt <domain> <email> # Setup Let's Encrypt",
    " python ssl_setup.py --validate <cert> <key> # Validate SSL config",
    " python ssl_setup.py --help # Show this help",
    "\nExamples:",
    " python ssl_setup.py --generate localhost 365",
    " python ssl_setup.py --letsencrypt example.com admin@example.com",
    " python ssl_setup.py --validate cert.pem key.pem",
)


def _cmd_generate(argv) -> int:
    """``--generate [domain] [days]``: exit code 0 on success, 1 otherwise."""
    domain = 'localhost'
    days = 365
    if len(argv) > 2:
        domain = argv[2]
        if not SSLManager._validate_domain(domain):
            logger.error(f"Invalid domain: {domain}")
            return 1
    if len(argv) > 3:
        try:
            days = int(argv[3])
        except ValueError:
            logger.error(f"Invalid days value: {argv[3]}")
            return 1
    return 0 if SSLManager.generate_self_signed_cert(domain, days) else 1


def _cmd_letsencrypt(argv) -> int:
    """``--letsencrypt <domain> <email>``: exit code 0 on success, 1 otherwise."""
    if len(argv) < 4:
        logger.error("Usage: python ssl_setup.py --letsencrypt <domain> <email>")
        return 1
    return 0 if SSLManager.setup_letsencrypt(argv[2], argv[3]) else 1


def _cmd_validate(argv) -> int:
    """``--validate <cert_path> <key_path>``: exit code 0 if the pair validates."""
    if len(argv) < 4:
        logger.error("Usage: python ssl_setup.py --validate <cert_path> <key_path>")
        return 1
    valid, message = validate_ssl_config(argv[2], argv[3])
    if not valid:
        logger.error(f"❌ {message}")
        return 1
    logger.info(f"✅ {message}")
    return 0


def _cmd_help(argv) -> int:
    """``--help``: print usage to stdout and exit 0."""
    for line in _HELP_LINES:
        print(line)
    return 0


_COMMANDS = {
    '--generate': _cmd_generate,
    '--letsencrypt': _cmd_letsencrypt,
    '--validate': _cmd_validate,
    '--help': _cmd_help,
}


def main():
    """Dispatch on ``sys.argv[1]``; with no arguments, run the server.

    Returns:
        Process exit code (0 success, 1 failure).
    """
    if len(sys.argv) <= 1:
        return 0 if run_server() else 1
    command = sys.argv[1].lower()
    handler = _COMMANDS.get(command)
    if handler is None:
        logger.error(f"Unknown command: {command}")
        logger.info("Run with --help for usage information")
        return 1
    return handler(sys.argv)
if __name__ == '__main__':
    # Map main()'s return value, Ctrl-C, or an unexpected error to a process
    # exit status; SystemExit raised inside main() passes straight through.
    try:
        exit_code = main()
    except KeyboardInterrupt:
        logger.info("\nServer stopped by user")
        exit_code = 0
    except Exception as e:
        logger.error(f"Fatal error: {type(e).__name__}: {e}")
        exit_code = 1
    sys.exit(exit_code)