Merge branch 'add-water-fix' - Closes #1360

Essentially the issue was as follows:

- Dehydrated starts multiple instances of add-water (via dehydrated hook
  script).
- Add-water writes it's pid file, overwriting any other currently running
  Add-water instances.
- Last instance rarely has correct pid file so dehydrated-wrapper / hook
  script cannot kill it.

Fix:

- Separated add-water to server & client components.
- Server component only runs once and does so in background.
- Client can run many times and can pass tokens to be served to server
  component.
- Client component is used by dehydrated hook script to serve multiple
  tokens with a single "http server".

Author: JedMeister

add-water/add-water.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Add Water
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/python /usr/lib/confconsole/plugins.d/Lets_Encrypt/add-water-srv -l /var/log/confconsole/letsencrypt.log
+
+[Install]
+WantedBy=multi-user.target

debian/confconsole.install

@@ -2,3 +2,4 @@ plugins.d/  /usr/lib/confconsole/
 *.py        /usr/lib/confconsole/
 conf/*      /etc/confconsole/
 share/*     /usr/share/confconsole/
+add-water/* /lib/systemd/system

plugins.d/Lets_Encrypt/add-water

@@ -0,0 +1,42 @@
+#!/usr/bin/python
+
+# Copyright (c) 2017 TurnKey GNU/Linux - http://www.turnkeylinux.org
+# 
+# Add-Water-Client - Agent to pass tokens to Add Water to serve
+#                    Dehydrated Let's Encrypt challenges
+#
+# This file is part of Confconsole.
+# 
+# Confconsole is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Affero General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at your
+# option) any later version.
+
+from argparse import ArgumentParser
+import socket
+import sys
+
+if __name__ == '__main__':
+    parser = ArgumentParser(description="add-water-client - Agent to pass tokens to add-water server")
+    token_group = parser.add_mutually_exclusive_group()
+    token_group.add_argument('--deploy', help='path to token file to serve')
+    token_group.add_argument('--clean', help='path to token file to serve')
+    args = parser.parse_args()
+    
+    if args.deploy:
+        op = 'deploy'
+        token_path = args.deploy
+    elif args.clean:
+        op = 'clean'
+        token_path = args.clean
+    else:
+        print('Nothing to do!')
+        sys.exit(1)
+
+    host = '127.0.0.1' 
+    port = 9977
+
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    sock.connect((host, port))
+    sock.sendall(op + ' ' + token_path)
+    

plugins.d/Lets_Encrypt/add-water-client

@@ -0,0 +1,111 @@
+#!/usr/bin/python
+
+# Copyright (c) 2017 TurnKey GNU/Linux - http://www.turnkeylinux.org
+# 
+# Add-Water - Bottle based python HTTP server to serve
+#             Dehydrated Let's Encrypt challenges
+#
+# This file is part of Confconsole.
+# 
+# Confconsole is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Affero General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at your
+# option) any later version.
+
+import socket
+import datetime
+from argparse import ArgumentParser
+from Queue import Queue, Empty
+from threading import Thread
+from os.path import isfile, dirname, basename, abspath
+from bottle import get, static_file, run, route, redirect
+
+# "Maintence" page to serve for all requested content, other than LE token
+DEFAULT_INDEX = '/usr/share/confconsole/letsencrypt/index.html'
+CUSTOM_INDEX = '/var/lib/confconsole/letsencrypt/index.html'
+
+if isfile(CUSTOM_INDEX):
+    INDEX_PATH = CUSTOM_INDEX
+else:
+    INDEX_PATH = DEFAULT_INDEX
+
+INDEX_FILE = basename(INDEX_PATH)
+INDEX_WEBROOT = dirname(INDEX_PATH)
+
+tokens = {}
+token_queue = Queue()
+
+def update_tokens():
+    # pull in new tokens from token queue
+    while True:
+        try:
+            new_token = token_queue.get_nowait()
+        except Empty:
+            break
+        else:
+
+            op, token = new_token.split(' ', 1)
+
+            token_path = abspath(token)
+            token_file = basename(token_path)
+            token_webroot = dirname(token_path)
+
+            if op == 'deploy':
+                tokens[token_file] = token_webroot
+            elif op == 'clean':
+                del tokens[token_file]
+            else:
+                raise ValueError('Unknown operation specified!')
+
+@get("/.well-known/acme-challenge/<filename:path>")
+def challenge(filename):
+    update_tokens()
+    if filename in tokens:
+        token_webroot = tokens[filename]
+        return static_file(filename, root=token_webroot)
+    else:
+        redirect('/')
+
+@route('/')
+def index():
+    update_tokens()
+    return static_file(INDEX_FILE, root=INDEX_WEBROOT)
+
+@route('<randompath:path>')
+def test(randompath):
+    redirect('/')
+
+#--
+
+def handle_token_input():
+    host = '127.0.0.1'
+    port = 9977
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    sock.bind((host, port))
+    sock.listen(1)
+    
+    # client will only send 1 token per connection, might be
+    # more effecient way of doing this, but unsure how with dehydrated
+    while True:
+        conn, addr = sock.accept()
+
+        token = conn.recv(4096).decode('utf8')
+        print('Got token {} from {}: serving'.format(token, addr))
+        token_queue.put(token)
+
+        conn.close()
+
+    sock.close()
+
+if __name__ == '__main__':
+    parser = ArgumentParser(description="add-water - Bottle based python HTTP server to serve Dehydrated Let's Encrypt challenges")
+    parser.add_argument('-l', '--logfile', help='path to logfile')
+    args = parser.parse_args()
+
+    input_handler = Thread(target=handle_token_input)
+    input_handler.start()
+
+    print("[{}] Starting Server".format(
+        datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')))
+    run(host='0.0.0.0', port=80)
+

plugins.d/Lets_Encrypt/add-water-srv

@@ -43,7 +43,7 @@ cp $TKL_CERTFILE $TKL_CERTFILE.bak
 cp $TKL_KEYFILE $TKL_KEYFILE.bak
 
 BASE_BIN_PATH="/usr/lib/confconsole/plugins.d/Lets_Encrypt"
-export HTTP="add-water"
+export HTTP="add-water-client"
 export HTTP_USR="www-data"
 export HTTP_BIN="$BASE_BIN_PATH/$HTTP"
 export HTTP_PID=/var/run/$HTTP/pid
@@ -142,8 +142,7 @@ clean_finish() {
     if [ "$(check_80)" = "python" ]; then
         warning "Python is still listening on port 80"
         info "attempting to kill add-water server"
-        [ -f "$HTTP_PID" ] && kill -9 $(cat $HTTP_PID)
-        rm -f $HTTP_PID
+        systemctl stop add-water
     fi
     [ "$AUTHBIND_USR" = "$HTTP_USR" ] || chown $AUTHBIND_USR $AUTHBIND80
     if [ $EXIT_CODE -ne 0 ]; then
@@ -160,6 +159,7 @@ clean_finish() {
     else
         info "$APP completed successfully."
     fi
+    systemctl stop add-water
     exit $EXIT_CODE
 }
 
@@ -248,6 +248,7 @@ else
 fi
 
 [ "$AUTHBIND_USR" = "$HTTP_USR" ] || chown $HTTP_USR $AUTHBIND80
+systemctl start add-water
 info "running dehydrated"
 if [ "$DEBUG" = "y" ] || [ "$LOG_INFO" = "y" ]; then
     dehydrated --cron $args --config $CONFIG 2>&1 | tee -a $DEBUG_LOG

plugins.d/Lets_Encrypt/dehydrated-wrapper

@@ -23,15 +23,14 @@ function deploy_challenge {
 
     hook_log info "Deploying challenge for $DOMAIN"
     hook_log info "Serving $WELLKNOWN/$TOKEN_FILENAME on http://$DOMAIN/.well-known/acme-challenge/$TOKEN_FILENAME"
-    su - -s /bin/bash -c "authbind $HTTP_BIN -d $HTTP_PID -l $HTTP_LOG $WELLKNOWN/$TOKEN_FILENAME"
+    $HTTP_BIN --deploy "$WELLKNOWN/$TOKEN_FILENAME"
 }
 
 function clean_challenge {
     local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
 
-    hook_log info "Stopping $HTTP daemon"
-    kill -9 $(cat $HTTP_PID)
-    rm $HTTP_PID
+    hook_log info "Clean challenge for $DOMAIN"
+    $HTTP_BIN --clean "$WELLKNOWN/$TOKEN_FILENAME"
 }
 
 function deploy_cert {