
tessl/pypi-certbot-nginx

Nginx plugin for Certbot that enables automated SSL/TLS certificate management and deployment for Nginx web servers.


Platform Constants and Configuration

Platform-specific constants and configuration values used throughout the certbot-nginx plugin. These values handle cross-platform compatibility and provide default configuration settings.

Capabilities

Platform-Specific Server Roots

Default nginx server root directories for different operating systems.

# Platform-specific server root paths
FREEBSD_DARWIN_SERVER_ROOT: str = "/usr/local/etc/nginx"
LINUX_SERVER_ROOT: str = "/etc/nginx"
PKGSRC_SERVER_ROOT: str = "/usr/pkg/etc/nginx"

CLI Configuration Defaults

Default values for command-line interface options.

CLI_DEFAULTS: dict[str, Any] = {
    "server_root": LINUX_SERVER_ROOT,  # Platform-dependent: one of the *_SERVER_ROOT paths above (Linux shown)
    "ctl": "nginx",                    # Default nginx binary name
    "sleep_seconds": 1                 # Default sleep time after configuration changes
}

SSL Configuration Constants

SSL-related configuration file names and paths.

MOD_SSL_CONF_DEST: str = "options-ssl-nginx.conf"
UPDATED_MOD_SSL_CONF_DIGEST: str = ".updated-options-ssl-nginx-conf-digest.txt"

Security Headers Configuration

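Default arguments for the security headers the plugin can add as enhancements. The only header defined is Strict-Transport-Security (HSTS), set with a max-age of 31536000 seconds (one year) and the always flag.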

HSTS_ARGS: list[str] = ['"max-age=31536000"', ' ', 'always']
HEADER_ARGS: dict[str, list[str]] = {'Strict-Transport-Security': HSTS_ARGS}

SSL Configuration Version Control

Hash values for tracking SSL configuration file versions across nginx and OpenSSL updates.

ALL_SSL_OPTIONS_HASHES: list[str] = [
    # List of SHA256 hashes for different SSL configuration versions
    # Used to detect when SSL configuration needs updating
]

Platform Detection Function

Utility function for retrieving platform-specific configuration values.

def os_constant(key: str) -> Any:
    """Get platform-specific constant value.
    
    Retrieves configuration constants based on the current operating system,
    with fallback values for unsupported platforms.
    
    Args:
        key: Constant key to retrieve
        
    Returns:
        Platform-appropriate constant value
        
    Raises:
        KeyError: If the constant key is not recognized
    """

Usage Examples

Getting Platform-Specific Paths

from certbot_nginx._internal import constants

# Get the default server root for current platform
server_root = constants.os_constant("server_root")
print(f"Nginx server root: {server_root}")

# Access CLI defaults
nginx_ctl = constants.CLI_DEFAULTS["ctl"]
sleep_time = constants.CLI_DEFAULTS["sleep_seconds"]

Working with SSL Configuration

# SSL configuration file paths
ssl_conf_file = constants.MOD_SSL_CONF_DEST
ssl_digest_file = constants.UPDATED_MOD_SSL_CONF_DIGEST

print(f"SSL config will be written to: {ssl_conf_file}")
print(f"SSL config digest: {ssl_digest_file}")

# Check if current SSL config hash is known
current_hash = "sha256_hash_of_current_config"
is_known_version = current_hash in constants.ALL_SSL_OPTIONS_HASHES

Security Headers Setup

# Get HSTS header configuration
hsts_config = constants.HEADER_ARGS['Strict-Transport-Security']
hsts_value = ''.join(hsts_config)
print(f"HSTS header value: {hsts_value}")

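# Apply to nginx configuration. HSTS_ARGS carries its own ' ' separator token,
# so the directive name and header name are separated the same way.
hsts_directive = ['add_header', ' ', 'Strict-Transport-Security', ' '] + hsts_config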

Platform Compatibility

The constants module handles differences between:

  • Linux systems: Uses /etc/nginx as default server root
  • FreeBSD/macOS: Uses /usr/local/etc/nginx as default server root
  • pkgsrc systems: Uses /usr/pkg/etc/nginx as default server root

This ensures the plugin works correctly across different nginx installation methods and operating systems.

SSL Configuration Management

The SSL configuration hash tracking system ensures:

  1. Version Detection: Identifies when SSL configurations need updates
  2. Backward Compatibility: Maintains support for older SSL configurations
  3. Security Updates: Enables automatic security enhancements over time
  4. Conflict Resolution: Prevents overwriting user-customized SSL settings

The hash-based system allows the plugin to detect when the SSL configuration file has been modified and decide whether to update it with newer security settings.
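The update decision described above, as an added example (not certbot-nginx's own code). `decide_update` and `apply_update` are hypothetical helpers, and the file contents and known-hash list are constructed stand-ins for shipped versions and `ALL_SSL_OPTIONS_HASHES`.

```python
import hashlib
import tempfile
from pathlib import Path

MOD_SSL_CONF_DEST = "options-ssl-nginx.conf"  # file name from the page

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def decide_update(dest: Path, new_conf: bytes, known_hashes: list) -> str:
    """Hypothetical helper: classify the installed file against shipped versions."""
    if not dest.is_file():
        return "install"            # nothing there yet
    active = sha256_hex(dest.read_bytes())
    if active == sha256_hex(new_conf):
        return "current"            # already the newest shipped version
    if active in known_hashes:
        return "update"             # byte-identical to an older shipped version
    return "keep"                   # unknown hash: edited by the admin, leave it

def apply_update(dest: Path, new_conf: bytes, known_hashes: list) -> str:
    """Hypothetical helper: overwrite only when decide_update says it is safe."""
    action = decide_update(dest, new_conf, known_hashes)
    if action in ("install", "update"):
        dest.write_bytes(new_conf)
    return action

def demo() -> dict:
    # Constructed file contents standing in for two shipped versions.
    old = b"ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"
    new = b"ssl_protocols TLSv1.2 TLSv1.3;\n"
    custom = new + b"ssl_session_timeout 10m;\n"   # admin's local edit
    known = [sha256_hex(old), sha256_hex(new)]     # plays ALL_SSL_OPTIONS_HASHES
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / MOD_SSL_CONF_DEST
        out["missing"] = apply_update(dest, new, known)
        out["unchanged"] = apply_update(dest, new, known)
        dest.write_bytes(old)
        out["old_shipped"] = apply_update(dest, new, known)
        out["upgraded"] = dest.read_bytes() == new
        dest.write_bytes(custom)
        out["customized"] = apply_update(dest, new, known)
        out["custom_preserved"] = dest.read_bytes() == custom
    return out

if __name__ == "__main__":
    print(demo())
```

Because the comparison is on exact bytes, any local edit, even whitespace, yields an unknown hash and the file is left alone, so an administrator who customizes it takes over responsibility for keeping its TLS settings current.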

Install with Tessl CLI

npx tessl i tessl/pypi-certbot-nginx
