Now adds the CA bundle as well.

WiddleWabbit · WiddleWabbit · commit e052e8863326 · 2018-05-29T15:49:57.000+08:00
diff --git a/README b/README
@@ -6,5 +6,8 @@ Requires:
 This script will update symlinks specified inside it to the latest ssl certificates from the relevant accounts on the server.
 Designed for use with cPanel's AutoSSL. This was created to combat Nginx requiring a direct link to the SSL Certificate while in use as a reverse proxy for Varnish Caching.
 
-Currently Configuration is entirely manual inside the python script file.
+As an addition the script will now also add the ca bundle from cPanel, using the cPanel UAPI, to the bottom of the certificate file. This is to prevent certificate incomplete errors
+and to prevent errors on mobile devices where the device's browser does not store copies of as many trusted Certificate Authorities as a desktop browser does.
+
+Currently Configuration is manual inside the python script file.
 
diff --git a/nginx_sslupdate.py b/nginx_sslupdate.py
@@ -42,8 +42,8 @@
     usrdir_key = '/home/' + options.user + '/ssl/keys/'
 
 #   Use glob to find the most recent certificate file and the most recent key file from the users directory
-    newest_cert = max(glob.iglob(os.path.join(usrdir_cert, '*.crt')), key=os.path.getctime)
-    newest_key = max(glob.iglob(os.path.join(usrdir_key, '*.key')), key=os.path.getctime)
+    newest_cert = max(glob.iglob(os.path.join(usrdir_cert, '*.crt')), key=os.path.getmtime)
+    newest_key = max(glob.iglob(os.path.join(usrdir_key, '*.key')), key=os.path.getmtime)
 
 #   Check to see if the latest certificate and the latest key are both the same as the current ones, if so then exit
     if current_cert == newest_cert and current_key == newest_key:
@@ -74,8 +74,52 @@ def symlink_force(target, link_name):
 
                 else:
                     raise e
-        
+
+#   Define function to be used for adding the ca bundle to the bottom of the certificate to prevent certificate incomplete errors.
+        def addBundle(user, cert_file):
+
+            # Import subprocess so that the cPanel UAPI can be used
+            import subprocess
+            
+            # Ensure the certificate file is formatted for the id
+            cert_file = cert_file.replace('.crt', '')
+            cert_file = cert_file.split('/')[-1]
+
+            # Fetch the cabundle using the UAPI
+            print('Fetching cabundle from cPanel using UAPI')
+            uapi_cmd = "uapi --user=" + user + " SSL fetch_cert_info id=" + cert_file
+            process = subprocess.Popen(uapi_cmd.split(), stdout=subprocess.PIPE)
+            output, err = process.communicate()
+
+            # Seperate out the response and get the bundles from the response
+            output = output.split()
+            bundle_begin = output.index('cabundle:')
+            bundle_end = output.index('certificate:')
+
+            bundle = ""
+            first = 0
+
+            for index in range(int(bundle_begin + 1), bundle_end):
+
+                if first == 0:
+                    bundle = '\n' + bundle + output[index]
+                    first = 1
+
+                else:
+                    bundle = bundle + " " + output[index]
+
+            # Ensure the file is correctly formatted to be appended to the other documents
+            bundle = bundle.replace("\\n", "\n")
+            bundle = bundle.replace('"', '')
+
+            # Append the bundle to the original certificate file
+            export = open('/home/' + user + '/ssl/certs/' + cert_file + '.crt', "a")
+            export.write(bundle)
+            export.close()
+            print('Appended to file successfully')
+
 #   Call symlink_force function to replace symlinks with symlinks to the latest certificates
+        addBundle(options.user, newest_cert)
         symlink_force(newest_cert, current_sym_cert)
         symlink_force(newest_key, current_sym_key)
 
