--- /dev/null
+#!/usr/bin/python
+
+import logging
+from socket import getfqdn
+
+
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
+
+from acme import client
+from acme import jose
+from acme import messages
+
+import OpenSSL
+
+from . import constants
+from .authorize import authorize
+from .certificate import Certificate
+
+
+
+class Client(object):
+ def __init__(self, inventory, settings):
+ self._inventory = inventory
+ self._settings = settings
+ self._client = None
+
+
+ def _get_client(self):
+ if self._client is None:
+ logging.info("Loading account key")
+ with open("data/account.key.pem", "rb") as keyfd:
+ private_key = serialization.load_pem_private_key(
+ keyfd.read(),
+ password=None,
+ backend=default_backend()
+ )
+
+ logging.info("Loading account registration")
+ with open("data/registration.json", "rb") as regfd:
+ registration = messages.RegistrationResource.json_loads(regfd.read())
+
+ account_key = jose.JWKRSA(key=private_key)
+ acme_client = client.Client(constants.DIRECTORY_URL, account_key)
+ self._client = registration, acme_client, account_key
+
+ return self._client
+
+
+ def get_certificate(self, cname, servicetype):
+ sans = self._inventory.get_sans(getfqdn(), servicetype, cname)
+
+ _, acme_client, _ = self._get_client()
+ authorizations = authorize(sans, self._get_client(), self._settings)
+ certificate = Certificate(servicetype, cname, sans)
+
+ orequest = OpenSSL.crypto.load_certificate_request(
+ OpenSSL.crypto.FILETYPE_PEM, certificate.asString())
+
+ jrequest = jose.util.ComparableX509(orequest)
+ cert = acme_client.request_issuance(jrequest, authorizations)
+ chain = acme_client.fetch_chain(cert)
+
+ certificate.save(cert, chain)
+
+ logging.info("CName: %s", cname)
+ logging.info("SANs: %s", sans)
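Review bot: `_get_client` loads the ACME account private key and registration from the cwd-relative paths `data/account.key.pem` and `data/registration.json`, so which account key is used depends on the directory the process happens to be started from rather than on configuration; since the class already receives `settings` and the module imports `constants`, the data directory would be better resolved from one of those (a placeholder name such as `DATA_DIR` until the real setting is chosen) and stated in a docstring on `_get_client`. The `password=None` on the key load should also carry a comment that the account key is expected to be stored unencrypted on disk, e.g. `# account key is stored unencrypted; protect data/ by file permissions`. Separately, `get_certificate` calls `self._get_client()` twice in consecutive lines; binding it once reads clearer: `acme_bundle = self._get_client()`, `_, acme_client, _ = acme_bundle`, `authorizations = authorize(sans, acme_bundle, self._settings)`. The hunk's indentation appears to have been flattened in rendering, so method boundaries here are inferred from context.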