Merge branch 'renewal_validity_01' of github.com:Netflix/lemur into renewal_validity_01
This commit is contained in:
commit
1e81d47793
@ -172,7 +172,7 @@ class AcmeHandler(object):
|
||||
|
||||
except (AcmeError, TimeoutError):
|
||||
sentry.captureException(extra={"order_url": str(order.uri)})
|
||||
metrics.send("request_certificate_error", "counter", 1)
|
||||
metrics.send("request_certificate_error", "counter", 1, metric_tags={"uri": order.uri})
|
||||
current_app.logger.error(
|
||||
f"Unable to resolve Acme order: {order.uri}", exc_info=True
|
||||
)
|
||||
@ -183,6 +183,11 @@ class AcmeHandler(object):
|
||||
else:
|
||||
raise
|
||||
|
||||
metrics.send("request_certificate_success", "counter", 1, metric_tags={"uri": order.uri})
|
||||
current_app.logger.info(
|
||||
f"Successfully resolved Acme order: {order.uri}", exc_info=True
|
||||
)
|
||||
|
||||
pem_certificate = OpenSSL.crypto.dump_certificate(
|
||||
OpenSSL.crypto.FILETYPE_PEM,
|
||||
OpenSSL.crypto.load_certificate(
|
||||
|
@ -96,7 +96,7 @@ def build_secret(secret_format, secret_name, body, private_key, cert_chain):
|
||||
if secret_format == "TLS":
|
||||
secret["type"] = "kubernetes.io/tls"
|
||||
secret["data"] = {
|
||||
"tls.crt": base64encode(cert_chain),
|
||||
"tls.crt": base64encode(body),
|
||||
"tls.key": base64encode(private_key),
|
||||
}
|
||||
if secret_format == "Certificate":
|
||||
|
@ -98,10 +98,14 @@ def process_options(options):
|
||||
:param options:
|
||||
:return: dict or valid verisign options
|
||||
"""
|
||||
# if there is a config variable with VERISIGN_PRODUCT_<upper(authority.name)> take the value as Cert product-type
|
||||
# else default to "Server", to be compatoible with former versions
|
||||
authority = options.get("authority").name.upper()
|
||||
product_type = current_app.config.get("VERISIGN_PRODUCT_{0}".format(authority), "Server")
|
||||
data = {
|
||||
"challenge": get_psuedo_random_string(),
|
||||
"serverType": "Apache",
|
||||
"certProductType": "Server",
|
||||
"certProductType": product_type,
|
||||
"firstName": current_app.config.get("VERISIGN_FIRST_NAME"),
|
||||
"lastName": current_app.config.get("VERISIGN_LAST_NAME"),
|
||||
"signatureAlgorithm": "sha256WithRSAEncryption",
|
||||
@ -111,11 +115,6 @@ def process_options(options):
|
||||
|
||||
data["subject_alt_names"] = ",".join(get_additional_names(options))
|
||||
|
||||
if options.get("validity_end") > arrow.utcnow().shift(years=2):
|
||||
raise Exception(
|
||||
"Verisign issued certificates cannot exceed two years in validity"
|
||||
)
|
||||
|
||||
if options.get("validity_end"):
|
||||
# VeriSign (Symantec) only accepts strictly smaller than 2 year end date
|
||||
if options.get("validity_end") < arrow.utcnow().shift(years=2, days=-1):
|
||||
@ -210,7 +209,7 @@ class VerisignIssuerPlugin(IssuerPlugin):
|
||||
|
||||
response = self.session.post(url, data=data)
|
||||
try:
|
||||
cert = handle_response(response.content)["Response"]["Certificate"]
|
||||
response_dict = handle_response(response.content)
|
||||
except KeyError:
|
||||
metrics.send(
|
||||
"verisign_create_certificate_error",
|
||||
@ -222,8 +221,13 @@ class VerisignIssuerPlugin(IssuerPlugin):
|
||||
extra={"common_name": issuer_options.get("common_name", "")}
|
||||
)
|
||||
raise Exception(f"Error with Verisign: {response.content}")
|
||||
# TODO add external id
|
||||
return cert, current_app.config.get("VERISIGN_INTERMEDIATE"), None
|
||||
authority = issuer_options.get("authority").name.upper()
|
||||
cert = response_dict['Response']['Certificate']
|
||||
external_id = None
|
||||
if 'Transaction_ID' in response_dict['Response'].keys():
|
||||
external_id = response_dict['Response']['Transaction_ID']
|
||||
chain = current_app.config.get("VERISIGN_INTERMEDIATE_{0}".format(authority), current_app.config.get("VERISIGN_INTERMEDIATE"))
|
||||
return cert, chain, external_id
|
||||
|
||||
@staticmethod
|
||||
def create_authority(options):
|
||||
|
@ -5,37 +5,39 @@
|
||||
# pip-compile --no-index --output-file=requirements-dev.txt requirements-dev.in
|
||||
#
|
||||
aspy.yaml==1.3.0 # via pre-commit
|
||||
bleach==3.1.0 # via readme-renderer
|
||||
bleach==3.1.1 # via readme-renderer
|
||||
certifi==2019.11.28 # via requests
|
||||
cffi==1.14.0 # via cryptography
|
||||
cfgv==2.0.1 # via pre-commit
|
||||
chardet==3.0.4 # via requests
|
||||
cryptography==2.8 # via secretstorage
|
||||
docutils==0.15.2 # via readme-renderer
|
||||
flake8==3.5.0
|
||||
identify==1.4.9 # via pre-commit
|
||||
idna==2.8 # via requests
|
||||
importlib-metadata==1.3.0 # via keyring, pre-commit, twine
|
||||
invoke==1.3.0
|
||||
jeepney==0.4.2 # via secretstorage
|
||||
keyring==21.0.0 # via twine
|
||||
mccabe==0.6.1 # via flake8
|
||||
more-itertools==8.0.2 # via zipp
|
||||
nodeenv==1.3.3
|
||||
pkginfo==1.5.0.1 # via twine
|
||||
pre-commit==1.21.0
|
||||
pycodestyle==2.3.1 # via flake8
|
||||
pycparser==2.19 # via cffi
|
||||
pyflakes==1.6.0 # via flake8
|
||||
pygments==2.5.2 # via readme-renderer
|
||||
pyyaml==5.2
|
||||
readme-renderer==24.0 # via twine
|
||||
requests-toolbelt==0.9.1 # via twine
|
||||
requests==2.22.0 # via requests-toolbelt, twine
|
||||
six==1.13.0 # via bleach, cfgv, pre-commit, readme-renderer
|
||||
secretstorage==3.1.2 # via keyring
|
||||
six==1.13.0 # via bleach, cfgv, cryptography, pre-commit, readme-renderer
|
||||
toml==0.10.0 # via pre-commit
|
||||
tqdm==4.41.1 # via twine
|
||||
twine==3.1.1
|
||||
urllib3==1.25.7 # via requests
|
||||
virtualenv==16.7.9 # via pre-commit
|
||||
webencodings==0.5.1 # via bleach
|
||||
zipp==0.6.0 # via importlib-metadata
|
||||
|
||||
# The following packages are considered to be unsafe in a requirements file:
|
||||
# setuptools
|
||||
|
Loading…
Reference in New Issue
Block a user