Merge branch 'renewal_validity_01' of github.com:Netflix/lemur into renewal_validity_01

This commit is contained in:
csine-nflx 2020-03-03 17:28:58 -08:00
commit 1e81d47793
4 changed files with 27 additions and 16 deletions


@ -172,7 +172,7 @@ class AcmeHandler(object):
except (AcmeError, TimeoutError): except (AcmeError, TimeoutError):
sentry.captureException(extra={"order_url": str(order.uri)}) sentry.captureException(extra={"order_url": str(order.uri)})
metrics.send("request_certificate_error", "counter", 1) metrics.send("request_certificate_error", "counter", 1, metric_tags={"uri": order.uri})
current_app.logger.error( current_app.logger.error(
f"Unable to resolve Acme order: {order.uri}", exc_info=True f"Unable to resolve Acme order: {order.uri}", exc_info=True
) )
@ -183,6 +183,11 @@ class AcmeHandler(object):
else: else:
raise raise
metrics.send("request_certificate_success", "counter", 1, metric_tags={"uri": order.uri})
current_app.logger.info(
f"Successfully resolved Acme order: {order.uri}", exc_info=True
)
pem_certificate = OpenSSL.crypto.dump_certificate( pem_certificate = OpenSSL.crypto.dump_certificate(
OpenSSL.crypto.FILETYPE_PEM, OpenSSL.crypto.FILETYPE_PEM,
OpenSSL.crypto.load_certificate( OpenSSL.crypto.load_certificate(
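Review bot: The new success-path log passes `exc_info=True` while no exception is in flight, so the formatter appends a spurious `NoneType: None` traceback to every successful resolution; drop the flag: `current_app.logger.info(f"Successfully resolved Acme order: {order.uri}")`. Tagging both counters with `order.uri` also turns each ACME order into its own time series, an unbounded-cardinality tag that most metrics backends reject or throttle; if a tag is needed, prefer a bounded value such as the authority or account and keep the URI in the log line. The except branch converts the URI with `str()` for Sentry but passes the raw object to `metric_tags`; use `str(order.uri)` there as well for consistency. The enclosing method starts and ends outside the hunk.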


@ -96,7 +96,7 @@ def build_secret(secret_format, secret_name, body, private_key, cert_chain):
if secret_format == "TLS": if secret_format == "TLS":
secret["type"] = "kubernetes.io/tls" secret["type"] = "kubernetes.io/tls"
secret["data"] = { secret["data"] = {
"tls.crt": base64encode(cert_chain), "tls.crt": base64encode(body),
"tls.key": base64encode(private_key), "tls.key": base64encode(private_key),
} }
if secret_format == "Certificate": if secret_format == "Certificate":
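Review bot: `tls.crt` in a `kubernetes.io/tls` secret conventionally holds the leaf certificate followed by its intermediates, so switching the value from `cert_chain` to `body` alone drops the chain if `cert_chain` carries only the intermediates (its contents are not visible here); clients that do not already have the intermediates would then fail chain building. If that is the case, emit both: `"tls.crt": base64encode(body + "\n" + cert_chain if cert_chain else body),`. A one-line comment stating what `body` and `cert_chain` are expected to contain would settle the question for the next reader. `build_secret` continues outside the hunk.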


@ -98,10 +98,14 @@ def process_options(options):
:param options: :param options:
:return: dict or valid verisign options :return: dict or valid verisign options
""" """
# if there is a config variable with VERISIGN_PRODUCT_<upper(authority.name)> take the value as Cert product-type
# else default to "Server", to be compatoible with former versions
authority = options.get("authority").name.upper()
product_type = current_app.config.get("VERISIGN_PRODUCT_{0}".format(authority), "Server")
data = { data = {
"challenge": get_psuedo_random_string(), "challenge": get_psuedo_random_string(),
"serverType": "Apache", "serverType": "Apache",
"certProductType": "Server", "certProductType": product_type,
"firstName": current_app.config.get("VERISIGN_FIRST_NAME"), "firstName": current_app.config.get("VERISIGN_FIRST_NAME"),
"lastName": current_app.config.get("VERISIGN_LAST_NAME"), "lastName": current_app.config.get("VERISIGN_LAST_NAME"),
"signatureAlgorithm": "sha256WithRSAEncryption", "signatureAlgorithm": "sha256WithRSAEncryption",
@ -111,11 +115,6 @@ def process_options(options):
data["subject_alt_names"] = ",".join(get_additional_names(options)) data["subject_alt_names"] = ",".join(get_additional_names(options))
if options.get("validity_end") > arrow.utcnow().shift(years=2):
raise Exception(
"Verisign issued certificates cannot exceed two years in validity"
)
if options.get("validity_end"): if options.get("validity_end"):
# VeriSign (Symantec) only accepts strictly smaller than 2 year end date # VeriSign (Symantec) only accepts strictly smaller than 2 year end date
if options.get("validity_end") < arrow.utcnow().shift(years=2, days=-1): if options.get("validity_end") < arrow.utcnow().shift(years=2, days=-1):
@ -210,7 +209,7 @@ class VerisignIssuerPlugin(IssuerPlugin):
response = self.session.post(url, data=data) response = self.session.post(url, data=data)
try: try:
cert = handle_response(response.content)["Response"]["Certificate"] response_dict = handle_response(response.content)
except KeyError: except KeyError:
metrics.send( metrics.send(
"verisign_create_certificate_error", "verisign_create_certificate_error",
@ -222,8 +221,13 @@ class VerisignIssuerPlugin(IssuerPlugin):
extra={"common_name": issuer_options.get("common_name", "")} extra={"common_name": issuer_options.get("common_name", "")}
) )
raise Exception(f"Error with Verisign: {response.content}") raise Exception(f"Error with Verisign: {response.content}")
# TODO add external id authority = issuer_options.get("authority").name.upper()
return cert, current_app.config.get("VERISIGN_INTERMEDIATE"), None cert = response_dict['Response']['Certificate']
external_id = None
if 'Transaction_ID' in response_dict['Response'].keys():
external_id = response_dict['Response']['Transaction_ID']
chain = current_app.config.get("VERISIGN_INTERMEDIATE_{0}".format(authority), current_app.config.get("VERISIGN_INTERMEDIATE"))
return cert, chain, external_id
@staticmethod @staticmethod
def create_authority(options): def create_authority(options):
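Review bot: Moving `response_dict['Response']['Certificate']` out of the `try` in the last hunk means a Verisign reply without a `Certificate` key now raises a bare `KeyError` that bypasses the `verisign_create_certificate_error` metric and the Sentry capture the except branch was written for; keep the lookup inside the `try` (`cert = response_dict['Response']['Certificate']` right after the `handle_response` call) or widen the except to cover it. The `Transaction_ID` probe can be written as `external_id = response_dict['Response'].get('Transaction_ID')`, which removes the `.keys()` membership test and the separate `None` assignment. The same `options.get("authority").name.upper()` lookup now appears in both `process_options` and the method in the last hunk; a small helper with a comment explaining that the authority name selects the `VERISIGN_PRODUCT_*` and `VERISIGN_INTERMEDIATE_*` config keys would keep the two in step. The new comment in the first hunk misspells "compatible". The method in the last hunk starts outside the hunk.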


@ -5,37 +5,39 @@
# pip-compile --no-index --output-file=requirements-dev.txt requirements-dev.in # pip-compile --no-index --output-file=requirements-dev.txt requirements-dev.in
# #
aspy.yaml==1.3.0 # via pre-commit aspy.yaml==1.3.0 # via pre-commit
bleach==3.1.0 # via readme-renderer bleach==3.1.1 # via readme-renderer
certifi==2019.11.28 # via requests certifi==2019.11.28 # via requests
cffi==1.14.0 # via cryptography
cfgv==2.0.1 # via pre-commit cfgv==2.0.1 # via pre-commit
chardet==3.0.4 # via requests chardet==3.0.4 # via requests
cryptography==2.8 # via secretstorage
docutils==0.15.2 # via readme-renderer docutils==0.15.2 # via readme-renderer
flake8==3.5.0 flake8==3.5.0
identify==1.4.9 # via pre-commit identify==1.4.9 # via pre-commit
idna==2.8 # via requests idna==2.8 # via requests
importlib-metadata==1.3.0 # via keyring, pre-commit, twine
invoke==1.3.0 invoke==1.3.0
jeepney==0.4.2 # via secretstorage
keyring==21.0.0 # via twine keyring==21.0.0 # via twine
mccabe==0.6.1 # via flake8 mccabe==0.6.1 # via flake8
more-itertools==8.0.2 # via zipp
nodeenv==1.3.3 nodeenv==1.3.3
pkginfo==1.5.0.1 # via twine pkginfo==1.5.0.1 # via twine
pre-commit==1.21.0 pre-commit==1.21.0
pycodestyle==2.3.1 # via flake8 pycodestyle==2.3.1 # via flake8
pycparser==2.19 # via cffi
pyflakes==1.6.0 # via flake8 pyflakes==1.6.0 # via flake8
pygments==2.5.2 # via readme-renderer pygments==2.5.2 # via readme-renderer
pyyaml==5.2 pyyaml==5.2
readme-renderer==24.0 # via twine readme-renderer==24.0 # via twine
requests-toolbelt==0.9.1 # via twine requests-toolbelt==0.9.1 # via twine
requests==2.22.0 # via requests-toolbelt, twine requests==2.22.0 # via requests-toolbelt, twine
six==1.13.0 # via bleach, cfgv, pre-commit, readme-renderer secretstorage==3.1.2 # via keyring
six==1.13.0 # via bleach, cfgv, cryptography, pre-commit, readme-renderer
toml==0.10.0 # via pre-commit toml==0.10.0 # via pre-commit
tqdm==4.41.1 # via twine tqdm==4.41.1 # via twine
twine==3.1.1 twine==3.1.1
urllib3==1.25.7 # via requests urllib3==1.25.7 # via requests
virtualenv==16.7.9 # via pre-commit virtualenv==16.7.9 # via pre-commit
webencodings==0.5.1 # via bleach webencodings==0.5.1 # via bleach
zipp==0.6.0 # via importlib-metadata
# The following packages are considered to be unsafe in a requirements file: # The following packages are considered to be unsafe in a requirements file:
# setuptools # setuptools