From 1e64851d791f9c0f03625f958496f5d2c87d17de Mon Sep 17 00:00:00 2001 From: Curtis Castrapel Date: Fri, 26 Apr 2019 10:16:18 -0700 Subject: [PATCH 1/8] Strip out self-polling logic and rely on ACME; Enhance ELB logging and retries --- lemur/plugins/lemur_acme/dyn.py | 17 ++-- lemur/plugins/lemur_acme/plugin.py | 44 ++++------- lemur/plugins/lemur_aws/elb.py | 121 +++++++++++++++++++---------- 3 files changed, 104 insertions(+), 78 deletions(-) diff --git a/lemur/plugins/lemur_acme/dyn.py b/lemur/plugins/lemur_acme/dyn.py index 4eb01958..4159532c 100644 --- a/lemur/plugins/lemur_acme/dyn.py +++ b/lemur/plugins/lemur_acme/dyn.py @@ -64,11 +64,10 @@ def wait_for_dns_change(change_id, account_number=None): metrics.send('wait_for_dns_change_fail', 'counter', 1) sentry.captureException( extra={ - "fqdn": fqdn, "txt_record": token} + "fqdn": str(fqdn), "txt_record": str(token)} ) metrics.send('wait_for_dns_change_error', 'counter', 1, metric_tags={'fqdn': fqdn, 'txt_record': token}) - raise Exception("Unable to query DNS token for fqdn {}.".format(fqdn)) return @@ -155,8 +154,8 @@ def delete_txt_record(change_id, account_number, domain, token): except DynectDeleteError: sentry.captureException( extra={ - "fqdn": fqdn, "zone_name": zone_name, "node_name": node_name, - "txt_record": txt_record.txtdata} + "fqdn": str(fqdn), "zone_name": str(zone_name), "node_name": str(node_name), + "txt_record": str(txt_record.txtdata)} ) metrics.send('delete_txt_record_deleteerror', 'counter', 1, metric_tags={'fqdn': fqdn, 'txt_record': txt_record.txtdata}) 
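Review bot: With the `raise` removed at the end of the first dyn.py hunk, `wait_for_dns_change` reports the failure to metrics and Sentry and then returns normally, so a caller cannot tell a propagated TXT record from one that was never observed. PATCH 5/8 in this series restores the caller's `try/except` around `wait_for_dns_change` in plugin.py, and that handler cannot fire for this path, so the challenge would be answered even though the record was not seen. I would keep `raise Exception("Unable to query DNS token for fqdn {}.".format(fqdn))` after the metrics call, or return an explicit success flag that the caller checks. The function body starts outside the hunk, so the failure condition itself is inferred from the metric names and the removed message.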
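Review bot: The Sentry `extra` values in `delete_txt_record` are now wrapped in `str()`, but the `metrics.send('delete_txt_record_deleteerror', ...)` call right below still passes the raw `fqdn` and `txt_record.txtdata` objects as tag values. The same holds for `wait_for_dns_change_error` in the first hunk and for the `delete_acme_txt_records` hunk; only the `delete_txt_record_publish_error` call was converted. For consistency the three remaining calls could use the same form, e.g. `metric_tags={'fqdn': str(fqdn), 'txt_record': str(txt_record.txtdata)}`.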
@@ -166,11 +165,11 @@ def delete_txt_record(change_id, account_number, domain, token): except DynectUpdateError: sentry.captureException( extra={ - "fqdn": fqdn, "zone_name": zone_name, "node_name": node_name, - "txt_record": txt_record.txtdata} + "fqdn": str(fqdn), "zone_name": str(zone_name), "node_name": str(node_name), + "txt_record": str(txt_record.txtdata)} ) metrics.send('delete_txt_record_publish_error', 'counter', 1, - metric_tags={'fqdn': fqdn, 'txt_record': txt_record.txtdata}) + metric_tags={'fqdn': str(fqdn), 'txt_record': str(txt_record.txtdata)}) def delete_acme_txt_records(domain): @@ -201,8 +200,8 @@ def delete_acme_txt_records(domain): except DynectDeleteError: sentry.captureException( extra={ - "fqdn": fqdn, "zone_name": zone_name, "node_name": node_name, - "txt_record": txt_record.txtdata} + "fqdn": str(fqdn), "zone_name": str(zone_name), "node_name": str(node_name), + "txt_record": str(txt_record.txtdata)} ) metrics.send('delete_txt_record_deleteerror', 'counter', 1, metric_tags={'fqdn': fqdn, 'txt_record': txt_record.txtdata}) diff --git a/lemur/plugins/lemur_acme/plugin.py b/lemur/plugins/lemur_acme/plugin.py index 7519c4c7..3350682c 100644 --- a/lemur/plugins/lemur_acme/plugin.py +++ b/lemur/plugins/lemur_acme/plugin.py 
@@ -102,49 +102,33 @@ class AcmeHandler(object): metrics.send('complete_dns_challenge_error_no_dnsproviders', 'counter', 1) raise Exception("No DNS providers found for domain: {}".format(authz_record.host)) - for dns_provider in dns_providers: - # Grab account number (For Route53) - dns_provider_options = json.loads(dns_provider.credentials) - account_number = dns_provider_options.get("account_id") - dns_provider_plugin = self.get_dns_provider(dns_provider.provider_type) - for change_id in authz_record.change_id: - try: - dns_provider_plugin.wait_for_dns_change(change_id, account_number=account_number) - except Exception: - metrics.send('complete_dns_challenge_error', 'counter', 1) - sentry.captureException() - current_app.logger.debug( - f"Unable to resolve DNS challenge for change_id: {change_id}, account_id: " - f"{account_number}", exc_info=True) - raise + for dns_challenge in authz_record.dns_challenge: + response = dns_challenge.response(acme_client.client.net.key) - for dns_challenge in authz_record.dns_challenge: - response = dns_challenge.response(acme_client.client.net.key) + verified = response.simple_verify( + dns_challenge.chall, + authz_record.host, + acme_client.client.net.key.public_key() + ) - verified = response.simple_verify( - dns_challenge.chall, - authz_record.host, - acme_client.client.net.key.public_key() - ) + if not verified: + metrics.send('complete_dns_challenge_verification_error', 'counter', 1) + raise ValueError("Failed verification") - if not verified: - metrics.send('complete_dns_challenge_verification_error', 'counter', 1) - raise ValueError("Failed verification") - - time.sleep(5) - acme_client.answer_challenge(dns_challenge, response) + time.sleep(5) + acme_client.answer_challenge(dns_challenge, response) def request_certificate(self, acme_client, authorizations, order): for authorization in authorizations: for authz in authorization.authz: authorization_resource, _ = acme_client.poll(authz) - deadline = datetime.datetime.now() + 
datetime.timedelta(seconds=90) + deadline = datetime.datetime.now() + datetime.timedelta(seconds=360) try: orderr = acme_client.poll_and_finalize(order, deadline) except AcmeError: - sentry.captureException(extra={"order_url": order.uri}) + sentry.captureException(extra={"order_url": str(order.uri)}) metrics.send('request_certificate_error', 'counter', 1) current_app.logger.error(f"Unable to resolve Acme order: {order.uri}", exc_info=True) raise diff --git a/lemur/plugins/lemur_aws/elb.py b/lemur/plugins/lemur_aws/elb.py index 43d99ff2..77e99d18 100644 --- a/lemur/plugins/lemur_aws/elb.py +++ b/lemur/plugins/lemur_aws/elb.py @@ -21,14 +21,22 @@ def retry_throttled(exception): :param exception: :return: """ + + # Log details about the exception + try: + raise exception + except Exception as e: + current_app.logger.error("ELB retry_throttled triggered", exc_info=True) + metrics.send('elb_retry', 'counter', 1, + metric_tags={"exception": e}) + sentry.captureException() + if isinstance(exception, botocore.exceptions.ClientError): if exception.response['Error']['Code'] == 'LoadBalancerNotFound': return False if exception.response['Error']['Code'] == 'CertificateNotFound': return False - - metrics.send('elb_retry', 'counter', 1) return True @@ -63,16 +71,20 @@ def get_all_elbs(**kwargs): :return: """ elbs = [] + try: + while True: + response = get_elbs(**kwargs) - while True: - response = get_elbs(**kwargs) + elbs += response['LoadBalancerDescriptions'] - elbs += response['LoadBalancerDescriptions'] - - if not response.get('NextMarker'): - return elbs - else: - kwargs.update(dict(Marker=response['NextMarker'])) + if not response.get('NextMarker'): + return elbs + else: + kwargs.update(dict(Marker=response['NextMarker'])) + except Exception as e: # noqa + metrics.send('get_all_elbs_error', 'counter', 1) + sentry.captureException() + raise def get_all_elbs_v2(**kwargs): 
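Review bot: The logging block added at the top of `retry_throttled` runs before the `LoadBalancerNotFound` / `CertificateNotFound` checks, so `elb_retry` is now counted and a Sentry event is sent even for the errors that return `False` and are never retried; before this change the counter was only sent on the retry path. The tag `{"exception": e}` also puts the exception object itself into a metric tag, and its string form carries the AWS error message, so the tag values are not a fixed set. Moving the block below the early returns and tagging with the exception class name keeps the counter meaningful and limits Sentry volume to one event per actual retry, which matters now that the callers allow up to 20 attempts.

```python
    if isinstance(exception, botocore.exceptions.ClientError):
        if exception.response['Error']['Code'] in ('LoadBalancerNotFound', 'CertificateNotFound'):
            return False

    # Reached only when the call is going to be retried.
    try:
        raise exception
    except Exception as e:
        current_app.logger.error("ELB retry_throttled triggered", exc_info=True)
        metrics.send('elb_retry', 'counter', 1,
                     metric_tags={"exception": type(e).__name__})
        sentry.captureException()
    return True
```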
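Review bot: The `except Exception` added around the pagination loop in `get_all_elbs` reports an exception that the wrapped `get_elbs` call already reports in its own new handler later in this patch, so one failure produces two counters and two Sentry events, and more once retries are involved. `get_all_elbs_v2` in the next hunk has the same layering over `get_elbs_v2`. I would report at one level only; if the outer handler stays, `except Exception:` without `as e:  # noqa` is enough, since `e` is unused there.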
@@ -84,18 +96,23 @@ def get_all_elbs_v2(**kwargs): """ elbs = [] - while True: - response = get_elbs_v2(**kwargs) - elbs += response['LoadBalancers'] + try: + while True: + response = get_elbs_v2(**kwargs) + elbs += response['LoadBalancers'] - if not response.get('NextMarker'): - return elbs - else: - kwargs.update(dict(Marker=response['NextMarker'])) + if not response.get('NextMarker'): + return elbs + else: + kwargs.update(dict(Marker=response['NextMarker'])) + except Exception as e: # noqa + metrics.send('get_all_elbs_v2_error', 'counter', 1) + sentry.captureException() + raise @sts_client('elbv2') -@retry(retry_on_exception=retry_throttled, wait_fixed=2000) +@retry(retry_on_exception=retry_throttled, wait_fixed=2000, stop_max_attempt_number=20) def get_listener_arn_from_endpoint(endpoint_name, endpoint_port, **kwargs): """ Get a listener ARN from an endpoint. 
@@ -103,27 +120,40 @@ def get_listener_arn_from_endpoint(endpoint_name, endpoint_port, **kwargs): :param endpoint_port: :return: """ - client = kwargs.pop('client') - elbs = client.describe_load_balancers(Names=[endpoint_name]) - for elb in elbs['LoadBalancers']: - listeners = client.describe_listeners(LoadBalancerArn=elb['LoadBalancerArn']) - for listener in listeners['Listeners']: - if listener['Port'] == endpoint_port: - return listener['ListenerArn'] + try: + client = kwargs.pop('client') + elbs = client.describe_load_balancers(Names=[endpoint_name]) + for elb in elbs['LoadBalancers']: + listeners = client.describe_listeners(LoadBalancerArn=elb['LoadBalancerArn']) + for listener in listeners['Listeners']: + if listener['Port'] == endpoint_port: + return listener['ListenerArn'] + except Exception as e: # noqa + metrics.send('get_listener_arn_from_endpoint_error', 'counter', 1, + metric_tags={"error": e, "endpoint_name": endpoint_name, "endpoint_port": endpoint_port}) + sentry.captureException(extra={"endpoint_name": str(endpoint_name), + "endpoint_port": str(endpoint_port)}) + raise @sts_client('elb') -@retry(retry_on_exception=retry_throttled, wait_fixed=2000) +@retry(retry_on_exception=retry_throttled, wait_fixed=2000, stop_max_attempt_number=20) def get_elbs(**kwargs): """ Fetches one page elb objects for a given account and region. """ - client = kwargs.pop('client') - return client.describe_load_balancers(**kwargs) + try: + client = kwargs.pop('client') + return client.describe_load_balancers(**kwargs) + except Exception as e: # noqa + metrics.send('get_elbs_error', 'counter', 1, + metric_tags={"error": e}) + sentry.captureException() + raise @sts_client('elbv2') -@retry(retry_on_exception=retry_throttled, wait_fixed=2000) +@retry(retry_on_exception=retry_throttled, wait_fixed=2000, stop_max_attempt_number=20) def get_elbs_v2(**kwargs): """ Fetches one page of elb objects for a given account and region. 
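Review bot: The new `except Exception` block in `get_listener_arn_from_endpoint` sits inside the body that `@retry` wraps, so each of the up to 20 attempts sends `get_listener_arn_from_endpoint_error` and a Sentry event, on top of what `retry_throttled` already reports for the same exception. The `"error": e` tag also passes the exception object as a metric tag value; `"error": type(e).__name__` would keep the tag set bounded and avoid copying AWS error text into the metrics backend. The same two points apply to `get_elbs` in this hunk and to `get_elbs_v2` and `describe_listeners_v2` in the following hunks. Separately, a short comment that `get_listener_arn_from_endpoint` returns `None` when no listener matches the port would help callers, e.g. `# Falls through and returns None when no listener uses endpoint_port`.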
@@ -131,12 +161,18 @@ def get_elbs_v2(**kwargs): :param kwargs: :return: """ - client = kwargs.pop('client') - return client.describe_load_balancers(**kwargs) + try: + client = kwargs.pop('client') + return client.describe_load_balancers(**kwargs) + except Exception as e: # noqa + metrics.send('get_elbs_v2_error', 'counter', 1, + metric_tags={"error": e}) + sentry.captureException() + raise @sts_client('elbv2') -@retry(retry_on_exception=retry_throttled, wait_fixed=2000) +@retry(retry_on_exception=retry_throttled, wait_fixed=2000, stop_max_attempt_number=20) def describe_listeners_v2(**kwargs): """ Fetches one page of listener objects for a given elb arn. @@ -144,8 +180,14 @@ def describe_listeners_v2(**kwargs): :param kwargs: :return: """ - client = kwargs.pop('client') - return client.describe_listeners(**kwargs) + try: + client = kwargs.pop('client') + return client.describe_listeners(**kwargs) + except Exception as e: # noqa + metrics.send('describe_listeners_v2_error', 'counter', 1, + metric_tags={"error": e}) + sentry.captureException() + raise @sts_client('elb') @@ -157,11 +199,12 @@ def describe_load_balancer_policies(load_balancer_name, policy_names, **kwargs): :param load_balancer_name: :return: """ + try: return kwargs['client'].describe_load_balancer_policies(LoadBalancerName=load_balancer_name, PolicyNames=policy_names) except Exception as e: # noqa - metrics.send('describe_load_balancer_policies_fail', 'counter', 1, + metrics.send('describe_load_balancer_policies_error', 'counter', 1, metric_tags={"load_balancer_name": load_balancer_name, "policy_names": policy_names, "error": e}) sentry.captureException(extra={"load_balancer_name": load_balancer_name, "policy_names": policy_names}) raise 
@@ -179,14 +222,14 @@ def describe_ssl_policies_v2(policy_names, **kwargs): try: return kwargs['client'].describe_ssl_policies(Names=policy_names) except Exception as e: # noqa - metrics.send('describe_ssl_policies_v2_fail', 'counter', 1, + metrics.send('describe_ssl_policies_v2_error', 'counter', 1, metric_tags={"policy_names": policy_names, "error": e}) sentry.captureException(extra={"policy_names": policy_names}) raise @sts_client('elb') -@retry(retry_on_exception=retry_throttled, wait_fixed=2000) +@retry(retry_on_exception=retry_throttled, wait_fixed=2000, stop_max_attempt_number=20) def describe_load_balancer_types(policies, **kwargs): """ Describe the policies with policy details. @@ -198,7 +241,7 @@ def describe_load_balancer_types(policies, **kwargs): @sts_client('elb') -@retry(retry_on_exception=retry_throttled, wait_fixed=2000) +@retry(retry_on_exception=retry_throttled, wait_fixed=2000, stop_max_attempt_number=20) def attach_certificate(name, port, certificate_id, **kwargs): """ Attaches a certificate to a listener, throws exception @@ -218,7 +261,7 @@ def attach_certificate(name, port, certificate_id, **kwargs): @sts_client('elbv2') -@retry(retry_on_exception=retry_throttled, wait_fixed=2000) +@retry(retry_on_exception=retry_throttled, wait_fixed=2000, stop_max_attempt_number=20) def attach_certificate_v2(listener_arn, port, certificates, **kwargs): """ Attaches a certificate to a listener, throws exception From 1a3ba46873c8437d11829a76f2451feaa0235397 Mon Sep 17 00:00:00 2001 From: Curtis Castrapel Date: Fri, 26 Apr 2019 10:18:54 -0700 Subject: [PATCH 2/8] More retry changes --- lemur/plugins/lemur_aws/elb.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lemur/plugins/lemur_aws/elb.py b/lemur/plugins/lemur_aws/elb.py index 77e99d18..618f75e8 100644 --- a/lemur/plugins/lemur_aws/elb.py +++ b/lemur/plugins/lemur_aws/elb.py 
@@ -206,7 +206,8 @@ def describe_load_balancer_policies(load_balancer_name, policy_names, **kwargs): except Exception as e: # noqa metrics.send('describe_load_balancer_policies_error', 'counter', 1, metric_tags={"load_balancer_name": load_balancer_name, "policy_names": policy_names, "error": e}) - sentry.captureException(extra={"load_balancer_name": load_balancer_name, "policy_names": policy_names}) + sentry.captureException(extra={"load_balancer_name": str(load_balancer_name), + "policy_names": str(policy_names)}) raise @@ -224,7 +225,7 @@ def describe_ssl_policies_v2(policy_names, **kwargs): except Exception as e: # noqa metrics.send('describe_ssl_policies_v2_error', 'counter', 1, metric_tags={"policy_names": policy_names, "error": e}) - sentry.captureException(extra={"policy_names": policy_names}) + sentry.captureException(extra={"policy_names": str(policy_names)}) raise From 333ba8030a37ec11e1036fc456c1efe78ea7f69d Mon Sep 17 00:00:00 2001 From: Curtis Castrapel Date: Fri, 26 Apr 2019 15:45:04 -0700 Subject: [PATCH 3/8] Ensure hostname is lowercase when comparing DNS challenges. ACME will automatically lowercase the hostname --- lemur/plugins/lemur_acme/plugin.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/lemur/plugins/lemur_acme/plugin.py b/lemur/plugins/lemur_acme/plugin.py index 3350682c..8380c966 100644 --- a/lemur/plugins/lemur_acme/plugin.py +++ b/lemur/plugins/lemur_acme/plugin.py @@ -19,7 +19,7 @@ import OpenSSL.crypto import josepy as jose from acme import challenges, messages from acme.client import BackwardsCompatibleClientV2, ClientNetwork -from acme.errors import PollError, WildcardUnsupportedError +from acme.errors import PollError, TimeoutError, WildcardUnsupportedError from acme.messages import Error as AcmeError from botocore.exceptions import ClientError from flask import current_app 
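Review bot: Importing `TimeoutError` unqualified from `acme.errors` shadows the Python builtin of the same name for the whole of plugin.py, so any existing or future `except TimeoutError` in that module will match only the ACME class. An alias keeps the intent visible: `from acme.errors import PollError, TimeoutError as AcmeTimeoutError, WildcardUnsupportedError`, with `except (AcmeError, AcmeTimeoutError):` in `request_certificate`.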
@@ -56,7 +56,7 @@ class AcmeHandler(object): def find_dns_challenge(self, host, authorizations): dns_challenges = [] for authz in authorizations: - if not authz.body.identifier.value == host: + if not authz.body.identifier.value.lower() == host.lower(): continue for combo in authz.body.challenges: if isinstance(combo.chall, challenges.DNS01): @@ -79,6 +79,10 @@ class AcmeHandler(object): host_to_validate = self.maybe_remove_wildcard(host) host_to_validate = self.maybe_add_extension(host_to_validate, dns_provider_options) dns_challenges = self.find_dns_challenge(host_to_validate, order.authorizations) + if not dns_challenges: + sentry.captureException() + metrics.send('start_dns_challenge_error_no_dns_challenges', 'counter', 1) + raise Exception("Unable to determine DNS challenges from authorizations") for dns_challenge in dns_challenges: change_id = dns_provider.create_txt_record( @@ -127,7 +131,7 @@ class AcmeHandler(object): try: orderr = acme_client.poll_and_finalize(order, deadline) - except AcmeError: + except (AcmeError, TimeoutError): sentry.captureException(extra={"order_url": str(order.uri)}) metrics.send('request_certificate_error', 'counter', 1) current_app.logger.error(f"Unable to resolve Acme order: {order.uri}", exc_info=True) From 1a90e71884078ad1f8ec16f856542308dbdd5cd9 Mon Sep 17 00:00:00 2001 From: Curtis Castrapel Date: Fri, 26 Apr 2019 17:27:44 -0700 Subject: [PATCH 4/8] Move ACME host validation logic prior to R53 host modification --- lemur/plugins/lemur_acme/plugin.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lemur/plugins/lemur_acme/plugin.py b/lemur/plugins/lemur_acme/plugin.py index 8380c966..02f08f9a 100644 --- a/lemur/plugins/lemur_acme/plugin.py +++ b/lemur/plugins/lemur_acme/plugin.py 
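Review bot: `sentry.captureException()` in the new `if not dns_challenges:` branch is called where, as far as this hunk shows, no exception is being handled, so there is no traceback for it to capture and the event carries none of the context needed to debug the miss. Sending a message with the host would be more useful, e.g. `sentry.captureMessage("No DNS challenge found", extra={"host": str(host_to_validate)})`, assuming the project's Sentry wrapper exposes it. The raised message could name the host as well: `"Unable to determine DNS challenges from authorizations for {}".format(host_to_validate)`. The enclosing method starts and ends outside the hunk.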
@@ -77,8 +77,9 @@ class AcmeHandler(object): change_ids = [] host_to_validate = self.maybe_remove_wildcard(host) - host_to_validate = self.maybe_add_extension(host_to_validate, dns_provider_options) dns_challenges = self.find_dns_challenge(host_to_validate, order.authorizations) + host_to_validate = self.maybe_add_extension(host_to_validate, dns_provider_options) + if not dns_challenges: sentry.captureException() metrics.send('start_dns_challenge_error_no_dns_challenges', 'counter', 1) From 6e3f394cff0d89356542ddaa62f56c424ba67d89 Mon Sep 17 00:00:00 2001 From: Curtis Castrapel Date: Mon, 29 Apr 2019 13:55:26 -0700 Subject: [PATCH 5/8] Updated requirements ; Revert change and require DNS validation by provider --- lemur/plugins/lemur_acme/plugin.py | 42 ++++++++++++++++++++++++------ requirements-dev.txt | 6 ++--- requirements-docs.txt | 14 +++++----- requirements-tests.txt | 10 +++---- requirements.txt | 14 +++++----- 5 files changed, 56 insertions(+), 30 deletions(-) diff --git a/lemur/plugins/lemur_acme/plugin.py b/lemur/plugins/lemur_acme/plugin.py index 02f08f9a..b6a5dbbf 100644 --- a/lemur/plugins/lemur_acme/plugin.py +++ b/lemur/plugins/lemur_acme/plugin.py 
@@ -107,21 +107,45 @@ class AcmeHandler(object): metrics.send('complete_dns_challenge_error_no_dnsproviders', 'counter', 1) raise Exception("No DNS providers found for domain: {}".format(authz_record.host)) - for dns_challenge in authz_record.dns_challenge: - response = dns_challenge.response(acme_client.client.net.key) + for dns_provider in dns_providers: + # Grab account number (For Route53) + dns_provider_options = json.loads(dns_provider.credentials) + account_number = dns_provider_options.get("account_id") + dns_provider_plugin = self.get_dns_provider(dns_provider.provider_type) + for change_id in authz_record.change_id: + try: + dns_provider_plugin.wait_for_dns_change(change_id, account_number=account_number) + except Exception: + metrics.send('complete_dns_challenge_error', 'counter', 1) + sentry.captureException() + current_app.logger.debug( + f"Unable to resolve DNS challenge for change_id: {change_id}, account_id: " + f"{account_number}", exc_info=True) + raise - verified = response.simple_verify( - dns_challenge.chall, - authz_record.host, - acme_client.client.net.key.public_key() - ) + for dns_challenge in authz_record.dns_challenge: + response = dns_challenge.response(acme_client.client.net.key) + + verified = response.simple_verify( + dns_challenge.chall, + authz_record.host, + acme_client.client.net.key.public_key() + ) if not verified: metrics.send('complete_dns_challenge_verification_error', 'counter', 1) raise ValueError("Failed verification") time.sleep(5) - acme_client.answer_challenge(dns_challenge, response) + res = acme_client.answer_challenge(dns_challenge, response) + current_app.logger.debug(f"answer_challenge response: {res}") + + def get_dns_challenge(self, authzr): + for challenge in authzr.body.challenges: + if challenge.chall.typ == 'dns-01': + return challenge + else: + raise Exception("Could not find an HTTP challenge!") def request_certificate(self, acme_client, authorizations, order): for authorization in authorizations: 
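Review bot: In this hunk the `for dns_challenge in authz_record.dns_challenge:` header and the `simple_verify(...)` call are re-added at a new indentation, while `if not verified:`, the `raise ValueError` and `time.sleep(5)` stay as unchanged context, which suggests the check and the `answer_challenge` call now sit after the challenge loop instead of inside it. Indentation is not recoverable on this page, so please confirm against the file; if that is the layout, only the last challenge for each provider is verified and answered, and an empty `authz_record.dns_challenge` leaves `verified` unbound. The `if not verified:` block, the sleep and `res = acme_client.answer_challenge(dns_challenge, response)` should be indented under the `for dns_challenge` loop. The method starts outside the hunk.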
@@ -132,6 +156,7 @@ class AcmeHandler(object): try: orderr = acme_client.poll_and_finalize(order, deadline) + except (AcmeError, TimeoutError): sentry.captureException(extra={"order_url": str(order.uri)}) metrics.send('request_certificate_error', 'counter', 1) @@ -480,6 +505,7 @@ class ACMEIssuerPlugin(IssuerPlugin): "pending_cert": entry["pending_cert"], }) except (PollError, AcmeError, Exception) as e: + raise sentry.captureException() metrics.send('get_ordered_certificates_resolution_error', 'counter', 1) order_url = order.uri diff --git a/requirements-dev.txt b/requirements-dev.txt index f9f1b8f3..0652df34 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -11,7 +11,7 @@ cfgv==1.6.0 # via pre-commit chardet==3.0.4 # via requests docutils==0.14 # via readme-renderer flake8==3.5.0 -identify==1.4.1 # via pre-commit +identify==1.4.2 # via pre-commit idna==2.8 # via requests importlib-metadata==0.9 # via pre-commit invoke==1.2.0 @@ -31,6 +31,6 @@ toml==0.10.0 # via pre-commit tqdm==4.31.1 # via twine twine==1.13.0 urllib3==1.24.2 # via requests -virtualenv==16.4.3 # via pre-commit +virtualenv==16.5.0 # via pre-commit webencodings==0.5.1 # via bleach -zipp==0.3.3 # via importlib-metadata +zipp==0.4.0 # via importlib-metadata diff --git a/requirements-docs.txt b/requirements-docs.txt index 5f69328d..4b75a502 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -7,7 +7,7 @@ acme==0.33.1 alabaster==0.7.12 # via sphinx alembic-autogenerate-enums==0.0.2 -alembic==1.0.9 +alembic==1.0.10 amqp==2.4.2 aniso8601==6.0.0 arrow==0.13.1 @@ -17,8 +17,8 @@ babel==2.6.0 # via sphinx bcrypt==3.1.6 billiard==3.6.0.0 blinker==1.4 -boto3==1.9.134 -botocore==1.12.134 +boto3==1.9.138 +botocore==1.12.138 celery[redis]==4.3.0 certifi==2019.3.9 certsrv==2.1.1 @@ -38,7 +38,7 @@ flask-migrate==2.4.0 flask-principal==0.4.0 flask-restful==0.3.7 flask-script==2.0.6 -flask-sqlalchemy==2.3.2 +flask-sqlalchemy==2.4.0 flask==1.0.2 future==0.17.1 gunicorn==19.9.0 
@@ -47,7 +47,7 @@ idna==2.8 imagesize==1.1.0 # via sphinx inflection==0.3.1 itsdangerous==1.1.0 -javaobj-py3==0.2.4 +javaobj-py3==0.3.0 jinja2==2.10.1 jmespath==0.9.4 josepy==1.1.0 @@ -62,10 +62,10 @@ mock==2.0.0 ndg-httpsclient==0.5.1 packaging==19.0 # via sphinx paramiko==2.4.2 -pbr==5.1.3 +pbr==5.2.0 pem==19.1.0 psycopg2==2.8.2 -pyasn1-modules==0.2.4 +pyasn1-modules==0.2.5 pyasn1==0.4.5 pycparser==2.19 pycryptodomex==3.8.1 diff --git a/requirements-tests.txt b/requirements-tests.txt index 9dd01574..0a4660d0 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -7,11 +7,11 @@ asn1crypto==0.24.0 # via cryptography atomicwrites==1.3.0 # via pytest attrs==19.1.0 # via pytest -aws-sam-translator==1.10.0 # via cfn-lint +aws-sam-translator==1.11.0 # via cfn-lint aws-xray-sdk==2.4.2 # via moto -boto3==1.9.134 # via aws-sam-translator, moto +boto3==1.9.138 # via aws-sam-translator, moto boto==2.49.0 # via moto -botocore==1.12.134 # via aws-xray-sdk, boto3, moto, s3transfer +botocore==1.12.138 # via aws-xray-sdk, boto3, moto, s3transfer certifi==2019.3.9 # via requests cffi==1.12.3 # via cryptography cfn-lint==0.19.1 # via moto @@ -42,7 +42,7 @@ mock==2.0.0 # via moto more-itertools==7.0.0 # via pytest moto==1.3.8 nose==1.3.7 -pbr==5.1.3 # via mock +pbr==5.2.0 # via mock pluggy==0.9.0 # via pytest py==1.8.0 # via pytest pyasn1==0.4.5 # via rsa @@ -55,7 +55,7 @@ python-dateutil==2.8.0 # via botocore, faker, freezegun, moto python-jose==3.0.1 # via moto pytz==2019.1 # via moto pyyaml==5.1 -requests-mock==1.5.2 +requests-mock==1.6.0 requests==2.21.0 # via cfn-lint, docker, moto, requests-mock, responses responses==0.10.6 # via moto rsa==4.0 # via python-jose diff --git a/requirements.txt b/requirements.txt index 2d17b930..74290471 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -6,7 +6,7 @@ # acme==0.33.1 alembic-autogenerate-enums==0.0.2 -alembic==1.0.9 # via flask-migrate +alembic==1.0.10 # via flask-migrate amqp==2.4.2 # via kombu aniso8601==6.0.0 # via flask-restful arrow==0.13.1 @@ -15,8 +15,8 @@ asyncpool==1.0 bcrypt==3.1.6 # via flask-bcrypt, paramiko billiard==3.6.0.0 # via celery blinker==1.4 # via flask-mail, flask-principal, raven -boto3==1.9.134 -botocore==1.12.134 +boto3==1.9.138 +botocore==1.12.138 celery[redis]==4.3.0 certifi==2019.3.9 certsrv==2.1.1 @@ -36,7 +36,7 @@ flask-migrate==2.4.0 flask-principal==0.4.0 flask-restful==0.3.7 flask-script==2.0.6 -flask-sqlalchemy==2.3.2 +flask-sqlalchemy==2.4.0 flask==1.0.2 future==0.17.1 gunicorn==19.9.0 @@ -44,7 +44,7 @@ hvac==0.8.2 idna==2.8 # via requests inflection==0.3.1 itsdangerous==1.1.0 # via flask -javaobj-py3==0.2.4 # via pyjks +javaobj-py3==0.3.0 # via pyjks jinja2==2.10.1 jmespath==0.9.4 # via boto3, botocore josepy==1.1.0 # via acme @@ -58,10 +58,10 @@ marshmallow==2.19.2 mock==2.0.0 # via acme ndg-httpsclient==0.5.1 paramiko==2.4.2 -pbr==5.1.3 # via mock +pbr==5.2.0 # via mock pem==19.1.0 psycopg2==2.8.2 -pyasn1-modules==0.2.4 # via pyjks, python-ldap +pyasn1-modules==0.2.5 # via pyjks, python-ldap pyasn1==0.4.5 # via ndg-httpsclient, paramiko, pyasn1-modules, pyjks, python-ldap pycparser==2.19 # via cffi pycryptodomex==3.8.1 # via pyjks From 3a1da724194b0f02612badf3f6c388793d4f1d15 Mon Sep 17 00:00:00 2001 From: Curtis Castrapel Date: Mon, 29 Apr 2019 13:57:04 -0700 Subject: [PATCH 6/8] nt --- lemur/plugins/lemur_acme/plugin.py | 8 -------- 1 file changed, 8 deletions(-) diff --git a/lemur/plugins/lemur_acme/plugin.py b/lemur/plugins/lemur_acme/plugin.py index b6a5dbbf..06dec882 100644 --- a/lemur/plugins/lemur_acme/plugin.py +++ b/lemur/plugins/lemur_acme/plugin.py 
@@ -140,13 +140,6 @@ class AcmeHandler(object): res = acme_client.answer_challenge(dns_challenge, response) current_app.logger.debug(f"answer_challenge response: {res}") - def get_dns_challenge(self, authzr): - for challenge in authzr.body.challenges: - if challenge.chall.typ == 'dns-01': - return challenge - else: - raise Exception("Could not find an HTTP challenge!") - def request_certificate(self, acme_client, authorizations, order): for authorization in authorizations: for authz in authorization.authz: @@ -505,7 +498,6 @@ class ACMEIssuerPlugin(IssuerPlugin): "pending_cert": entry["pending_cert"], }) except (PollError, AcmeError, Exception) as e: - raise sentry.captureException() metrics.send('get_ordered_certificates_resolution_error', 'counter', 1) order_url = order.uri From 8ed6187697e13c30e6d9e76682dc88ff97b2a8ad Mon Sep 17 00:00:00 2001 From: Garfield Carneiro Date: Fri, 3 May 2019 13:49:02 +0530 Subject: [PATCH 7/8] Package name has changed python-software-properties was renamed to software-properties-common https://askubuntu.com/questions/422975/e-package-python-software-properties-has-no-installation-candidate --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 46efd50a..b9d7335e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ FROM python:3.5 RUN apt-get update -RUN apt-get install -y make python-software-properties curl +RUN apt-get install -y make software-properties-common curl RUN curl -sL https://deb.nodesource.com/setup_7.x | bash - RUN apt-get update RUN apt-get install -y nodejs libldap2-dev libsasl2-dev libldap2-dev libssl-dev From 6d5552afd38a82ecf0345730ccb770b48803106f Mon Sep 17 00:00:00 2001 
From: Hossein Shafagh Date: Mon, 6 May 2019 16:31:50 -0700 Subject: [PATCH 8/8] updating requirements --- requirements-dev.txt | 4 ++-- requirements-docs.txt | 13 ++++++------- requirements-tests.txt | 9 ++++----- requirements.txt | 13 ++++++------- 4 files changed, 18 insertions(+), 21 deletions(-) diff --git a/requirements-dev.txt b/requirements-dev.txt index 0652df34..29509d99 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -18,7 +18,7 @@ invoke==1.2.0 mccabe==0.6.1 # via flake8 nodeenv==1.3.3 pkginfo==1.5.0.1 # via twine -pre-commit==1.15.2 +pre-commit==1.16.0 pycodestyle==2.3.1 # via flake8 pyflakes==1.6.0 # via flake8 pygments==2.3.1 # via readme-renderer @@ -30,7 +30,7 @@ six==1.12.0 # via bleach, cfgv, pre-commit, readme-renderer toml==0.10.0 # via pre-commit tqdm==4.31.1 # via twine twine==1.13.0 -urllib3==1.24.2 # via requests +urllib3==1.24.3 # via requests virtualenv==16.5.0 # via pre-commit webencodings==0.5.1 # via bleach zipp==0.4.0 # via importlib-metadata diff --git a/requirements-docs.txt b/requirements-docs.txt index 4b75a502..fef37c08 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -4,7 +4,7 @@ # # pip-compile --output-file requirements-docs.txt requirements-docs.in -U --no-index # -acme==0.33.1 +acme==0.34.1 alabaster==0.7.12 # via sphinx alembic-autogenerate-enums==0.0.2 alembic==1.0.10 @@ -17,8 +17,8 @@ babel==2.6.0 # via sphinx bcrypt==3.1.6 billiard==3.6.0.0 blinker==1.4 -boto3==1.9.138 -botocore==1.12.138 +boto3==1.9.143 +botocore==1.12.143 celery[redis]==4.3.0 certifi==2019.3.9 certsrv==2.1.1 @@ -56,13 +56,12 @@ kombu==4.5.0 lockfile==0.12.2 mako==1.0.9 markupsafe==1.1.1 -marshmallow-sqlalchemy==0.16.2 +marshmallow-sqlalchemy==0.16.3 marshmallow==2.19.2 -mock==2.0.0 +mock==3.0.4 ndg-httpsclient==0.5.1 packaging==19.0 # via sphinx paramiko==2.4.2 -pbr==5.2.0 pem==19.1.0 psycopg2==2.8.2 pyasn1-modules==0.2.5 
@@ -101,7 +100,7 @@ sqlalchemy-utils==0.33.11 sqlalchemy==1.3.3 tabulate==0.8.3 twofish==0.3.0 -urllib3==1.24.2 +urllib3==1.24.3 vine==1.3.0 werkzeug==0.15.2 xmltodict==0.12.0 diff --git a/requirements-tests.txt b/requirements-tests.txt index 0a4660d0..5d28412c 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -9,9 +9,9 @@ atomicwrites==1.3.0 # via pytest attrs==19.1.0 # via pytest aws-sam-translator==1.11.0 # via cfn-lint aws-xray-sdk==2.4.2 # via moto -boto3==1.9.138 # via aws-sam-translator, moto +boto3==1.9.143 # via aws-sam-translator, moto boto==2.49.0 # via moto -botocore==1.12.138 # via aws-xray-sdk, boto3, moto, s3transfer +botocore==1.12.143 # via aws-xray-sdk, boto3, moto, s3transfer certifi==2019.3.9 # via requests cffi==1.12.3 # via cryptography cfn-lint==0.19.1 # via moto @@ -38,11 +38,10 @@ jsonpickle==1.1 # via aws-xray-sdk jsonpointer==2.0 # via jsonpatch jsonschema==2.6.0 # via aws-sam-translator, cfn-lint markupsafe==1.1.1 # via jinja2 -mock==2.0.0 # via moto +mock==3.0.4 # via moto more-itertools==7.0.0 # via pytest moto==1.3.8 nose==1.3.7 -pbr==5.2.0 # via mock pluggy==0.9.0 # via pytest py==1.8.0 # via pytest pyasn1==0.4.5 # via rsa @@ -62,7 +61,7 @@ rsa==4.0 # via python-jose s3transfer==0.2.0 # via boto3 six==1.12.0 # via aws-sam-translator, cfn-lint, cryptography, docker, docker-pycreds, faker, freezegun, mock, moto, pytest, python-dateutil, python-jose, requests-mock, responses, websocket-client text-unidecode==1.2 # via faker -urllib3==1.24.2 # via botocore, requests +urllib3==1.24.3 # via botocore, requests websocket-client==0.56.0 # via docker werkzeug==0.15.2 # via flask, moto, pytest-flask wrapt==1.11.1 # via aws-xray-sdk diff --git a/requirements.txt b/requirements.txt index 74290471..fe27838b 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -4,7 +4,7 @@ # # pip-compile --output-file requirements.txt requirements.in -U --no-index # -acme==0.33.1 +acme==0.34.1 alembic-autogenerate-enums==0.0.2 alembic==1.0.10 # via flask-migrate amqp==2.4.2 # via kombu @@ -15,8 +15,8 @@ asyncpool==1.0 bcrypt==3.1.6 # via flask-bcrypt, paramiko billiard==3.6.0.0 # via celery blinker==1.4 # via flask-mail, flask-principal, raven -boto3==1.9.138 -botocore==1.12.138 +boto3==1.9.143 +botocore==1.12.143 celery[redis]==4.3.0 certifi==2019.3.9 certsrv==2.1.1 @@ -53,12 +53,11 @@ kombu==4.5.0 lockfile==0.12.2 mako==1.0.9 # via alembic markupsafe==1.1.1 # via jinja2, mako -marshmallow-sqlalchemy==0.16.2 +marshmallow-sqlalchemy==0.16.3 marshmallow==2.19.2 -mock==2.0.0 # via acme +mock==3.0.4 # via acme ndg-httpsclient==0.5.1 paramiko==2.4.2 -pbr==5.2.0 # via mock pem==19.1.0 psycopg2==2.8.2 pyasn1-modules==0.2.5 # via pyjks, python-ldap @@ -86,7 +85,7 @@ sqlalchemy-utils==0.33.11 sqlalchemy==1.3.3 # via alembic, flask-sqlalchemy, marshmallow-sqlalchemy, sqlalchemy-utils tabulate==0.8.3 twofish==0.3.0 # via pyjks -urllib3==1.24.2 # via botocore, requests +urllib3==1.24.3 # via botocore, requests vine==1.3.0 # via amqp, celery werkzeug==0.15.2 # via flask xmltodict==0.12.0