Merge branch 'master' into renewal_validity_01

lemur/plugins/lemur_acme/plugin.py

@@ -172,7 +172,7 @@ class AcmeHandler(object):
 
         except (AcmeError, TimeoutError):
             sentry.captureException(extra={"order_url": str(order.uri)})
-            metrics.send("request_certificate_error", "counter", 1)
+            metrics.send("request_certificate_error", "counter", 1, metric_tags={"uri": order.uri})
             current_app.logger.error(
                 f"Unable to resolve Acme order: {order.uri}", exc_info=True
             )
@@ -183,6 +183,11 @@ class AcmeHandler(object):
             else:
                 raise
 
+        metrics.send("request_certificate_success", "counter", 1, metric_tags={"uri": order.uri})
+        current_app.logger.info(
+            f"Successfully resolved Acme order: {order.uri}", exc_info=True
+        )
+
         pem_certificate = OpenSSL.crypto.dump_certificate(
             OpenSSL.crypto.FILETYPE_PEM,
             OpenSSL.crypto.load_certificate(

lemur/plugins/lemur_kubernetes/plugin.py

@@ -96,7 +96,7 @@ def build_secret(secret_format, secret_name, body, private_key, cert_chain):
     if secret_format == "TLS":
         secret["type"] = "kubernetes.io/tls"
         secret["data"] = {
-            "tls.crt": base64encode(cert_chain),
+            "tls.crt": base64encode(body),
             "tls.key": base64encode(private_key),
         }
     if secret_format == "Certificate":

lemur/plugins/lemur_verisign/plugin.py

@@ -98,10 +98,14 @@ def process_options(options):
     :param options:
     :return: dict or valid verisign options
     """
+    # if there is a config variable with VERISIGN_PRODUCT_<upper(authority.name)> take the value as Cert product-type
+    # else default to "Server", to be compatoible with former versions
+    authority = options.get("authority").name.upper()
+    product_type = current_app.config.get("VERISIGN_PRODUCT_{0}".format(authority), "Server")
     data = {
         "challenge": get_psuedo_random_string(),
         "serverType": "Apache",
-        "certProductType": "Server",
+        "certProductType": product_type,
         "firstName": current_app.config.get("VERISIGN_FIRST_NAME"),
         "lastName": current_app.config.get("VERISIGN_LAST_NAME"),
         "signatureAlgorithm": "sha256WithRSAEncryption",
@@ -111,11 +115,6 @@ def process_options(options):
 
     data["subject_alt_names"] = ",".join(get_additional_names(options))
 
-    if options.get("validity_end") > arrow.utcnow().shift(years=2):
-        raise Exception(
-            "Verisign issued certificates cannot exceed two years in validity"
-        )
-
     if options.get("validity_end"):
         # VeriSign (Symantec) only accepts strictly smaller than 2 year end date
         if options.get("validity_end") < arrow.utcnow().shift(years=2, days=-1):
@@ -210,7 +209,7 @@ class VerisignIssuerPlugin(IssuerPlugin):
 
         response = self.session.post(url, data=data)
         try:
-            cert = handle_response(response.content)["Response"]["Certificate"]
+            response_dict = handle_response(response.content)
         except KeyError:
             metrics.send(
                 "verisign_create_certificate_error",
@@ -222,8 +221,13 @@ class VerisignIssuerPlugin(IssuerPlugin):
                 extra={"common_name": issuer_options.get("common_name", "")}
             )
             raise Exception(f"Error with Verisign: {response.content}")
-        # TODO add external id
+        authority = issuer_options.get("authority").name.upper()
-        return cert, current_app.config.get("VERISIGN_INTERMEDIATE"), None
+        cert = response_dict['Response']['Certificate']
+        external_id = None
+        if 'Transaction_ID' in response_dict['Response'].keys():
+            external_id = response_dict['Response']['Transaction_ID']
+        chain = current_app.config.get("VERISIGN_INTERMEDIATE_{0}".format(authority), current_app.config.get("VERISIGN_INTERMEDIATE"))
+        return cert, chain, external_id
 
     @staticmethod
     def create_authority(options):

requirements-dev.txt

@@ -5,37 +5,39 @@
 #    pip-compile --no-index --output-file=requirements-dev.txt requirements-dev.in
 #
 aspy.yaml==1.3.0          # via pre-commit
-bleach==3.1.0             # via readme-renderer
+bleach==3.1.1             # via readme-renderer
 certifi==2019.11.28       # via requests
+cffi==1.14.0              # via cryptography
 cfgv==2.0.1               # via pre-commit
 chardet==3.0.4            # via requests
+cryptography==2.8         # via secretstorage
 docutils==0.15.2          # via readme-renderer
 flake8==3.5.0
 identify==1.4.9           # via pre-commit
 idna==2.8                 # via requests
-importlib-metadata==1.3.0  # via keyring, pre-commit, twine
 invoke==1.3.0
+jeepney==0.4.2            # via secretstorage
 keyring==21.0.0           # via twine
 mccabe==0.6.1             # via flake8
-more-itertools==8.0.2     # via zipp
 nodeenv==1.3.3
 pkginfo==1.5.0.1          # via twine
 pre-commit==1.21.0
 pycodestyle==2.3.1        # via flake8
+pycparser==2.19           # via cffi
 pyflakes==1.6.0           # via flake8
 pygments==2.5.2           # via readme-renderer
 pyyaml==5.2
 readme-renderer==24.0     # via twine
 requests-toolbelt==0.9.1  # via twine
 requests==2.22.0          # via requests-toolbelt, twine
-six==1.13.0               # via bleach, cfgv, pre-commit, readme-renderer
+secretstorage==3.1.2      # via keyring
+six==1.13.0               # via bleach, cfgv, cryptography, pre-commit, readme-renderer
 toml==0.10.0              # via pre-commit
 tqdm==4.41.1              # via twine
 twine==3.1.1
 urllib3==1.25.7           # via requests
 virtualenv==16.7.9        # via pre-commit
 webencodings==0.5.1       # via bleach
-zipp==0.6.0               # via importlib-metadata
 
 # The following packages are considered to be unsafe in a requirements file:
 # setuptools