Infra
/
lemur
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Make http-01 challenge work for SAN certificates

This commit is contained in:
Mathias Petermann 2020-09-30 17:40:15 +02:00
parent e3e5ef7d66
commit 66cab6abd3
1 changed files with 37 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
lemur/plugins/lemur_acme/plugin.py
View File

@ -830,17 +830,17 @@ class ACMEHttpIssuerPlugin(IssuerPlugin):
acme_client, registration = self.acme.setup_acme_client(authority) acme_client, registration = self.acme.setup_acme_client(authority)
orderr = acme_client.new_order(csr) orderr = acme_client.new_order(csr)
challenge = None
chall = []
for authz in orderr.authorizations: for authz in orderr.authorizations:
# Choosing challenge. # Choosing challenge.
# authz.body.challenges is a set of ChallengeBody objects. # authz.body.challenges is a set of ChallengeBody objects.
for i in authz.body.challenges: for i in authz.body.challenges:
# Find the supported challenge. # Find the supported challenge.
if isinstance(i.chall, challenges.HTTP01): if isinstance(i.chall, challenges.HTTP01):
challenge = i chall.append(i)
if challenge is None: if len(chall) == 0:
raise Exception('HTTP-01 challenge was not offered by the CA server.') raise Exception('HTTP-01 challenge was not offered by the CA server.')
else: else:
# Here we probably should create a pending certificate and make use of celery, but for now # Here we probably should create a pending certificate and make use of celery, but for now
@ -854,13 +854,42 @@ class ACMEHttpIssuerPlugin(IssuerPlugin):
raise Exception('No token_destination configured for this authority. Cant complete HTTP-01 challenge') raise Exception('No token_destination configured for this authority. Cant complete HTTP-01 challenge')
destination_plugin = plugins.get(token_destination.plugin_name) destination_plugin = plugins.get(token_destination.plugin_name)
destination_plugin.upload_acme_token(challenge.chall.path, challenge.chall.token, token_destination.options)
current_app.logger.info("Uploaded HTTP-01 challenge token, trying to poll and finalize the order") for challenge in chall:
response, validation = challenge.response_and_validation(acme_client.net.key)
destination_plugin.upload_acme_token(challenge.chall.path, validation, token_destination.options)
# Let the CA server know that we are ready for the challenge.
acme_client.answer_challenge(challenge, response)
current_app.logger.info("Uploaded HTTP-01 challenge tokens, trying to poll and finalize the order")
# Wait for challenge status and then issue a certificate.
for authz in orderr.authorizations:
authzr, resp = acme_client.poll(authz)
current_app.logger.info(authzr.body.status)
# It is possible to set a deadline time.
finalized_orderr = acme_client.finalize_order(orderr, datetime.datetime.now() + datetime.timedelta(minutes=1))
pem_certificate = OpenSSL.crypto.dump_certificate(
OpenSSL.crypto.FILETYPE_PEM,
OpenSSL.crypto.load_certificate(
OpenSSL.crypto.FILETYPE_PEM, finalized_orderr.fullchain_pem
),
).decode()
if current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA", False) \
and datetime.datetime.now() < datetime.datetime.strptime(
current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE", "17/03/21"), '%d/%m/%y'):
pem_certificate_chain = current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA")
else:
pem_certificate_chain = finalized_orderr.fullchain_pem[
len(pem_certificate): # noqa
].lstrip()
pem_certificate, pem_certificate_chain = self.acme.request_certificate(
acme_client, orderr.authorizations, csr
)
# TODO add external ID (if possible) # TODO add external ID (if possible)
return pem_certificate, pem_certificate_chain, None return pem_certificate, pem_certificate_chain, None