Fixes for using ACME with Route53 (#986)

* Changes required for functional Route53 operations

* Changes required for functional ACME operations with Route53

* Changes required for functional ACME operations with Route53, need external ID
Daniel Pramann 2017-11-13 12:19:54 -06:00 committed by kevgliss
parent 041f3a22fa
commit 7e2c16ee38
2 changed files with 11 additions and 8 deletions


@ -87,8 +87,8 @@ def request_certificate(acme_client, authorizations, csr):
cert_response, _ = acme_client.poll_and_request_issuance( cert_response, _ = acme_client.poll_and_request_issuance(
jose.util.ComparableX509( jose.util.ComparableX509(
OpenSSL.crypto.load_certificate_request( OpenSSL.crypto.load_certificate_request(
OpenSSL.crypto.FILETYPE_ASN1, OpenSSL.crypto.FILETYPE_PEM,
csr.public_bytes(serialization.Encoding.DER), csr
) )
), ),
authzrs=[authz_record.authz for authz_record in authorizations], authzrs=[authz_record.authz for authz_record in authorizations],
@ -96,12 +96,13 @@ def request_certificate(acme_client, authorizations, csr):
pem_certificate = OpenSSL.crypto.dump_certificate( pem_certificate = OpenSSL.crypto.dump_certificate(
OpenSSL.crypto.FILETYPE_PEM, cert_response.body OpenSSL.crypto.FILETYPE_PEM, cert_response.body
) ).decode('utf-8')
pem_certificate_chain = "\n".join( # https://github.com/alex/letsencrypt-aws/commit/853ea7f93f141fe18d9ef12aee6b3388f98b4830
pem_certificate_chain = b"\n".join(
OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, cert) OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, cert)
for cert in acme_client.fetch_chain(cert_response) for cert in acme_client.fetch_chain(cert_response)
) ).decode('utf-8')
return pem_certificate, pem_certificate_chain return pem_certificate, pem_certificate_chain
@ -133,7 +134,7 @@ def get_domains(options):
domains = [options['common_name']] domains = [options['common_name']]
if options.get('extensions'): if options.get('extensions'):
for name in options['extensions']['sub_alt_names']['names']: for name in options['extensions']['sub_alt_names']['names']:
domains.append(name) domains.append(name.value)
return domains return domains
@ -194,7 +195,8 @@ class ACMEIssuerPlugin(IssuerPlugin):
domains = get_domains(issuer_options) domains = get_domains(issuer_options)
authorizations = get_authorizations(acme_client, account_number, domains) authorizations = get_authorizations(acme_client, account_number, domains)
pem_certificate, pem_certificate_chain = request_certificate(acme_client, authorizations, csr) pem_certificate, pem_certificate_chain = request_certificate(acme_client, authorizations, csr)
return pem_certificate, pem_certificate_chain # TODO add external ID (if possible)
return pem_certificate, pem_certificate_chain, None
@staticmethod @staticmethod
def create_authority(options): def create_authority(options):
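Review bot: request_certificate now hands back `str` values (the `.decode('utf-8')` calls in the second hunk) where it previously returned `bytes`, and the first hunk's switch to `OpenSSL.crypto.FILETYPE_PEM` with the bare `csr` argument assumes `csr` already arrives as PEM text rather than the CSR object the removed `csr.public_bytes(...)` call implied — assuming the right-hand column is the new side. Neither contract is written down, so a docstring would pin both: `"""Request issuance for the authorized domains; csr must be PEM-encoded; returns (certificate, chain) as UTF-8 str."""`. In create_certificate the new third return value is a bare `None` next to a TODO; a named placeholder such as `external_id = None  # TODO: no external ID available for ACME yet` followed by `return pem_certificate, pem_certificate_chain, external_id` keeps the 3-tuple self-describing for callers that unpack it. Both request_certificate and create_certificate begin outside the hunks shown here.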


@ -27,6 +27,7 @@ def find_zone_id(domain, client=None):
raise ValueError( raise ValueError(
"Unable to find a Route53 hosted zone for {}".format(domain) "Unable to find a Route53 hosted zone for {}".format(domain)
) )
return zones[0][1]
@sts_client('route53') @sts_client('route53')
@ -54,7 +55,7 @@ def change_txt_record(action, zone_id, domain, value, client=None):
return response["ChangeInfo"]["Id"] return response["ChangeInfo"]["Id"]
def create_txt_record(account_number, host, value): def create_txt_record(host, value, account_number):
zone_id = find_zone_id(host, account_number=account_number) zone_id = find_zone_id(host, account_number=account_number)
change_id = change_txt_record( change_id = change_txt_record(
"CREATE", "CREATE",