Fixing autorotation failures. (#825)
* Fixing issue with auto rotation failing due to a change in the way certificate data is serialized.
This commit is contained in:
parent
5a4806bc43
commit
9c92138f2d
@ -16,7 +16,14 @@ from lemur.extensions import metrics
|
||||
from lemur.deployment import service as deployment_service
|
||||
from lemur.endpoints import service as endpoint_service
|
||||
from lemur.notifications.messaging import send_rotation_notification
|
||||
from lemur.certificates.service import reissue_certificate, get_certificate_primitives, get_all_pending_reissue, get_by_name, get_all_certs
|
||||
from lemur.certificates.schemas import CertificateOutputSchema
|
||||
from lemur.certificates.service import (
|
||||
reissue_certificate,
|
||||
get_certificate_primitives,
|
||||
get_all_pending_reissue,
|
||||
get_by_name,
|
||||
get_all_certs
|
||||
)
|
||||
|
||||
from lemur.certificates.verify import verify_string
|
||||
|
||||
@ -29,28 +36,19 @@ def print_certificate_details(details):
|
||||
:param details:
|
||||
:return:
|
||||
"""
|
||||
details, errors = CertificateOutputSchema().dump(details)
|
||||
print("[+] Re-issuing certificate with the following details: ")
|
||||
print(
|
||||
"\t[+] Common Name: {common_name}\n"
|
||||
"\t[+] Subject Alternate Names: {sans}\n"
|
||||
"\t[+] Authority: {authority_name}\n"
|
||||
"\t[+] Validity Start: {validity_start}\n"
|
||||
"\t[+] Validity End: {validity_end}\n"
|
||||
"\t[+] Organization: {organization}\n"
|
||||
"\t[+] Organizational Unit: {organizational_unit}\n"
|
||||
"\t[+] Country: {country}\n"
|
||||
"\t[+] State: {state}\n"
|
||||
"\t[+] Location: {location}".format(
|
||||
common_name=details['common_name'],
|
||||
sans=",".join(x['value'] for x in details['extensions']['sub_alt_names']['names']) or None,
|
||||
authority_name=details['authority'].name,
|
||||
validity_start=details['validity_start'].isoformat(),
|
||||
validity_end=details['validity_end'].isoformat(),
|
||||
organization=details['organization'],
|
||||
organizational_unit=details['organizational_unit'],
|
||||
country=details['country'],
|
||||
state=details['state'],
|
||||
location=details['location']
|
||||
"\t[+] Validity End: {validity_end}\n".format(
|
||||
common_name=details['commonName'],
|
||||
sans=",".join(x['value'] for x in details['extensions']['subAltNames']['names']) or None,
|
||||
authority_name=details['authority']['name'],
|
||||
validity_start=details['validityStart'],
|
||||
validity_end=details['validityEnd']
|
||||
)
|
||||
)
|
||||
|
||||
@ -126,19 +124,11 @@ def request_reissue(certificate, commit):
|
||||
details = get_certificate_primitives(certificate)
|
||||
|
||||
print_certificate_details(details)
|
||||
|
||||
if commit:
|
||||
try:
|
||||
new_cert = reissue_certificate(certificate, replace=True)
|
||||
metrics.send('certificate_reissue_success', 'counter', 1)
|
||||
print("[+] New certificate named: {0}".format(new_cert.name))
|
||||
except Exception as e:
|
||||
metrics.send('certificate_reissue_failure', 'counter', 1)
|
||||
print(
|
||||
"[!] Failed to reissue certificate {1} reason: {2}".format(
|
||||
certificate.name,
|
||||
e
|
||||
)
|
||||
)
|
||||
new_cert = reissue_certificate(certificate, replace=True)
|
||||
metrics.send('certificate_reissue_success', 'counter', 1)
|
||||
print("[+] New certificate named: {0}".format(new_cert.name))
|
||||
|
||||
|
||||
@manager.option('-e', '--endpoint', dest='endpoint_name', help='Name of the endpoint you wish to rotate.')
|
||||
@ -199,16 +189,25 @@ def reissue(old_certificate_name, commit):
|
||||
|
||||
print("[+] Starting certificate re-issuance.")
|
||||
|
||||
old_cert = validate_certificate(old_certificate_name)
|
||||
try:
|
||||
old_cert = validate_certificate(old_certificate_name)
|
||||
|
||||
if not old_cert:
|
||||
for certificate in get_all_pending_reissue():
|
||||
print("[+] {0} is eligible for re-issuance".format(certificate.name))
|
||||
request_reissue(certificate, commit)
|
||||
else:
|
||||
request_reissue(old_cert, commit)
|
||||
if not old_cert:
|
||||
for certificate in get_all_pending_reissue():
|
||||
print("[+] {0} is eligible for re-issuance".format(certificate.name))
|
||||
request_reissue(certificate, commit)
|
||||
else:
|
||||
request_reissue(old_cert, commit)
|
||||
|
||||
print("[+] Done!")
|
||||
print("[+] Done!")
|
||||
except Exception as e:
|
||||
metrics.send('certificate_reissue_failure', 'counter', 1)
|
||||
print(
|
||||
"[!] Failed to reissue certificate {0} reason: {1}".format(
|
||||
old_cert.name,
|
||||
e
|
||||
)
|
||||
)
|
||||
|
||||
|
||||
@manager.command
|
||||
|
@ -475,8 +475,10 @@ def get_certificate_primitives(certificate):
|
||||
# we will rely on the Lemur generated name
|
||||
data.pop('name', None)
|
||||
|
||||
data['validity_start'] = start
|
||||
data['validity_end'] = end
|
||||
# TODO this can be removed once we migrate away from cn
|
||||
data['cn'] = data['common_name']
|
||||
data['not_before'] = start
|
||||
data['not_after'] = end
|
||||
return data
|
||||
|
||||
|
||||
|
@ -53,7 +53,7 @@ def test_get_certificate_primitives(certificate):
|
||||
|
||||
with freeze_time(datetime.date(year=2016, month=10, day=30)):
|
||||
primitives = get_certificate_primitives(certificate)
|
||||
assert len(primitives) == 20
|
||||
assert len(primitives) == 23
|
||||
|
||||
|
||||
def test_certificate_edit_schema(session):
|
||||
|
Loading…
Reference in New Issue
Block a user