Do not re-use CSR during certificate reissuance; Update requirement; Add more logging to celery handler

2018-11-12 09:52:11 -08:00
parent 6f0005c78e
commit a7a05e26bc
8 changed files with 38 additions and 22 deletions
--- a/lemur/certificates/models.py
+++ b/lemur/certificates/models.py
@ -367,7 +367,7 @@ def update_destinations(target, value, initiator):
    destination_plugin = plugins.get(value.plugin_name)
    status = FAILURE_METRIC_STATUS
    try:
-        if target.private_key:
+        if target.private_key or not destination_plugin.requires_key:
            destination_plugin.upload(target.name, target.body, target.private_key, target.chain, value.options)
            status = SUCCESS_METRIC_STATUS
    except Exception as e:
--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
@ -539,6 +539,9 @@ def reissue_certificate(certificate, replace=None, user=None):
    """
    primitives = get_certificate_primitives(certificate)

+    if primitives.get("csr"):
+        #  We do not want to re-use the CSR when creating a certificate because this defeats the purpose of rotation.
+        del primitives["csr"]
    if not user:
        primitives['creator'] = certificate.user

--- a/lemur/common/celery.py
+++ b/lemur/common/celery.py
@ -53,8 +53,10 @@ def fetch_acme_cert(id):
        id: an id of a PendingCertificate
    """
    log_data = {
-        "function": "{}.{}".format(__name__, sys._getframe().f_code.co_name)
+        "function": "{}.{}".format(__name__, sys._getframe().f_code.co_name),
+        "message": "Resolving pending certificate {}".format(id)
    }
+    current_app.logger.debug(log_data)
    pending_certs = pending_certificate_service.get_pending_certs([id])
    new = 0
    failed = 0
@ -138,11 +140,22 @@ def fetch_all_pending_acme_certs():
    """Instantiate celery workers to resolve all pending Acme certificates"""
    pending_certs = pending_certificate_service.get_unresolved_pending_certs()

+    log_data = {
+        "function": "{}.{}".format(__name__, sys._getframe().f_code.co_name),
+        "message": "Starting job."
+    }
+
+    current_app.logger.debug(log_data)
+
    # We only care about certs using the acme-issuer plugin
    for cert in pending_certs:
        cert_authority = get_authority(cert.authority_id)
        if cert_authority.plugin_name == 'acme-issuer':
            if datetime.now(timezone.utc) - cert.last_updated > timedelta(minutes=5):
+                log_data["message"] = "Triggering job for cert {}".format(cert.name)
+                log_data["cert_name"] = cert.name
+                log_data["cert_id"] = cert.id
+                current_app.logger.debug(log_data)
                fetch_acme_cert.delay(cert.id)


--- a/lemur/plugins/lemur_aws/plugin.py
+++ b/lemur/plugins/lemur_aws/plugin.py
@ -35,8 +35,8 @@
 from flask import current_app

 from lemur.plugins import lemur_aws as aws
-from lemur.plugins.lemur_aws import iam, s3, elb, ec2
 from lemur.plugins.bases import DestinationPlugin, ExportDestinationPlugin, SourcePlugin
+from lemur.plugins.lemur_aws import iam, s3, elb, ec2


 def get_region_from_dns(dns):