From a873d69859d2a68d3dd36a2981a721c951ec19ef Mon Sep 17 00:00:00 2001
From: csine-nflx
Date: Tue, 3 Mar 2020 18:24:48 -0800
Subject: [PATCH 1/7] adding documentation for DIGICERT_MAX_VALIDITY
---
 docs/administration.rst | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/docs/administration.rst b/docs/administration.rst
index 8f055147..341eda6a 100644
--- a/docs/administration.rst
+++ b/docs/administration.rst
@@ -735,6 +735,12 @@ The following configuration properties are required to use the Digicert issuer p
 This is the default validity (in years), if no end date is specified. (Default: 1)
+.. data:: DIGICERT_MAX_VALIDITY
+ :noindex:
+
+ This is the maximum validity (in years). (Default: DIGICERT_DEFAULT_VALIDITY)
+
+
 .. data:: DIGICERT_PRIVATE
 :noindex:
From 9ef538305d8a91b06cd128945fe8f19e063ddc8a Mon Sep 17 00:00:00 2001
From: csine-nflx
Date: Wed, 4 Mar 2020 11:45:47 -0800
Subject: [PATCH 2/7] updating default language for digicert max validity option
---
 docs/administration.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/administration.rst b/docs/administration.rst
index 341eda6a..6cbf42bd 100644
--- a/docs/administration.rst
+++ b/docs/administration.rst
@@ -738,7 +738,7 @@ The following configuration properties are required to use the Digicert issuer p
 .. data:: DIGICERT_MAX_VALIDITY
 :noindex:
- This is the maximum validity (in years). (Default: DIGICERT_DEFAULT_VALIDITY)
+ This is the maximum validity (in years). (Default: value of DIGICERT_DEFAULT_VALIDITY)
 .. data:: DIGICERT_PRIVATE
From c0004e506e538c849e6c69c6e7b42640256dc64f Mon Sep 17 00:00:00 2001
From: csine-nflx
Date: Wed, 4 Mar 2020 14:50:44 -0800
Subject: [PATCH 3/7] removing 2 year option from Lemur certificate request form
---
 .../app/angular/certificates/certificate/tracking.tpl.html | 1 -
 1 file changed, 1 deletion(-)
diff --git a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html
index 7ac2107f..027add0f 100644
--- a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html
+++ b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html
@@ -140,7 +140,6 @@
From 5dfb6acb17eaf34ce4970da3154934113188577b Mon Sep 17 00:00:00 2001
From: csine-nflx
Date: Thu, 5 Mar 2020 14:59:21 -0800
Subject: [PATCH 4/7] adding support for ACME_POWERDNS_VERIFY option to support CA Bundles and disabling Server validation
---
 docs/administration.rst | 9 +++++++++
 lemur/plugins/lemur_acme/powerdns.py | 7 +++++--
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/docs/administration.rst b/docs/administration.rst
index 8f055147..ea9537da 100644
--- a/docs/administration.rst
+++ b/docs/administration.rst
@@ -1008,6 +1008,15 @@ The following configuration properties are required to use the PowerDNS ACME Plu
 This is the number of times DNS Verification should be attempted (i.e. 20)
+
+.. data:: ACME_POWERDNS_VERIFY
+ :noindex:
+
+ This configures how PowerDNS verifies TLS certificates. The PowerDNS Plugin relies on the requests library, supported options are as follows:
+ * True: Verifies the certificate chains to a known publicly-trusted CA. (Default)
+ * False: Disable certificate validation (Not Recommended)
+ * File/Dir path to CA Bundle: Verify that the certificate chains to a Certificate Authority in the provided CA bundle.
+
 .. _CommandLineInterface:
 Command Line Interface
diff --git a/lemur/plugins/lemur_acme/powerdns.py b/lemur/plugins/lemur_acme/powerdns.py
index f3ad9965..1b7cf1d4 100644
--- a/lemur/plugins/lemur_acme/powerdns.py
+++ b/lemur/plugins/lemur_acme/powerdns.py
@@ -246,11 +246,12 @@ def _get_zone_name(domain, account_number):
 def _get(path, params=None):
 """ Execute a GET request on the given URL (base_uri + path) and return response as JSON object """
 base_uri = current_app.config.get("ACME_POWERDNS_DOMAIN")
+ verify_value = current_app.config.get("ACME_POWERDNS_VERIFY", True)
 resp = requests.get(
 f"{base_uri}{path}",
 headers=_generate_header(),
 params=params,
- verify=True,
+ verify=verify_value,
 )
 resp.raise_for_status()
 return resp.json()
@@ -259,9 +260,11 @@ def _get(path, params=None):
 def _patch(path, payload):
 """ Execute a Patch request on the given URL (base_uri + path) with given payload """
 base_uri = current_app.config.get("ACME_POWERDNS_DOMAIN")
+ verify_value = current_app.config.get("ACME_POWERDNS_VERIFY", True)
 resp = requests.patch(
 f"{base_uri}{path}",
 data=json.dumps(payload),
- headers=_generate_header()
+ headers=_generate_header(),
+ verify=verify_value,
 )
 resp.raise_for_status()
From b85fe2f2b5c95ba0d2f3a31c22d5daeade8ca378 Mon Sep 17 00:00:00 2001
From: csine-nflx
Date: Thu, 5 Mar 2020 15:03:43 -0800
Subject: [PATCH 5/7] updated documentation language
---
 docs/administration.rst | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/administration.rst b/docs/administration.rst
index ea9537da..df3a5cff 100644
--- a/docs/administration.rst
+++ b/docs/administration.rst
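Review bot: `verify_value` is read from `current_app.config.get("ACME_POWERDNS_VERIFY", True)` and handed straight to `requests.get` in `_get` and `requests.patch` in `_patch` (the second hunk) with nothing logged when it is `False`, so disabling TLS validation of the PowerDNS API endpoint — which receives whatever `_generate_header()` returns, presumably the API credentials (confirm) — leaves no trace for operators or detection rules to pick up. The same lookup is duplicated verbatim in both functions, and a non-boolean value such as the string `"False"` from an environment-sourced config would be interpreted by requests as a CA-bundle path rather than as "off". Resolving the setting once in a small helper that warns when verification is disabled keeps the two call sites consistent and gives defenders a log line to alert on; each call site then becomes `verify_value = _get_verify_value()`. The `_patch` body may continue past the end of the second hunk.
```python
def _get_verify_value():
    """Return the ``verify`` argument for requests calls to the PowerDNS API.

    Reads ACME_POWERDNS_VERIFY (default True). A warning is logged when
    validation is disabled so the weakened TLS posture is visible in logs.
    """
    verify_value = current_app.config.get("ACME_POWERDNS_VERIFY", True)
    if verify_value is False:
        current_app.logger.warning(
            "ACME_POWERDNS_VERIFY is False; TLS certificate validation for the PowerDNS API is disabled"
        )
    return verify_value


def _get(path, params=None):
    """ Execute a GET request on the given URL (base_uri + path) and return response as JSON object """
    base_uri = current_app.config.get("ACME_POWERDNS_DOMAIN")
    verify_value = _get_verify_value()
    # … unchanged: requests.get(...) call, raise_for_status, return resp.json() …
```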
@@ -1012,10 +1012,10 @@ The following configuration properties are required to use the PowerDNS ACME Plu
 .. data:: ACME_POWERDNS_VERIFY
 :noindex:
- This configures how PowerDNS verifies TLS certificates. The PowerDNS Plugin relies on the requests library, supported options are as follows:
- * True: Verifies the certificate chains to a known publicly-trusted CA. (Default)
- * False: Disable certificate validation (Not Recommended)
- * File/Dir path to CA Bundle: Verify that the certificate chains to a Certificate Authority in the provided CA bundle.
+ This configures how TLS certificates on the PowerDNS API target are validated. The PowerDNS Plugin depends on the PyPi requests library, which supports the following options:
+ * True: Verifies the TLS certificate was issued by a known publicly-trusted CA. (Default)
+ * False: Disables certificate validation (Not Recommended)
+ * File/Dir path to CA Bundle: Verifies the TLS certificate was issued by a Certificate Authority in the provided CA bundle.
 .. _CommandLineInterface:
From 771e72187a48b33c6ccea78aaa5e8b58907f8f76 Mon Sep 17 00:00:00 2001
From: csine-nflx
Date: Thu, 5 Mar 2020 15:24:56 -0800
Subject: [PATCH 6/7] updates based on feedback
---
 docs/administration.rst | 2 +-
 lemur/plugins/lemur_acme/powerdns.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/administration.rst b/docs/administration.rst
index df3a5cff..d2dcf4c2 100644
--- a/docs/administration.rst
+++ b/docs/administration.rst
@@ -1012,7 +1012,7 @@ The following configuration properties are required to use the PowerDNS ACME Plu
 .. data:: ACME_POWERDNS_VERIFY
 :noindex:
- This configures how TLS certificates on the PowerDNS API target are validated. The PowerDNS Plugin depends on the PyPi requests library, which supports the following options:
+ This configures how TLS certificates on the PowerDNS API target are validated. The PowerDNS Plugin depends on the PyPi requests library, which supports the following options for the verify parameter:
 * True: Verifies the TLS certificate was issued by a known publicly-trusted CA. (Default)
 * False: Disables certificate validation (Not Recommended)
 * File/Dir path to CA Bundle: Verifies the TLS certificate was issued by a Certificate Authority in the provided CA bundle.
diff --git a/lemur/plugins/lemur_acme/powerdns.py b/lemur/plugins/lemur_acme/powerdns.py
index 1b7cf1d4..a26faaac 100644
--- a/lemur/plugins/lemur_acme/powerdns.py
+++ b/lemur/plugins/lemur_acme/powerdns.py
@@ -251,7 +251,7 @@ def _get(path, params=None):
 f"{base_uri}{path}",
 headers=_generate_header(),
 params=params,
- verify=verify_value,
+ verify=verify_value
 )
 resp.raise_for_status()
 return resp.json()
@@ -265,6 +265,6 @@ def _patch(path, payload):
 f"{base_uri}{path}",
 data=json.dumps(payload),
 headers=_generate_header(),
- verify=verify_value,
+ verify=verify_value
 )
 resp.raise_for_status()
From 6227e4aa89e0064de790c1152c4f045c11dfe670 Mon Sep 17 00:00:00 2001
From: csine-nflx
Date: Thu, 5 Mar 2020 16:51:21 -0800
Subject: [PATCH 7/7] fixing formatting of ACME_POWERDNS_VERIFY options
---
 docs/administration.rst | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/docs/administration.rst b/docs/administration.rst
index d2dcf4c2..0db374ff 100644
--- a/docs/administration.rst
+++ b/docs/administration.rst
@@ -1013,9 +1013,12 @@ The following configuration properties are required to use the PowerDNS ACME Plu
 :noindex:
 This configures how TLS certificates on the PowerDNS API target are validated. The PowerDNS Plugin depends on the PyPi requests library, which supports the following options for the verify parameter:
- * True: Verifies the TLS certificate was issued by a known publicly-trusted CA. (Default)
- * False: Disables certificate validation (Not Recommended)
- * File/Dir path to CA Bundle: Verifies the TLS certificate was issued by a Certificate Authority in the provided CA bundle.
+
+ True: Verifies the TLS certificate was issued by a known publicly-trusted CA. (Default)
+
+ False: Disables certificate validation (Not Recommended)
+
+ File/Dir path to CA Bundle: Verifies the TLS certificate was issued by a Certificate Authority in the provided CA bundle.
 .. _CommandLineInterface: