adding functionality to fetch the desired chain

This commit is contained in:
Hossein Shafagh 2021-03-10 12:39:50 -08:00
parent f2205b6025
commit caa44c1531
2 changed files with 21 additions and 12 deletions

View File

@ -23,6 +23,7 @@ from acme import challenges, errors, messages
from acme.client import BackwardsCompatibleClientV2, ClientNetwork from acme.client import BackwardsCompatibleClientV2, ClientNetwork
from acme.errors import TimeoutError from acme.errors import TimeoutError
from acme.messages import Error as AcmeError from acme.messages import Error as AcmeError
from certbot import crypto_util as acme_crypto_util
from flask import current_app from flask import current_app
from lemur.common.utils import generate_private_key from lemur.common.utils import generate_private_key
@ -92,7 +93,8 @@ class AcmeHandler(object):
deadline = datetime.datetime.now() + datetime.timedelta(seconds=360) deadline = datetime.datetime.now() + datetime.timedelta(seconds=360)
try: try:
orderr = acme_client.poll_and_finalize(order, deadline) orderr = acme_client.poll_authorizations(order, deadline)
orderr = acme_client.finalize_order(orderr, deadline, fetch_alternative_chains=True)
except (AcmeError, TimeoutError): except (AcmeError, TimeoutError):
sentry.captureException(extra={"order_url": str(order.uri)}) sentry.captureException(extra={"order_url": str(order.uri)})
@ -112,14 +114,23 @@ class AcmeHandler(object):
f"Successfully resolved Acme order: {order.uri}", exc_info=True f"Successfully resolved Acme order: {order.uri}", exc_info=True
) )
pem_certificate, pem_certificate_chain = self.extract_cert_and_chain(orderr.fullchain_pem) pem_certificate, pem_certificate_chain = self.extract_cert_and_chain(orderr.fullchain_pem,
orderr.alternative_fullchains_pem)
current_app.logger.debug( current_app.logger.debug(
"{0} {1}".format(type(pem_certificate), type(pem_certificate_chain)) "{0} {1}".format(type(pem_certificate), type(pem_certificate_chain))
) )
return pem_certificate, pem_certificate_chain return pem_certificate, pem_certificate_chain
def extract_cert_and_chain(self, fullchain_pem): def extract_cert_and_chain(self, fullchain_pem, alternative_fullchains_pem, preferred_issuer=None):
if not preferred_issuer:
preferred_issuer = current_app.config.get("ACME_PREFERRED_ISSUER", None)
if preferred_issuer:
# returns first chain if not match
fullchain_pem = acme_crypto_util.find_chain_with_issuer([fullchain_pem] + alternative_fullchains_pem,
preferred_issuer)
pem_certificate = OpenSSL.crypto.dump_certificate( pem_certificate = OpenSSL.crypto.dump_certificate(
OpenSSL.crypto.FILETYPE_PEM, OpenSSL.crypto.FILETYPE_PEM,
OpenSSL.crypto.load_certificate( OpenSSL.crypto.load_certificate(
@ -127,12 +138,7 @@ class AcmeHandler(object):
), ),
).decode() ).decode()
if current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA", False) \ pem_certificate_chain = fullchain_pem[len(pem_certificate):].lstrip()
and datetime.datetime.now() < datetime.datetime.strptime(
current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE", "17/03/21"), '%d/%m/%y'):
pem_certificate_chain = current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA")
else:
pem_certificate_chain = fullchain_pem[len(pem_certificate):].lstrip()
return pem_certificate, pem_certificate_chain return pem_certificate, pem_certificate_chain

View File

@ -119,8 +119,10 @@ class AcmeHttpChallenge(AcmeChallenge):
current_app.logger.info("Uploaded HTTP-01 challenge tokens, trying to poll and finalize the order") current_app.logger.info("Uploaded HTTP-01 challenge tokens, trying to poll and finalize the order")
try: try:
finalized_orderr = acme_client.poll_and_finalize(orderr, deadline = datetime.datetime.now() + datetime.timedelta(seconds=90)
datetime.datetime.now() + datetime.timedelta(seconds=90)) orderr = acme_client.poll_authorizations(orderr, deadline)
finalized_orderr = acme_client.finalize_order(orderr, deadline, fetch_alternative_chains=True)
except errors.ValidationError as validationError: except errors.ValidationError as validationError:
for authz in validationError.failed_authzrs: for authz in validationError.failed_authzrs:
for chall in authz.body.challenges: for chall in authz.body.challenges:
@ -130,7 +132,8 @@ class AcmeHttpChallenge(AcmeChallenge):
ERROR_CODES[chall.error.code])) ERROR_CODES[chall.error.code]))
raise Exception('Validation error occured, can\'t complete challenges. See logs for more information.') raise Exception('Validation error occured, can\'t complete challenges. See logs for more information.')
pem_certificate, pem_certificate_chain = self.acme.extract_cert_and_chain(finalized_orderr.fullchain_pem) pem_certificate, pem_certificate_chain = self.acme.extract_cert_and_chain(finalized_orderr.fullchain_pem,
finalized_orderr.alternative_fullchains_pem)
if len(deployed_challenges) != 0: if len(deployed_challenges) != 0:
for token_path in deployed_challenges: for token_path in deployed_challenges: