adding functionality to fetch the desired chain
This commit is contained in:
parent
f2205b6025
commit
caa44c1531
|
@ -23,6 +23,7 @@ from acme import challenges, errors, messages
|
||||||
from acme.client import BackwardsCompatibleClientV2, ClientNetwork
|
from acme.client import BackwardsCompatibleClientV2, ClientNetwork
|
||||||
from acme.errors import TimeoutError
|
from acme.errors import TimeoutError
|
||||||
from acme.messages import Error as AcmeError
|
from acme.messages import Error as AcmeError
|
||||||
|
from certbot import crypto_util as acme_crypto_util
|
||||||
from flask import current_app
|
from flask import current_app
|
||||||
|
|
||||||
from lemur.common.utils import generate_private_key
|
from lemur.common.utils import generate_private_key
|
||||||
|
@ -92,7 +93,8 @@ class AcmeHandler(object):
|
||||||
deadline = datetime.datetime.now() + datetime.timedelta(seconds=360)
|
deadline = datetime.datetime.now() + datetime.timedelta(seconds=360)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
orderr = acme_client.poll_and_finalize(order, deadline)
|
orderr = acme_client.poll_authorizations(order, deadline)
|
||||||
|
orderr = acme_client.finalize_order(orderr, deadline, fetch_alternative_chains=True)
|
||||||
|
|
||||||
except (AcmeError, TimeoutError):
|
except (AcmeError, TimeoutError):
|
||||||
sentry.captureException(extra={"order_url": str(order.uri)})
|
sentry.captureException(extra={"order_url": str(order.uri)})
|
||||||
|
@ -112,14 +114,23 @@ class AcmeHandler(object):
|
||||||
f"Successfully resolved Acme order: {order.uri}", exc_info=True
|
f"Successfully resolved Acme order: {order.uri}", exc_info=True
|
||||||
)
|
)
|
||||||
|
|
||||||
pem_certificate, pem_certificate_chain = self.extract_cert_and_chain(orderr.fullchain_pem)
|
pem_certificate, pem_certificate_chain = self.extract_cert_and_chain(orderr.fullchain_pem,
|
||||||
|
orderr.alternative_fullchains_pem)
|
||||||
|
|
||||||
current_app.logger.debug(
|
current_app.logger.debug(
|
||||||
"{0} {1}".format(type(pem_certificate), type(pem_certificate_chain))
|
"{0} {1}".format(type(pem_certificate), type(pem_certificate_chain))
|
||||||
)
|
)
|
||||||
return pem_certificate, pem_certificate_chain
|
return pem_certificate, pem_certificate_chain
|
||||||
|
|
||||||
def extract_cert_and_chain(self, fullchain_pem):
|
def extract_cert_and_chain(self, fullchain_pem, alternative_fullchains_pem, preferred_issuer=None):
|
||||||
|
|
||||||
|
if not preferred_issuer:
|
||||||
|
preferred_issuer = current_app.config.get("ACME_PREFERRED_ISSUER", None)
|
||||||
|
if preferred_issuer:
|
||||||
|
# returns first chain if not match
|
||||||
|
fullchain_pem = acme_crypto_util.find_chain_with_issuer([fullchain_pem] + alternative_fullchains_pem,
|
||||||
|
preferred_issuer)
|
||||||
|
|
||||||
pem_certificate = OpenSSL.crypto.dump_certificate(
|
pem_certificate = OpenSSL.crypto.dump_certificate(
|
||||||
OpenSSL.crypto.FILETYPE_PEM,
|
OpenSSL.crypto.FILETYPE_PEM,
|
||||||
OpenSSL.crypto.load_certificate(
|
OpenSSL.crypto.load_certificate(
|
||||||
|
@ -127,12 +138,7 @@ class AcmeHandler(object):
|
||||||
),
|
),
|
||||||
).decode()
|
).decode()
|
||||||
|
|
||||||
if current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA", False) \
|
pem_certificate_chain = fullchain_pem[len(pem_certificate):].lstrip()
|
||||||
and datetime.datetime.now() < datetime.datetime.strptime(
|
|
||||||
current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE", "17/03/21"), '%d/%m/%y'):
|
|
||||||
pem_certificate_chain = current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA")
|
|
||||||
else:
|
|
||||||
pem_certificate_chain = fullchain_pem[len(pem_certificate):].lstrip()
|
|
||||||
|
|
||||||
return pem_certificate, pem_certificate_chain
|
return pem_certificate, pem_certificate_chain
|
||||||
|
|
||||||
|
|
|
@ -119,8 +119,10 @@ class AcmeHttpChallenge(AcmeChallenge):
|
||||||
current_app.logger.info("Uploaded HTTP-01 challenge tokens, trying to poll and finalize the order")
|
current_app.logger.info("Uploaded HTTP-01 challenge tokens, trying to poll and finalize the order")
|
||||||
|
|
||||||
try:
|
try:
|
||||||
finalized_orderr = acme_client.poll_and_finalize(orderr,
|
deadline = datetime.datetime.now() + datetime.timedelta(seconds=90)
|
||||||
datetime.datetime.now() + datetime.timedelta(seconds=90))
|
orderr = acme_client.poll_authorizations(orderr, deadline)
|
||||||
|
finalized_orderr = acme_client.finalize_order(orderr, deadline, fetch_alternative_chains=True)
|
||||||
|
|
||||||
except errors.ValidationError as validationError:
|
except errors.ValidationError as validationError:
|
||||||
for authz in validationError.failed_authzrs:
|
for authz in validationError.failed_authzrs:
|
||||||
for chall in authz.body.challenges:
|
for chall in authz.body.challenges:
|
||||||
|
@ -130,7 +132,8 @@ class AcmeHttpChallenge(AcmeChallenge):
|
||||||
ERROR_CODES[chall.error.code]))
|
ERROR_CODES[chall.error.code]))
|
||||||
raise Exception('Validation error occured, can\'t complete challenges. See logs for more information.')
|
raise Exception('Validation error occured, can\'t complete challenges. See logs for more information.')
|
||||||
|
|
||||||
pem_certificate, pem_certificate_chain = self.acme.extract_cert_and_chain(finalized_orderr.fullchain_pem)
|
pem_certificate, pem_certificate_chain = self.acme.extract_cert_and_chain(finalized_orderr.fullchain_pem,
|
||||||
|
finalized_orderr.alternative_fullchains_pem)
|
||||||
|
|
||||||
if len(deployed_challenges) != 0:
|
if len(deployed_challenges) != 0:
|
||||||
for token_path in deployed_challenges:
|
for token_path in deployed_challenges:
|
||||||
|
|
Loading…
Reference in New Issue