From e0ac7497348183d19e82afd4019651540ab922d6 Mon Sep 17 00:00:00 2001
From: Ronald Moesbergen
Date: Thu, 6 Dec 2018 16:47:53 +0100
Subject: [PATCH 1/2] When parsing SAN's, ignore unknown san_types, because in some cases they can contain unparsable/serializable values, resulting in a TypeError(repr(o) + " is not JSON serializable")
---
 lemur/common/fields.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lemur/common/fields.py b/lemur/common/fields.py
index 9a0198e9..5ab0c6f0 100644
--- a/lemur/common/fields.py
+++ b/lemur/common/fields.py
@@ -350,6 +350,7 @@ class SubjectAlternativeNameExtension(Field):
 value = value.dotted_string
 else:
 current_app.logger.warning('Unknown SubAltName type: {name}'.format(name=name))
+ continue
 general_names.append({'nameType': name_type, 'value': value})
From a50d80992c41ff5ba4a6ac6248212fd2b5719c4f Mon Sep 17 00:00:00 2001
From: sirferl
Date: Wed, 12 Dec 2018 12:45:48 +0100
Subject: [PATCH 2/2] updated query to ignore empty parameters
---
 lemur/certificates/cli.py | 52 +++++++++++++++------------------------
 1 file changed, 20 insertions(+), 32 deletions(-)
diff --git a/lemur/certificates/cli.py b/lemur/certificates/cli.py
index 7a46138c..c4a95187 100644
--- a/lemur/certificates/cli.py
+++ b/lemur/certificates/cli.py
@@ -238,17 +238,7 @@ def reissue(old_certificate_name, commit):
 if not old_cert:
 for certificate in get_all_pending_reissue():
- try:
- request_reissue(certificate, commit)
- except Exception as e:
- sentry.captureException()
- current_app.logger.exception(
- "Error reissuing certificate: {}".format(certificate.name), exc_info=True)
- print(
- "[!] Failed to reissue certificates. Reason: {}".format(
- e
- )
- )
+ request_reissue(certificate, commit)
 else:
 request_reissue(old_cert, commit)
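Review bot: After the added `continue`, a SAN entry of an unrecognised type is left out of `general_names` entirely, so the serialized extension no longer lists every name the certificate carries and the warning is the only trace of it. For a certificate inventory that matters, because a dropped name (an otherName entry, for instance) can still be honoured by relying parties. I would document the omission at the skip, e.g. `# Unsupported GeneralName type: value may not be JSON serializable, so the entry is omitted from the output`, and have the warning identify the type rather than the raw object, e.g. `type(name).__name__`, assuming `name` is the GeneralName instance here. The enclosing method starts and ends outside the hunk.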
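Review bot: With the `try`/`except` removed from the loop over `get_all_pending_reissue()` in `reissue`, the first exception raised by `request_reissue` ends the whole run and every certificate after it stays un-reissued. Unless `request_reissue` handles and reports its own errors (not visible in this hunk), the Sentry capture and the per-certificate log line are lost as well. The commit subject only mentions the query command, so this may be an unintended revert. I would keep per-certificate isolation in the loop, as sketched below; `reissue` starts outside the hunk.

```python
        for certificate in get_all_pending_reissue():
            try:
                request_reissue(certificate, commit)
            except Exception:
                # One failing certificate must not stop the rest of the batch.
                sentry.captureException()
                current_app.logger.exception(
                    "Error reissuing certificate: {}".format(certificate.name))
```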
@@ -275,30 +265,31 @@ def query(fqdns, issuer, owner, expired):
 table = []
 q = database.session_query(Certificate)
+ if issuer:
+ sub_query = database.session_query(Authority.id) \
+ .filter(Authority.name.ilike('%{0}%'.format(issuer))) \
+ .subquery()
- sub_query = database.session_query(Authority.id) \
- .filter(Authority.name.ilike('%{0}%'.format(issuer))) \
- .subquery()
-
- q = q.filter(
- or_(
- Certificate.issuer.ilike('%{0}%'.format(issuer)),
- Certificate.authority_id.in_(sub_query)
+ q = q.filter(
+ or_(
+ Certificate.issuer.ilike('%{0}%'.format(issuer)),
+ Certificate.authority_id.in_(sub_query)
+ )
 )
- )
-
- q = q.filter(Certificate.owner.ilike('%{0}%'.format(owner)))
+ if owner:
+ q = q.filter(Certificate.owner.ilike('%{0}%'.format(owner)))
 if not expired:
 q = q.filter(Certificate.expired == False) # noqa
- for f in fqdns.split(','):
- q = q.filter(
- or_(
- Certificate.cn.ilike('%{0}%'.format(f)),
- Certificate.domains.any(Domain.name.ilike('%{0}%'.format(f)))
+ if fqdns:
+ for f in fqdns.split(','):
+ q = q.filter(
+ or_(
+ Certificate.cn.ilike('%{0}%'.format(f)),
+ Certificate.domains.any(Domain.name.ilike('%{0}%'.format(f)))
+ )
 )
- )
 for c in q.all():
 table.append([c.id, c.name, c.owner, c.issuer])
@@ -373,10 +364,7 @@ def check_revoked():
 else:
 status = verify_string(cert.body, "")
- if status is None:
- cert.status = 'unknown'
- else:
- cert.status = 'valid' if status else 'revoked'
+ cert.status = 'valid' if status else 'revoked'
 except Exception as e:
 sentry.captureException()
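Review bot: The new `if fqdns:` guard in `query` skips the filter only when the whole option is empty; the items produced by `fqdns.split(',')` are still used as they come, so `a.example, b.example` searches for ` b.example` with a leading space and a trailing comma adds a `'%%'` pattern. Iterating over cleaned items would close that gap, e.g. `for f in filter(None, (p.strip() for p in fqdns.split(','))):`. Separately, `issuer`, `owner` and each `f` are formatted into `ilike` patterns unescaped, so a `%` or `_` in the input acts as a wildcard; a comment stating that this is intended, or an escape, would settle it. With every option empty the command now returns all non-expired certificates through `q.all()`, which deserves a line in the command's help text.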
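Review bot: The replacement line `cert.status = 'valid' if status else 'revoked'` in `check_revoked` maps a `None` result to `'revoked'`, where the removed branch recorded `'unknown'`. If the verification helper can return `None` when revocation status cannot be determined (the removed check suggests so; its code is not in this hunk), a lookup failure would mark healthy certificates as revoked. I would keep the three-way result: `cert.status = 'unknown' if status is None else ('valid' if status else 'revoked')`. The change is not mentioned in the commit subject, and `check_revoked` starts and ends outside the hunk.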