Hossein Shafagh
9037f88430
just in case the path varies
2019-10-18 11:02:41 -07:00
Hossein Shafagh
1768aad9e2
capturing no such entity exception.
2019-10-18 10:17:58 -07:00
Hossein Shafagh
8aea257e6a
optimizing the call to describe cert to only the few certs with the naming issue
2019-10-18 09:24:49 -07:00
Hossein Shafagh
d43e859c34
describing the cert for each endpoint, for better cert search
2019-10-18 08:46:01 -07:00
Hossein Shafagh
b5ab87877b
adding retry to acme setup client, since it can experience timeouts or other types of Connection Errors
2019-10-17 10:16:33 -07:00
pmelse
f0652ca6a9
bug fix for overwriting certificates
2019-10-10 15:49:31 -04:00
Hossein Shafagh
477db836f4
lint
2019-09-23 12:52:17 -07:00
Hossein Shafagh
86f661a8af
With NLBs the DNS formatting has changed, which resulted in Lemur not getting the region correctly parsed
2019-09-23 12:36:08 -07:00
Hossein Shafagh
8c9a1df2cf
Merge branch 'master' into up-dependencies-20Sep2019
2019-09-20 15:19:25 -07:00
Hossein Shafagh
a13c45e9cc
updating dependencies, and fixing the deprecated arrow.replaces to shift
2019-09-20 13:49:38 -07:00
Curtis Castrapel
1c6fee7292
Allow better DNS autodetection for domains that directly match a DNS hosted zone
2019-08-15 10:52:26 -07:00
Hossein Shafagh
5d4413e45c
Merge branch 'master' into ultradnsPlugin
2019-08-09 08:48:24 -07:00
Kush Bavishi
d9aef2da3e
Changed dummy nameserver value
2019-08-07 14:38:18 -07:00
Kush Bavishi
a97283f0a4
Fixed indentation
2019-08-07 14:23:09 -07:00
Kush Bavishi
a6bf081bec
Remove unused import
2019-08-07 14:08:27 -07:00
Kush Bavishi
43f5c8b34e
Fixed indentation
2019-08-07 14:08:06 -07:00
Kush Bavishi
cadf372f7b
Removed hardcoded value from function call
2019-08-07 14:02:10 -07:00
Kush Bavishi
b4f4e4dc24
Added extra check for return value to test_create_txt_record
2019-08-07 13:55:02 -07:00
Kush Bavishi
fa7f71d859
Modified paginate response to dummy values
2019-08-07 13:53:10 -07:00
Kush Bavishi
3ff56fc595
Blank line removed
2019-08-07 13:42:11 -07:00
Kush Bavishi
894502644c
test_wait_for_dns_change fixed!
2019-08-07 13:39:20 -07:00
Kush Bavishi
37a1b55b08
test_delete_txt_record changed to mock get_zone_name and return the value directly instead of executing the function.
2019-08-07 13:27:21 -07:00
Kush Bavishi
31c2d207a2
test_delete_txt_record fixed. Function call was missing earlier
2019-08-07 13:23:05 -07:00
Kush Bavishi
785c1ca73e
test_create_txt_record modified - get_zone_name mocked to return the zone name directly, instead of actually running the function.
2019-08-07 13:20:24 -07:00
Kush Bavishi
f2cbddf9e2
Unit tests for get_zone_name, get_zones
2019-08-07 13:17:16 -07:00
Kush Bavishi
6e84e1fd59
Unit Tests for create_txt_record, delete_txt_record, wait_for_dns_change
2019-08-07 13:04:38 -07:00
Hossein Shafagh
ff1f73f985
fixing the plugin test to include authority
2019-08-07 12:05:36 -07:00
Hossein Shafagh
bbda9b1d6f
making sure to handle when no config file provided, though we do a check for that
2019-08-07 12:05:13 -07:00
Hossein Shafagh
b885cdf9d0
adding multi profile name support with DigiCert plug.
...
This requires that the configs are a dict, with multiple entries, where the key is the name of the Authority used to issue certs with.
DIGICERT_CIS_PROFILE_NAMES = {"sha2-rsa-ecc-root": "ssl_plus"}
DIGICERT_CIS_ROOTS = {"root": "ROOT"}
DIGICERT_CIS_INTERMEDIATES = {"inter": "INTERMEDIATE_CA_CERT"}
Hence, in DB one needs to add
1) the corresponding authority table, with digicert-cis-issuer. Note the names here are used for mapping in the above config
2) the corresponding intermediary in the certificate table, with root_authority_id set to the id of the new authority_id
2019-08-07 10:24:38 -07:00
Kush Bavishi
a7c2b970b0
Unit testing Part 1
2019-08-05 14:00:22 -07:00
Kush Bavishi
2903799b85
Changed string formatting from "{}".format() to f"{}" for consistency
2019-07-31 14:19:49 -07:00
Kush Bavishi
5a401b2d87
Added the Zone class and Record class to ultradns.py and removed the respective files
2019-07-31 12:04:42 -07:00
Kush Bavishi
fe075dc9f5
Changed function comments to doc strings.
2019-07-31 12:00:31 -07:00
Kush Bavishi
503df999fa
Updated metrics.send to send function named, followed by status, separated by a period
2019-07-31 11:32:04 -07:00
Kush Bavishi
11cd095131
Reduced the number of calls to get_public_authoritative_nameserver by using a variable
2019-07-31 11:12:28 -07:00
Kush Bavishi
3ba7fdbd49
Updated logger to log a dictionary instead of a string
2019-07-31 11:11:39 -07:00
Hossein Shafagh
6bf920e66c
Merge branch 'master' into ultradnsPlugin
2019-07-30 14:13:45 -07:00
Kush Bavishi
44bc562e8b
Update ultradns.py
...
Minor logging changes in wait_for_dns_change
2019-07-30 13:08:16 -07:00
Kush Bavishi
3d48b422b5
Removed TODO
2019-07-30 11:39:35 -07:00
Kush Bavishi
3ad791e1ec
Dynamically obtain the authoritative nameserver for the domain
2019-07-29 18:01:28 -07:00
Kush Bavishi
e993194b4f
Check ultraDNS authoritative server first. Upon success, check Google's DNS server.
2019-07-29 14:59:28 -07:00
Hossein Shafagh
adabe18c90
metric tags, to be able to track which domains were failing during the LetsEncrypt domain validation
2019-07-25 18:56:28 -07:00
Kush Bavishi
252410c6e9
Updated TTL from 300 to 5
2019-07-22 16:00:20 -07:00
Kush Bavishi
51f3b7dde0
Added the Record class for UltraDNS
2019-07-22 14:23:40 -07:00
Kush Bavishi
0b52aa8c59
Added Zone class to handle ultradns zones
2019-07-22 11:47:48 -07:00
Kush Bavishi
e37a7c775e
Initial commit for the UltraDNS plugin to support Lets Encrypt
2019-07-18 14:29:54 -07:00
Curtis Castrapel
0c5a8f2039
Relax celery time limit for source syncing; Ensure metric tags are string
2019-07-01 08:35:04 -07:00
alwaysjolley
86a1fb41ac
lint fix
2019-06-25 06:56:37 -04:00
alwaysjolley
55a96ba790
type none
2019-06-24 15:10:10 -04:00
alwaysjolley
6699833297
fixing empty chain
2019-06-24 13:10:08 -04:00
alwaysjolley
bbf50cf0b0
updated dest as well as src
2019-06-20 08:26:32 -04:00
alwaysjolley
02719a1de7
Merge branch 'master' into vault_regex
...
fixed conflicts:
lemur/plugins/lemur_vault_dest/plugin.py
2019-06-19 09:53:08 -04:00
alwaysjolley
56917614a2
fixing regex to be more flexible
2019-06-19 09:46:44 -04:00
Ryan DeShone
09c7076e79
Handle double data field in API v2
2019-05-22 17:12:10 -04:00
Curtis Castrapel
1423ac0d98
More metrics
2019-05-21 12:55:33 -07:00
Curtis Castrapel
34c7e5230b
Set a limit on number of retries
2019-05-21 12:52:41 -07:00
Curtis Castrapel
68fd1556b2
Black lint all the things
2019-05-16 07:57:02 -07:00
Curtis Castrapel
e3c5490d25
Expose exact response from digicert as error
2019-05-15 13:36:40 -07:00
Curtis Castrapel
7e92edc70a
Set resolved cert ID before resolving cert; Ignore sentry exceptions when no records on deletion
2019-05-15 11:43:59 -07:00
Curtis Castrapel
565142f985
Add soft timeouts to celery jobs; Check for PEM in LE order
2019-05-14 12:52:30 -07:00
Curtis
e65154b48e
Merge branch 'master' into develop
2019-05-07 07:36:51 -07:00
alwaysjolley
ef7a8587fe
Merge branch 'lemur_vault_source' of github.com:/alwaysjolley/lemur into lemur_vault_source
2019-05-07 10:06:09 -04:00
alwaysjolley
b0c8901b0a
lint cleanup
2019-05-07 10:05:01 -04:00
alwaysjolley
36ce1cc7ef
Merge branch 'master' into lemur_vault_source
2019-05-07 09:41:50 -04:00
alwaysjolley
fb3f0bd72a
adding Vault Source plugin
2019-05-07 09:37:30 -04:00
Daniel Iancu
a7af3cf8d2
Fix Cloudflare DNS
2019-05-07 03:05:24 +03:00
Curtis Castrapel
3a1da72419
nt
2019-04-29 13:57:04 -07:00
Curtis Castrapel
6e3f394cff
Updated requirements ; Revert change and require DNS validation by provider
2019-04-29 13:55:26 -07:00
Curtis Castrapel
1a90e71884
Move ACME host validation logic prior to R53 host modification
2019-04-26 17:27:44 -07:00
Curtis Castrapel
333ba8030a
Ensure hostname is lowercase when comparing DNS challenges. ACME will automatically lowercase the hostname
2019-04-26 15:45:04 -07:00
Curtis Castrapel
1a3ba46873
More retry changes
2019-04-26 10:18:54 -07:00
Curtis Castrapel
1e64851d79
Strip out self-polling logic and rely on ACME; Enhance ELB logging and retries
2019-04-26 10:16:18 -07:00
Curtis
8eef95b58e
Merge branch 'master' into expose_verisign_exception
2019-04-25 19:15:55 -07:00
Curtis Castrapel
dcdfb32883
Expose verisign exceptions
2019-04-25 19:14:15 -07:00
Curtis Castrapel
39584f214b
Process DNS Challenges appropriately (1 challenge -> 1 domain)
2019-04-25 15:12:52 -07:00
Curtis Castrapel
2bc604e5a9
Better metrics and error reporting
2019-04-25 13:50:41 -07:00
Curtis Castrapel
272285f64a
Better exception handling, logging, and metrics for ACME flow
2019-04-24 15:26:23 -07:00
alwaysjolley
a801112cf6
Merge branch 'master' into lemur_vault_plugin
2019-04-23 07:07:39 -04:00
alwaysjolley
85efb6a99e
cleanup tmp files
2019-04-23 07:06:52 -04:00
alwaysjolley
f9dadb2670
fixing validation
2019-04-22 09:38:44 -04:00
alwaysjolley
8dccaaf544
simpler validation
2019-04-22 07:58:01 -04:00
alwaysjolley
1667c05742
removed unused functions
2019-04-18 13:57:10 -04:00
alwaysjolley
b39e2e3f66
Merge branch 'master' into lemur_vault_plugin
2019-04-18 13:55:45 -04:00
alwaysjolley
fb3b0e8cd7
adding regex filtering
2019-04-18 13:52:40 -04:00
Hossein Shafagh
df8d4e0892
Merge branch 'master' into rewrite-java-keystore-use-pyjks
2019-04-12 09:38:50 -07:00
alwaysjolley
9ecc19c481
adding san filter
2019-04-12 09:53:06 -04:00
Hossein Shafagh
d7abf2ec18
adding a new util method for setting options
2019-04-11 17:13:47 -07:00
Hossein Shafagh
60edab9f6d
cleaning up
2019-04-11 14:12:31 -07:00
Hossein Shafagh
f185df4f1e
bringing class AWSDestinationPlugin(DestinationPlugin) after AWSSourcePlugin.slug, such that we can do: sync_as_source_name = AWSSourcePlugin.slug
2019-04-11 13:28:58 -07:00
Hossein Shafagh
d628e97035
Merge branch 'master' into hosseinsh-celeryjob-sync-src-dst
2019-04-10 09:47:06 -07:00
Hossein Shafagh
f3d0536800
removing hardcoded rules, to give more flexibility into defining new source-destinations
2019-04-09 20:49:07 -07:00
Hossein Shafagh
64c6bb2475
Merge branch 'master' into rewrite-java-keystore-use-pyjks
2019-04-09 08:28:05 -07:00
Marti Raudsepp
dbf34a4d48
Rewrite Java Keystore/Truststore support based on pyjks library
2019-04-06 20:24:46 +03:00
Ryan DeShone
e10007ef7b
Add support for Vault KV API v2
...
This adds the ability to target KV API v1 or v2.
2019-03-29 10:32:49 -04:00
Hossein Shafagh
d2e969b836
better synching of source and destinations
2019-03-26 18:20:14 -07:00
Curtis
4018c68d49
Merge branch 'master' into authority_validation_LE_errors
2019-03-25 08:34:10 -07:00
Curtis Castrapel
c2158ff8fb
Add order URI during LE cert creation failure; Fail properly when invalid CA passed; Update reqs
2019-03-25 08:28:23 -07:00
alwaysjolley
fa4a5122bc
fixing file read to trim line endings and cleanup
2019-03-20 14:59:04 -04:00
alwaysjolley
f99b11d50e
refactor url and token to support multiple instances of vault
2019-03-20 13:51:06 -04:00
alwaysjolley
f1c09a6f8f
fixed comments
2019-03-07 15:58:34 -05:00
alwaysjolley
752c9a086b
fixing error handling and better data formatting
2019-03-07 15:41:29 -05:00
alwaysjolley
a1cb8ee266
fixing lint
2019-03-05 07:37:04 -05:00
alwaysjolley
880eaad6cb
Merge branch 'lemur_vault_plugin' of github.com:/alwaysjolley/lemur into lemur_vault_plugin
2019-03-05 07:22:18 -05:00
alwaysjolley
4a027797e0
fixing linting issues
2019-03-05 07:19:22 -05:00
alwaysjolley
20518bc377
Merge branch 'master' into lemur_vault_plugin
2019-03-01 09:58:43 -05:00
alwaysjolley
5d2f603c84
renamed vault destination plugin to avoid conflict with vault pki plugin
2019-03-01 09:49:52 -05:00
alwaysjolley
53301728fa
Moved url to config file instead of plugin option. Only one url can be supported
...
unless both the token and url are moved to the plugin options.
2019-02-26 09:15:12 -05:00
alwaysjolley
cd65a36437
- support multiple bundle configuration, nginx, apache, cert only
...
- update vault destination to support multi cert under one object
- added san list as key value
- read and update object with new keys, keeping other keys, allowing
us to keep an iterable list of keys in an object for deploying multiple
certs to a single node
2019-02-25 09:42:07 -05:00
Ronald Moesbergen
ef0c08dfd9
Fix: when no alias is entered when exporting a certificate, the alias is set to 'blah'.
...
This fix sets it to the common name instead.
2019-02-21 16:33:43 +01:00
alwaysjolley
eaa73998a0
adding lemur_vault destination plugin
2019-02-19 15:03:15 -05:00
Hossein Shafagh
6705a0e030
Merge branch 'master' into ADCS-plugin
2019-02-01 16:38:39 -08:00
sirferl
36ab1c0bec
Merge branch 'master' into ADCS-plugin
2019-02-01 19:10:46 +01:00
Marti Raudsepp
e24a94d798
Enforce that PEM strings (certs, keys, CSR) are internally passed as str, not bytes
...
This was already true in most places but not 100%, leading to lots of redundant checks and conversions.
2019-01-30 18:11:24 +02:00
Hossein Shafagh
7f4f4ffded
Merge branch 'master' into master
2019-01-29 16:30:15 -08:00
Hossein Shafagh
48ad20faca
moving the 2 year validity issue to the Verisign plugin, and address it there
2019-01-29 16:17:08 -08:00
alwaysjolley
c68a9cf80a
fixing linting issues
2019-01-29 11:10:56 -05:00
alwaysjolley
254a3079f2
fix whitespace
2019-01-29 11:01:55 -05:00
alwaysjolley
b4d1b80e04
Adding support for cfssl auth mode signing
2019-01-29 10:13:44 -05:00
sirferl
c77ccdf46e
Merge branch 'master' into ADCS-plugin
2019-01-28 17:57:46 +01:00
Curtis Castrapel
7f88c24e83
Fix LetsEncrypt Dyn flow for duplicate CN/SAN
2019-01-17 14:56:04 -08:00
Curtis Castrapel
0e02e6da79
Be more forgiving to throttling
2019-01-11 11:13:43 -08:00
sirferl
a1ca61d813
changed a too long comment
2019-01-09 09:50:26 +01:00
sirferl
a43476bc87
minor errors after lint fix
2019-01-07 11:04:27 +01:00
sirferl
054685fc38
Merge branch 'master' into ADCS-plugin
2019-01-07 10:23:18 +01:00
sirferl
c62bcd1456
repaired several lint errors
2019-01-07 10:02:37 +01:00
Curtis
6a31856d0d
Update plugin.py
2018-12-21 12:33:47 -08:00
Curtis
b5d6abb01f
Merge branch 'master' into kubernetes-improvment
2018-12-21 12:06:09 -08:00
sirferl
f02178c154
added ADCS issuer and source plugin
2018-12-20 11:54:47 +01:00
Wesley Hartford
fbf48316b1
Minor changes for code review suggestions.
2018-12-18 22:43:32 -05:00
Wesley Hartford
073d05ae21
Merge branch 'kubernetes-fix' into kubernetes-improvment
2018-12-18 22:26:03 -05:00
Wesley Hartford
e7313da03e
Minor changes for code review suggestions.
2018-12-18 22:24:48 -05:00
Wesley Hartford
bc621c1468
Improve the Kubernetes Destination plugin
...
The plugin now supports loading details from local files rather than requiring them to be entered through the UI. This is especially relevant when Lemur is deployed on Kubernetes as the certificate, token, and current namespace will be injected into the pod. The location these details are injected are the defaults if no configuration details are supplied.
The plugin now supports deploying the secret in three different formats:
* Full - matches the format used by the plugin prior to these changes.
* TLS - creates a secret of type kubernetes.io/tls and includes the certificate chain and private key, this format is used by many kubernetes features.
* Certificate - creates a secret containing only the certificate chain, suitable for use as trust authority where private keys should _NOT_ be deployed.
The deployed secret can now have a name set through the configuration options; the setting allows the insertion of the placeholder '{common_name}' which will be replaced by the certificate's common name value.
Debug level logging has been added.
2018-12-12 13:25:36 -08:00
Wesley Hartford
060c78fd91
Fix Kubernetes Destination Plugin
...
The Kubernetes plugin was broken. There were two major issues:
* The server certificate was entered in a string input making it impossible (as far as I know) to enter a valid PEM certificate.
* The base64 encoding calls were passing strings where bytes were expected.
The fix to the first issue depends on #2218 and a change in the options structure. I've also included some improved input validation and logging.
2018-12-10 15:33:04 -08:00
Wesley Hartford
437d918cf7
Fix textarea and validation on destination page
...
The destination configuration page did not previously support a textarea input as was supported on most other pages. The validation of string inputs was not being performed. This commit addresses both of those issues and corrects the validation expressions for the AWS and S3 destination plugins so that they continue to function. The SFTP destination plugin does not have any string validation. The Kubernetes plugin does not work at all as far as I can tell; there will be another PR in the coming days to address that.
2018-12-10 12:04:16 -08:00
Curtis Castrapel
2a235fb0e2
Prefer DNS provider with longest matching zone
2018-11-30 12:44:52 -08:00
Curtis Castrapel
a90154e0ae
LetsEncrypt Celery Flow
2018-11-29 09:29:05 -08:00
Curtis Castrapel
a7a05e26bc
Do not re-use CSR during certificate reissuance; Update requirement; Add more logging to celery handler
2018-11-12 09:52:11 -08:00
Curtis Castrapel
a3f96b96ee
Add fixture to failing function
2018-11-05 15:16:09 -08:00
Curtis Castrapel
75183ef2f2
Unpin most dependencies, and fix moto
2018-11-05 14:37:52 -08:00
Curtis Castrapel
054cc64ee8
Prevent dashes from appearing at end of cert name in AWS
2018-10-23 12:49:58 -07:00
Curtis Castrapel
56282845fa
Enable optional verisign cloud transparency configuration
2018-10-01 09:20:50 -07:00
Gus Esquivel
82e69db0c5
fix error message typo
2018-09-04 10:21:34 -05:00
Curtis
1b77dfa47a
Revert "Precommit - Fix linty things"
2018-08-22 13:21:35 -07:00
Curtis Castrapel
3e9726d9db
Precommit work
2018-08-22 10:38:09 -07:00
Curtis Castrapel
9f64f0523b
Increase timeouts
2018-08-17 15:36:56 -07:00
Curtis Castrapel
43ae6c39e3
wait right here
2018-08-17 12:14:02 -07:00
Curtis Castrapel
7f9a035802
Fix private key bytecode issue
2018-08-17 10:59:01 -07:00
Curtis Castrapel
be9d683e46
fix merge
2018-08-16 10:15:48 -07:00
Curtis Castrapel
da99bcda68
Better zone handling
2018-08-16 10:12:19 -07:00
Curtis Castrapel
2c22c9c2f1
Allow proper detection of zones, fix certificate detection
2018-08-14 14:37:45 -07:00