477db836f4
lint
2019-09-23 12:52:17 -07:00
86f661a8af
With NLBs the DNS formatting has changed, which resulted in Lemur not getting the region correctly parsed
2019-09-23 12:36:08 -07:00
8c9a1df2cf
Merge branch 'master' into up-dependencies-20Sep2019
2019-09-20 15:19:25 -07:00
a13c45e9cc
updating dependencies, and fixing the deprecated arrow.replaces to shift
2019-09-20 13:49:38 -07:00
1c6fee7292
Allow better DNS autodetection for domains that directly match a DNS hosted zone
2019-08-15 10:52:26 -07:00
5d4413e45c
Merge branch 'master' into ultradnsPlugin
2019-08-09 08:48:24 -07:00
d9aef2da3e
Changed dummy nameserver value
2019-08-07 14:38:18 -07:00
a97283f0a4
Fixed indentation
2019-08-07 14:23:09 -07:00
a6bf081bec
Remove unused import
2019-08-07 14:08:27 -07:00
43f5c8b34e
Fixed indentation
2019-08-07 14:08:06 -07:00
cadf372f7b
Removed hardcoded value from function call
2019-08-07 14:02:10 -07:00
b4f4e4dc24
Added extra check for return value to test_create_txt_record
2019-08-07 13:55:02 -07:00
fa7f71d859
Modified paginate response to dummy values
2019-08-07 13:53:10 -07:00
3ff56fc595
Blank line removed
2019-08-07 13:42:11 -07:00
894502644c
test_wait_for_dns_change fixed!
2019-08-07 13:39:20 -07:00
37a1b55b08
test_delete_txt_record changed to mock get_zone_name and return the value directly instead of executing the function.
2019-08-07 13:27:21 -07:00
31c2d207a2
test_delete_txt_record fixed. Function call was missing earlier
2019-08-07 13:23:05 -07:00
785c1ca73e
test_create_txt_record modified - get_zone_name mocked to return the zone name directly, instead of actually running the function.
2019-08-07 13:20:24 -07:00
f2cbddf9e2
Unit tests for get_zone_name, get_zones
2019-08-07 13:17:16 -07:00
6e84e1fd59
Unit Tests for create_txt_record, delete_txt_record, wait_for_dns_change
2019-08-07 13:04:38 -07:00
ff1f73f985
fixing the plugin test to include authority
2019-08-07 12:05:36 -07:00
bbda9b1d6f
making sure to handle when no config file provided, though we do a check for that
2019-08-07 12:05:13 -07:00
b885cdf9d0
adding multi profile name support with DigiCert plug.
...
This requires that the configs are a dict, with multiple entries, where the key is the name of the Authority used to issue certs with.
DIGICERT_CIS_PROFILE_NAMES = {"sha2-rsa-ecc-root": "ssl_plus"}
DIGICERT_CIS_ROOTS = {"root": "ROOT"}
DIGICERT_CIS_INTERMEDIATES = {"inter": "INTERMEDIATE_CA_CERT"}
Hence, in DB one need to add
1) the corresponding authority table, with digicert-cis-issuer. Note the names here are used to mapping in the above config
2) the corresponding intermediary in the certificate table , with root_aurhority_id set to the id of the new authority_id
2019-08-07 10:24:38 -07:00
a7c2b970b0
Unit testing Part 1
2019-08-05 14:00:22 -07:00
2903799b85
Changed string formatting from "{}".format() to f"{}" for consistency
2019-07-31 14:19:49 -07:00
5a401b2d87
Added the Zone class and Record class to ultradns.py and removed the respective files
2019-07-31 12:04:42 -07:00
fe075dc9f5
Changed function comments to doc strings.
2019-07-31 12:00:31 -07:00
503df999fa
Updated metrics.send to send function named, followed by status, separated by a period
2019-07-31 11:32:04 -07:00
11cd095131
Reduced the number of calls to get_public_authoritative_nameserver by using a variable
2019-07-31 11:12:28 -07:00
3ba7fdbd49
Updated logger to log a dictionary instead of a string
2019-07-31 11:11:39 -07:00
6bf920e66c
Merge branch 'master' into ultradnsPlugin
2019-07-30 14:13:45 -07:00
44bc562e8b
Update ultradns.py
...
Minor logging changes in wait_for_dns_change
2019-07-30 13:08:16 -07:00
3d48b422b5
Removed TODO
2019-07-30 11:39:35 -07:00
3ad791e1ec
Dynamically obtain the authoritative nameserver for the domain
2019-07-29 18:01:28 -07:00
e993194b4f
Check ultraDNS authoritative server first. Upon success, check Googles DNS server.
2019-07-29 14:59:28 -07:00
adabe18c90
metric tags, to be able to track which domains where failing during the LetsEncrypt domain validation
2019-07-25 18:56:28 -07:00
252410c6e9
Updated TTL from 300 to 5
2019-07-22 16:00:20 -07:00
51f3b7dde0
Added the Record class for UltraDNS
2019-07-22 14:23:40 -07:00
0b52aa8c59
Added Zone class to handle ultradns zones
2019-07-22 11:47:48 -07:00
e37a7c775e
Initial commit for the UltraDNS plugin to support Lets Encrypt
2019-07-18 14:29:54 -07:00
0c5a8f2039
Relax celery time limit for source syncing; Ensure metric tags are string
2019-07-01 08:35:04 -07:00
86a1fb41ac
lint fix
2019-06-25 06:56:37 -04:00
55a96ba790
type none
2019-06-24 15:10:10 -04:00
6699833297
fixing empty chain
2019-06-24 13:10:08 -04:00
bbf50cf0b0
updated dest as well as src
2019-06-20 08:26:32 -04:00
02719a1de7
Merge branch 'master' into vault_regex
...
fixed conflicts:
lemur/plugins/lemur_vault_dest/plugin.py
2019-06-19 09:53:08 -04:00
56917614a2
fixing regex to be more flexable
2019-06-19 09:46:44 -04:00
09c7076e79
Handle double data field in API v2
2019-05-22 17:12:10 -04:00
1423ac0d98
More metrics
2019-05-21 12:55:33 -07:00
34c7e5230b
Set a limit on number of retries
2019-05-21 12:52:41 -07:00
68fd1556b2
Black lint all the things
2019-05-16 07:57:02 -07:00
e3c5490d25
Expose exact response from digicert as error
2019-05-15 13:36:40 -07:00
7e92edc70a
Set resolved cert ID before resolving cert; Ignore sentry exceptions when no records on deletion
2019-05-15 11:43:59 -07:00
565142f985
Add soft timeouts to celery jobs; Check for PEM in LE order
2019-05-14 12:52:30 -07:00
e65154b48e
Merge branch 'master' into develop
2019-05-07 07:36:51 -07:00
ef7a8587fe
Merge branch 'lemur_vault_source' of github.com:/alwaysjolley/lemur into lemur_vault_source
2019-05-07 10:06:09 -04:00
b0c8901b0a
lint cleanup
2019-05-07 10:05:01 -04:00
36ce1cc7ef
Merge branch 'master' into lemur_vault_source
2019-05-07 09:41:50 -04:00
fb3f0bd72a
adding Vault Source plugin
2019-05-07 09:37:30 -04:00
a7af3cf8d2
Fix Cloudflare DNS
2019-05-07 03:05:24 +03:00
3a1da72419
nt
2019-04-29 13:57:04 -07:00
6e3f394cff
Updated requirements ; Revert change and require DNS validation by provider
2019-04-29 13:55:26 -07:00
1a90e71884
Move ACME host validation logic prior to R53 host modification
2019-04-26 17:27:44 -07:00
333ba8030a
Ensure hostname is lowercase when comparing DNS challenges. ACME will automatically lowercase the hostname
2019-04-26 15:45:04 -07:00
1a3ba46873
More retry changes
2019-04-26 10:18:54 -07:00
1e64851d79
Strip out self-polling logic and rely on ACME; Enhance ELB logging and retries
2019-04-26 10:16:18 -07:00
8eef95b58e
Merge branch 'master' into expose_verisign_exception
2019-04-25 19:15:55 -07:00
dcdfb32883
Expose verisign exceptions
2019-04-25 19:14:15 -07:00
39584f214b
Process DNS Challenges appropriately (1 challenge -> 1 domain)
2019-04-25 15:12:52 -07:00
2bc604e5a9
Better metrics and error reporting
2019-04-25 13:50:41 -07:00
272285f64a
Better exception handling, logging, and metrics for ACME flow
2019-04-24 15:26:23 -07:00
a801112cf6
Merge branch 'master' into lemur_vault_plugin
2019-04-23 07:07:39 -04:00
85efb6a99e
cleanup tmp files
2019-04-23 07:06:52 -04:00
f9dadb2670
fixing validation
2019-04-22 09:38:44 -04:00
8dccaaf544
simpler validation
2019-04-22 07:58:01 -04:00
1667c05742
removed unused functions
2019-04-18 13:57:10 -04:00
b39e2e3f66
Merge branch 'master' into lemur_vault_plugin
2019-04-18 13:55:45 -04:00
fb3b0e8cd7
adding regex filtering
2019-04-18 13:52:40 -04:00
df8d4e0892
Merge branch 'master' into rewrite-java-keystore-use-pyjks
2019-04-12 09:38:50 -07:00
9ecc19c481
adding san filter
2019-04-12 09:53:06 -04:00
d7abf2ec18
adding a new util method for setting options
2019-04-11 17:13:47 -07:00
60edab9f6d
cleaning up
2019-04-11 14:12:31 -07:00
f185df4f1e
bringing class AWSDestinationPlugin(DestinationPlugin) after AWSSourcePlugin.slug, such that we can do: sync_as_source_name = AWSSourcePlugin.slug
2019-04-11 13:28:58 -07:00
d628e97035
Merge branch 'master' into hosseinsh-celeryjob-sync-src-dst
2019-04-10 09:47:06 -07:00
f3d0536800
removing hardcoded rules, to give more flexibility into defining new source-destinations
2019-04-09 20:49:07 -07:00
64c6bb2475
Merge branch 'master' into rewrite-java-keystore-use-pyjks
2019-04-09 08:28:05 -07:00
dbf34a4d48
Rewrite Java Keystore/Truststore support based on pyjks library
2019-04-06 20:24:46 +03:00
e10007ef7b
Add support for Vault KV API v2
...
This adds the ability to target KV API v1 or v2.
2019-03-29 10:32:49 -04:00
d2e969b836
better synching of source and destinations
2019-03-26 18:20:14 -07:00
4018c68d49
Merge branch 'master' into authority_validation_LE_errors
2019-03-25 08:34:10 -07:00
c2158ff8fb
Add order URI during LE cert creation failure; Fail properly when invalid CA passed; Update reqs
2019-03-25 08:28:23 -07:00
fa4a5122bc
fixing file read to trim line endings and cleanup
2019-03-20 14:59:04 -04:00
f99b11d50e
refactor url and token to support muiltiple instances of vault
2019-03-20 13:51:06 -04:00
f1c09a6f8f
fixed comments
2019-03-07 15:58:34 -05:00
752c9a086b
fixing error handling and better data formating
2019-03-07 15:41:29 -05:00
a1cb8ee266
fixing lint
2019-03-05 07:37:04 -05:00
880eaad6cb
Merge branch 'lemur_vault_plugin' of github.com:/alwaysjolley/lemur into lemur_vault_plugin
2019-03-05 07:22:18 -05:00
4a027797e0
fixing linting issues
2019-03-05 07:19:22 -05:00
20518bc377
Merge branch 'master' into lemur_vault_plugin
2019-03-01 09:58:43 -05:00
5d2f603c84
renamed vault destination plugin to avoid conflict with vault pki plugin
2019-03-01 09:49:52 -05:00
53301728fa
Moved url to config file instead of plugin option. One one url can be supported
...
unless both the token and url are moved to the plugin options.
2019-02-26 09:15:12 -05:00
cd65a36437
- support multiple bundle configuration, nginx, apache, cert only
...
- update vault destination to support multi cert under one object
- added san list as key value
- read and update object with new keys, keeping other keys, allowing
us to keep an iterable list of keys in an object for deploying multiple
certs to a single node
2019-02-25 09:42:07 -05:00
ef0c08dfd9
Fix: when no alias is entered when exporting a certificate, the alias is set to 'blah'.
...
This fix sets it to the common name instead.
2019-02-21 16:33:43 +01:00
eaa73998a0
adding lemur_vault destination plugin
2019-02-19 15:03:15 -05:00
6705a0e030
Merge branch 'master' into ADCS-plugin
2019-02-01 16:38:39 -08:00
36ab1c0bec
Merge branch 'master' into ADCS-plugin
2019-02-01 19:10:46 +01:00
e24a94d798
Enforce that PEM strings (certs, keys, CSR) are internally passed as str, not bytes
...
This was already true in most places but not 100%, leading to lots of redundant checks and conversions.
2019-01-30 18:11:24 +02:00
7f4f4ffded
Merge branch 'master' into master
2019-01-29 16:30:15 -08:00
48ad20faca
moving the 2 year validity issue to the Verisign plugin, and address it there
2019-01-29 16:17:08 -08:00
c68a9cf80a
fixing linting issues
2019-01-29 11:10:56 -05:00
254a3079f2
fix whitespace
2019-01-29 11:01:55 -05:00
b4d1b80e04
Adding support for cfssl auth mode signing
2019-01-29 10:13:44 -05:00
c77ccdf46e
Merge branch 'master' into ADCS-plugin
2019-01-28 17:57:46 +01:00
7f88c24e83
Fix LetsEncrypt Dyn flow for duplicate CN/SAN
2019-01-17 14:56:04 -08:00
0e02e6da79
Be more forgiving to throttling
2019-01-11 11:13:43 -08:00
a1ca61d813
changed a too long comment
2019-01-09 09:50:26 +01:00
a43476bc87
minor errors after lint fix
2019-01-07 11:04:27 +01:00
054685fc38
Merge branch 'master' into ADCS-plugin
2019-01-07 10:23:18 +01:00
c62bcd1456
repaired several lint errors
2019-01-07 10:02:37 +01:00
6a31856d0d
Update plugin.py
2018-12-21 12:33:47 -08:00
b5d6abb01f
Merge branch 'master' into kubernetes-improvment
2018-12-21 12:06:09 -08:00
f02178c154
added ADCS issuer and source plugin
2018-12-20 11:54:47 +01:00
fbf48316b1
Minor changes for code review suggestions.
2018-12-18 22:43:32 -05:00
073d05ae21
Merge branch 'kubernetes-fix' into kubernetes-improvment
2018-12-18 22:26:03 -05:00
e7313da03e
Minor changes for code review suggestions.
2018-12-18 22:24:48 -05:00
bc621c1468
Improve the Kubernetes Destination plugin
...
The plugin now supports loading details from local files rather than requiring them to be entered through the UI. This is especially relaent when Lemur is deployed on Kubernetes as the certificate, token, and current namespace will be injected into the pod. The location these details are injected are the defaults if no configuration details are supplied.
The plugin now supports deploying the secret in three different formats:
* Full - matches the formate used by the plugin prior to these changes.
* TLS - creates a secret of type kubernetes.io/tls and includes the certificate chain and private key, this format is used by many kubernetes features.
* Certificate - creates a secret containing only the certificate chain, suitable for use as trust authority where private keys should _NOT_ be deployed.
The deployed secret can now have a name set through the configuration options; the setting allows the insertion of the placeholder '{common_name}' which will be replaced by the certificate's common name value.
Debug level logging has been added.
2018-12-12 13:25:36 -08:00
060c78fd91
Fix Kubernetes Destination Plugin
...
The Kubernetes plugin was broken. There were two major issues:
* The server certificate was entered in a string input making it impossible (as far as I know) to enter a valid PEM certificate.
* The base64 encoding calls were passing strings where bytes were expected.
The fix to the first issue depends on #2218 and a change in the options structure. I've also included some improved input validation and logging.
2018-12-10 15:33:04 -08:00
437d918cf7
Fix textarea and validation on destination page
...
The destination configuration page did not previously support a textarea input as was supported on most other pages. The validation of string inputs was not being performed. This commit addresses both of those issues and corrects the validation expressions for the AWS and S3 destination plugins so that they continue to function. The SFTP destination plugin does not have any string validation. The Kubernetes plugin does not work at all as far as I can tell; there will be another PR in the coming days to address that.
2018-12-10 12:04:16 -08:00
2a235fb0e2
Prefer DNS provider with longest matching zone
2018-11-30 12:44:52 -08:00
a90154e0ae
LetsEncrypt Celery Flow
2018-11-29 09:29:05 -08:00
a7a05e26bc
Do not re-use CSR during certificate reissuance; Update requirement; Add more logging to celery handler
2018-11-12 09:52:11 -08:00
a3f96b96ee
Add fixture to failing function
2018-11-05 15:16:09 -08:00
75183ef2f2
Unpin most dependencies, and fix moto
2018-11-05 14:37:52 -08:00
054cc64ee8
Prevent dashes from appearing at end of cert name in AWS
2018-10-23 12:49:58 -07:00
56282845fa
Enable optional verisign cloud transparency configuration
2018-10-01 09:20:50 -07:00
82e69db0c5
fix error message typo
2018-09-04 10:21:34 -05:00
1b77dfa47a
Revert "Precommit - Fix linty things"
2018-08-22 13:21:35 -07:00
3e9726d9db
Precommit work
2018-08-22 10:38:09 -07:00
9f64f0523b
Increase timeouts
2018-08-17 15:36:56 -07:00
43ae6c39e3
wait right here
2018-08-17 12:14:02 -07:00
7f9a035802
Fix private key bytecode issue
2018-08-17 10:59:01 -07:00
be9d683e46
fix merge
2018-08-16 10:15:48 -07:00
da99bcda68
Better zone handling
2018-08-16 10:12:19 -07:00
2c22c9c2f1
Allow proper detection of zones, fix certificate detection
2018-08-14 14:37:45 -07:00
1a5abe6550
fix lint
2018-08-13 15:11:57 -07:00
cc836433fb
formatting
2018-08-13 15:06:16 -07:00
5829794d82
typo fix
2018-08-13 14:25:54 -07:00
bb026b8b59
Allow LetsEncrypt renewals and requesting certificates without specifying DNS provider
2018-08-13 14:22:59 -07:00
1f0f432327
Fix unit tests certificates to have correct chains and private keys
...
In preparation for certificate integrity-checking: invalid certificate
chains and mismatching private keys will no longer be allowed anywhere
in Lemur code.
The test vector certs were generated using the Lemur "cryptography"
authority plugin.
* Certificates are now more similar to real-world usage: long serial
numbers, etc.
* Private key is included for all certs, so it's easy to re-generate
anything if needed.
2018-08-03 19:45:13 +03:00
44192d4494
remove debug print
2018-07-30 15:27:23 -07:00
0889076d3b
Support LetsEncrypt accounts
2018-07-30 15:25:02 -07:00
2a6dda07eb
Show and send error for pending certs
2018-07-27 14:15:14 -07:00
1a02740b67
reformat code (noop)
2018-06-29 15:24:31 -07:00
3397fb6560
R53: Extend only TXT records
2018-06-20 10:33:35 -07:00
3efc709e03
tests
2018-06-19 21:16:35 -07:00
dda7f54a16
lint
2018-06-19 20:58:00 -07:00
2d33d3e2b8
lint
2018-06-19 20:35:00 -07:00
d50c9c7748
Merge branch 'master' into acme_validation_dns_provider_option
2018-06-19 16:45:25 -07:00
a141b8c5ea
Support concurrent issuance in Route53 for LetsEncrypt
2018-06-19 16:27:58 -07:00
b2bc431823
Merge branch 'master' into dyn2
2018-06-14 08:06:31 -07:00
4e72cb96c9
Graceful cancellation of pending cert and order details in log for acme failure
2018-06-14 08:02:34 -07:00
b99aad743b
remove linuxdst plugin
2018-06-13 15:15:09 -07:00
135f2b710c
Limit dns queries to 10 attempts
2018-06-13 15:14:48 -07:00
065e0edc5f
lint
2018-06-13 14:22:45 -07:00
d72792ff37
Fix unique dyn situation where zone does not match tld, and there's a deeper zone
2018-06-13 14:08:39 -07:00
038f5dc554
Merge branch 'master' into linuxdst
2018-06-12 07:40:40 -07:00
7f5d1a0b6b
sync error
2018-06-11 15:40:15 -07:00
5e24f685c1
lint error
2018-05-29 10:46:24 -07:00
544a02ca3f
Addressing comments. Updating copyrights. Added function to determine authorative name server
2018-05-29 10:23:01 -07:00
b0f9d33b32
Requirements update
2018-05-25 11:07:26 -07:00
de52fa7f48
fix v1 backwards compatibility
2018-05-16 08:00:33 -07:00
680f4966a1
acme v2 support
2018-05-16 07:46:37 -07:00
a9b9b27a0b
fix tests
2018-05-10 12:58:04 -07:00
52e7ff9919
Allow specification of dns provider name only
2018-05-10 12:58:04 -07:00
0bd14488bb
Update requirements, handle more lemur_acme exceptions, and remove take a tour button
2018-05-08 15:35:03 -07:00
6500559f8e
Fix issue with automatically renewing acme certificates
2018-05-08 14:54:10 -07:00
642dbd4098
Merge branch 'master' into linuxdst
2018-05-08 12:09:05 -07:00
a8187d15c6
quick lint
2018-05-08 11:04:25 -07:00
df5168765b
more tests
2018-05-08 11:03:17 -07:00
e68b3d2cbd
0.7 release
2018-05-07 09:58:24 -07:00
1be3f8368f
dyn support
2018-05-04 15:01:01 -07:00
3e64dd4653
Additional work
2018-05-04 15:01:01 -07:00
532872b3c6
dns_provider ui
2018-04-27 11:18:51 -07:00
efd5836e43
fix test
2018-04-26 09:04:13 -07:00
f0f2092fb4
Some unit tests
2018-04-25 11:19:34 -07:00
7704f51441
Working acme flow. Pending DNS providers UI
2018-04-24 09:38:57 -07:00
81e349e07d
Merge branch 'master' into hackday
2018-04-23 10:11:49 -07:00
44e3b33aaa
More stuff. Will prioritize this more next week
2018-04-20 14:49:54 -07:00
fbce1ef7c7
temp digicert fix
2018-04-13 15:50:55 -07:00
b2e6938815
WIP: Add support for Acme/LetsEncrypt with DNS Provider integration
2018-04-13 15:50:54 -07:00
5dd03098e5
actually update deps
2018-04-13 15:50:53 -07:00
c03133622f
Correct validities
2018-04-13 15:18:17 -07:00
8303cfbd2b
Fix datetime
2018-04-13 14:53:45 -07:00
3ef550f738
Merge branch 'master' into hackday
2018-04-12 12:49:52 -07:00
52cb145333
ecc: add the support for ECC ( #1191 )
...
* ecc: add the support for ECC
update generate_private_key to support ECC. Move key types to constant. Update UI for the new key types
* ecc: Remove extra line to fix linting
* ecc: Fix flake8 lint problems
* Update options.tpl.html
2018-04-10 16:54:17 -07:00
a9baaf4da4
add(plugins): Added a statsd plugin for lemur ( #1189 )
2018-04-10 15:15:03 -07:00
f61098b874
WIP: Add support for Acme/LetsEncrypt with DNS Provider integration
2018-04-10 14:28:53 -07:00
8ca4f730e8
lemur_digicert: Do not truncate valid_to anymore ( #1187 )
...
* lemur_digicert: Do not truncate valid_to anymore
The valid_to field for Digicert supports YYYY-MM-DDTHH:MM:SSZ so we should stop truncating
* lemur_digicert: Update unit tests for valid_to
2018-04-10 13:23:09 -07:00
28614b5793
remove linuxdst plugin
2018-04-04 14:49:25 +03:00
4a0103a88d
SFTP destination plugin ( #1170 )
...
* add sftp destination plugin
2018-04-03 10:30:19 -07:00
Hossein Shafagh
Curtis Castrapel
Kush Bavishi
Kush Bavishi
alwaysjolley
Ryan DeShone
Curtis
alwaysjolley
Daniel Iancu
Hossein Shafagh
Marti Raudsepp
Ronald Moesbergen
sirferl
Curtis Castrapel
sirferl
Wesley Hartford
Gus Esquivel
Dmitry Zykov
Will Bengtson
Mihir Jham