Beispiel #1
0
 def test_session_reset(self):
     papi = ApiSession(api.controller_ip, api.username, api.password,
                       verify=False, api_version=api.api_version)
     res = papi.get('pool', params={'fields': 'name'})
     assert res.status_code == 200
     papi.reset_session()
     res = papi.get('pool', params={'fields': 'name'})
     assert res.status_code == 200
     data = {'name': 'test-reset'}
     res = papi.post('pool', data=data)
     assert res.status_code == 201
     papi.reset_session()
     res = papi.delete_by_name('pool', 'test-reset')
     assert res.status_code == 204
Beispiel #2
0
 def test_session_connected(self):
     ApiSession.clear_cached_sessions()
     session = ApiSession(controller_ip=login_info["controller_ip"],
                          username=login_info.get("username", "admin"),
                          password=login_info.get("password", "fr3sca$%^"),
                          lazy_authentication=True)
     assert not session.connected
     session.get('pool')
     assert session.connected
     ApiSession.clear_cached_sessions()
     session = ApiSession(controller_ip=login_info["controller_ip"],
                          username=login_info.get("username", "admin"),
                          password=login_info.get("password", "fr3sca$%^"),
                          lazy_authentication=False)
     assert session.connected
 def test_lazy_authentication(self):
     ApiSession.clear_cached_sessions()
     session = ApiSession(controller_ip=login_info["controller_ip"],
                          username=login_info.get("username", "admin"),
                          password=login_info.get("password", "avi123"),
                          lazy_authentication=True)
     assert not session.keystone_token
     session.get('pool')
     assert session.keystone_token
     ApiSession.clear_cached_sessions()
     session = ApiSession(controller_ip=login_info["controller_ip"],
                          username=login_info.get("username", "admin"),
                          password=login_info.get("password", "avi123"),
                          lazy_authentication=False)
     assert session.keystone_token
Beispiel #4
0
class AviUsage:

    # Authenticates with Avi controller API and sets the SSL session
    def __init__(self, avi_ip, avi_user, avi_pswd, avi_version):
        self.avi_api = ApiSession(avi_ip,
                                  avi_user,
                                  avi_pswd,
                                  api_version=avi_version)

    # Runs the API and gets the statis
    def get_max_core_usage(self, sdate, edate, limit):
        metrics_api = "/analytics/metrics/controller"
        params = {
            'metric_id': 'controller_stats.max_num_se_cores',
            'step': 86400,
            'start': sdate,
            'stop': edate,
            'limit': limit,
            'pad_missing_data': 'false'
        }

        ret = self.avi_api.get(path=metrics_api, params=params)
        #print(json.dumps(ret.json()))
        count = ret.json()['count']
        if count > 0:
            max_usage = ret.json(
            )['results'][0]['series'][0]['header']['statistics']['max']
            min_usage = ret.json(
            )['results'][0]['series'][0]['header']['statistics']['min']
            sdate = ret.json(
            )['results'][0]['series'][0]['header']['statistics']['min_ts']
            edate = ret.json(
            )['results'][0]['series'][0]['header']['statistics']['max_ts']
            return (max_usage, min_usage, sdate, edate)
Beispiel #5
0
 def test_session_reset(self):
     papi = ApiSession(controller_ip=api.avi_credentials.controller,
                       username=api.avi_credentials.username,
                       password=api.avi_credentials.password, verify=False,
                       api_version=api.avi_credentials.api_version,
                       data_log=api.data_log)
     res = papi.get('pool', params={'fields': 'name'})
     assert res.status_code == 200
     papi.reset_session()
     res = papi.get('pool', params={'fields': 'name'})
     assert res.status_code == 200
     data = {'name': 'test-reset'}
     res = papi.post('pool', data=data)
     assert res.status_code == 201
     papi.reset_session()
     res = papi.delete_by_name('pool', 'test-reset')
     assert res.status_code == 204
Beispiel #6
0
    def test_context_sharing(self):
        api1 = ApiSession(controller_ip=login_info.get('controller_ip'),
                          username=login_info.get('username'),
                          password=login_info.get('password'),
                          lazy_authentication=False)

        context_api1 = api1.get_context()

        api1.clear_cached_sessions()

        api2 = ApiSession(controller_ip=login_info.get('controller_ip'),
                          username=login_info.get('username'),
                          password=login_info.get('password'),
                          session_id= context_api1['session_id'],
                          csrftoken=context_api1['csrftoken'],
                          lazy_authentication=True)
        api2.get('pool')
        assert api2.get_context() == context_api1
def enable_disable_vs():

    global session
    session = ApiSession('localhost', 'admin', 'admin', api_version='18.2.6')
    session.tenant = '*'

    vs_obj_list = session.get(
        'virtualservice?join_subresources=runtime&page_size=-1').json(
        )['results']

    data_disable = {'enabled': False}
    data_enable = {'enabled': True}

    vs_oper_init_list = []

    for vs in vs_obj_list:
        if vs['runtime']['oper_status']['state'] == 'OPER_INITIALIZING':
            vs_oper_init_list.append(vs)

    for v in vs_oper_init_list:
        t_uuid = get_vs_tenant_uuid(v['tenant_ref'])
        t_name = get_tenant_name(t_uuid)
        v_uuid = get_vs_tenant_uuid(v['url'])
        v_name = get_vs_name(v_uuid)

        print "Disabling the VS %s\n" % (v_name)
        if t_name != 'admin':
            resp = session.patch('virtualservice/' + v['uuid'],
                                 tenant=t_name,
                                 data={'replace': data_disable},
                                 api_version='18.2.6')
            print resp
        else:
            resp = session.patch('virtualservice/' + v['uuid'],
                                 data={'replace': data_disable},
                                 api_version='18.2.6')
            print resp

        time.sleep(1)

        print "Enabling the VS %s\n" % (v_name)

        if t_name != 'admin':
            resp = session.patch('virtualservice/' + v['uuid'],
                                 tenant=t_name,
                                 data={'replace': data_enable},
                                 api_version='18.2.6')
            print resp
        else:
            resp = session.patch('virtualservice/' + v['uuid'],
                                 data={'replace': data_enable},
                                 api_version='18.2.6')
            print resp

        time.sleep(1)

    print "All the Vses have been Disabled/Enabled Successfully\n"
Beispiel #8
0
    def test_user_login(self):
        api1 = ApiSession(controller_ip=login_info.get('controller_ip'),
                          username=login_info.get('username'),
                          password=login_info.get('password'),
                          lazy_authentication=False)
        user_info = gSAMPLE_CONFIG["Passwords"]
        original_password = login_info.get('password')
        new_password = "******"
        user_info['password'] = new_password
        user_info['old_password'] = original_password
        res = api1.put('useraccount', data=json.dumps(user_info))
        assert res.status_code == 200
        api1.clear_cached_sessions()

        api2 = ApiSession(controller_ip=login_info.get('controller_ip'),
                          username=login_info.get('username'),
                          password=new_password,
                          lazy_authentication=False)
        res = api2.get('pool')
        assert res.status_code in [200, 204]

        resp = api2.get('systemconfiguration', tenant='admin')
        r = resp.json()
        data = r['portal_configuration']['password_strength_check'] = False
        sysresp = api2.put('systemconfiguration', data=data, tenant='admin')
        assert sysresp.status_code == 200
        old_password = user_info['password']
        changed_password = original_password
        user_info['password'] = original_password
        user_info['old_password'] = old_password
        result = api2.put('useraccount', user_info)
        assert result.status_code == 200
        res = api2.get('pool')
        assert res.status_code in [200, 204]
        api2.clear_cached_sessions()

        api3 = ApiSession(controller_ip=login_info.get('controller_ip'),
                          username=login_info.get('username'),
                          password=changed_password,
                          lazy_authentication=False)
        res = api3.get('pool')
        assert res.status_code in [200, 204]
def main():
    parser = argparse.ArgumentParser(
        description="AVISDK based Script query gslb services on multiple pages "
    )
    parser.add_argument("-u",
                        "--username",
                        required=True,
                        help="Login username")
    parser.add_argument("-p",
                        "--password",
                        required=True,
                        help="Login password")
    parser.add_argument("-c",
                        "--controller",
                        required=True,
                        help="Controller IP address")
    parser.add_argument("-a",
                        "--api_version",
                        required=False,
                        help="Api Version Name")
    parser.add_argument("-t",
                        "--tenant",
                        required=False,
                        help="Tenant, if left blank Admin is selected")
    args = parser.parse_args()

    user = args.username
    controller = args.controller
    api_version = str(args.api_version if args.api_version else '17.2.14')
    tenant = str(args.tenant if args.tenant else 'admin')
    password = args.password

    session = ApiSession(controller,
                         user,
                         password,
                         tenant=tenant,
                         api_version=api_version)

    page = 1
    while True:
        resp = session.get("gslbservice?page_size=1000&page=" + str(page))
        if resp.status_code in range(200, 299):
            json_data = json.loads(resp.text)
            print(json_data['results'])
            if 'next' in json_data:
                page += 1
            else:
                print("End of entries")
                break
        else:
            print("Error: %s" % resp.text)
Beispiel #10
0
    def test_basic_auth(self):
        basic_vs_cfg = gSAMPLE_CONFIG["BasicVS"]
        vs_obj = basic_vs_cfg["vs_obj"]
        headers = {
            'X-Avi-Version': login_info.get("api_version", gapi_version),
            'Authorization': 'Basic YWRtaW46YXZpMTIzJCU='
        }
        aviapi = ApiSession(controller_ip=login_info.get('controller_ip'),
                            username=login_info.get('username'),
                            api_version=login_info.get("api_version",
                                                       gapi_version),
                            user_hdrs=headers)

        resp = aviapi.post('pool',
                           data=json.dumps(basic_vs_cfg["pool_obj"]),
                           api_version=login_info.get("api_version"))
        assert resp.status_code in (200, 201)

        resp = aviapi.post('vsvip',
                           data=json.dumps(basic_vs_cfg["vsvip_obj"]),
                           api_version=login_info.get("api_version"))
        assert resp.status_code in (200, 201)
        vs_obj["vsvip_ref"] = api.get_obj_ref(resp.json())

        resp = aviapi.post('virtualservice',
                           data=json.dumps(vs_obj),
                           api_version=login_info.get("api_version"))
        print(resp.json)
        assert resp.status_code in (200, 201)
        pool_name = gSAMPLE_CONFIG["BasicVS"]["pool_obj"]["name"]
        vsvip_name = gSAMPLE_CONFIG["BasicVS"]["vsvip_obj"]["name"]
        resp = aviapi.get('virtualservice',
                          tenant='admin',
                          api_version=login_info.get("api_version"))
        assert resp.json()['count'] >= 1
        assert resp.status_code in (200, 204)
        resp = aviapi.delete_by_name('virtualservice',
                                     vs_obj['name'],
                                     api_version=login_info.get("api_version"))
        assert resp.status_code in (200, 204)
        resp = aviapi.delete_by_name("pool",
                                     pool_name,
                                     api_version=login_info.get("api_version"))
        assert resp.status_code in (200, 204)
        resp = aviapi.delete_by_name("vsvip",
                                     vsvip_name,
                                     api_version=login_info.get("api_version"))
        assert resp.status_code in (200, 204)
Beispiel #11
0
# Author: Manmeet Singh

#!/usr/bin/env python

from avi.sdk.avi_api import ApiSession

session = ApiSession('10.79.111.0', 'admin', 'Avi12345!', api_version='18.2.6')
session.tenant = '*'

rt_vs = []
ci_vs = []
vs_obj_list = session.get(
    'virtualservice?join_subresources=runtime&page_size=-1').json()['results']

for vs in vs_obj_list:
    if vs['analytics_policy']['metrics_realtime_update']['enabled']:
        rt_vs.append(vs['name'])
    if vs['analytics_policy']['client_insights'] in ('PASSIVE', 'ACTIVE'):
        ci_vs.append(vs['name'])

print('Total VS : ' + str(len(vs_obj_list)))
print('\n')
print('==============REALTIME METRICS==============')
print(rt_vs)
print('Number of VS with Real time Metrics are: ' + str(len(rt_vs)))
print('\n')
print('==============CLIENT INSIGHTS==============')
print(ci_vs)
print('Number of VS with Client Insights are: ' + str(len(ci_vs)))
Beispiel #12
0
def analyze_logs(api_session: ApiSession,
                 start_date: datetime.datetime, end_date: datetime.datetime, page_size: int,
                 delay: float, stats,
                 args: dict):

    tenant = args.tenant
    vs_name = args.vs_name
    fields = args.fields
    top_n = args.top_n
    obfuscate_ips = not args.no_ip_obfuscation
    use_dns = args.dns

    uas = collections.defaultdict(DictOfInts)
    waf_rules = collections.defaultdict(int)
    # { "ARGS:foo" => { "count": 137, "values" => { "val1:" 3, "val2": 66 } } }
    match_elements = {}

    waf_hits = 0
    waf_elements = 0

    file_writer = ApiResponseWriter(args.logapiresponses)
    applog_writer = AppLogWriter(args.jsonfile, obfuscate_ips)

    path = "/analytics/logs/"
    num_fetched = 0
    total_to_fetch = -1
    fixed_options = "virtualservice={}&type=1&page_size={}".format(vs_name, page_size)
    fixed_options += "&udf=true&nf=true&orderby=report_timestamp"
    if fields:
        fixed_options += "&cols={}".format(fields)
    minutes_tofetch = 8
    max_minutes = 64
    min_minutes = 1
    orig_start_date = start_date
    while start_date < end_date:
        upper_end = min(start_date + datetime.timedelta(minutes=minutes_tofetch), end_date)
        # make request for logs [start_date, up_to]:
        time_options = "&start={}&end={}".format(
            # The API claims to expect ISO 8601 format, but rejects the request if we use it:
            # start_date.isoformat(), end_date.isoformat()
            # It seems to be unable to handle time zones. The following works:
            # f"{start_date:%Y-%m-%dT%H:%M:%S.%fZ}", f"{upper_end:%Y-%m-%dT%H:%M:%S.%fZ}"
            "{:%Y-%m-%dT%H:%M:%S.%fZ}".format(start_date), "{:%Y-%m-%dT%H:%M:%S.%fZ}".format(upper_end)
        )
        query_options = fixed_options + time_options
        logging.debug("Query String: '{}'".format(query_options))

        result = api_session.get(path, tenant=tenant, params=query_options)
        file_writer.save_api_response(result.text)

        j = result.json()
        num_to_fetch = j['count']  # this is not 100% accurate, more a hint
        if total_to_fetch == -1:
            total_to_fetch = num_to_fetch
        if num_to_fetch == 0:
            start_date = upper_end
            if minutes_tofetch < max_minutes:
                minutes_tofetch *= 2
                logging.debug("Increased time window to {} minutes".format(minutes_tofetch))

            continue
        if len(j['results']) == 0:
            applog_writer.close()
            raise LogResponseException(num_fetched)
        for applog in j['results']:
            hits, elements = process_applog_entry(applog, uas, stats, waf_rules, match_elements)
            waf_hits += hits
            waf_elements += elements

            applog_writer.save_applog_chunk(applog)

        logging.debug(" First time stamp:{},\n last time stamp: {}".format(
            j['results'][0]['report_timestamp'],
            j['results'][-1]['report_timestamp']))

        num_fetched += len(j['results'])
        remaining_time = end_date - upper_end
        r_minutes = ceil(remaining_time.days * 24 * 60 + remaining_time.seconds / 60)
        r_percent = ceil(100 * remaining_time / (end_date - orig_start_date))
        # Print one line of info to indicate progress, even if verbose is off:
        logging.info("Fetched {:8d} AppLog entries, {:4d} minutes remaining ({:2d}%)".
                     format(num_fetched, r_minutes, r_percent))

        if num_to_fetch > len(j['results']) and minutes_tofetch > min_minutes:
            minutes_tofetch /= 2
            logging.debug("Decreased time window to {} minutes".format(minutes_tofetch))

        # if there's a 'next' hint in the response, use it
        # note that due to a current limitation, for page_size = 10k, there
        # is never a 'next' link.
        while 'next' in j:
            # fetch page after page, update num_fetched, save result
            next = j['next']
            qs = next.split('?')[1]
            logging.debug("New query string from 'next': {}".format(qs))
            if delay > 0:
                sleep(delay)
            result = api_session.get(path, tenant=tenant, params=qs)
            file_writer.save_api_response(result.text)

            j = result.json()
            for applog in j['results']:
                hits, elements = process_applog_entry(applog, uas, stats, waf_rules, match_elements)
                waf_hits += hits
                waf_elements += elements
                applog_writer.save_applog_chunk(applog)

            num_fetched += len(j['results'])
            logging.debug("Newly fetched: {}, total: {}".format(len(j['results']), num_fetched))

        logging.debug("No 'next' link, to fetch: {}, fetched: {}".format(num_to_fetch, num_fetched))

        # To avoid fetching the same us twice, we increment by 1 us (and risk
        # missing logs if there is more than 1 per us)
        start_date = j['results'][-1]['report_timestamp']
        start_date = datetime.datetime.fromisoformat(start_date) + datetime.timedelta(microseconds=1)
        logging.debug("New start date: {}".format(start_date.isoformat()))  # f"{start_date:%Y-%m-%dT%H:%M:%S.%fZ}"))
        if delay > 0:
            sleep(delay)

    if num_fetched >= total_to_fetch:
        print("Done")
    else:
        print("Download incomplete: Expected {}, got {} log lines".format(num_to_fetch, num_fetched))

    applog_writer.close()
    file_writer.close()

    if num_fetched > 0:
        statfile = args.outfile
        if statfile:
            if not statfile.endswith(".gz"):
                statfile += ".gz"

            out_fd = gzip.open(statfile, "xt")
        else:
            out_fd = sys.stdout

        show_results(top_n, obfuscate_ips, use_dns, num_fetched, uas, stats,
                     waf_rules, match_elements, waf_hits, waf_elements, out_fd)

    return num_fetched >= total_to_fetch
Beispiel #13
0
def get_crt(user,
            password,
            tenant,
            api_version,
            account_key,
            csr,
            CA=DEFAULT_CA,
            disable_check=False,
            directory_url=DEFAULT_DIRECTORY_URL,
            contact=None):
    directory, acct_headers, alg, jwk = None, None, None, None  # global variables

    # helper functions - base64 encode for jose spec
    def _b64(b):
        return base64.urlsafe_b64encode(b).decode('utf8').replace("=", "")

    # helper function - run external commands
    def _cmd(cmd_list,
             stdin=None,
             cmd_input=None,
             err_msg="Command Line Error"):
        proc = subprocess.Popen(cmd_list,
                                stdin=stdin,
                                stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE)
        out, err = proc.communicate(cmd_input)
        if proc.returncode != 0:
            raise IOError("{0}\n{1}".format(err_msg, err))
        return out

    # helper function - make request and automatically parse json response
    def _do_request(url, data=None, err_msg="Error", depth=0):
        try:
            resp = urlopen(
                Request(url,
                        data=data,
                        headers={
                            "Content-Type": "application/jose+json",
                            "User-Agent": "acme-tiny"
                        }))
            resp_data, code, headers = resp.read().decode(
                "utf8"), resp.getcode(), resp.headers
        except IOError as e:
            resp_data = e.read().decode("utf8") if hasattr(e,
                                                           "read") else str(e)
            code, headers = getattr(e, "code", None), {}
        try:
            resp_data = json.loads(resp_data)  # try to parse json results
        except ValueError:
            pass  # ignore json parsing errors
        if depth < 100 and code == 400 and resp_data[
                'type'] == "urn:ietf:params:acme:error:badNonce":
            raise IndexError(resp_data)  # allow 100 retrys for bad nonces
        if code not in [200, 201, 204]:
            raise ValueError(
                "{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".
                format(err_msg, url, data, code, resp_data))
        return resp_data, code, headers

    # helper function - make signed requests
    def _send_signed_request(url, payload, err_msg, depth=0):
        payload64 = "" if payload is None else _b64(
            json.dumps(payload).encode('utf8'))
        new_nonce = _do_request(directory['newNonce'])[2]['Replay-Nonce']
        protected = {"url": url, "alg": alg, "nonce": new_nonce}
        protected.update({"jwk": jwk} if acct_headers is None else
                         {"kid": acct_headers['Location']})
        protected64 = _b64(json.dumps(protected).encode('utf8'))
        protected_input = "{0}.{1}".format(protected64,
                                           payload64).encode('utf8')
        out = _cmd(["openssl", "dgst", "-sha256", "-sign", account_key],
                   stdin=subprocess.PIPE,
                   cmd_input=protected_input,
                   err_msg="OpenSSL Error")
        data = json.dumps({
            "protected": protected64,
            "payload": payload64,
            "signature": _b64(out)
        })
        try:
            return _do_request(url,
                               data=data.encode('utf8'),
                               err_msg=err_msg,
                               depth=depth)
        except IndexError:  # retry bad nonces (they raise IndexError)
            return _send_signed_request(url,
                                        payload,
                                        err_msg,
                                        depth=(depth + 1))

    # helper function - poll until complete
    def _poll_until_not(url, pending_statuses, err_msg):
        result, t0 = None, time.time()
        while result is None or result['status'] in pending_statuses:
            assert (time.time() - t0 <
                    3600), "Polling timeout"  # 1 hour timeout
            time.sleep(0 if result is None else 2)
            result, _, _ = _send_signed_request(url, None, err_msg)
        return result

    session = ApiSession('localhost',
                         user,
                         password,
                         tenant=tenant,
                         api_version=api_version)

    log.info("Generating account key...")
    out = _cmd(["openssl", "genrsa", "4096"], err_msg="OpenSSL Error")
    with open(account_key, 'w') as f:
        f.write(out.decode("utf-8"))

    # parse account key to get public key
    log.info("Parsing account key...")
    out = _cmd(["openssl", "rsa", "-in", account_key, "-noout", "-text"],
               err_msg="OpenSSL Error")
    pub_pattern = r"modulus:[\s]+?00:([a-f0-9\:\s]+?)\npublicExponent: ([0-9]+)"
    pub_hex, pub_exp = re.search(pub_pattern, out.decode('utf8'),
                                 re.MULTILINE | re.DOTALL).groups()
    pub_exp = "{0:x}".format(int(pub_exp))
    pub_exp = "0{0}".format(pub_exp) if len(pub_exp) % 2 else pub_exp
    alg = "RS256"
    jwk = {
        "e":
        _b64(binascii.unhexlify(pub_exp.encode("utf-8"))),
        "kty":
        "RSA",
        "n":
        _b64(binascii.unhexlify(
            re.sub(r"(\s|:)", "", pub_hex).encode("utf-8"))),
    }
    accountkey_json = json.dumps(jwk, sort_keys=True, separators=(',', ':'))
    thumbprint = _b64(hashlib.sha256(accountkey_json.encode('utf8')).digest())

    # find domains
    log.info("Parsing CSR...")
    out = _cmd(["openssl", "req", "-in", csr, "-noout", "-text"],
               err_msg="Error loading {0}".format(csr))
    domains = set([])
    common_name = re.search(r"Subject:.*? CN\s?=\s?([^\s,;/]+)",
                            out.decode('utf8'))
    if common_name is not None:
        domains.add(common_name.group(1))
    subject_alt_names = re.search(
        r"X509v3 Subject Alternative Name: (?:critical)?\n +([^\n]+)\n",
        out.decode('utf8'), re.MULTILINE | re.DOTALL)
    if subject_alt_names is not None:
        for san in subject_alt_names.group(1).split(", "):
            if san.startswith("DNS:"):
                domains.add(san[4:])
    log.info("Found domains: {0}".format(", ".join(domains)))

    # get the ACME directory of urls
    log.info("Getting directory...")
    directory_url = CA + "/directory" if CA != DEFAULT_CA else directory_url  # backwards compatibility with deprecated CA kwarg
    directory, _, _ = _do_request(directory_url,
                                  err_msg="Error getting directory")
    log.info("Directory found!")

    # create account, update contact details (if any), and set the global key identifier
    log.info("Registering account...")
    reg_payload = {"termsOfServiceAgreed": True}
    account, code, acct_headers = _send_signed_request(directory['newAccount'],
                                                       reg_payload,
                                                       "Error registering")
    log.info("Registered!" if code == 201 else "Already registered!")
    if contact is not None:
        account, _, _ = _send_signed_request(acct_headers['Location'],
                                             {"contact": contact},
                                             "Error updating contact details")
        log.info("Updated contact details:\n{0}".format("\n".join(
            account['contact'])))

    # create a new order
    log.info("Creating new order...")
    order_payload = {
        "identifiers": [{
            "type": "dns",
            "value": d
        } for d in domains]
    }
    order, _, order_headers = _send_signed_request(directory['newOrder'],
                                                   order_payload,
                                                   "Error creating new order")
    log.info("Order created!")

    # get the authorizations that need to be completed
    for auth_url in order['authorizations']:
        authorization, _, _ = _send_signed_request(auth_url, None,
                                                   "Error getting challenges")
        domain = authorization['identifier']['value']
        log.info("Verifying {0}...".format(domain))

        # find the http-01 challenge and write the challenge file
        challenge = [
            c for c in authorization['challenges'] if c['type'] == "http-01"
        ][0]
        token = re.sub(r"[^A-Za-z0-9_\-]", "_", challenge['token'])
        keyauthorization = "{0}.{1}".format(token, thumbprint)

        # Update vs
        rsp = session.get("vsvip/?search=(fqdn,{})".format(domain)).json()
        if rsp["count"] == 0:
            raise Exception(
                "Could not find a VSVIP with fqdn = {}".format(domain))
        vsvip_uuid = rsp["results"][0]["uuid"]
        rsp = session.get(
            "virtualservice?search=(vsvip_ref,{})".format(vsvip_uuid)).json()
        if rsp['count'] == 0:
            raise Exception(
                "Could not find a VS with common name = {}".format(domain))

        vs_uuid = rsp["results"][0]["uuid"]
        log.info("Found vs {} with fqdn {}".format(vs_uuid, domain))
        # Check if the vs is servering on port 80
        serving_on_port_80 = False
        service_on_port_80_data = None
        for service in rsp["results"][0]["services"]:
            if service["port"] == "80":
                serving_on_port_80 = True
                break

        # create HTTP policy
        httppolicy_data = {
            "name": (domain + "LetsEncryptHTTPpolicy"),
            "http_security_policy": {
                "rules": [{
                    "name": "Rule 1",
                    "index": 1,
                    "enable": True,
                    "match": {
                        "vs_port": {
                            "match_criteria": "IS_IN",
                            "ports": [80]
                        },
                        "path": {
                            "match_criteria":
                            "CONTAINS",
                            "match_case":
                            "SENSITIVE",
                            "match_str":
                            [".well-known/acme-challenge/{}".format(token)]
                        }
                    },
                    "action": {
                        "action": "HTTP_SECURITY_ACTION_SEND_RESPONSE",
                        "status_code": "HTTP_LOCAL_RESPONSE_STATUS_CODE_200",
                        "file": {
                            "content_type": "text/plain",
                            "file_content": keyauthorization
                        }
                    }
                }]
            },
            "is_internal_policy": False
        }
        rsp = session.post("httppolicyset", data=httppolicy_data).json()
        httppolicy_uuid = rsp["uuid"]
        log.info("Created HTTP policy with uuid {}".format(httppolicy_uuid))

        patch_data = {
            "add": {
                "http_policies": [{
                    "http_policy_set_ref":
                    "/api/httppolicyset/{}".format(httppolicy_uuid),
                    "index":
                    1000001
                }]
            }
        }
        if not serving_on_port_80:
            # Add to port to virtualservice
            service_on_port_80_data = {
                "enable_http2": False,
                "enable_ssl": False,
                "port": 80,
                "port_range_end": 80
            }
            patch_data["add"]["services"] = [service_on_port_80_data]
        rsp = session.patch("virtualservice/{}".format(vs_uuid), patch_data)

        exception_occured = None
        try:
            # check that the file is in place
            try:
                wellknown_url = "http://{0}/.well-known/acme-challenge/{1}".format(
                    domain, token)
                assert (disable_check
                        or _do_request(wellknown_url)[0] == keyauthorization)
            except (AssertionError, ValueError) as e:
                raise ValueError(
                    "Wrote file to {0}, but couldn't download {1}: {2}".format(
                        'wellknown_path', 'wellknown_url', e))

            # say the challenge is done
            _send_signed_request(
                challenge['url'], {},
                "Error submitting challenges: {0}".format(domain))
            authorization = _poll_until_not(
                auth_url, ["pending"],
                "Error checking challenge status for {0}".format(domain))
            if authorization['status'] != "valid":
                raise ValueError("Challenge did not pass for {0}: {1}".format(
                    domain, authorization))

        except Exception as e:
            exception_occured = str(e)
        finally:
            # Update the vs
            patch_data = {
                "delete": {
                    "http_policies": [{
                        "http_policy_set_ref":
                        "/api/httppolicyset/{}".format(httppolicy_uuid),
                        "index":
                        1000001
                    }]
                }
            }
            if not serving_on_port_80:
                patch_data["delete"]["services"] = [service_on_port_80_data]
            rsp = session.patch("virtualservice/{}".format(vs_uuid),
                                patch_data)
            rsp = session.delete("httppolicyset/{}".format(httppolicy_uuid))

        if exception_occured:
            log.error(exception_occured)
            raise Exception(exception_occured)

        log.info("{0} verified!".format(domain))

    # finalize the order with the csr
    log.info("Signing certificate...")
    csr_der = _cmd(["openssl", "req", "-in", csr, "-outform", "DER"],
                   err_msg="DER Export Error")
    _send_signed_request(order['finalize'], {"csr": _b64(csr_der)},
                         "Error finalizing order")

    # poll the order to monitor when it's done
    order = _poll_until_not(order_headers['Location'],
                            ["pending", "processing"],
                            "Error checking order status")
    if order['status'] != "valid":
        raise ValueError("Order failed: {0}".format(order))

    # download the certificate
    certificate_pem, _, _ = _send_signed_request(
        order['certificate'], None, "Certificate download failed")
    log.info("Certificate signed!")

    return certificate_pem