Beispiel #1
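    def obtain_certificate_from_csr(self, csr, orderr=None):
        """Obtain a certificate for an existing CSR.

        When no order is passed in, one is requested through
        ``_get_order_and_authorizations`` with ``best_effort=False``.
        The order is then finalized and the returned full chain is split
        into the leaf certificate and the remaining chain.

        This method only splits the PEM returned for the order; it does
        not itself verify the certificate or the chain.

        :param .util.CSR csr: PEM-encoded Certificate Signing
            Request. The key used to generate this CSR can be different
            than `authkey`.
        :param acme.messages.OrderResource orderr: contains authzrs

        :returns: certificate and chain as PEM byte strings
        :rtype: tuple

        :raises errors.Error: if no authenticator is set, or if the
            account is missing or has not been registered

        """
        if self.auth_handler is None:
            msg = ("Unable to obtain certificate because authenticator is "
                   "not set.")
            logger.warning(msg)
            raise errors.Error(msg)
        # Without the explicit None test, a client that has no account at
        # all would fail with AttributeError rather than errors.Error.
        if self.account is None or self.account.regr is None:
            raise errors.Error("Please register with the ACME server first.")

        logger.debug("CSR: %s", csr)

        if orderr is None:
            orderr = self._get_order_and_authorizations(csr.data, best_effort=False)

        # Naive local-time deadline, fixed at 90 seconds from now, handed to
        # finalize_order together with the order.
        deadline = datetime.datetime.now() + datetime.timedelta(seconds=90)
        orderr = self.acme.finalize_order(orderr, deadline)
        cert, chain = crypto_util.cert_and_chain_from_fullchain(orderr.fullchain_pem)
        return cert.encode(), chain.encode()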
Beispiel #2
 def test_cert_and_chain_from_fullchain(self):
     """Splitting a full chain yields the leaf and the remaining chain.

     Covers a plainly concatenated full chain and one with an extra
     newline between the leaf and the chain.
     """
     from certbot.crypto_util import cert_and_chain_from_fullchain

     leaf = CERT.decode()
     # The chain repeats the leaf before SS_CERT, so the split has to stop
     # after the first certificate only.
     rest = leaf + SS_CERT.decode()
     candidates = (
         leaf + rest,
         leaf + u'\n' + rest,
     )
     for candidate in candidates:
         got_leaf, got_rest = cert_and_chain_from_fullchain(candidate)
         self.assertEqual(got_leaf, leaf)
         self.assertEqual(got_rest, rest)
 def test_cert_and_chain_from_fullchain(self):
     """Check that cert_and_chain_from_fullchain separates leaf from chain."""
     first_cert = CERT.decode()
     remainder = first_cert + SS_CERT.decode()

     # Two encodings of the same full chain: back to back, and with one
     # additional newline after the leaf certificate.
     inputs = [first_cert + remainder]
     inputs.append(first_cert + u'\n' + remainder)

     from certbot.crypto_util import cert_and_chain_from_fullchain
     for pem in inputs:
         parts = cert_and_chain_from_fullchain(pem)
         cert_out, chain_out = parts
         self.assertEqual(cert_out, first_cert)
         self.assertEqual(chain_out, remainder)
Beispiel #4
    def obtain_certificate_from_csr(
        self,
        csr: util.CSR,
        orderr: Optional[messages.OrderResource] = None
    ) -> Tuple[bytes, bytes]:
        """Finalize an ACME order for ``csr`` and return the issued PEMs.

        If ``orderr`` is not given, an order is requested through
        ``_get_order_and_authorizations`` with ``best_effort=False``.
        Finalization is polled until a deadline derived from
        ``config.issuance_timeout``. When ``config.preferred_chain`` is
        set and the server returned alternative chains, the chain is
        chosen with ``crypto_util.find_chain_with_issuer``.

        This method only selects and splits the PEM returned for the
        order; it does not itself verify the certificate or the chain.

        :param .util.CSR csr: PEM-encoded Certificate Signing
            Request. The key used to generate this CSR can be different
            than `authkey`.
        :param acme.messages.OrderResource orderr: contains authzrs

        :returns: certificate and chain as PEM byte strings
        :rtype: tuple

        :raises errors.Error: if the authenticator, the registered
            account or the ACME client is missing

        """
        # Preconditions: authenticator, registered account, ACME client.
        if self.auth_handler is None:
            msg = "Unable to obtain certificate because authenticator is not set."
            logger.error(msg)
            raise errors.Error(msg)
        if self.account is None or self.account.regr is None:
            raise errors.Error("Please register with the ACME server first.")
        if self.acme is None:
            raise errors.Error("ACME client is not set.")

        logger.debug("CSR: %s", csr)

        if orderr is None:
            orderr = self._get_order_and_authorizations(
                csr.data, best_effort=False)

        # Naive local-time deadline, issuance_timeout seconds from now.
        started = datetime.datetime.now()
        deadline = started + datetime.timedelta(
            seconds=self.config.issuance_timeout)
        logger.debug("Will poll for certificate issuance until %s", deadline)

        # Alternative chains are requested only when a preferred chain is
        # configured.
        want_alternatives = self.config.preferred_chain is not None
        orderr = self.acme.finalize_order(
            orderr, deadline, fetch_alternative_chains=want_alternatives)

        selected = orderr.fullchain_pem
        if self.config.preferred_chain and orderr.alternative_fullchains_pem:
            candidates = [selected] + orderr.alternative_fullchains_pem
            # NOTE(review): the third positional argument is off during dry
            # runs; presumably it toggles a no-match warning -- confirm
            # against crypto_util.find_chain_with_issuer.
            selected = crypto_util.find_chain_with_issuer(
                candidates, self.config.preferred_chain,
                not self.config.dry_run)

        leaf_pem, chain_pem = crypto_util.cert_and_chain_from_fullchain(selected)
        return leaf_pem.encode(), chain_pem.encode()
Beispiel #5
    def test_cert_and_chain_from_fullchain(self):
        """Splitting works across several encodings of one full chain.

        Each variant must split into the same leaf and chain. A lone
        certificate with no chain must be rejected with ``errors.Error``.
        """
        from certbot.crypto_util import cert_and_chain_from_fullchain

        leaf = CERT.decode()
        # The chain repeats the leaf before SS_CERT, so the split has to stop
        # after the first certificate only.
        rest = leaf + SS_CERT.decode()

        plain = leaf + rest
        extra_newline = leaf + u'\n' + rest
        crlf = plain.replace(u'\n', u'\r\n')

        # The ACME v1 code path builds the full chain by loading the cert and
        # chain DERs and dumping them with OpenSSL; re-encoding each PEM here
        # confirms that OpenSSL's output is accepted by
        # cert_and_chain_from_fullchain.
        reencode = self._parse_and_reencode_pem
        acmev1 = reencode(leaf) + reencode(leaf) + reencode(SS_CERT.decode())

        for variant in (plain, extra_newline, crlf, acmev1):
            got_leaf, got_rest = cert_and_chain_from_fullchain(variant)
            self.assertEqual(got_leaf, leaf)
            self.assertEqual(got_rest, rest)

        with self.assertRaises(errors.Error):
            cert_and_chain_from_fullchain(leaf)