def test_format_as1_date_from_certs(self): test_cases = [ {'path': 'valid/cert.pem', 'year': 2027, 'month': 2, 'day': 25, }, {'path': 'invalid/expired_cert.pem', 'year': 2017, 'month': 2, 'day': 4, }, {'path': 'invalid/glbc_le_stage_cert.pem', 'year': 2017, 'month': 8, 'day': 22, }, ] for tc in test_cases: path = os.path.join(helpers.DATA_DIR, 'https', tc['path']) with open(path, 'r') as f: cert = crypto.load_certificate(crypto.FILETYPE_PEM, f.read()) s = cert.get_notAfter() date = letsencrypt.convert_asn1_date(s) self.assertEquals(date.year, tc['year']) self.assertEquals(date.month, tc['month']) self.assertEquals(date.day, tc['day'])
def acme_cert_renewal_checks(self, store): cert = load_certificate(FILETYPE_PEM, GLSettings.memory_copy.private.https_cert) expiration_date = letsencrypt.convert_asn1_date(cert.get_notAfter()) t = timedelta(days=self.acme_try_renewal) renewal_window = datetime.now() + t if not expiration_date < renewal_window: # We will not apply for the renewal of the certificate return try: db_acme_cert_issuance(store) except Exception as e: self.acme_failures = +1 log.err('ACME certificate renewal failed with: %s' % e) raise try: yield GLSettings.appstate.process_supervisor.shutdown() yield GLSettings.appstate.process_supervisor.maybe_launch_https_workers( ) except Exception as e: self.acme_failures = +1 log.err('Restart of HTTPS workers failed with: %s' % e) raise
def cert_expiration_checks(self, store): priv_fact = models.config.PrivateFactory(store) if not priv_fact.get_val(u'https_enabled'): return cert = load_certificate(FILETYPE_PEM, priv_fact.get_val(u'https_cert')) expiration_date = letsencrypt.convert_asn1_date(cert.get_notAfter()) # Acme renewal checks if priv_fact.get_val(u'acme') and datetime.now( ) > expiration_date - timedelta(days=self.acme_try_renewal): try: db_acme_cert_issuance(store) except Exception as excep: self.acme_failures = +1 log.err('ACME certificate renewal failed with: %s', excep) raise self.should_restart_https = True self.acme_failures = 0 # Regular certificates expiration checks elif datetime.now() > expiration_date - timedelta( days=self.notify_expr_within): log.info('The HTTPS Certificate is expiring on %s', expiration_date) if not State.tenant_cache[ 1].notif.disable_admin_notification_emails: self.certificate_mail_creation(store, expiration_date)
def cert_expiration_checks(self, session, tid): priv_fact = models.config.ConfigFactory(session, tid, 'node') if not priv_fact.get_val(u'https_enabled'): return cert = load_certificate(FILETYPE_PEM, priv_fact.get_val(u'https_cert')) expiration_date = letsencrypt.convert_asn1_date(cert.get_notAfter()) expiration_date_iso = datetime_to_ISO8601(expiration_date) # Acme renewal checks if priv_fact.get_val(u'acme') and datetime.now() > expiration_date - timedelta(days=self.acme_try_renewal): try: db_acme_cert_issuance(session, tid) except Exception as exc: log.err('Automatic HTTPS renewal failed: %s', exc, tid=tid) # Send an email to the admin cause this requires user intervention if not self.state.tenant_cache[tid].notification.disable_admin_notification_emails: self.certificate_mail_creation(session, 'https_certificate_renewal_failure', tid, expiration_date_iso) else: self.should_restart_https = True # Regular certificates expiration checks elif datetime.now() > expiration_date - timedelta(days=self.notify_expr_within): log.info('The HTTPS Certificate is expiring on %s', expiration_date, tid=tid) if not self.state.tenant_cache[tid].notification.disable_admin_notification_emails: self.certificate_mail_creation(session, 'https_certificate_expiration', tid, expiration_date_iso)
def test_format_asn1_date(self): s = b'20170827153000Z' d = letsencrypt.convert_asn1_date(s) self.assertEqual(d.year, 2017) self.assertEqual(d.month, 8) self.assertEqual(d.day, 27)
def db_serialize(session, tid): c = ConfigFactory(session, tid).get_val('https_chain') if len(c) == 0: return {'name': 'chain', 'set': False} x509 = crypto.load_certificate(crypto.FILETYPE_PEM, c) expr_date = letsencrypt.convert_asn1_date(x509.get_notAfter()) return { 'name': 'chain', 'issuer': tls.parse_issuer_name(x509), 'expiration_date': expr_date, 'set': True, }
def cert_expiration_checks(self, store): if not GLSettings.memory_copy.private.https_enabled: return cert = load_certificate(FILETYPE_PEM, GLSettings.memory_copy.private.https_cert) expiration_date = letsencrypt.convert_asn1_date(cert.get_notAfter()) t = timedelta(days=self.notify_expr_within) expiration_window = datetime.now() + t if not expiration_date < expiration_window: log.debug('The HTTPS certificate is not going to expire within target window.') return if GLSettings.memory_copy.notif.disable_admin_notification_emails: log.info('Certificate expiring on %s, admin notif email suppressed' % expiration_date) else: self.certificate_mail_creation(store, expiration_date)
def db_serialize(session, tid): c = ConfigFactory(session, tid).get_val('https_cert') if not c: return { 'name': 'cert', 'set': False } log.err(c) c = """{}""".format(c) x509 = crypto.load_certificate(crypto.FILETYPE_PEM, c) expr_date = letsencrypt.convert_asn1_date(x509.get_notAfter()) return { 'name': 'cert', 'issuer': tls.parse_issuer_name(x509), 'expiration_date': expr_date, 'set': True, }
def cert_expiration_checks(self, session, tid): now = datetime.now() priv_fact = models.config.ConfigFactory(session, tid) if not priv_fact.get_val('https_enabled'): return cert = load_certificate(FILETYPE_PEM, priv_fact.get_val('https_cert')) expiration_date = letsencrypt.convert_asn1_date(cert.get_notAfter()) # Acme renewal checks if priv_fact.get_val('acme') and now > expiration_date - timedelta( days=self.acme_try_renewal): try: db_acme_cert_request(session, tid) except Exception as exc: log.err('Automatic HTTPS renewal failed: %s', exc, tid=tid) # Send an email to the admin cause this requires user intervention if now > expiration_date - timedelta(days=self.notify_expr_within) and \ not self.state.tenant_cache[tid].notification.disable_admin_notification_emails: self.certificate_mail_creation( session, 'https_certificate_renewal_failure', tid, expiration_date) tls_config = load_tls_dict(session, tid) self.state.snimap.unload(tid) self.state.snimap.load(tid, tls_config) # Regular certificates expiration checks elif now > expiration_date - timedelta(days=self.notify_expr_within): log.info('The HTTPS Certificate is expiring on %s', expiration_date, tid=tid) if not self.state.tenant_cache[ tid].notification.disable_admin_notification_emails: self.certificate_mail_creation(session, 'https_certificate_expiration', tid, expiration_date)