def request_reissue(certificate, commit): """ Reissuing certificate and handles any exceptions. :param certificate: :param commit: :return: """ status = FAILURE_METRIC_STATUS try: print("[+] {0} is eligible for re-issuance".format(certificate.name)) # set the lemur identity for all cli commands identity_changed.send(current_app._get_current_object(), identity=Identity(1)) details = get_certificate_primitives(certificate) print_certificate_details(details) if commit: new_cert = reissue_certificate(certificate, replace=True) print("[+] New certificate named: {0}".format(new_cert.name)) status = SUCCESS_METRIC_STATUS except Exception as e: sentry.captureException() print( "[!] Failed to reissue certificates. Reason: {}".format( e ) ) metrics.send('certificate_reissue', 'counter', 1, metric_tags={'status': status})
def certificate_reissue(): """ This celery task reissues certificates which are pending reissue :return: """ function = f"{__name__}.{sys._getframe().f_code.co_name}" task_id = None if celery.current_task: task_id = celery.current_task.request.id log_data = { "function": function, "message": "reissuing certificates", "task_id": task_id, } if task_id and is_task_active(function, task_id, None): log_data["message"] = "Skipping task: Task is already active" current_app.logger.debug(log_data) return current_app.logger.debug(log_data) # set the lemur identity identity_changed.send(current_app._get_current_object(), identity=Identity(1)) for certificate in certificate_service.get_all_pending_reissue(): log_data["message"] = f"{certificate.name} is eligible for re-issuance" current_app.logger.info(log_data) details = certificate_service.get_certificate_primitives(certificate) details, errors = CertificateOutputSchema().dump(details) current_app.logger.info( "Re-issuing certificate", extra=dict( certificate={ "common_name": details["commonName"], "sans": ",".join(x["value"] for x in details["extensions"] ["subAltNames"]["names"]), "authority_name": details["authority"]["name"], "validity_start": details["validityStart"], "validity_end": details["validityEnd"], }), ) new_cert = certificate_service.reissue_certificate(certificate, replace=True) log_data["message"] = f"New certificate named:{new_cert.name}" current_app.logger.info(log_data) log_data["message"] = "reissuance completed" current_app.logger.info(log_data) metrics.send(f"{function}.success", "counter", 1) return log_data
def request_reissue(certificate, commit): """ Reissuing certificate and handles any exceptions. :param certificate: :param commit: :return: """ status = FAILURE_METRIC_STATUS try: print("[+] {0} is eligible for re-issuance".format(certificate.name)) # set the lemur identity for all cli commands identity_changed.send(current_app._get_current_object(), identity=Identity(1)) details = get_certificate_primitives(certificate) print_certificate_details(details) if commit: new_cert = reissue_certificate(certificate, replace=True) print("[+] New certificate named: {0}".format(new_cert.name)) status = SUCCESS_METRIC_STATUS except Exception as e: sentry.captureException() current_app.logger.exception("Error reissuing certificate.", exc_info=True) print( "[!] Failed to reissue certificates. Reason: {}".format( e ) ) metrics.send('certificate_reissue', 'counter', 1, metric_tags={'status': status})
def test_reissue_certificate(issuer_plugin, crypto_authority, certificate, logged_in_user): from lemur.certificates.service import reissue_certificate # test-authority would return a mismatching private key, so use 'cryptography-issuer' plugin instead. certificate.authority = crypto_authority new_cert = reissue_certificate(certificate) assert new_cert
def rotate(new_certificate_name, old_certificate_name, commit=False): from lemur.certificates.service import get_by_name, reissue_certificate, get_certificate_primitives from lemur.endpoints.service import rotate_certificate old_cert = get_by_name(old_certificate_name) if not old_cert: sys.stdout.write("[-] No certificate found with name: {0}\n".format( old_certificate_name)) sys.exit(1) if new_certificate_name: new_cert = get_by_name(new_certificate_name) if not new_cert: sys.stdout.write( "[-] No certificate found with name: {0}\n".format( old_certificate_name)) sys.exit(1) if commit: sys.stdout.write("[!] Running in COMMIT mode.\n") if not new_certificate_name: sys.stdout.write( "[!] No new certificate provided. Attempting to re-issue old certificate: {0}.\n" .format(old_certificate_name)) details = get_certificate_primitives(old_cert) print_certificate_details(details) if commit: new_cert = reissue_certificate(old_cert, replace=True) sys.stdout.write("[+] Issued new certificate named: {0}\n".format( new_cert.name)) sys.stdout.write("[+] Done! \n") if len(old_cert.endpoints) > 0: for endpoint in old_cert.endpoints: sys.stdout.write( "[+] Certificate deployed on endpoint: name:{name} dnsname:{dnsname} port:{port} type:{type}\n" .format(name=endpoint.name, dnsname=endpoint.dnsname, port=endpoint.port, type=endpoint.type)) sys.stdout.write( "[+] Rotating certificate from: {0} to: {1}\n".format( old_certificate_name, new_cert.name)) if commit: rotate_certificate(endpoint, new_cert) sys.stdout.write("[+] Done! \n") else: sys.stdout.write( "[!] Certificate not found on any existing endpoints. Nothing to rotate.\n" )
def test_reissue_certificate( issuer_plugin, crypto_authority, certificate, logged_in_user ): from lemur.certificates.service import reissue_certificate from lemur.authorities.service import update_options from lemur.tests.conf import LEMUR_DEFAULT_ORGANIZATION # test-authority would return a mismatching private key, so use 'cryptography-issuer' plugin instead. certificate.authority = crypto_authority new_cert = reissue_certificate(certificate) assert new_cert assert new_cert.key_type == "RSA2048" assert new_cert.organization != certificate.organization # Check for default value since authority does not have cab_compliant option set assert new_cert.organization == LEMUR_DEFAULT_ORGANIZATION assert new_cert.description.startswith(f"Reissued by Lemur for cert ID {certificate.id}") # update cab_compliant option to false for crypto_authority to maintain subject details update_options(crypto_authority.id, '[{"name": "cab_compliant","value":false}]') new_cert = reissue_certificate(certificate) assert new_cert.organization == certificate.organization
def reissue_and_rotate(old_certificate, new_certificate=None, commit=False, message=False): if not new_certificate: # we don't want to re-issue if it's already been replaced if not old_certificate.replaced: details = get_certificate_primitives(old_certificate) print_certificate_details(details) if commit: new_certificate = reissue_certificate(old_certificate, replace=True) print("[+] Issued new certificate named: {0}".format( new_certificate.name)) time.sleep(10) print( "[!] Sleeping to ensure that certificate propagates before rotating." ) else: new_certificate = old_certificate print("[+] Done!") else: if len(old_certificate.replaced) > 1: raise Exception( "Unable to rotate certificate based on replacement, found more than one!" ) else: new_certificate = old_certificate.replaced[0] print("[!] Certificate has been replaced by: {0}".format( old_certificate.replaced[0].name)) if len(old_certificate.endpoints) > 0: for endpoint in old_certificate.endpoints: print( "[+] Certificate deployed on endpoint: name:{name} dnsname:{dnsname} port:{port} type:{type}" .format(name=endpoint.name, dnsname=endpoint.dnsname, port=endpoint.port, type=endpoint.type)) print("[+] Rotating certificate from: {0} to: {1}".format( old_certificate.name, new_certificate.name)) if commit: rotate_certificate(endpoint, new_certificate) print("[+] Done!") if message: send_rotation_notification(old_certificate)
def request_reissue(certificate, notify, commit): """ Reissuing certificate and handles any exceptions. :param certificate: :param notify: :param commit: :return: """ status = FAILURE_METRIC_STATUS notify = notify and certificate.notify try: print("[+] {0} is eligible for re-issuance".format(certificate.name)) # set the lemur identity for all cli commands identity_changed.send(current_app._get_current_object(), identity=Identity(1)) details = get_certificate_primitives(certificate) print_certificate_details(details) if commit: new_cert = reissue_certificate(certificate, notify=notify, replace=True) print("[+] New certificate named: {0}".format(new_cert.name)) if notify and isinstance( new_cert, Certificate): # let celery handle PendingCertificates send_reissue_no_endpoints_notification(certificate, new_cert) status = SUCCESS_METRIC_STATUS except Exception as e: capture_exception(extra={"certificate_name": str(certificate.name)}) current_app.logger.exception( f"Error reissuing certificate: {certificate.name}", exc_info=True) print( f"[!] Failed to reissue certificate: {certificate.name}. Reason: {e}" ) if notify: send_reissue_failed_notification(certificate) metrics.send( "certificate_reissue", "counter", 1, metric_tags={ "status": status, "certificate": certificate.name }, )
def request_reissue(certificate, commit): """ Reissuing certificate and handles any exceptions. :param certificate: :param commit: :return: """ details = get_certificate_primitives(certificate) print_certificate_details(details) if commit: new_cert = reissue_certificate(certificate, replace=True) metrics.send('certificate_reissue_success', 'counter', 1) print("[+] New certificate named: {0}".format(new_cert.name))
def request_reissue(certificate, commit): """ Reissuing certificate and handles any exceptions. :param certificate: :param commit: :return: """ # set the lemur identity for all cli commands identity_changed.send(current_app._get_current_object(), identity=Identity(1)) details = get_certificate_primitives(certificate) print_certificate_details(details) if commit: new_cert = reissue_certificate(certificate, replace=True) metrics.send('certificate_reissue_success', 'counter', 1) print("[+] New certificate named: {0}".format(new_cert.name))
def reissue(old_certificate_name, commit=False): old_cert = get_by_name(old_certificate_name) if not old_cert: print("[-] No certificate found with name: {0}".format( old_certificate_name)) sys.exit(1) if commit: print("[!] Running in COMMIT mode.") details = get_certificate_primitives(old_cert) print_certificate_details(details) if commit: new_cert = reissue_certificate(old_cert, replace=True) print("[+] Issued new certificate named: {0}".format(new_cert.name)) print("[+] Done!")
def reissue_and_rotate(old_certificate, new_certificate=None, commit=False, message=False): if not new_certificate: # we don't want to re-issue if it's already been replaced if not old_certificate.replaced: details = get_certificate_primitives(old_certificate) print_certificate_details(details) if commit: new_certificate = reissue_certificate(old_certificate, replace=True) print("[+] Issued new certificate named: {0}".format( new_certificate.name)) print("[+] Done!") else: new_certificate = old_certificate.replaced print("[!] Certificate has been replaced by: {0}".format( old_certificate.replaced.name)) if len(old_certificate.endpoints) > 0: for endpoint in old_certificate.endpoints: print( "[+] Certificate deployed on endpoint: name:{name} dnsname:{dnsname} port:{port} type:{type}" .format(name=endpoint.name, dnsname=endpoint.dnsname, port=endpoint.port, type=endpoint.type)) print("[+] Rotating certificate from: {0} to: {1}".format( old_certificate.name, new_certificate.name)) if commit: rotate_certificate(endpoint, new_certificate) print("[+] Done!") if message: send_rotation_notification(old_certificate)
def reissue(old_certificate_name, commit=False): from lemur.certificates.service import get_by_name, reissue_certificate, get_certificate_primitives old_cert = get_by_name(old_certificate_name) if not old_cert: sys.stdout.write("[-] No certificate found with name: {0}\n".format( old_certificate_name)) sys.exit(1) if commit: sys.stdout.write("[!] Running in COMMIT mode.\n") details = get_certificate_primitives(old_cert) print_certificate_details(details) if commit: new_cert = reissue_certificate(old_cert, replace=True) sys.stdout.write("[+] Issued new certificate named: {0}\n".format( new_cert.name)) sys.stdout.write("[+] Done! \n")
def reissue(old_certificate_name, validity_start, validity_end, commit): """ Reissues certificate with the same parameters as it was originally issued with. If not time period is provided, reissues certificate as valid from today to today + length of original. """ old_cert = get_by_name(old_certificate_name) if not old_cert: print("[-] No certificate found with name: {0}".format( old_certificate_name)) sys.exit(1) if commit: print("[!] Running in COMMIT mode.") details = get_certificate_primitives(old_cert) print_certificate_details(details) if commit: new_cert = reissue_certificate(old_cert, replace=True) print("[+] Issued new certificate named: {0}".format(new_cert.name)) print("[+] Done!")
def test_reissue_certificate(issuer_plugin, authority, certificate): from lemur.certificates.service import reissue_certificate new_cert = reissue_certificate(certificate) assert new_cert