def should_autorenew(self):
    """Decide whether the newest cert version should be autorenewed now.

    This is a policy decision rather than a plain expiry test: it takes
    into account whether autorenewal is enabled, whether the cert is
    reported revoked, and whether the configured renewal window before
    expiry has been entered.

    The version examined is the numerically most recent one, not the
    currently deployed one.

    :returns: whether an attempt should now be made to autorenew the
        most current cert version in this lineage
    :rtype: bool

    """
    if not self.autorenewal_is_enabled():
        return False

    # A cert reported as revoked is renewed regardless of how much
    # validity it has left.
    # NOTE(review): ocsp_revoked is defined elsewhere; what it returns when
    # the revocation lookup itself fails is not visible here -- confirm.
    if self.ocsp_revoked(self.latest_common_version()):
        return True

    # Otherwise renew once the remaining lifetime drops below the
    # configured window ("10 days" unless the configuration overrides it).
    window = parse_time_interval(
        self.configuration.get("renew_before_expiry", "10 days"))
    not_after = crypto_util.notAfter(
        self.version("cert", self.latest_common_version()))
    # "now" is an aware UTC value taken from the local clock, so a skewed
    # clock shifts the renewal decision by the same amount.
    current_time = datetime.datetime.utcnow().replace(tzinfo=pytz.UTC)
    time_left = not_after - current_time
    return bool(time_left < window)
def should_autodeploy(self, interactive=False):
    """Decide whether this lineage should now deploy a newer version.

    This is a policy decision and does not depend only on a newer cert
    version existing: it considers whether autodeployment is enabled,
    whether a relevant newer version is pending, and whether the
    configured deployment window before expiry has been entered.

    :param bool interactive: set to True to evaluate the question even
        when the renewal configuration does not allow automated
        deployment (for interactive use). Default False.

    :returns: whether the lineage now ought to autodeploy an existing
        newer cert version
    :rtype: bool

    """
    # interactive=True skips the configuration flag entirely; the flag is
    # only consulted for unattended runs.
    if not (interactive or self.autodeployment_is_enabled()):
        return False
    if not self.has_pending_deployment():
        return False

    # Deploy once the currently targeted cert expires within the window
    # ("5 days" unless the configuration overrides it).
    window = self.configuration.get("deploy_before_expiry", "5 days")
    not_after = crypto_util.notAfter(self.current_target("cert"))
    # Aware UTC "now" derived from the local system clock.
    current_time = pytz.UTC.fromutc(datetime.datetime.utcnow())
    return bool(not_after < add_time_interval(current_time, window))
def should_autodeploy(self):
    """Decide whether this lineage should now deploy a newer version.

    This is a policy decision and does not depend only on a newer cert
    version existing: it considers whether autodeployment is enabled,
    whether a relevant newer version is pending, and whether the
    configured deployment window before expiry has been entered.

    :returns: whether the lineage now ought to autodeploy an existing
        newer cert version
    :rtype: bool

    """
    ready = self.autodeployment_is_enabled() and self.has_pending_deployment()
    if not ready:
        return False

    # Window before expiry in which deployment is due; "5 days" unless
    # the configuration overrides it.
    raw_window = self.configuration.get("deploy_before_expiry", "5 days")
    window = parse_time_interval(raw_window)
    not_after = crypto_util.notAfter(self.current_target("cert"))
    # Aware UTC "now" from the local clock; clock skew shifts the decision.
    current_time = datetime.datetime.utcnow().replace(tzinfo=pytz.UTC)
    time_left = not_after - current_time
    if time_left < window:
        return True
    return False
def _report_new_cert(cert_path, fullchain_path):
    """Tell the user that a new certificate has been created.

    The message names where the certificate was saved and the date on
    which it expires, read from the cert at ``cert_path``.

    :param str cert_path: path to cert
    :param str fullchain_path: path to full chain; when falsy the message
        points at ``cert_path`` instead

    """
    expires_on = crypto_util.notAfter(cert_path).date()
    reporter = zope.component.getUtility(interfaces.IReporter)

    if fullchain_path:
        # Point at fullchain.pem, since that is what modern webservers
        # (Nginx and Apache2.4) will want.
        verb_phrase, saved_path = "and chain have", fullchain_path
    else:
        # In .csr mode there really is no full chain to point at.
        # NOTE: "has " carries a trailing space, so the rendered message
        # contains two spaces before "been".
        verb_phrase, saved_path = "has ", cert_path

    # XXX Perhaps one day we could detect the presence of known old
    # webservers and say something more informative here.
    template = ("Congratulations! Your certificate {0} been saved at {1}."
                " Your cert will expire on {2}. To obtain a new version of the "
                "certificate in the future, simply run Let's Encrypt again.")
    reporter.add_message(
        template.format(verb_phrase, saved_path, expires_on),
        reporter.MEDIUM_PRIORITY)
def _report_new_cert(cert_path, fullchain_path):
    """Report a newly created certificate to the user.

    The expiry date in the message is always taken from the cert at
    ``cert_path``; only the path shown to the user varies.

    :param str cert_path: path to cert
    :param str fullchain_path: path to full chain, shown in preference to
        ``cert_path`` when it is truthy

    """
    expiry_date = crypto_util.notAfter(cert_path).date()
    reporter = zope.component.getUtility(interfaces.IReporter)

    # With a full chain, print the path to fullchain.pem because that is
    # what modern webservers (Nginx and Apache2.4) will want; without one
    # (.csr mode) fall back to the cert itself. The "has " wording keeps
    # its trailing space, which renders as a double space in the message.
    wording, location = (
        ("and chain have", fullchain_path) if fullchain_path
        else ("has ", cert_path))

    # XXX Perhaps one day we could detect the presence of known old
    # webservers and say something more informative here.
    text = (
        "Congratulations! Your certificate {0} been saved at {1}."
        " Your cert will expire on {2}. To obtain a new version of the "
        "certificate in the future, simply run Let's Encrypt again."
    ).format(wording, location, expiry_date)
    reporter.add_message(text, reporter.MEDIUM_PRIORITY)
def should_autorenew(self):
    """Report whether an autorenewal attempt is due for the newest cert.

    The answer is a policy decision, not just an expiry check. Three
    things are considered: whether autorenewal is enabled, whether the
    cert is reported revoked, and whether the renewal interval before
    expiry has been reached.

    The numerically most recent cert version is examined, not the
    currently deployed version.

    :returns: whether an attempt should now be made to autorenew the
        most current cert version in this lineage
    :rtype: bool

    """
    if not self.autorenewal_is_enabled():
        return False

    # Revocation forces a renewal attempt independent of expiry.
    if self.ocsp_revoked(self.latest_common_version()):
        return True

    # Expiry-based renewal: compare the remaining validity with the
    # configured interval (default "10 days").
    raw_interval = self.configuration.get("renew_before_expiry", "10 days")
    threshold = parse_time_interval(raw_interval)
    cert_file = self.version("cert", self.latest_common_version())
    expires_at = crypto_util.notAfter(cert_file)
    # Aware UTC timestamp from the local clock; the subtraction below
    # needs expires_at to be timezone-aware as well.
    utc_now = datetime.datetime.utcnow().replace(tzinfo=pytz.UTC)
    if expires_at - utc_now < threshold:
        return True
    return False
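def should_autorenew(self):
    """Should we now try to autorenew the most recent cert version?

    This is a policy question and does not only depend on whether the
    cert is expired. (This considers whether autorenewal is enabled,
    whether the cert is revoked, and whether the time interval for
    autorenewal has been reached.)

    Note that this examines the numerically most recent cert version,
    not the currently deployed version.

    :returns: whether an attempt should now be made to autorenew the
        most current cert version in this lineage
    :rtype: bool

    """
    if self.autorenewal_is_enabled():
        # Consider whether to attempt to autorenew this cert now

        # Renewals on the basis of revocation
        if self.ocsp_revoked(self.latest_common_version()):
            logger.debug("Should renew, certificate is revoked.")
            return True

        # Renewals on the basis of expiry time
        interval = self.configuration.get("renew_before_expiry", "10 days")
        expiry = crypto_util.notAfter(self.version(
            "cert", self.latest_common_version()))
        # Aware UTC "now" taken from the local system clock.
        now = pytz.UTC.fromutc(datetime.datetime.utcnow())
        if expiry < add_time_interval(now, interval):
            # This branch fires as soon as the cert is inside the renewal
            # window, which is normally before it expires. The log line
            # therefore reports the window and the expiry time rather than
            # claiming the cert has already expired, which would mislead
            # anyone reading the log during an incident.
            logger.debug(
                "Should renew, less than %s before certificate "
                "expiry %s.", interval,
                expiry.strftime("%Y-%m-%d %H:%M:%S %Z"))
            return True
    return False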
def _report_new_cert(cert_path):
    """Tell the user where the new certificate is and when it expires.

    :param str cert_path: path to the saved certificate; its expiry date
        is read from this file and shown in the message

    """
    expires_on = crypto_util.notAfter(cert_path).date()
    reporter = zope.component.getUtility(interfaces.IReporter)
    template = ("Congratulations! Your certificate has been "
                "saved at {0} and will expire on {1}. To obtain "
                "a new version of the certificate in the "
                "future, simply run Let's Encrypt again.")
    reporter.add_message(
        template.format(cert_path, expires_on), reporter.MEDIUM_PRIORITY)
def should_autorenew(self, interactive=False):
    """Decide whether the newest cert version should be autorenewed now.

    This is a policy decision rather than a plain expiry test: it takes
    into account whether autorenewal is enabled, whether the cert is
    reported revoked, and whether the configured renewal window before
    expiry has been entered.

    The version examined is the numerically most recent one, not the
    currently deployed one.

    :param bool interactive: set to True to evaluate the question even
        when the renewal configuration does not allow automated renewal
        (for interactive use). Default False.

    :returns: whether an attempt should now be made to autorenew the
        most current cert version in this lineage
    :rtype: bool

    """
    # interactive=True skips the configuration flag; the flag is only
    # consulted for unattended runs.
    if not (interactive or self.autorenewal_is_enabled()):
        return False

    # A cert reported as revoked is renewed whatever its remaining validity.
    if self.ocsp_revoked(self.latest_common_version()):
        logger.debug("Should renew, certificate is revoked.")
        return True

    # Renew some period before expiry; the project default applies when the
    # lineage configuration does not set "renew_before_expiry".
    fallback = constants.RENEWER_DEFAULTS["renew_before_expiry"]
    window = self.configuration.get("renew_before_expiry", fallback)
    not_after = crypto_util.notAfter(
        self.version("cert", self.latest_common_version()))
    # Aware UTC "now" from the local clock; clock skew shifts the decision.
    current_time = pytz.UTC.fromutc(datetime.datetime.utcnow())
    if not_after < add_time_interval(current_time, window):
        logger.debug(
            "Should renew, less than %s before certificate "
            "expiry %s.", window,
            not_after.strftime("%Y-%m-%d %H:%M:%S %Z"))
        return True
    return False
def should_autorenew(self, interactive=False):
    """Report whether an autorenewal attempt is due for the newest cert.

    The answer is a policy decision, not just an expiry check. Three
    things are considered: whether autorenewal is enabled, whether the
    cert is reported revoked, and whether the renewal interval before
    expiry has been reached.

    The numerically most recent cert version is examined, not the
    currently deployed version.

    :param bool interactive: set to True to examine the question
        regardless of whether the renewal configuration allows automated
        renewal (for interactive use). Default False.

    :returns: whether an attempt should now be made to autorenew the
        most current cert version in this lineage
    :rtype: bool

    """
    allowed = interactive or self.autorenewal_is_enabled()
    if not allowed:
        return False

    # Revocation forces a renewal attempt independent of expiry.
    # NOTE(review): ocsp_revoked is defined elsewhere; its behaviour when
    # the revocation lookup fails is not visible here -- confirm.
    revoked = self.ocsp_revoked(self.latest_common_version())
    if revoked:
        logger.debug("Should renew, certificate is revoked.")
        return True

    # Expiry-based renewal, using the project default interval unless the
    # lineage configuration sets its own.
    default_interval = constants.RENEWER_DEFAULTS["renew_before_expiry"]
    interval = self.configuration.get("renew_before_expiry", default_interval)
    cert_file = self.version("cert", self.latest_common_version())
    expires_at = crypto_util.notAfter(cert_file)
    utc_now = pytz.UTC.fromutc(datetime.datetime.utcnow())
    inside_window = expires_at < add_time_interval(utc_now, interval)
    if inside_window:
        logger.debug(
            "Should renew, less than %s before certificate expiry %s.",
            interval,
            expires_at.strftime("%Y-%m-%d %H:%M:%S %Z"),
        )
        return True
    return False
def test_notAfter(self):
    """Check the expiry timestamp notAfter reads from the test cert.

    The expected ISO string carries an explicit ``+00:00`` offset, so the
    test also pins that the returned datetime is timezone-aware.
    """
    from letsencrypt.crypto_util import notAfter

    expected = '2014-12-18T22:34:45+00:00'
    self.assertEqual(notAfter(CERT_PATH).isoformat(), expected)
def test_notAfter(self):
    """Verify notAfter returns the test cert's expiry as aware UTC time.

    Comparing ISO-formatted strings checks both the instant and the
    ``+00:00`` offset in one assertion.
    """
    from letsencrypt.crypto_util import notAfter

    actual = notAfter(CERT_PATH).isoformat()
    self.assertEqual(actual, '2014-12-18T22:34:45+00:00')