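def validate_site_configuration(site, valid_vhosts):
    """Return a list of human-readable validation errors for one site entry.

    Args:
        site: mapping with at least the keys 'VHost', 'KeyTalkProvider' and
            'KeyTalkService' (each may be None/empty).
        valid_vhosts: collection of (host, port) connection addresses, as
            produced by apache_util.parse_connection_address_from_vhost, for
            the vhosts Apache actually serves.

    Returns:
        list[str]: error messages; empty when the site validates cleanly.
        Validation never raises for an invalid site, it only reports.
    """
    validation_errors = []

    if site['VHost'] is not None:
        vhost = apache_util.parse_connection_address_from_vhost(site['VHost'])
        if vhost not in valid_vhosts:
            # The hint names the distro-specific Apache control binary so the
            # operator can list the vhosts Apache really knows about.
            if os_version in ("RedHatEnterpriseServer", "CentOS"):
                validation_errors.append(
                    'Apache VHost "{}:{}" not found. Please check with "httpd -t -D DUMP_VHOSTS".'
                    .format(vhost[0], vhost[1]))
            elif os_version in ("Debian", "Ubuntu"):
                validation_errors.append(
                    'Apache VHost "{}:{}" not found. Please check with "apache2ctl -t -D DUMP_VHOSTS".'
                    .format(vhost[0], vhost[1]))
            else:
                # Previously an unknown vhost on any other distro was silently
                # accepted; still report it, just without a distro-specific hint.
                validation_errors.append(
                    'Apache VHost "{}:{}" not found.'.format(vhost[0], vhost[1]))

    keytalk_provider = site['KeyTalkProvider']
    keytalk_service = site['KeyTalkService']
    # The service is only checked when the provider is absent or known: an
    # unknown provider already explains why its services cannot be resolved.
    if keytalk_provider and keytalk_provider not in util.get_keytalk_providers():
        validation_errors.append(
            'Unknown KeyTalkProvider "{}".'.format(keytalk_provider))
    elif keytalk_service and keytalk_service not in util.get_keytalk_services(
            keytalk_provider):
        # Fixed: the message used to end with a stray extra double quote.
        validation_errors.append(
            'Unknown KeyTalkService "{}" for KeyTalkProvider "{}".'.format(
                keytalk_service, keytalk_provider))

    return validation_errors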
 def test_parse_connection_address_from_vhost(self):
     """Check that VHost strings map to (host, port) connection addresses.

     Covers an explicit IPv4 host:port, the wildcard hosts '*' and
     '_default_' (expected to become "localhost"), a wildcard port '*' and a
     missing port (both expected to default to 443), and bracketed IPv6
     literals with and without an explicit port.
     """
     cases = [
         ("192.168.1.1:3001", ("192.168.1.1", 3001)),
         ("*:3001", ("localhost", 3001)),
         ("_default_:8080", ("localhost", 8080)),
         ("_default_:*", ("localhost", 443)),
         ("192.168.1.1", ("192.168.1.1", 443)),
         ("[2001:4860:4860::8888]", ("[2001:4860:4860::8888]", 443)),
         ("[2001:4860:4860::8888]:8443", ("[2001:4860:4860::8888]", 8443)),
     ]
     parse = apache_util.parse_connection_address_from_vhost
     for vhost_spec, expected in cases:
         self.assertEqual(parse(vhost_spec), expected)
def is_cert_renewal_needed(site):
    """Decide whether the certificate configured for *site* must be renewed.

    Renewal is needed when any of the following holds, checked in this order:
      1. the certificate or key file Apache is configured with is missing
         on disk;
      2. the certificate the live listener presents is (effectively) expired
         according to util.is_cert_expired;
      3. that certificate is revoked according to util.is_cert_revoked.

    Args:
        site: mapping with 'VHost', 'KeyTalkProvider' and 'KeyTalkService';
            'ServerName' is optional.

    Returns:
        bool: True when renewal is needed, False otherwise.

    Raises:
        Exception: when no certificate can be fetched from the vhost's
            connection address (wraps the underlying socket.error).

    Note: steps 2 and 3 look at the certificate served over TLS, not at the
    file on disk, so a freshly written file is only seen once Apache has
    reloaded it. ssl.get_server_certificate() is called without ca_certs, so
    the peer is not verified; the result simply reflects whatever is
    currently listening at that address.
    """
    vhost = site['VHost']
    server_name = site.get('ServerName')
    cert_label = "Certificate for {} {}".format(vhost, server_name or '')

    # Evaluated lazily so the key path is only resolved when the cert exists,
    # mirroring the original short-circuit order.
    path_getters = (apache_util.get_apache_ssl_cert_path,
                    apache_util.get_apache_ssl_key_path)
    if any(not os.path.isfile(get_path(vhost, server_name))
           for get_path in path_getters):
        Logger.info(cert_label + " does not exist and needs renewal")
        return True

    host, port = apache_util.parse_connection_address_from_vhost(vhost)
    try:
        pem_cert = ssl.get_server_certificate((host, port))
    except socket.error as e:
        raise Exception(
            'Could not retrieve server certificate from "{}:{}": {}'.format(
                host, port, e))

    # Expiry check (util decides what "effectively" expired means).
    cert_expired, cert_expiration_utc = util.is_cert_expired(
        pem_cert, vhost, site['KeyTalkProvider'], site['KeyTalkService'],
        Logger)
    if cert_expired:
        Logger.info(
            "{} effectively expires at {} UTC and needs renewal".format(
                cert_label, cert_expiration_utc))
        return True

    # Revocation check.
    if util.is_cert_revoked(pem_cert, Logger):
        Logger.info(cert_label + " has been revoked and needs renewal")
        return True

    # Nothing triggered; tell the operator how to force a renewal anyway.
    Logger.info(
        "{} effectively expires at {} UTC and does not require renewal (run with {} to renew anyway)"
        .format(cert_label, cert_expiration_utc, force_arg))
    return False