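def validate_site_configuration(site, valid_vhosts):
    """Return a list of human-readable validation errors for one site entry.

    Args:
        site: mapping read for the keys 'VHost', 'KeyTalkProvider' and
            'KeyTalkService' ('VHost' may be None, in which case the vhost
            check is skipped).
        valid_vhosts: collection of parsed (host, port) addresses Apache
            actually serves; the parsed form of site['VHost'] is looked up in it.

    Returns:
        list[str]: one message per problem found; empty when the site is valid.
    """
    validation_errors = []

    if site['VHost'] is not None:
        vhost = apache_util.parse_connection_address_from_vhost(site['VHost'])
        if vhost not in valid_vhosts:
            # The command to list configured vhosts differs per distribution;
            # os_version is a module-level name defined elsewhere in this file.
            if os_version in ("RedHatEnterpriseServer", "CentOS"):
                dump_cmd = "httpd -t -D DUMP_VHOSTS"
            elif os_version in ("Debian", "Ubuntu"):
                dump_cmd = "apache2ctl -t -D DUMP_VHOSTS"
            else:
                dump_cmd = None
            if dump_cmd is not None:
                validation_errors.append(
                    'Apache VHost "{}:{}" not found. Please check with "{}".'
                    .format(vhost[0], vhost[1], dump_cmd))
            else:
                # Previously an unrecognised distribution silently passed a
                # missing vhost; report it without the distro-specific hint.
                validation_errors.append(
                    'Apache VHost "{}:{}" not found.'.format(vhost[0], vhost[1]))

    keytalk_provider = site['KeyTalkProvider']
    keytalk_service = site['KeyTalkService']
    if keytalk_provider and keytalk_provider not in util.get_keytalk_providers():
        validation_errors.append(
            'Unknown KeyTalkProvider "%s".' % (keytalk_provider))
    elif keytalk_service and keytalk_service not in util.get_keytalk_services(
            keytalk_provider):
        # Message previously carried a stray trailing quote after the period.
        validation_errors.append(
            'Unknown KeyTalkService "%s" for KeyTalkProvider "%s".'
            % (keytalk_service, keytalk_provider))

    return validation_errors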
def test_parse_connection_address_from_vhost(self):
    """Pin the (host, port) pairs parse_connection_address_from_vhost yields.

    Covers the vhost spellings exercised by the original assertions: explicit
    IPv4 host:port, the '*' and '_default_' wildcards (expected to map to
    'localhost'), a wildcard port (expected to map to 443), a bare host
    without a port (expected to default to 443), and bracketed IPv6 hosts
    with and without a port.
    """
    cases = [
        ("192.168.1.1:3001", ("192.168.1.1", 3001)),
        ("*:3001", ("localhost", 3001)),
        ("_default_:8080", ("localhost", 8080)),
        ("_default_:*", ("localhost", 443)),
        ("192.168.1.1", ("192.168.1.1", 443)),
        ("[2001:4860:4860::8888]", ("[2001:4860:4860::8888]", 443)),
        ("[2001:4860:4860::8888]:8443", ("[2001:4860:4860::8888]", 8443)),
    ]
    # Same assertions in the same order as before; the first mismatch fails
    # the test just as the original sequence of assertEqual calls did.
    for vhost_spec, expected in cases:
        actual = apache_util.parse_connection_address_from_vhost(vhost_spec)
        self.assertEqual(actual, expected)
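def is_cert_renewal_needed(site):
    """Decide whether the certificate served by *site*'s vhost must be renewed.

    Renewal is needed when the on-disk certificate or key file is missing,
    when the live certificate is (effectively) expired, or when it has been
    revoked. Otherwise the expiry is logged and False is returned.

    Args:
        site: mapping read for 'VHost', 'KeyTalkProvider', 'KeyTalkService'
            and the optional 'ServerName' key.

    Returns:
        bool: True when a renewal is needed, False otherwise.

    Raises:
        Exception: when the live certificate cannot be fetched from the
            vhost's host:port; the underlying socket error is chained as the
            cause so its traceback is preserved.
    """
    vhost = site['VHost']
    server_name = site.get('ServerName')
    # Subject used in every log line: "<vhost> <server_name>" (empty name
    # renders as a trailing space, as before).
    subject = "{} {}".format(vhost, server_name or '')

    cert_path = apache_util.get_apache_ssl_cert_path(vhost, server_name)
    key_path = apache_util.get_apache_ssl_key_path(vhost, server_name)
    if not os.path.isfile(cert_path) or not os.path.isfile(key_path):
        Logger.info(
            "Certificate for {} does not exist and needs renewal".format(subject))
        return True

    host, port = apache_util.parse_connection_address_from_vhost(vhost)
    try:
        # Without ca_certs, ssl.get_server_certificate performs no chain
        # validation; that is acceptable here because only the server's own
        # certificate is inspected for expiry/revocation, not a peer identity.
        pem_cert = ssl.get_server_certificate((host, port))
    except socket.error as e:
        raise Exception(
            'Could not retrieve server certificate from "{}:{}": {}'.format(
                host, port, e)) from e

    # Check whether the cert is expired
    cert_expired, cert_expiration_utc = util.is_cert_expired(
        pem_cert, vhost, site['KeyTalkProvider'], site['KeyTalkService'], Logger)
    if cert_expired:
        Logger.info(
            "Certificate for {} effectively expires at {} UTC and needs renewal"
            .format(subject, cert_expiration_utc))
        return True

    # Check whether the cert is revoked
    if util.is_cert_revoked(pem_cert, Logger):
        Logger.info(
            "Certificate for {} has been revoked and needs renewal".format(subject))
        return True

    # The cert doesn't need renewal; force_arg is a module-level name defined
    # elsewhere in this file naming the flag that forces a renewal anyway.
    Logger.info(
        "Certificate for {} effectively expires at {} UTC and does not require renewal (run with {} to renew anyway)"
        .format(subject, cert_expiration_utc, force_arg))
    return False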