Skip to content

GitLab

Commit 3cee4cc8 authored by Adrien Dorsaz's avatar Adrien Dorsaz
Browse files
Options

Merge comment and log.info lines. 

Set try count to begin with 1 and do 10 tries.
parent e199e3d4
Hide whitespace changes
Inline Side-by-side
Showing with 14 additions and 20 deletions
acme_dns_tiny.py
View file @ 3cee4cc8
......@@ -55,6 +55,7 @@ def get_crt(config, log=LOGGER):
# helper function to get url from Link HTTP headers
def _get_url_link(headers, rel):
log.info("Looking for {0} in headers: {1}".format(rel, headers))
linkheaders = [link.strip() for link in dict(headers)["Link"].split(',')]
url = [re.match(r'<(?P<url>.*)>.*;rel=(' + re.escape(rel) + r'|("([a-z][a-z0-9\.\-]*\s+)*' + re.escape(rel) + r'[\s"]))', link).groupdict()
for link in linkheaders][0]["url"]
......@@ -66,8 +67,7 @@ def get_crt(config, log=LOGGER):
acme_config = json.loads(directory.read().decode("utf8"))
current_terms = acme_config.get("meta", {}).get("terms-of-service")
# create DNS keyring and resolver
log.info("Prepare DNS tools...")
log.info("Prepare DNS keyring and resolver.")
keyring = dns.tsigkeyring.from_text({config["TSIGKeyring"]["KeyName"]: config["TSIGKeyring"]["KeyValue"]})
nameserver = []
try:
......@@ -86,8 +86,7 @@ def get_crt(config, log=LOGGER):
resolver.nameservers = nameserver
resolver.retry_servfail = True
# parse account key to get public key
log.info("Parsing account key...")
log.info("Parsing account key looking for public key.")
accountkey = _openssl("rsa", ["-in", config["acmednstiny"]["AccountKeyFile"], "-noout", "-text"])
pub_hex, pub_exp = re.search(
r"modulus:\n\s+00:([a-f0-9\:\s]+?)\npublicExponent: ([0-9]+)",
......@@ -105,8 +104,7 @@ def get_crt(config, log=LOGGER):
accountkey_json = json.dumps(header["jwk"], sort_keys=True, separators=(",", ":"))
thumbprint = _b64(hashlib.sha256(accountkey_json.encode("utf8")).digest())
# find domains
log.info("Parsing CSR...")
log.info("Parsing CSR looking for domains.")
csr = _openssl("req", ["-in", config["acmednstiny"]["CSRFile"], "-noout", "-text"]).decode("utf8")
domains = set([])
common_name = re.search(r"Subject:.*? CN=([^\s,;/]+)", csr)
......@@ -163,7 +161,7 @@ def get_crt(config, log=LOGGER):
# verify each domain
for domain in domains:
log.info("Verifying {0}...".format(domain))
log.info("Verifying domain: {0}".format(domain))
# get new challenge
code, result, headers = _send_signed_request(acme_config["new-authz"], {
......@@ -173,8 +171,7 @@ def get_crt(config, log=LOGGER):
if code != 201:
raise ValueError("Error requesting challenges: {0} {1}".format(code, result))
# make and install DNS resource record
log.info("Create DNS RR...")
log.info("Create and install DNS TXT challenge resource.")
challenge = [c for c in json.loads(result.decode("utf8"))["challenges"] if c["type"] == "dns-01"][0]
token = re.sub(r"[^A-Za-z0-9_\-]", "_", challenge["token"])
keyauthorization = "{0}.{1}".format(token, thumbprint)
......@@ -184,13 +181,12 @@ def get_crt(config, log=LOGGER):
try:
_update_dns(dnsrr_set, "add")
except dns.exception.DNSException as dnsexception:
raise ValueError("Error updating DNS: {0} : {1}".format(type(dnsexception).__name__, str(dnsexception)))
raise ValueError("Error updating DNS records: {0} : {1}".format(type(dnsexception).__name__, str(dnsexception)))
# notify challenge are met
log.info("Wait {0} then start self challenge checks.".format(config["acmednstiny"].getint("CheckChallengeDelay")))
time.sleep(config["acmednstiny"].getint("CheckChallengeDelay"))
log.info("Self challenge check...")
challenge_verified = False
number_check_fail = 0
number_check_fail = 1
while challenge_verified is False:
try:
log.info('Try {0}: Check ressource with value "{1}" exits on nameservers: {2}'.format(number_check_fail+1, keydigest64, resolver.nameservers))
......@@ -207,7 +203,7 @@ def get_crt(config, log=LOGGER):
if challenge_verified is False:
number_check_fail = number_check_fail + 1
time.sleep(2)
log.info("Ask CA server to perform check...")
log.info("Ask ACME server to perform checks.")
code, result, headers = _send_signed_request(challenge["uri"], {
"resource": "challenge",
"keyAuthorization": keyauthorization,
......@@ -215,7 +211,7 @@ def get_crt(config, log=LOGGER):
if code != 202:
raise ValueError("Error triggering challenge: {0} {1}".format(code, result))
# wait for challenge to be verified
log.info("Waiting challenge to be verified.")
try:
while True:
try:
......@@ -227,7 +223,7 @@ def get_crt(config, log=LOGGER):
if challenge_status["status"] == "pending":
time.sleep(2)
elif challenge_status["status"] == "valid":
log.info("{0} verified!".format(domain))
log.info("Domain {0} verified!".format(domain))
break
else:
raise ValueError("{0} challenge did not pass: {1}".format(
......@@ -235,8 +231,7 @@ def get_crt(config, log=LOGGER):
finally:
_update_dns(dnsrr_set, "delete")
# get the new certificate
log.info("Signing certificate...")
log.info("Ask to sign certificate.")
csr_der = _openssl("req", ["-in", config["acmednstiny"]["CSRFile"], "-outform", "DER"])
code, result, headers = _send_signed_request(acme_config["new-cert"], {
"resource": "new-cert",
......@@ -256,8 +251,7 @@ def get_crt(config, log=LOGGER):
certificate_parent_url, code, result))
certificate_parent = "\n".join(textwrap.wrap(base64.b64encode(result).decode("utf8"), 64))
# return signed certificate!
log.info("Certificate signed!")
log.info("Certificate signed and received.")
return """-----BEGIN CERTIFICATE-----\n{0}\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n{1}\n-----END CERTIFICATE-----\n""".format(
certificate, certificate_parent)
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment