acertmgr/acertmgr/__init__.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# Automated Certificate Manager using ACME
# Copyright (c) Markus Hauschild & David Klaftenegger, 2016.
# Copyright (c) Rudolf Mayerhofer, 2019.
# available under the ISC license, see LICENSE

import grp
import io
import os
import pwd
import stat
import subprocess

from acertmgr import configuration, tools
from acertmgr.authority import authority
from acertmgr.modes import challenge_handler


# @brief fetch new certificate from letsencrypt
# @param settings the domain's configuration options
def cert_get(settings):
    print("Getting certificate for %s" % settings['domainlist'])

    acme = authority(settings['authority'])
    acme.register_account()

    # create challenge handlers for this certificate
    challenge_handlers = dict()
    for domain in settings['domainlist']:
        # Create the challenge handler
        challenge_handlers[domain] = challenge_handler(settings['handlers'][domain])

    # create ssl key
    key_file = settings['key_file']
    key_length = settings['key_length']
    if os.path.isfile(key_file):
        key = tools.read_pem_file(key_file, key=True)
    else:
        print("SSL key not found at '{0}'. Creating {1} bit key.".format(key_file, key_length))
        key = tools.new_ssl_key(key_file, key_length)

    # create ssl csr
    csr_file = settings['csr_file']
    if os.path.isfile(csr_file) and str(settings['csr_static']).lower() == 'true':
        print('Loading CSR from {}'.format(csr_file))
        cr = tools.read_pem_file(csr_file, csr=True)
    else:
        print('Generating CSR for {}'.format(settings['domainlist']))
        must_staple = str(settings.get('cert_must_staple')).lower() == "true"
        cr = tools.new_cert_request(settings['domainlist'], key, must_staple)
        tools.write_pem_file(cr, csr_file)

    # request cert with csr
    crt, ca = acme.get_crt_from_csr(cr, settings['domainlist'], challenge_handlers)

    #  if resulting certificate is valid: store in final location
    if tools.is_cert_valid(crt, settings['ttl_days']):
        print("Certificate '{}' renewed and valid until {}".format(crt, crt.not_valid_after))
        tools.write_pem_file(crt, settings['cert_file'], stat.S_IREAD)
        if (not str(settings.get('ca_static')).lower() == 'true' or not os.path.exists(settings['ca_file'])) \
                and ca is not None:
            tools.write_pem_file(ca, settings['ca_file'])


# @brief put new certificate in place
# @param settings the domain's configuration options
# @return the action to be executed after the certificate update
def cert_put(settings):
    # TODO error handling
    ca_file = settings['ca_file']
    crt_user = settings['user']
    crt_group = settings['group']
    crt_perm = settings['perm']
    crt_path = settings['path']
    crt_format = settings['format'].split(",")
    crt_format = [str.strip(x) for x in crt_format]
    crt_action = settings['action']

    key_file = settings['key_file']
    crt_final = settings['cert_file']

    with io.open(crt_path, "w+") as crt_fd:
        for fmt in crt_format:
            if fmt == "crt":
                src_fd = io.open(crt_final, "r")
                crt_fd.write(src_fd.read())
                src_fd.close()
            if fmt == "key":
                src_fd = io.open(key_file, "r")
                crt_fd.write(src_fd.read())
                src_fd.close()
            if fmt == "ca":
                if not os.path.isfile(ca_file):
                    raise FileNotFoundError("The CA certificate file (%s) is missing!" % ca_file)
                src_fd = io.open(ca_file, "r")
                crt_fd.write(src_fd.read())
                src_fd.close()
            else:
                # TODO error handling
                pass

    # set owner and permissions
    uid = pwd.getpwnam(crt_user).pw_uid
    gid = grp.getgrnam(crt_group).gr_gid
    try:
        os.chown(crt_path, uid, gid)
    except OSError:
        print('Warning: Could not set certificate file ownership!')
    try:
        os.chmod(crt_path, int(crt_perm, 8))
    except OSError:
        print('Warning: Could not set certificate file permissions!')

    return crt_action


def cert_revoke(cert, configs, reason=None):
    domains = set(tools.get_cert_domains(cert))
    for config in configs:
        if domains == set(config['domainlist']):
            acme = authority(config['authority'])
            acme.register_account()
            acme.revoke_crt(cert, reason)
            return


def main():
    # load config
    runtimeconfig, domainconfigs = configuration.load()
    if runtimeconfig.get('mode') == 'revoke':
        # Mode: revoke certificate
        print("Revoking {}".format(runtimeconfig['revoke']))
        cert_revoke(tools.read_pem_file(runtimeconfig['revoke']), domainconfigs, runtimeconfig['revoke_reason'])
    else:
        # Mode: issue certificates (implicit)
        # post-update actions (run only once)
        actions = set()
        superseded = set()
        exceptions = list()
        # check certificate validity and obtain/renew certificates if needed
        for config in domainconfigs:
            try:
                cert = None
                if os.path.isfile(config['cert_file']):
                    cert = tools.read_pem_file(config['cert_file'])
                if not cert or not tools.is_cert_valid(cert, config['ttl_days']) or (
                        'force_renew' in runtimeconfig and
                        all(d in config['domainlist'] for d in runtimeconfig['force_renew'])):
                    cert_get(config)
                    if str(config.get('cert_revoke_superseded')).lower() == 'true' and cert:
                        superseded.add(cert)
            except Exception as e:
                print("Certificate issue/renew failed: {}".format(e))
                exceptions.append(e)

        # deploy new certificates after all are renewed
        deployment_success = True
        for config in domainconfigs:
            try:
                for cfg in config['actions']:
                    if not tools.target_is_current(cfg['path'], config['cert_file']):
                        print("Updating '{}' due to newer version".format(cfg['path']))
                        actions.add(cert_put(cfg))
            except Exception as e:
                print("Certificate deployment failed: {}".format(e))
                exceptions.append(e)
                deployment_success = False

        # run post-update actions
        for action in actions:
            if action is not None:
                try:
                    # Run actions in a shell environment (to allow shell syntax) as stated in the configuration
                    output = subprocess.check_output(action, shell=True, stderr=subprocess.STDOUT)
                    print("Executed '{}' successfully: {}".format(action, output))
                except subprocess.CalledProcessError as e:
                    print("Execution of '{}' failed with error '{}': {}".format(e.cmd, e.returncode, e.output))
                    exceptions.append(e)
                    deployment_success = False

        # revoke old certificates as superseded
        if deployment_success:
            for superseded_cert in superseded:
                try:
                    print("Revoking previous certificate '{}' valid until {} as superseded".format(
                        superseded_cert,
                        superseded_cert.not_valid_after))
                    cert_revoke(superseded_cert, domainconfigs, reason=4)  # reason=4 is superseded
                except Exception as e:
                    print("Certificate supersede revoke failed: {}".format(e))
                    exceptions.append(e)

        # throw a RuntimeError with all exceptions caught while working if there were any
        if len(exceptions) > 0:
            raise RuntimeError("{} exception(s) occurred during runtime: {}".format(len(exceptions), exceptions))
Use whichever python is available The code is not specific to python2, so any python should do 2016-02-13 00:56:47 +01:00			`#!/usr/bin/env python`
Initial commit 2016-01-10 15:00:43 +01:00			`# -- coding: utf-8 --`

			`# Automated Certificate Manager using ACME`
Change copyright information 2016-04-04 01:17:58 +02:00			`# Copyright (c) Markus Hauschild & David Klaftenegger, 2016.`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`# Copyright (c) Rudolf Mayerhofer, 2019.`
Change copyright information 2016-04-04 01:17:58 +02:00			`# available under the ISC license, see LICENSE`
Initial commit 2016-01-10 15:00:43 +01:00
Implement cert_put and use live API 2016-01-21 16:43:49 +01:00			`import grp`
Optimize imports 2019-02-18 20:45:28 +01:00			`import io`
Initial commit 2016-01-10 15:00:43 +01:00			`import os`
Implement cert_put and use live API 2016-01-21 16:43:49 +01:00			`import pwd`
Adjust permissions of certificates For the internal store of certificates in the configuration directory, a permission of user read only is absolutely sufficient Signed-off-by: Ralf Ramsauer <ralf@ramses-pyramidenbau.de> 2016-04-10 02:45:29 +02:00			`import stat`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`import subprocess`

fix broken references from move and add legacy run script 2019-02-20 11:49:30 +01:00			`from acertmgr import configuration, tools`
acertmgr: Move factories to their packages and reuse objects with same config 2019-03-28 09:18:28 +01:00			`from acertmgr.authority import authority`
			`from acertmgr.modes import challenge_handler`
modes: Use classes to easily allow different types of challenge handling 2019-01-08 08:19:50 +01:00

Add minor functionality and code comments 2016-01-10 15:43:11 +01:00			`# @brief fetch new certificate from letsencrypt`
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`# @param settings the domain's configuration options`
			`def cert_get(settings):`
configuration: remove redundant 'domains' parameter, just use domainlist 2019-03-28 13:59:44 +01:00			`print("Getting certificate for %s" % settings['domainlist'])`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00
acertmgr: Move factories to their packages and reuse objects with same config 2019-03-28 09:18:28 +01:00			`acme = authority(settings['authority'])`
acertmgr: rework how files are handled in general - Remove unnecessary tempfiles and keep as much in memory as possible - Unify the way PEM files are written and read 2019-03-24 17:15:30 +01:00			`acme.register_account()`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00
acertmgr: rework how files are handled in general - Remove unnecessary tempfiles and keep as much in memory as possible - Unify the way PEM files are written and read 2019-03-24 17:15:30 +01:00			`# create challenge handlers for this certificate`
modes: Use classes to easily allow different types of challenge handling 2019-01-08 08:19:50 +01:00			`challenge_handlers = dict()`
acertmgr: Fix wrong variable (works due to global var at this point) 2019-02-18 20:43:13 +01:00			`for domain in settings['domainlist']:`
modes: Use classes to easily allow different types of challenge handling 2019-01-08 08:19:50 +01:00			`# Create the challenge handler`
acertmgr: Move factories to their packages and reuse objects with same config 2019-03-28 09:18:28 +01:00			`challenge_handlers[domain] = challenge_handler(settings['handlers'][domain])`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00
acertmgr: rework how files are handled in general - Remove unnecessary tempfiles and keep as much in memory as possible - Unify the way PEM files are written and read 2019-03-24 17:15:30 +01:00			`# create ssl key`
			`key_file = settings['key_file']`
			`key_length = settings['key_length']`
			`if os.path.isfile(key_file):`
			`key = tools.read_pem_file(key_file, key=True)`
			`else:`
			`print("SSL key not found at '{0}'. Creating {1} bit key.".format(key_file, key_length))`
			`key = tools.new_ssl_key(key_file, key_length)`

			`# create ssl csr`
acertmgr: store CSR and support static CSR usage Store the generated CSR for later review/usage and allow the stored CSR to be used for future request. Configuration directives csr_file (path) and csr_static (=true) have been added for this. This allows simplified deployment of DANE/TLSA due the former requiring updates to DNS with every public key change, which will not be the case with a static CSR. A new CSR can be triggered manually by deleting the CSR file upon which the next certificate will require an update of any TLSA records in DNS. This may also be used to specify a custom CSR to use, as long as the csr_file path and the domains in the CSR match the ones given in the acertmgr configuration. 2019-03-24 17:22:04 +01:00			`csr_file = settings['csr_file']`
			`if os.path.isfile(csr_file) and str(settings['csr_static']).lower() == 'true':`
			`print('Loading CSR from {}'.format(csr_file))`
			`cr = tools.read_pem_file(csr_file, csr=True)`
			`else:`
			`print('Generating CSR for {}'.format(settings['domainlist']))`
acertmgr: add support for the ocsp must-staple extension Introduces a new config directive and requires at least cryptography 2.1 2019-03-29 08:37:50 +01:00			`must_staple = str(settings.get('cert_must_staple')).lower() == "true"`
			`cr = tools.new_cert_request(settings['domainlist'], key, must_staple)`
acertmgr: store CSR and support static CSR usage Store the generated CSR for later review/usage and allow the stored CSR to be used for future request. Configuration directives csr_file (path) and csr_static (=true) have been added for this. This allows simplified deployment of DANE/TLSA due the former requiring updates to DNS with every public key change, which will not be the case with a static CSR. A new CSR can be triggered manually by deleting the CSR file upon which the next certificate will require an update of any TLSA records in DNS. This may also be used to specify a custom CSR to use, as long as the csr_file path and the domains in the CSR match the ones given in the acertmgr configuration. 2019-03-24 17:22:04 +01:00			`tools.write_pem_file(cr, csr_file)`
acertmgr: rework how files are handled in general - Remove unnecessary tempfiles and keep as much in memory as possible - Unify the way PEM files are written and read 2019-03-24 17:15:30 +01:00
			`# request cert with csr`
			`crt, ca = acme.get_crt_from_csr(cr, settings['domainlist'], challenge_handlers)`

			`# if resulting certificate is valid: store in final location`
			`if tools.is_cert_valid(crt, settings['ttl_days']):`
acertmgr: Add option to supersede previous cert on renewal Add option to automatically revoke the previous certificate with reason superseded after deployment and all actions have been successful. 2019-03-28 00:34:53 +01:00			`print("Certificate '{}' renewed and valid until {}".format(crt, crt.not_valid_after))`
acertmgr: rework how files are handled in general - Remove unnecessary tempfiles and keep as much in memory as possible - Unify the way PEM files are written and read 2019-03-24 17:15:30 +01:00			`tools.write_pem_file(crt, settings['cert_file'], stat.S_IREAD)`
configuration: unify how ca_file and ca_static are determined ensure legacy compatibility (also include defaults case) and update README.md 2019-03-28 12:33:59 +01:00			`if (not str(settings.get('ca_static')).lower() == 'true' or not os.path.exists(settings['ca_file'])) \`
			`and ca is not None:`
acertmgr: rework how files are handled in general - Remove unnecessary tempfiles and keep as much in memory as possible - Unify the way PEM files are written and read 2019-03-24 17:15:30 +01:00			`tools.write_pem_file(ca, settings['ca_file'])`
Adds some different small improvements Add a check that the server key is present Add a check for temporaty file conflicts Use python3-compatible functions Skip more things when there is nothing to be done Add a few more comments/TODOs 2016-01-10 18:07:00 +01:00
Split cert_get into cert_get and cert_put 2016-01-10 17:29:26 +01:00
Improve error handling and tempfile creation 2016-01-12 17:41:48 +01:00			`# @brief put new certificate in place`
Split cert_get into cert_get and cert_put 2016-01-10 17:29:26 +01:00			`# @param settings the domain's configuration options`
Rename notify to action and execute them only once. 2016-02-21 11:18:32 +01:00			`# @return the action to be executed after the certificate update`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`def cert_put(settings):`
			`# TODO error handling`
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`ca_file = settings['ca_file']`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`crt_user = settings['user']`
			`crt_group = settings['group']`
			`crt_perm = settings['perm']`
			`crt_path = settings['path']`
			`crt_format = settings['format'].split(",")`
			`crt_format = [str.strip(x) for x in crt_format]`
			`crt_action = settings['action']`

configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`key_file = settings['key_file']`
			`crt_final = settings['cert_file']`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00
Fix python3 compatibility 2019-01-21 16:18:47 +01:00			`with io.open(crt_path, "w+") as crt_fd:`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`for fmt in crt_format:`
			`if fmt == "crt":`
Fix python3 compatibility 2019-01-21 16:18:47 +01:00			`src_fd = io.open(crt_final, "r")`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`crt_fd.write(src_fd.read())`
			`src_fd.close()`
			`if fmt == "key":`
Fix python3 compatibility 2019-01-21 16:18:47 +01:00			`src_fd = io.open(key_file, "r")`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`crt_fd.write(src_fd.read())`
			`src_fd.close()`
			`if fmt == "ca":`
			`if not os.path.isfile(ca_file):`
			`raise FileNotFoundError("The CA certificate file (%s) is missing!" % ca_file)`
Fix python3 compatibility 2019-01-21 16:18:47 +01:00			`src_fd = io.open(ca_file, "r")`
Refactor and cleanup codebase 2019-01-08 08:12:20 +01:00			`crt_fd.write(src_fd.read())`
			`src_fd.close()`
			`else:`
			`# TODO error handling`
			`pass`

			`# set owner and permissions`
			`uid = pwd.getpwnam(crt_user).pw_uid`
			`gid = grp.getgrnam(crt_group).gr_gid`
			`try:`
			`os.chown(crt_path, uid, gid)`
			`except OSError:`
			`print('Warning: Could not set certificate file ownership!')`
			`try:`
			`os.chmod(crt_path, int(crt_perm, 8))`
			`except OSError:`
			`print('Warning: Could not set certificate file permissions!')`

			`return crt_action`
Initial commit 2016-01-10 15:00:43 +01:00

acertmgr: Add support for account.key based certificate revocation 2019-03-27 21:00:21 +01:00			`def cert_revoke(cert, configs, reason=None):`
			`domains = set(tools.get_cert_domains(cert))`
			`for config in configs:`
			`if domains == set(config['domainlist']):`
acertmgr: Move factories to their packages and reuse objects with same config 2019-03-28 09:18:28 +01:00			`acme = authority(config['authority'])`
acertmgr: Add support for account.key based certificate revocation 2019-03-27 21:00:21 +01:00			`acme.register_account()`
			`acme.revoke_crt(cert, reason)`
			`return`


fix broken references from move and add legacy run script 2019-02-20 11:49:30 +01:00			`def main():`
configuration: Split into separate module 2019-01-22 09:05:41 +01:00			`# load config`
configuration: add seperate configuration for runtime options 2019-03-27 15:17:17 +01:00			`runtimeconfig, domainconfigs = configuration.load()`
acertmgr: Add support for account.key based certificate revocation 2019-03-27 21:00:21 +01:00			`if runtimeconfig.get('mode') == 'revoke':`
			`# Mode: revoke certificate`
			`print("Revoking {}".format(runtimeconfig['revoke']))`
			`cert_revoke(tools.read_pem_file(runtimeconfig['revoke']), domainconfigs, runtimeconfig['revoke_reason'])`
			`else:`
			`# Mode: issue certificates (implicit)`
			`# post-update actions (run only once)`
			`actions = set()`
acertmgr: Add option to supersede previous cert on renewal Add option to automatically revoke the previous certificate with reason superseded after deployment and all actions have been successful. 2019-03-28 00:34:53 +01:00			`superseded = set()`
acertmgr: log exceptions during processing, raise afterward If anything goes wrong during cert_get/cert_put/running actions/cert_revoke superseded do not fail completely and continue with the remaining domains to process. Print all exceptions and after processing raise a RuntimeError 2019-03-28 14:34:06 +01:00			`exceptions = list()`
acertmgr: Add support for account.key based certificate revocation 2019-03-27 21:00:21 +01:00			`# check certificate validity and obtain/renew certificates if needed`
			`for config in domainconfigs:`
acertmgr: log exceptions during processing, raise afterward If anything goes wrong during cert_get/cert_put/running actions/cert_revoke superseded do not fail completely and continue with the remaining domains to process. Print all exceptions and after processing raise a RuntimeError 2019-03-28 14:34:06 +01:00			`try:`
			`cert = None`
			`if os.path.isfile(config['cert_file']):`
			`cert = tools.read_pem_file(config['cert_file'])`
			`if not cert or not tools.is_cert_valid(cert, config['ttl_days']) or (`
			`'force_renew' in runtimeconfig and`
			`all(d in config['domainlist'] for d in runtimeconfig['force_renew'])):`
			`cert_get(config)`
			`if str(config.get('cert_revoke_superseded')).lower() == 'true' and cert:`
			`superseded.add(cert)`
			`except Exception as e:`
			`print("Certificate issue/renew failed: {}".format(e))`
			`exceptions.append(e)`
acertmgr: Add support for account.key based certificate revocation 2019-03-27 21:00:21 +01:00
acertmgr: deploy certificates after all are renewed as certificate renewal might take some time (on DNS-01 especially) it is a good idea to wait with deployment until all certificates are finished renewing and copy them to their destinations then + run actions 2019-03-28 00:20:55 +01:00			`# deploy new certificates after all are renewed`
acertmgr: log exceptions during processing, raise afterward If anything goes wrong during cert_get/cert_put/running actions/cert_revoke superseded do not fail completely and continue with the remaining domains to process. Print all exceptions and after processing raise a RuntimeError 2019-03-28 14:34:06 +01:00			`deployment_success = True`
acertmgr: deploy certificates after all are renewed as certificate renewal might take some time (on DNS-01 especially) it is a good idea to wait with deployment until all certificates are finished renewing and copy them to their destinations then + run actions 2019-03-28 00:20:55 +01:00			`for config in domainconfigs:`
acertmgr: log exceptions during processing, raise afterward If anything goes wrong during cert_get/cert_put/running actions/cert_revoke superseded do not fail completely and continue with the remaining domains to process. Print all exceptions and after processing raise a RuntimeError 2019-03-28 14:34:06 +01:00			`try:`
			`for cfg in config['actions']:`
			`if not tools.target_is_current(cfg['path'], config['cert_file']):`
			`print("Updating '{}' due to newer version".format(cfg['path']))`
			`actions.add(cert_put(cfg))`
			`except Exception as e:`
			`print("Certificate deployment failed: {}".format(e))`
			`exceptions.append(e)`
			`deployment_success = False`
acertmgr: Add support for account.key based certificate revocation 2019-03-27 21:00:21 +01:00
			`# run post-update actions`
			`for action in actions:`
			`if action is not None:`
			`try:`
			`# Run actions in a shell environment (to allow shell syntax) as stated in the configuration`
			`output = subprocess.check_output(action, shell=True, stderr=subprocess.STDOUT)`
			`print("Executed '{}' successfully: {}".format(action, output))`
			`except subprocess.CalledProcessError as e:`
acertmgr: Add option to supersede previous cert on renewal Add option to automatically revoke the previous certificate with reason superseded after deployment and all actions have been successful. 2019-03-28 00:34:53 +01:00			`print("Execution of '{}' failed with error '{}': {}".format(e.cmd, e.returncode, e.output))`
acertmgr: log exceptions during processing, raise afterward If anything goes wrong during cert_get/cert_put/running actions/cert_revoke superseded do not fail completely and continue with the remaining domains to process. Print all exceptions and after processing raise a RuntimeError 2019-03-28 14:34:06 +01:00			`exceptions.append(e)`
			`deployment_success = False`
acertmgr: Add option to supersede previous cert on renewal Add option to automatically revoke the previous certificate with reason superseded after deployment and all actions have been successful. 2019-03-28 00:34:53 +01:00
			`# revoke old certificates as superseded`
acertmgr: log exceptions during processing, raise afterward If anything goes wrong during cert_get/cert_put/running actions/cert_revoke superseded do not fail completely and continue with the remaining domains to process. Print all exceptions and after processing raise a RuntimeError 2019-03-28 14:34:06 +01:00			`if deployment_success:`
acertmgr: Add option to supersede previous cert on renewal Add option to automatically revoke the previous certificate with reason superseded after deployment and all actions have been successful. 2019-03-28 00:34:53 +01:00			`for superseded_cert in superseded:`
acertmgr: log exceptions during processing, raise afterward If anything goes wrong during cert_get/cert_put/running actions/cert_revoke superseded do not fail completely and continue with the remaining domains to process. Print all exceptions and after processing raise a RuntimeError 2019-03-28 14:34:06 +01:00			`try:`
			`print("Revoking previous certificate '{}' valid until {} as superseded".format(`
			`superseded_cert,`
			`superseded_cert.not_valid_after))`
			`cert_revoke(superseded_cert, domainconfigs, reason=4) # reason=4 is superseded`
			`except Exception as e:`
			`print("Certificate supersede revoke failed: {}".format(e))`
			`exceptions.append(e)`

			`# throw a RuntimeError with all exceptions caught while working if there were any`
			`if len(exceptions) > 0:`
			`raise RuntimeError("{} exception(s) occurred during runtime: {}".format(len(exceptions), exceptions))`