From 989d3b585ac8cab3e3e6777694022695b291a310 Mon Sep 17 00:00:00 2001
From: Kishi85
Date: Tue, 2 Apr 2019 10:24:58 +0200
Subject: [PATCH] authority.v1/2: do not re-authorize already valid domains

Skipping re-authorization when not necessary speeds up cert renewal.
---
 acertmgr/authority/v1.py | 10 ++++++++--
 acertmgr/authority/v2.py | 22 ++++++++++++++--------
 2 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/acertmgr/authority/v1.py b/acertmgr/authority/v1.py
index 9ff30ee..473a5e5 100644
--- a/acertmgr/authority/v1.py
+++ b/acertmgr/authority/v1.py
@@ -94,6 +94,7 @@ class ACMEAuthority(AbstractACMEAuthority):
 challenges = dict()
 tokens = dict()
+ authdomains = list()
 # verify each domain
 try:
 for domain in domains:
@@ -108,7 +109,11 @@ class ACMEAuthority(AbstractACMEAuthority):
 raise ValueError("Error requesting challenges: {0} {1}".format(code, result))
 # create the challenge
- challenges[domain] = [c for c in json.loads(result.decode('utf8'))['challenges'] if
+ authz = json.loads(result.decode('utf8'))
+ if authz.get('status', 'no-status-found') == 'valid':
+ log("{} has already been verified".format(domain))
+ continue
+ challenges[domain] = [c for c in authz['challenges'] if
 c['type'] == challenge_handlers[domain].get_challenge_type()][0]
 tokens[domain] = re.sub(r"[^A-Za-z0-9_\-]", "_", challenges[domain]['token'])
@@ -116,9 +121,10 @@ class ACMEAuthority(AbstractACMEAuthority):
 raise ValueError("No challenge handler given for domain: {0}".format(domain))
 challenge_handlers[domain].create_challenge(domain, account_thumbprint, tokens[domain])
+ authdomains.append(domain)
 # after all challenges are created, start processing authorizations
- for domain in domains:
+ for domain in authdomains:
 challenge_handlers[domain].start_challenge(domain, account_thumbprint, tokens[domain])
 try:
 log("Starting key authorization")
diff --git a/acertmgr/authority/v2.py b/acertmgr/authority/v2.py
index 824cee8..e8b238e 100644
--- a/acertmgr/authority/v2.py
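Review bot: The new early `continue` in the v1 loop (right after `authz = json.loads(...)`) keys the skip on `status == 'valid'` alone, but an ACME authorization that reports `valid` normally also carries an `expires` timestamp, and one that lapses between this check and the certificate request would make the renewal fail later instead of being refreshed here. If the v1 response includes `expires`, consider treating an authorization that expires before issuance is expected to finish as not reusable, e.g. `if authz.get('status') == 'valid' and not authz_expires_soon(authz.get('expires')):` with a small helper that parses the timestamp against the current time plus a margin. The `'no-status-found'` default is redundant — `authz.get('status') == 'valid'` already evaluates to False when the key is absent. The same check appears in the v2 hunk, where the message says "authorized" while this one says "verified"; one wording would make log filtering easier. The enclosing method starts before and ends after this hunk.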
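Review bot: Switching only the `start_challenge` loop to `authdomains` leaves the skipped domains without entries in `tokens` and `challenges`, while the key-authorization and later steps that follow `log("Starting key authorization")` lie outside this hunk and, judging by the visible structure, presumably still iterate `domains` and index `tokens[domain]`; if so, a skipped domain raises KeyError there and aborts the very renewal this patch is meant to speed up. Either iterate `authdomains` in every later loop of this method or guard those loops with `if domain not in tokens: continue`. A short comment above the new list in the first hunk would also help, e.g. `# domains whose authorization is not yet valid and therefore need a challenge this run`. The enclosing method starts before and ends after this hunk.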
+++ b/acertmgr/authority/v2.py
@@ -169,20 +169,26 @@ class ACMEAuthority(AbstractACMEAuthority):
 authorization['_domain'] = "*.{}".format(authorization['identifier']['value']) if \
 'wildcard' in authorization and authorization['wildcard'] else authorization['identifier']['value']
+
+ if authorization.get('status', 'no-status-found') == 'valid':
+ log("{} has already been authorized".format(authorization['_domain']))
+ continue
+ if authorization['_domain'] not in challenge_handlers:
+ raise ValueError("No challenge handler given for domain: {0}".format(authorization['_domain']))
 log("Authorizing {0}".format(authorization['_domain']))
 # create the challenge
- matching_challenges = [c for c in authorization['challenges'] if
- c['type'] == challenge_handlers[authorization['_domain']].get_challenge_type()]
+ ctype = challenge_handlers[authorization['_domain']].get_challenge_type()
+ matching_challenges = [c for c in authorization['challenges'] if c['type'] == ctype]
 if len(matching_challenges) == 0:
- raise ValueError("Error no challenge matching {0} found: {1}".format(
- challenge_handlers[authorization['_domain']].get_challenge_type(), authorization))
+ raise ValueError("Error no challenge matching {0} found: {1}".format(ctype, authorization))
+
 authorization['_challenge'] = matching_challenges[0]
+ if authorization['_challenge'].get('status', 'no-status-found') == 'valid':
+ log("{} has already been authorized using {}".format(authorization['_domain'], ctype))
+ continue
+
 authorization['_token'] = re.sub(r"[^A-Za-z0-9_\-]", "_", authorization['_challenge']['token'])
-
- if authorization['_domain'] not in challenge_handlers:
- raise ValueError("No challenge handler given for domain: {0}".format(authorization['_domain']))
-
 challenge_handlers[authorization['_domain']].create_challenge(authorization['identifier']['value'],
 account_thumbprint, authorization['_token'])