From c1740083a4871c4d7560f68a7661bc7b0fb4d4ea Mon Sep 17 00:00:00 2001 From: moepman Date: Mon, 11 Jan 2016 21:44:40 +0100 Subject: [PATCH] Merge pull request #3 from davidklaftenegger/master Improved error checks --- README.md | 2 +- acertmgr.py | 35 ++++++++++++++++++++++------------- 2 files changed, 23 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index f6b9c73..1c88edb 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ Requirements * Python (2.7+ and 3.4+ should work) * PyYAML - * acme\_tiny (`acme_tiny.py` placed next to `acertmgr.py`) + * acme\_tiny (`acme_tiny.py` in $PYTHONHOME or $PYTHONPATH or placed next to `acertmgr.py`) Configuration ------------- diff --git a/acertmgr.py b/acertmgr.py index 4908b5b..e257bdf 100755 --- a/acertmgr.py +++ b/acertmgr.py @@ -21,6 +21,11 @@ ACME_CONFD=ACME_DIR + "domains.d/" CHALLENGE_DIR="/var/www/acme/" LE_CA="https://acme-staging.api.letsencrypt.org" + +class InvalidCertificateError(Exception): + pass + + # @brief check whether existing certificate is still valid or expiring soon # @param crt_file string containing the path to the certificate file # @param ttl_days the minimum amount of days for which the certificate must be valid @@ -36,17 +41,17 @@ def cert_isValid(crt_file, ttl_days): if m: valid_from = dateutil.parser.parse(m.group(1), ignoretz=True) else: - raise "No notBefore date found, something seems wrong!" + raise InvalidCertificateError("No notBefore date found") m = re.search("notAfter=(.+)", vc) if m: valid_to = dateutil.parser.parse(m.group(1), ignoretz=True) else: - raise "No notAfter date found, something seems wrong!" + raise InvalidCertificateError("No notAfter date found") now = datetime.datetime.now() if valid_from > now: - raise "A Certificate seems to be from the future, something seems wrong!" + raise InvalidCertificateError("Certificate seems to be from the future") expiry_limit = now + dateutil.relativedelta.relativedelta(days=+ttl_days) if valid_to < expiry_limit: @@ -62,25 +67,29 @@ def cert_get(domain, settings): print("Getting certificate for %s." % domain) key_file = ACME_DIR + "server.key" - if not os.path.exists(key_file): - raise "The server key file (%s) is missing!" % key_file + if not os.path.isfile(key_file): + raise FileNotFoundError("The server key file (%s) is missing!" % key_file) acc_file = ACME_DIR + "account.key" - if not os.path.exists(acc_file): - raise "The account key file (%s) is missing!" % acc_file + if not os.path.isfile(acc_file): + raise FileNotFoundError("The account key file (%s) is missing!" % acc_file) csr_file = "/tmp/%s.csr" % domain crt_file = "/tmp/%s.crt" % domain if os.path.lexists(csr_file) or os.path.lexists(crt_file): - raise "A temporary file already exists!" + raise FileExistsError("A temporary file already exists!") - cr = subprocess.check_output(['openssl', 'req', '-new', '-sha256', '-key', key_file, '-out', csr_file, '-subj', '/CN=%s' % domain]) + try: + cr = subprocess.check_output(['openssl', 'req', '-new', '-sha256', '-key', key_file, '-out', csr_file, '-subj', '/CN=%s' % domain]) - # get certificate - crt = acme_tiny.get_crt(acc_file, csr_file, CHALLENGE_DIR, CA = LE_CA) - with open(crt_file, "w") as crt_fd: - crt_fd.write(crt) + # get certificate + crt = acme_tiny.get_crt(acc_file, csr_file, CHALLENGE_DIR, CA = LE_CA) + with open(crt_file, "w") as crt_fd: + crt_fd.write(crt) + except Exception: + os.remove(csr_file) + raise # TODO check if resulting certificate is valid