acertmgr: don't fail when no issuer CA can be retrieved

Do not fail if there is no issuer CA download possible in any way. Just let the user provide the (static) CA certifiate at ca_file or fail during certificate deployment.
2019-03-23 08:28:02 +01:00 · 2019-03-23 08:28:02 +01:00 · cda4be09f4
parent c0d23631b6
commit cda4be09f4
2 changed files with 10 additions and 4 deletions
--- a/acertmgr/init.py
+++ b/acertmgr/init.py
@ -95,7 +95,7 @@ def cert_get(settings):
            crt_final = settings['cert_file']
            shutil.copy2(crt_file, crt_final)
            os.chmod(crt_final, stat.S_IREAD)
-            if "static_ca" in settings and not settings['static_ca']:
+            if "static_ca" in settings and not settings['static_ca'] and ca is not None:
                with io.open(settings['ca_file'], "w") as ca_fd:
                    ca_fd.write(tools.convert_cert_to_pem(ca))
    finally:
--- a/acertmgr/tools.py
+++ b/acertmgr/tools.py
@ -118,11 +118,17 @@ def download_issuer_ca(cert):
            break

    if not ca_issuers:
-        raise Exception("Could not determine issuer CA for given certificate: {}".format(cert))
+        print("Could not determine issuer CA for given certificate: {}".format(cert))
+        return None

    print("Downloading CA certificate from {}".format(ca_issuers))
-    cadata = get_url(ca_issuers).read()
-    return x509.load_der_x509_certificate(cadata, default_backend())
+    resp = get_url(ca_issuers)
+    code = resp.getcode()
+    if  code >= 400:
+        print("Could not download issuer CA (error {}) for given certificate: {}".format(code, cert))
+        return None
+
+    return x509.load_der_x509_certificate(resp.read(), default_backend())


 # @brief convert certificate to PEM format