From cda4be09f4752042d6dfded7c04e0b16207fec59 Mon Sep 17 00:00:00 2001
From: Kishi85
Date: Sat, 23 Mar 2019 08:28:02 +0100
Subject: [PATCH] acertmgr: don't fail when no issuer CA can be retrieved

Do not fail if there is no issuer CA download possible in any way. Just let the user provide the (static) CA certifiate at ca_file or fail during certificate deployment.
---
 acertmgr/__init__.py | 2 +-
 acertmgr/tools.py | 12 +++++++++---
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/acertmgr/__init__.py b/acertmgr/__init__.py
index 7e30be3..9d288dc 100755
--- a/acertmgr/__init__.py
+++ b/acertmgr/__init__.py
@@ -95,7 +95,7 @@ def cert_get(settings):
 crt_final = settings['cert_file']
 shutil.copy2(crt_file, crt_final)
 os.chmod(crt_final, stat.S_IREAD)
- if "static_ca" in settings and not settings['static_ca']:
+ if "static_ca" in settings and not settings['static_ca'] and ca is not None:
 with io.open(settings['ca_file'], "w") as ca_fd:
 ca_fd.write(tools.convert_cert_to_pem(ca))
 finally:
diff --git a/acertmgr/tools.py b/acertmgr/tools.py
index 29199d4..d11c1b2 100644
--- a/acertmgr/tools.py
+++ b/acertmgr/tools.py
@@ -118,11 +118,17 @@ def download_issuer_ca(cert):
 break
 if not ca_issuers:
- raise Exception("Could not determine issuer CA for given certificate: {}".format(cert))
+ print("Could not determine issuer CA for given certificate: {}".format(cert))
+ return None
 print("Downloading CA certificate from {}".format(ca_issuers))
- cadata = get_url(ca_issuers).read()
- return x509.load_der_x509_certificate(cadata, default_backend())
+ resp = get_url(ca_issuers)
+ code = resp.getcode()
+ if code >= 400:
+ print("Could not download issuer CA (error {}) for given certificate: {}".format(code, cert))
+ return None
+
+ return x509.load_der_x509_certificate(resp.read(), default_backend())
 # @brief convert certificate to PEM format
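Review bot: With the added `and ca is not None`, a failed issuer-CA download now skips the write silently, so whatever already sits at `settings['ca_file']` — possibly a stale chain from an earlier run — gets deployed with no indication that the download failed. Since the commit deliberately moves the failure to deployment time, the skip should at least be reported: add an else branch for the case where static_ca is false and `ca` is None that prints that no issuer CA was retrieved and the existing ca_file is being left unchanged, in the same style as the messages tools.py emits. cert_get starts before this hunk and its `finally` body continues after it.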
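Review bot: The DER fetched from the AIA URL is parsed and returned without checking that it is actually the issuer of `cert`, so a wrong or corrupted download (AIA URLs are commonly plain HTTP) is handed back and written to ca_file by the caller; compare `ca.subject` with `cert.issuer` before returning, and treat a `ValueError` from `load_der_x509_certificate` the same way as the new `return None` paths so a bad body does not reintroduce the failure this commit removes. The `code >= 400` guard only works if `get_url` hands back the response object on HTTP errors; if it is a thin wrapper around urllib's `urlopen`, a 4xx/5xx raises `HTTPError` before `getcode()` is reached, leaving that branch unreachable — worth confirming against get_url. These diagnostics also go to stdout via `print`; `sys.stderr` or the logging module keeps them out of any captured output. download_issuer_ca's body starts before this hunk.
```python
    # … unchanged: AIA lookup, HTTP status check …
    try:
        ca = x509.load_der_x509_certificate(resp.read(), default_backend())
    except ValueError:
        print("Data downloaded from {} is not a DER certificate".format(ca_issuers))
        return None
    # Only hand back a CA that names this certificate's issuer; a mismatched
    # download must not end up in ca_file.
    if ca.subject != cert.issuer:
        print("Downloaded CA subject does not match issuer of given certificate: {}".format(cert))
        return None
    return ca
```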