mirror of https://github.com/moepman/acertmgr.git synced 2025-01-04 01:25:24 +01:00

acertmgr: log exceptions during processing, raise afterward

If anything goes wrong during cert_get, cert_put, running actions or
cert_revoke of superseded certificates, do not fail completely; continue
with the remaining domains to process. Print all exceptions and, after
processing, raise a RuntimeError.
Kishi85 2019-03-28 14:34:06 +01:00
parent 7e4c350a4f
commit fe7a064604


@ -137,27 +137,37 @@ def main():
# post-update actions (run only once) # post-update actions (run only once)
actions = set() actions = set()
superseded = set() superseded = set()
exceptions = list()
# check certificate validity and obtain/renew certificates if needed # check certificate validity and obtain/renew certificates if needed
for config in domainconfigs: for config in domainconfigs:
cert = None try:
if os.path.isfile(config['cert_file']): cert = None
cert = tools.read_pem_file(config['cert_file']) if os.path.isfile(config['cert_file']):
if not cert or not tools.is_cert_valid(cert, config['ttl_days']) or ( cert = tools.read_pem_file(config['cert_file'])
'force_renew' in runtimeconfig and if not cert or not tools.is_cert_valid(cert, config['ttl_days']) or (
all(d in config['domainlist'] for d in runtimeconfig['force_renew'])): 'force_renew' in runtimeconfig and
cert_get(config) all(d in config['domainlist'] for d in runtimeconfig['force_renew'])):
if str(config.get('cert_revoke_superseded')).lower() == 'true' and cert: cert_get(config)
superseded.add(cert) if str(config.get('cert_revoke_superseded')).lower() == 'true' and cert:
superseded.add(cert)
except Exception as e:
print("Certificate issue/renew failed: {}".format(e))
exceptions.append(e)
# deploy new certificates after all are renewed # deploy new certificates after all are renewed
deployment_success = True
for config in domainconfigs: for config in domainconfigs:
for cfg in config['actions']: try:
if not tools.target_is_current(cfg['path'], config['cert_file']): for cfg in config['actions']:
print("Updating '{}' due to newer version".format(cfg['path'])) if not tools.target_is_current(cfg['path'], config['cert_file']):
actions.add(cert_put(cfg)) print("Updating '{}' due to newer version".format(cfg['path']))
actions.add(cert_put(cfg))
except Exception as e:
print("Certificate deployment failed: {}".format(e))
exceptions.append(e)
deployment_success = False
# run post-update actions # run post-update actions
all_actions_success = True
for action in actions: for action in actions:
if action is not None: if action is not None:
try: try:
@ -166,12 +176,21 @@ def main():
print("Executed '{}' successfully: {}".format(action, output)) print("Executed '{}' successfully: {}".format(action, output))
except subprocess.CalledProcessError as e: except subprocess.CalledProcessError as e:
print("Execution of '{}' failed with error '{}': {}".format(e.cmd, e.returncode, e.output)) print("Execution of '{}' failed with error '{}': {}".format(e.cmd, e.returncode, e.output))
all_actions_success = False exceptions.append(e)
deployment_success = False
# revoke old certificates as superseded # revoke old certificates as superseded
if all_actions_success: if deployment_success:
for superseded_cert in superseded: for superseded_cert in superseded:
print("Revoking previous certificate '{}' valid until {} as superseded".format( try:
superseded_cert, print("Revoking previous certificate '{}' valid until {} as superseded".format(
superseded_cert.not_valid_after)) superseded_cert,
cert_revoke(superseded_cert, domainconfigs, reason=4) # reason=4 is superseded superseded_cert.not_valid_after))
cert_revoke(superseded_cert, domainconfigs, reason=4) # reason=4 is superseded
except Exception as e:
print("Certificate supersede revoke failed: {}".format(e))
exceptions.append(e)
# throw a RuntimeError with all exceptions caught while working if there were any
if len(exceptions) > 0:
raise RuntimeError("{} exception(s) occurred during runtime: {}".format(len(exceptions), exceptions))
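Review bot: The post-update action loop still catches only `subprocess.CalledProcessError`, so any other exception raised there (for example an `OSError` if the command cannot be started) escapes `main()` immediately; the exceptions collected so far are then never reported and the aggregated `RuntimeError` is skipped. Adding `except Exception as e:` with `exceptions.append(e)` and `deployment_success = False` after the existing handler would match the other three loops and keep revocation of superseded certificates gated on a clean run. The `try` body itself lies between the two hunks and is not visible here, so which calls can raise is inferred. Separately, the new messages such as `"Certificate issue/renew failed: {}"` do not name the affected domains; including `config['domainlist']` would make a failed renewal attributable in logs and monitoring.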