acertmgr: log exceptions during processing, raise afterward

If anything goes wrong during cert_get/cert_put/running actions/cert_revoke superseded do not fail completely and continue with the remaining domains to process. Print all exceptions and after processing raise a RuntimeError
2025-01-01 04:21:51 +01:00 · 2019-03-28 14:34:06 +01:00 · 2019-03-28 14:34:06 +01:00 · fe7a064604
commit fe7a064604
parent 7e4c350a4f
1 changed files with 39 additions and 20 deletions
--- a/acertmgr/init.py
+++ b/acertmgr/init.py
@ -137,27 +137,37 @@ def main():
        # post-update actions (run only once)
        actions = set()
        superseded = set()
        exceptions = list()
        # check certificate validity and obtain/renew certificates if needed
        for config in domainconfigs:
-            cert = None
+            try:
-            if os.path.isfile(config['cert_file']):
+                cert = None
-                cert = tools.read_pem_file(config['cert_file'])
+                if os.path.isfile(config['cert_file']):
-            if not cert or not tools.is_cert_valid(cert, config['ttl_days']) or (
+                    cert = tools.read_pem_file(config['cert_file'])
-                    'force_renew' in runtimeconfig and
+                if not cert or not tools.is_cert_valid(cert, config['ttl_days']) or (
-                    all(d in config['domainlist'] for d in runtimeconfig['force_renew'])):
+                        'force_renew' in runtimeconfig and
-                cert_get(config)
+                        all(d in config['domainlist'] for d in runtimeconfig['force_renew'])):
-                if str(config.get('cert_revoke_superseded')).lower() == 'true' and cert:
+                    cert_get(config)
-                    superseded.add(cert)
+                    if str(config.get('cert_revoke_superseded')).lower() == 'true' and cert:
                        superseded.add(cert)
            except Exception as e:
                print("Certificate issue/renew failed: {}".format(e))
                exceptions.append(e)
        # deploy new certificates after all are renewed
        deployment_success = True
        for config in domainconfigs:
-            for cfg in config['actions']:
+            try:
-                if not tools.target_is_current(cfg['path'], config['cert_file']):
+                for cfg in config['actions']:
-                    print("Updating '{}' due to newer version".format(cfg['path']))
+                    if not tools.target_is_current(cfg['path'], config['cert_file']):
-                    actions.add(cert_put(cfg))
+                        print("Updating '{}' due to newer version".format(cfg['path']))
                        actions.add(cert_put(cfg))
            except Exception as e:
                print("Certificate deployment failed: {}".format(e))
                exceptions.append(e)
                deployment_success = False
        # run post-update actions
        all_actions_success = True
        for action in actions:
            if action is not None:
                try:
@ -166,12 +176,21 @@ def main():
                    print("Executed '{}' successfully: {}".format(action, output))
                except subprocess.CalledProcessError as e:
                    print("Execution of '{}' failed with error '{}': {}".format(e.cmd, e.returncode, e.output))
-                    all_actions_success = False
+                    exceptions.append(e)
                    deployment_success = False
        # revoke old certificates as superseded
-        if all_actions_success:
+        if deployment_success:
            for superseded_cert in superseded:
-                print("Revoking previous certificate '{}' valid until {} as superseded".format(
+                try:
-                    superseded_cert,
+                    print("Revoking previous certificate '{}' valid until {} as superseded".format(
-                    superseded_cert.not_valid_after))
+                        superseded_cert,
-                cert_revoke(superseded_cert, domainconfigs, reason=4)  # reason=4 is superseded
+                        superseded_cert.not_valid_after))
                    cert_revoke(superseded_cert, domainconfigs, reason=4)  # reason=4 is superseded
                except Exception as e:
                    print("Certificate supersede revoke failed: {}".format(e))
                    exceptions.append(e)
        # throw a RuntimeError with all exceptions caught while working if there were any
        if len(exceptions) > 0:
            raise RuntimeError("{} exception(s) occurred during runtime: {}".format(len(exceptions), exceptions))