Merge branch 'devel'

Author: grindsa

.github/workflows/acme_sh-application-test.yml

@@ -140,6 +140,11 @@ jobs:
         docker-compose up -d
         docker-compose logs
 
+    - name: "[ WAIT ] Sleep for 10s"
+      uses: juliangruber/sleep-action@v1
+      with:
+        time: 10s
+
     - name: "Test http://acme-srv/directory is accessable"
       run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
 
@@ -252,6 +257,11 @@ jobs:
         docker-compose up -d
         docker-compose logs
 
+    - name: "[ WAIT ] Sleep for 10s"
+      uses: juliangruber/sleep-action@v1
+      with:
+        time: 10s
+
     - name: "Test http://acme-srv/directory is accessable"
       run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
 
@@ -364,6 +374,11 @@ jobs:
         docker-compose up -d
         docker-compose logs
 
+    - name: "[ WAIT ] Sleep for 10s"
+      uses: juliangruber/sleep-action@v1
+      with:
+        time: 10s
+
     - name: "Test http://acme-srv/directory is accessable"
       run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
 

.github/workflows/lego-application-test.yml

@@ -111,6 +111,11 @@ jobs:
         docker-compose up -d
         docker-compose logs
 
+    - name: "[ WAIT ] Sleep for 10s"
+      uses: juliangruber/sleep-action@v1
+      with:
+        time: 10s
+
     - name: "Test http://acme-srv/directory is accessable"
       run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
 
@@ -194,6 +199,11 @@ jobs:
         docker-compose up -d
         docker-compose logs
 
+    - name: "[ WAIT ] Sleep for 10s"
+      uses: juliangruber/sleep-action@v1
+      with:
+        time: 10s
+
     - name: "Test http://acme-srv/directory is accessable"
       run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
 
@@ -277,6 +287,11 @@ jobs:
         docker-compose up -d
         docker-compose logs
 
+    - name: "[ WAIT ] Sleep for 10s"
+      uses: juliangruber/sleep-action@v1
+      with:
+        time: 10s
+
     - name: "Test http://acme-srv/directory is accessable"
       run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
 

.github/workflows/python-test.yml

@@ -61,13 +61,13 @@ jobs:
           pylint --rcfile=".github/pylintrc" acme_srv/ || pylint-exit $?
       - name: "Pylint folder: tools"
         run: |
-          pylint --rcfile=".github/pylintrc" tools/ || pylint-exit $?
+          pylint --rcfile=".github/pylintrc" tools/*.py || pylint-exit $?
       - name: "Pylint folder: examples/db_handler"
         run: |
-          pylint --rcfile=".github/pylintrc" examples/db_handler/ || pylint-exit $?
+          pylint --rcfile=".github/pylintrc" examples/db_handler/*.py || pylint-exit $?
       - name: "Pylint folder: examples/ca_handler"
         run: |
-          pylint --rcfile=".github/pylintrc" examples/ca_handler/ || pylint-exit $?
+          pylint --rcfile=".github/pylintrc" examples/ca_handler/*.py || pylint-exit $?
 
       - name: "Linting with pycodestyle"
         run: |

CHANGES.md

@@ -5,6 +5,15 @@ This is a high-level summary of the most important changes. For a full list of
 changes, see the [git commit log](https://github.com/grindsa/acme2certifier/commits)
 and pick the appropriate release branch.
 
+## Changes in 0.19.3
+
+**Features and Improvements**:
+
+- disable TLSv1.0 and TLSv1.1 fallback when conduction TLS-ALP=1 challenge validation
+- python3-cryptography will be installed via pip to fulfill dependencies from pyOpenssl
+- Changed encoding detection library from chardet to charset_normalizer
+- [lgtm](https://lgtm.com/projects/g/grindsa/acme2certifier/context:python) conformance
+
 ## Changes in 0.19.2
 
 **Features and Improvements**:

acme_srv/helper.py

@@ -425,7 +425,7 @@ def fqdn_in_san_check(logger, san_list, fqdn):
                     result = True
                     break
             except Exception:
-                pass
+                logger.error('ERROR: fqdn_in_san_check() SAN split failed: {0}'.format(san))
 
     logger.debug('fqdn_in_san_check() ended with: {}'.format(result))
     return result
@@ -880,6 +880,10 @@ def servercert_get(logger, hostname, port=443, proxy_server=None):
     context = ssl.create_default_context()
     context.check_hostname = False
     context.verify_mode = ssl.CERT_NONE
+    # reject insecure ssl version
+    context.options |= ssl.OP_NO_SSLv3
+    context.options |= ssl.OP_NO_TLSv1
+    context.options |= ssl.OP_NO_TLSv1_1
 
     if proxy_server:
         (proxy_proto, proxy_addr, proxy_port) = proxystring_convert(logger, proxy_server)
@@ -888,7 +892,8 @@ def servercert_get(logger, hostname, port=443, proxy_server=None):
             sock.setproxy(proxy_proto, proxy_addr, port=proxy_port)
     try:
         sock.connect((hostname, port))
-        with context.wrap_socket(sock, server_hostname=hostname) as sslsock:  # lgtm [py/insecure-protocol]
+        with context.wrap_socket(sock, server_hostname=hostname) as sslsock:
+            logger.debug('servercert_get() configure proxy: {0}:{1} version: {2}'.format(hostname, port, sslsock.version()))
             der_cert = sslsock.getpeercert(True)
             # from binary DER format to PEM
             if der_cert:

acme_srv/version.py

@@ -3,5 +3,5 @@
 # 1) we don't load dependencies by storing it in __init__.py
 # 2) we can import it in setup.py for the same reason
 # 3) we can import it into your module module
-__version__ = '0.19.2'
+__version__ = '0.19.3'
 __dbversion__ = '0.18'

examples/Docker/apache2/django/Dockerfile

@@ -14,7 +14,6 @@ RUN apt-get install --no-install-recommends -y \
     python3-mysqldb \
     python3-pymysql \
     python3-psycopg2 \
-    python3-cryptography \
     python3-yaml \
  && rm -rf /var/lib/apt/lists/*
 

examples/Docker/apache2/wsgi/Dockerfile

@@ -9,7 +9,6 @@ RUN apt-get install --no-install-recommends -y \
     apache2-data \
     libapache2-mod-wsgi-py3 \
     curl \
-    python3-cryptography \
  && rm -rf /var/lib/apt/lists/*
 
 # install python requirements

examples/Docker/nginx/django/Dockerfile

@@ -15,7 +15,6 @@ RUN apt-get install --no-install-recommends -y \
     python3-pymysql \
     python3-psycopg2 \
     python3-yaml \
-    python3-cryptography \
  && rm -rf /var/lib/apt/lists/*
 
 # install python requirements

examples/Docker/nginx/wsgi/Dockerfile

@@ -9,7 +9,6 @@ RUN apt-get install --no-install-recommends -y \
     uwsgi \
     uwsgi-plugin-python3 \
     curl \
-    python3-cryptography \
 && rm -rf /var/lib/apt/lists/*
 
 # install python requirements

examples/acme2certifier_wsgi.py

@@ -24,7 +24,7 @@
 CONFIG = load_config()
 try:
     DEBUG = CONFIG.getboolean('DEFAULT', 'debug')
-except BaseException:
+except Exception:
     DEBUG = False
 
 

examples/ca_handler/cmp_ca_handler.py

@@ -73,7 +73,7 @@ def _csr_san_get(self, csr):
                 if value:
                     o_list.append(value)
             except Exception:
-                pass
+                self.logger.error('ERROR: CAhandler._csr_san_get(): SAN split failed: {0}'.format(san))
 
         if o_list:
             sans = '"{0}"'.format(', '.join(o_list))

examples/ca_handler/xca_ca_handler.py

@@ -486,7 +486,7 @@ def _requestname_get(self, csr):
             try:
                 (_identifiier, request_name,) = san_list[0].split(':')
             except Exception:
-                pass
+                self.logger.error('ERROR: CAhandler._request_name_get(): SAN split failed: {0}'.format(san_list))
 
         self.logger.debug('CAhandler._request_name_get() ended with: {0}'.format(request_name))
         return request_name
@@ -697,7 +697,7 @@ def enroll(self, csr):
             request_name = self._requestname_get(csr)
             if request_name:
                 # import CSR to database
-                _csr_info = self._csr_import(csr, request_name)
+                _csr_info = self._csr_import(csr, request_name)  # lgtm [py/unused-local-variable]
 
                 # prepare the CSR to be signed
                 csr = build_pem_file(self.logger, None, b64_url_recode(self.logger, csr), None, True)

requirements.txt

@@ -1,12 +1,13 @@
 setuptools
 jwcrypto
+cryptography
 pyOpenssl
 dnspython
 certsrv[ntlm]
 pytz
 configparser
 python-dateutil
-requests[use_chardet_on_py3]
+requests
 pysocks
 josepy
 acme

test/test_cmp_ca_handler.py

@@ -294,6 +294,15 @@ def test_031_csr_san_get(self, mock_san):
         olist = []
         self.assertEqual('"bar1, bar2"', self.cahandler._csr_san_get('csr'))
 
+    @patch('examples.ca_handler.cmp_ca_handler.csr_san_get')
+    def test_032_csr_san_get(self, mock_san):
+        """ test _csr_san_get  - single damaged san """
+        mock_san.return_value = ['foo:bar1', 'bar2']
+        olist = []
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual('"bar1"', self.cahandler._csr_san_get('csr'))
+        self.assertIn('ERROR:test_a2c:ERROR: CAhandler._csr_san_get(): SAN split failed: bar2', lcm.output)
+
     def test_032_poll(self):
         """ test trigger """
         self.assertEqual(('Method not implemented.', None, None, 'poll_identifier', False), self.cahandler.poll('cert_name', 'poll_identifier', 'csr'))

test/test_helper.py

@@ -1050,6 +1050,14 @@ def test_149_fqdn_in_san_check(self):
         san_list = ['foo1.bar.local', 'DNS:foo.bar.local']
         self.assertTrue(self.fqdn_in_san_check(self.logger, san_list, fqdn))
 
+    def test_150_fqdn_in_san_check(self):
+        """ successful check two entries one match """
+        fqdn = 'foo.bar.local'
+        san_list = ['foo1.bar.local']
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertFalse(self.fqdn_in_san_check(self.logger, san_list, fqdn))
+        self.assertIn('ERROR:test_a2c:ERROR: fqdn_in_san_check() SAN split failed: foo1.bar.local', lcm.output)
+
     def test_150_sha256_hash_hex(self):
         """ sha256 digest as hex file """
         self.assertEqual('2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae', self.sha256_hash_hex(self.logger, 'foo'))

test/test_xca_ca_handler.py

@@ -462,7 +462,9 @@ def test_059_requestname_get(self, mock_cn, mock_san):
         """ CAhandler._requestname_get empty cn empty san"""
         mock_cn.return_value = None
         mock_san.return_value = []
-        self.assertFalse(self.cahandler._requestname_get('csr'))
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertFalse(self.cahandler._requestname_get('csr'))
+        self.assertIn("ERROR:test_a2c:ERROR: CAhandler._request_name_get(): SAN split failed: []", lcm.output)
 
     @patch('examples.ca_handler.xca_ca_handler.csr_san_get')
     @patch('examples.ca_handler.xca_ca_handler.csr_cn_get')
@@ -483,11 +485,21 @@ def test_061_requestname_get(self, mock_cn, mock_san):
     @patch('examples.ca_handler.xca_ca_handler.csr_san_get')
     @patch('examples.ca_handler.xca_ca_handler.csr_cn_get')
     def test_062_requestname_get(self, mock_cn, mock_san):
-        """ CAhandler._requestname_get empty cn empty dsmaged san"""
+        """ CAhandler._requestname_get empty cn empty damaged san"""
         mock_cn.return_value = None
         mock_san.return_value = ['dns:foo', 'bar']
         self.assertEqual('foo', self.cahandler._requestname_get('csr'))
 
+    @patch('examples.ca_handler.xca_ca_handler.csr_san_get')
+    @patch('examples.ca_handler.xca_ca_handler.csr_cn_get')
+    def test_063_requestname_get(self, mock_cn, mock_san):
+        """ CAhandler._requestname_get empty cn empty damaged san"""
+        mock_cn.return_value = None
+        mock_san.return_value = ['foo', 'bar']
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual(None, self.cahandler._requestname_get('csr'))
+        self.assertIn("ERROR:test_a2c:ERROR: CAhandler._request_name_get(): SAN split failed: ['foo', 'bar']", lcm.output)
+
     def test_063_cert_insert(self):
         """ CAhandler._revocation_insert with empty rev_dic """
         rev_dic = {}