
sewer's Introduction

Sewer


Sewer is a Let's Encrypt (ACME) client.
Its name is derived from the Kenyan hip hop artiste Kitu Sewer.

  • The stable release is 0.8.4.
  • More history (including notes on 0.8.5-to-be) in the CHANGELOG.

PYTHON compatibility: 3.5 is still supported, though I believe at least one driver contains incompatible code (I have no way to actually test it, and sometimes these new features have been backported in 3.x.later). As of 0.8.5 I'm still trying not to break 3.5, but that oldest officially supported version is probably going to take a bump. You already cannot run all the dev tests under 3.5 (black is one obvious one)...

I (maintainer @mmaney) loiter in channel ##sewer (on irc.freenode.net) for those who remember IRC. Don't ask to ask, but waiting is.

Features

Installation

pip3 install sewer

# with All DNS Provider support, include aliyun, Hurricane Electric, Aurora, ACME ...
# pip3 install sewer[alldns]

# with Cloudflare support
# pip3 install sewer[cloudflare]

# with Aliyun support
# pip3 install sewer[aliyun]

# with HE DNS(Hurricane Electric DNS) support
# pip3 install sewer[hurricane]

# with Aurora DNS Support
# pip3 install sewer[aurora]

# with ACME DNS Support
# pip3 install sewer[acmedns]

# with Rackspace DNS Support
# pip3 install sewer[rackspace]

# with DNSPod DNS Support
# pip3 install sewer[dnspod]

# with DuckDNS DNS Support
# pip3 install sewer[duckdns]

# with ClouDNS DNS Support
# pip3 install sewer[cloudns]

# with AWS Route 53 DNS Support
# pip3 install sewer[route53]

# with PowerDNS DNS Support
# pip3 install sewer[powerdns]

sewer (since version 0.5.0) is now python3 only. To install the (now unsupported) python2 version:

pip install sewer==0.3.0

Sewer is in active development and its API will change in backward-incompatible ways. https://pypi.python.org/pypi/sewer

Development setup

See the how to contribute documentation

FAQ

  • Why another ACME client?
    I wanted an ACME client that I could use to programmatically (as a library) acquire/get certificates. However, I could not find anything satisfactory for use in Python code.
  • Why is it called Sewer? I really like the Kenyan hip hop artiste going by the name of Kitu Sewer.

sewer's People

Contributors

alanbacon, alectroemel, butterflytech, cqjjjzr, dnet, etienne-napoleone, hbradleyiii, hfern, jdkx, komuw, kylejohnson, m4ldonado, menduo, mmaney, moritz89, rozgonik, soloradish, szepeviktor, tungsteno74, wilfriedjonker

sewer's Issues

bug: no module named dns_providers

Which version of python are you using?

2

What operating system and version of operating system are you using?

ubuntu

What version of sewer are you using?

0.1.1

What did you do? (be as detailed as you can)

tried to import sewer

What did you expect to see/happen/not happen?

sewer to be imported

What did you actually see/happen?

File "/vagrant/apps/common_app/tasks.py", line 10, in <module>
    import sewer
  File "/usr/local/lib/python2.7/dist-packages/sewer/__init__.py", line 2, in <module>
    from dns_providers import CloudFlareDns  # noqa: F401
ImportError: No module named dns_providers

Issues adding dns provider for Aurora DNS (Apache Libcloud)

Which version of python are you using?

Python 2.7.12

What operating system and version of operating system are you using?

Ubuntu 16.04

What version of sewer are you using?

0.2.4

What did you do? (be as detailed as you can)

Adding aurora DNS provider

What did you expect to see/happen/not happen?

Getting a certificate, but got an error. See attachment for full output.

What did you actually see/happen?

I think some specific information is expected from the functions create_dns_record and delete_dns_record. But it is not clear to me what this is and in what format it is expected.

Paste here the log output generated by sewer, if any. Please remember to remove any sensitive items from the log before pasting here.

see output.log

See also aurora.txt to see code from the provider.
aurora.txt
output.txt

add certificate revocation feature

https://tools.ietf.org/html/draft-ietf-acme-acme-02#section-6.6

To request that a certificate be revoked, the client sends a POST
   request to the ACME server's revoke-cert URI.  The body of the POST
   is a JWS object whose JSON payload contains the certificate to be
   revoked:

   certificate (required, string):  The certificate to be revoked, in
      the base64url-encoded version of the DER format.  (Note: This
      field uses the same modified Base64 encoding rules used elsewhere
      in this document, so it is different from PEM.)

   POST /acme/revoke-cert HTTP/1.1
   Host: example.com

   {
     "resource": "revoke-cert",
     "certificate": "MIIEDTCCAvegAwIBAgIRAP8..."
   }
   /* Signed as JWS */

   Revocation requests are different from other ACME request in that
   they can be signed either with an account key pair or the key pair in
   the certificate.  Before revoking a certificate, the server MUST
   verify that the key used to sign the request is authorized to revoke
   the certificate.  The server SHOULD consider at least the following
   keys authorized for a given certificate:

   o  the public key in the certificate.

   o  an account key that is authorized to act for all of the
      identifier(s) in the certificate.
If the revocation succeeds, the server responds with status code 200
   (OK).  If the revocation fails, the server returns an error.
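The encoding rule the draft calls out above (base64url of the DER, not PEM), the JWS signing input, and the server's authorization rule, as an added illustration that is not sewer's code. SAMPLE_PEM is a constructed stand-in with a few fixed DER bytes, and the key "ids" in authorized_to_revoke are assumed opaque identifiers such as JWK thumbprints.

```python
import base64
import json

# Constructed sample: a "certificate" whose DER body is four fixed bytes,
# wrapped in PEM armour. Not a real certificate; it only exercises the
# encoding steps, which do not depend on the DER content.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "+/+/AA==\n"
    "-----END CERTIFICATE-----\n"
)


def b64url(data: bytes) -> str:
    """ACME's modified Base64: URL-safe alphabet, trailing '=' stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the standard-Base64 body to DER."""
    body = "".join(
        line.strip()
        for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body, validate=True)


def build_revoke_payload(pem: str) -> dict:
    """JSON payload of the revoke-cert request: DER, base64url-encoded."""
    return {"resource": "revoke-cert", "certificate": b64url(pem_to_der(pem))}


def jws_signing_input(protected: dict, payload: dict) -> bytes:
    """The bytes the client signs (RS256/ES256 over this) and the server
    verifies: base64url(protected header) '.' base64url(payload)."""
    head = b64url(json.dumps(protected, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    return (head + "." + body).encode("ascii")


def authorized_to_revoke(signer, cert_key, cert_identifiers, account_identifiers):
    """Server-side rule from the draft: the signer is the certificate's own
    key, or an account key authorized for every identifier in the certificate.
    account_identifiers maps account key id -> identifiers it may act for."""
    if signer == cert_key:
        return True
    allowed = set(account_identifiers.get(signer, ()))
    return set(cert_identifiers) <= allowed
```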

error: too many registrations for this IP

Which version of python are you using?

2

What operating system and version of operating system are you using?

ubuntu 16.04

What version of sewer are you using?

0.1.6

What did you do? (be as detailed as you can)

use sewer from cli to try and get certificates

What did you expect to see/happen/not happen?

  • get certificates

What did you actually see/happen?

acme_register_response: {u'status': 429, u'type': u'urn:acme:error:rateLimited', u'detail': u'Error creating new registration :: too many registrations for this IP'}

get TOS url dynamically

the TOS url can change at any time. We should stop hard coding it and instead get the correct url at runtime.

add pre-commit checks to ci

  • we need to add pre-commit checks to ci. Some of the things we can check for as part of this: that we do not have any pdb or print statements in code.

bug: ImportError: No module named Crypto.PublicKey.RSA

Which version of python are you using?

2

What operating system and version of operating system are you using?

ubuntu 16.04

What version of sewer are you using?

0.2.1

What did you do? (be as detailed as you can)

tried getting certs

What did you expect to see/happen/not happen?

get certs

What did you actually see/happen?

Traceback (most recent call last):
  File "/usr/local/bin/sewer", line 7, in <module>
    from sewer.cli import main
  File "/usr/local/lib/python2.7/dist-packages/sewer/__init__.py", line 1, in <module>
    from .ACMEclient import ACMEclient
  File "/usr/local/lib/python2.7/dist-packages/sewer/ACMEclient.py", line 12, in <module>
    import Crypto.PublicKey.RSA
ImportError: No module named Crypto.PublicKey.RSA

unable to get certificate via cli

Which version of python are you using?

2.7

What operating system and version of operating system are you using?

ubuntu 16.04

What version of sewer are you using?

0.2.6

What did you do? (be as detailed as you can)

ran:

sewer --dns "cloudflare" --email some-meail  --domains some-domain --action run --endpoint staging
usage: sewer [-h] [--version] [--account_key ACCOUNT_KEY] --dns {cloudflare,
             aurora} --domains DOMAINS [--bundle_name BUNDLE_NAME]
             [--endpoint {production,staging}] [--email EMAIL] --action
             {run,renew}
sewer: error: argument --dns: invalid choice: 'cloudflare' (choose from 'cloudflare, aurora')

What did you expect to see/happen/not happen?

get a certificate from staging

What did you actually see/happen?

usage: sewer [-h] [--version] [--account_key ACCOUNT_KEY] --dns {cloudflare,
             aurora} --domains DOMAINS [--bundle_name BUNDLE_NAME]
             [--endpoint {production,staging}] [--email EMAIL] --action
             {run,renew}
sewer: error: argument --dns: invalid choice: 'cloudflare' (choose from 'cloudflare, aurora')

Paste here the log output generated by sewer, if any. Please remember to remove any sensitive items from the log before pasting here.

usage: sewer [-h] [--version] [--account_key ACCOUNT_KEY] --dns {cloudflare,
             aurora} --domains DOMAINS [--bundle_name BUNDLE_NAME]
             [--endpoint {production,staging}] [--email EMAIL] --action
             {run,renew}
sewer: error: argument --dns: invalid choice: 'cloudflare' (choose from 'cloudflare, aurora')

Missing attribute in Cryptography library when attempting to create cert

Which version of python are you using?

2.7.13

What operating system and version of operating system are you using?

Mac 10.13.1

What version of sewer are you using?

Latest

What did you do? (be as detailed as you can)

Tried to create a certificate with an existing account key

What did you expect to see/happen/not happen?

To get a cert

What did you actually see/happen?

Got an exception

Paste here the log output generated by sewer, if any. Please remember to remove any sensitive items from the log before pasting here.

    221         # private key public exponent in hex format
--> 222         exponent = "{0:x}".format(public_key_public_numbers.e)
    223         exponent = "0{0}".format(exponent) if len(exponent) % 2 else exponent
    224         # private key modulus in hex format

AttributeError: 'EllipticCurvePublicNumbers' object has no attribute 'e'

Looked at previous versions of the cryptography library and couldn't find any with an "e" attribute. Any ideas where this came from? I'm using cryptography 2.1.3

Batching DNS changes

Which version of python are you using?

3.6.3

What operating system and version of operating system are you using?

Running in Lambda

What version of sewer are you using?

0.5.1

What did you do? (be as detailed as you can)

I made a request for a SAN certificate for *.domain.com and SAN domain.com

What did you expect to see/happen/not happen?

A SAN cert would get issued for *.example.com and example.com, using route53 efficiently.

What did you actually see/happen?

I can make this work using route53, but the problem is that I have to make multiple modifications to my TXT entry, since Route53 treats TXT entries as a single DNS entry with multiple values (ie. on every request to create_dns_entry, I have to check if the record exists, and if so, append another TXT value to it. Then during deletion, I have to query for the entire DNS record so I can properly delete it).

It would be really helpful if DNS providers for sewer could either:
a) be handed all the DNS changes at once so they can optimize how they create entries or
b) receive a function call when all DNS changes that sewer determines need to be made have been sent to it via create_dns_record
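The Route 53 behaviour described in this issue (one TXT record set per name holding several values), and option (b) above as a flush() call, as an added example that is not sewer's or Route 53's code. FakeRoute53 is a constructed in-memory stand-in for ChangeResourceRecordSets; the point it shows is that example.com and *.example.com both validate at _acme-challenge.example.com, so their two tokens must live in one record set.

```python
from collections import defaultdict


class FakeRoute53:
    """Constructed stand-in for Route 53: one record set per name, and a TXT
    set is a list of quoted values. Counts change batches submitted."""

    def __init__(self):
        self.sets = {}
        self.api_calls = 0

    def list(self, name):
        return list(self.sets.get(name, []))

    def change(self, action, name, values):
        self.api_calls += 1
        if action == "DELETE":
            self.sets.pop(name, None)
        elif action == "UPSERT":
            self.sets[name] = list(values)
        else:
            raise ValueError("unknown action %r" % action)


class BatchedTxtProvider:
    """Collects dns-01 challenge values per record name and writes each
    record set once, merging with values already present."""

    def __init__(self, backend):
        self.backend = backend
        self.pending = defaultdict(set)

    @staticmethod
    def record_name(domain_name):
        # A wildcard is validated at the same _acme-challenge name as its base.
        base = domain_name[2:] if domain_name.startswith("*.") else domain_name
        return "_acme-challenge." + base.rstrip(".") + "."

    @staticmethod
    def quote(value):
        # Route 53 stores TXT values as quoted strings.
        return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

    def create_dns_record(self, domain_name, value):
        self.pending[self.record_name(domain_name)].add(value)

    def flush(self):
        """Called once all challenges are known: one UPSERT per record name."""
        for name, values in self.pending.items():
            merged = set(self.backend.list(name)) | {self.quote(v) for v in values}
            self.backend.change("UPSERT", name, sorted(merged))
        self.pending.clear()

    def delete_dns_record(self, domain_name, value):
        """Remove one value; drop the whole set only when nothing is left."""
        name = self.record_name(domain_name)
        remaining = [v for v in self.backend.list(name) if v != self.quote(value)]
        if remaining:
            self.backend.change("UPSERT", name, remaining)
        else:
            self.backend.change("DELETE", name, [])
```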

Error sending csr

Which version of python are you using?

3.6.3

What operating system and version of operating system are you using?

Ubuntu 17.10

What version of sewer are you using?

0.5.0

What did you do? (be as detailed as you can)

virtualenv -p python3.6 sewer
cd sewer
bin/pip install apache-libcloud==2.1.0  # (because otherwise: https://issues.apache.org/jira/browse/LIBCLOUD-946)
bin/pip install sewer
export CLOUDFLARE_EMAIL=****
export CLOUDFLARE_API_KEY=****
bin/sewer --dns cloudflare --domain mdx.no --alt_domains '*.mdx.no' --email ****@gmail.com --action run --endpoint staging --loglevel DEBUG

What did you expect to see/happen/not happen?

Valid certificate

What did you actually see/happen?

Exception

Paste here the log output generated by sewer, if any. Please remember to remove any sensitive items from the log before pasting here.


chosen_dns_provider. Using cloudflare as dns provider.
chosen_dns_provider. Using cloudflare as dns provider.
intialise_success, sewer_version=0.5.0, domain_names=['mdx.no', '*.mdx.no'], acme_server=https://acme-staging...
intialise_success, sewer_version=0.5.0, domain_names=['mdx.no', '*.mdx.no'], acme_server=https://acme-staging...
intialise_success, sewer_version=0.5.0, domain_names=['mdx.no', '*.mdx.no'], acme_server=https://acme-staging...
account key succesfully written to current directory.
account key succesfully written to current directory.
account key succesfully written to current directory.
acme_register
acme_register
acme_register
acme_register_success
acme_register_success
acme_register_success
apply_for_cert_issuance
apply_for_cert_issuance
apply_for_cert_issuance
apply_for_cert_issuance_success
apply_for_cert_issuance_success
apply_for_cert_issuance_success
get_challenge
get_challenge
get_challenge
get_challenge_success
get_challenge_success
get_challenge_success
create_dns_record
create_dns_record
create_dns_record
delete_dns_record
delete_dns_record
delete_dns_record
delete_dns_record_success
delete_dns_record_success
delete_dns_record_success
create_dns_record_end
create_dns_record_end
create_dns_record_end
check_authorization_status
check_authorization_status
check_authorization_status
check_authorization_status_success
check_authorization_status_success
check_authorization_status_success
respond_to_challenge
respond_to_challenge
respond_to_challenge
respond_to_challenge_success
respond_to_challenge_success
respond_to_challenge_success
get_challenge
get_challenge
get_challenge
get_challenge_success
get_challenge_success
get_challenge_success
create_dns_record
create_dns_record
create_dns_record
delete_dns_record
delete_dns_record
delete_dns_record
delete_dns_record_success
delete_dns_record_success
delete_dns_record_success
create_dns_record_end
create_dns_record_end
create_dns_record_end
check_authorization_status
check_authorization_status
check_authorization_status
check_authorization_status_success
check_authorization_status_success
check_authorization_status_success
respond_to_challenge
respond_to_challenge
respond_to_challenge
respond_to_challenge_success
respond_to_challenge_success
respond_to_challenge_success
send_csr
send_csr
send_csr
Error: Unable to issue certificate. error=Error sending csr: status_code=400 response={'type': 'urn:ietf:params:acme:error:malformed', 'detail': 'Order\'s status ("invalid") was not pending', 'status': 400}
Error: Unable to issue certificate. error=Error sending csr: status_code=400 response={'type': 'urn:ietf:params:acme:error:malformed', 'detail': 'Order\'s status ("invalid") was not pending', 'status': 400}
Error: Unable to issue certificate. error=Error sending csr: status_code=400 response={'type': 'urn:ietf:params:acme:error:malformed', 'detail': 'Order\'s status ("invalid") was not pending', 'status': 400}
delete_dns_record
delete_dns_record
delete_dns_record
delete_dns_record_success
delete_dns_record_success
delete_dns_record_success
delete_dns_record
delete_dns_record
delete_dns_record
delete_dns_record_success
delete_dns_record_success
delete_dns_record_success
Traceback (most recent call last):
  File "bin/sewer", line 11, in <module>
    sys.exit(main())
  File "/home/paal/.venvs/sewer/lib/python3.6/site-packages/sewer/cli.py", line 204, in main
    certificate = client.cert()
  File "/home/paal/.venvs/sewer/lib/python3.6/site-packages/sewer/client.py", line 665, in cert
    return self.get_certificate()
  File "/home/paal/.venvs/sewer/lib/python3.6/site-packages/sewer/client.py", line 654, in get_certificate
    raise e
  File "/home/paal/.venvs/sewer/lib/python3.6/site-packages/sewer/client.py", line 649, in get_certificate
    certificate_url = self.send_csr(finalize_url)
  File "/home/paal/.venvs/sewer/lib/python3.6/site-packages/sewer/client.py", line 489, in send_csr
    response=self.log_response(send_csr_response)))
ValueError: Error sending csr: status_code=400 response={'type': 'urn:ietf:params:acme:error:malformed', 'detail': 'Order\'s status ("invalid") was not pending', 'status': 400}

clear pending authorizations

if you try to get a cert for a domain, and acme issues an acme_challenge, you add it to DNS
but before acme can validate it you abort the operation.

Now, if you try to get a certificate again, you'll get an error:

check_challenge_status_response 
{u'status': 403, u'type': u'urn:acme:error:unauthorized', u'detail': u'No TXT record found at _acme-challenge.www.example.com'}, u'type': u'dns-01'}
ValueError: Error fetching signed certificate: status_code=403 response={u'status': 403, u'type': u'urn:acme:error:unauthorized', u'detail': u'Error creating new cert :: authorizations for these names not found or expired: example.com'}

This is because we already have a pending authorization (from that time we aborted).
Sewer should attempt to clear all/any pending authz at the start

Add a distinct User-Agent header to Sewer's ACME requests

Hi there, thanks for all of your work on this client! 🎉

Occasionally Let's Encrypt bumps into problems with requests from specific ACME clients. When that happens, it's much easier to diagnose if the client sends a distinct user-agent following the recommendations from the ACME spec.

Section 6.1 of ACME Draft-07 has this "SHOULD" recommendation for clients that would be a good starting point:

ACME clients SHOULD send a User-Agent header in accordance with [RFC7231], including the name and version of the ACME software in addition to the name and version of the underlying HTTP client
software.

Would you be willing to add a UA header to Sewer? Thanks so much!

pending authorization prevent issuance of certificate

Which version of python are you using?

2

What operating system and version of operating system are you using?

ubuntu

What version of sewer are you using?

0.1.8

What did you do? (be as detailed as you can)

try get certificate

What did you expect to see/happen/not happen?

get cert

What did you actually see/happen?

didn't get cert

Paste here the log output generated by sewer, if any. Please remember to remove any sensitive items from the log before pasting here.

this is cause there are pending authz and we either have to for them to clear https://letsencrypt.org/docs/rate-limits/

Get intermediate certificate

Hi
Can you please inform me how can I get the:

  • intermediate certificate
  • chain certificate

Also, why when the result of certificate = self.download_certificate(certificate_url) are 2 certificates? Can you help me to identify each one?

Thank you very much

sewer-cli gets stuck at checking challenge

Which version of python are you using?

2

What operating system and version of operating system are you using?

ubuntu 16.04

What version of sewer are you using?

0.1.6

What did you do? (be as detailed as you can)

use sewer from cli to try and get certificates

What did you expect to see/happen/not happen?

  • get certificates

What did you actually see/happen?

sewer cli got stuck at check_challenge

2017-07-15 12:08.44 make_signed_acme_request       ACME_CERTIFICATE_AUTHORITY_URL=https://acme-v01.api.letsencrypt.org client_name=ACMEclient domain_name=example.com
2017-07-15 12:08.44 get_acme_header                ACME_CERTIFICATE_AUTHORITY_URL=https://acme-v01.api.letsencrypt.org client_name=ACMEclient domain_name=example.com
2017-07-15 12:08.44 sign_message                   ACME_CERTIFICATE_AUTHORITY_URL=https://acme-v01.api.letsencrypt.org client_name=ACMEclient domain_name=example.com
2017-07-15 12:08.44 check_challenge                ACME_CERTIFICATE_AUTHORITY_URL=https://acme-v01.api.letsencrypt.org client_name=ACMEclient domain_name=example.com

validate domain name

We should validate the users input especially for domain name. We need to ensure that they are domain/subdomain names and not urls etc.

Alternatively, we could have users enter whatever they want we try and extract domain names from there.
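One way to do the validation this issue asks for, as an added example rather than sewer's own code: accept domain or subdomain names (optionally with one leading wildcard label), reject anything URL-shaped, and return a normalised ASCII name. The label rules follow RFC 1035 limits; function and regex names are my own.

```python
import re

# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def validate_domain_name(value):
    """Return the normalised (lower-case, IDNA-encoded) domain name, or raise
    ValueError. URLs, paths, ports, userinfo and IPv4 literals are rejected;
    a single leading '*.' is allowed for wildcard certificates."""
    if not isinstance(value, str) or not value.strip():
        raise ValueError("empty domain name")
    name = value.strip().lower()
    if "://" in name or any(c in name for c in "/?#@: \t"):
        raise ValueError("looks like a URL, not a domain name: %r" % value)
    name = name.rstrip(".")          # accept an FQDN with trailing dot
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]
    if "*" in name:
        raise ValueError("wildcard allowed only as the leftmost label: %r" % value)
    try:
        ascii_name = name.encode("idna").decode("ascii")
    except UnicodeError:
        raise ValueError("invalid or over-long label in %r" % value)
    if len(ascii_name) > 253:
        raise ValueError("domain name too long: %r" % value)
    labels = ascii_name.split(".")
    if len(labels) < 2:
        raise ValueError("need at least two labels: %r" % value)
    for label in labels:
        if not LABEL_RE.match(label):
            raise ValueError("invalid label %r in %r" % (label, value))
    if labels[-1].isdigit():         # all-numeric TLD means an IPv4 literal
        raise ValueError("IP address literal not allowed: %r" % value)
    return ("*." if wildcard else "") + ascii_name


def is_valid_domain_name(value):
    """Boolean wrapper around validate_domain_name."""
    try:
        validate_domain_name(value)
        return True
    except ValueError:
        return False
```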
