Making certificate check more robust

Some operators may have externally managed certificates that do not
conform to the originally expected certificate pattern of

-----BEGIN CERTIFICATE-----
foo
-----END CERTIFICATE-----

and may instead include additional information on the subject/issuer. In
these cases the current regex will fail to load certs that can be parsed
with the existing cfssl command. Addressing this by tightening up the
regex prior to trying to obtain certificate information.

Change-Id: Ief9993632718caa46b52761b49a97621f134ca53
Signed-off-by: Alexander Hughes <Alexander.Hughes@pm.me>
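To make the behaviour described in the commit message concrete, here is a small added example that is not part of the change itself: it runs the pre-commit regex (header up to the next header or end of text) and the post-commit regex (header through footer) over a constructed bundle carrying Subject/Issuer annotations, and it also shows one caveat the commit does not address, a bundle whose first block lacks its END line. The `STRICT_PATTERN` shown is an assumption of this example, not something in the project.

```python
import re

HEADER = '-----BEGIN CERTIFICATE-----'
FOOTER = '-----END CERTIFICATE-----'

# Pattern used before the commit: from a header up to the next header (or the
# end of the text), so any annotation text after a cert's END line is swept in.
OLD_PATTERN = r'%s.*?(?=%s|$)' % (HEADER, HEADER)

# Pattern introduced by the commit: from a header through the next footer.
NEW_PATTERN = r'%s.*?%s' % (HEADER, FOOTER)

# Assumed stricter variant (not part of the commit): only base64 characters and
# whitespace may appear between header and footer, so a match can never span
# from one block into the next.
STRICT_PATTERN = r'%s[A-Za-z0-9+/=\s]+?%s' % (HEADER, FOOTER)

# Constructed sample bundle, not real certificate material: two PEM blocks with
# Subject/Issuer annotations, as an externally managed CA bundle might carry.
SAMPLE_BUNDLE = """\
Subject: CN=example-root (constructed)
Issuer: CN=example-root (constructed)
-----BEGIN CERTIFICATE-----
MIIBAAAA
-----END CERTIFICATE-----
Subject: CN=example-intermediate (constructed)
Issuer: CN=example-root (constructed)
-----BEGIN CERTIFICATE-----
MIIBBBBB
-----END CERTIFICATE-----
"""

# Constructed bundle whose first block is missing its END line.
TRUNCATED_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBAAAA
Subject: CN=example-intermediate (constructed)
-----BEGIN CERTIFICATE-----
MIIBBBBB
-----END CERTIFICATE-----
"""


def extract_certs(text, pattern):
    """Return every block the given pattern captures, as the page's code does."""
    return re.findall(pattern, text, re.DOTALL)


def has_trailing_annotation(cert):
    """True if a captured block carries text after its END line."""
    return not cert.rstrip().endswith(FOOTER)


if __name__ == '__main__':
    for name, pattern in (('old', OLD_PATTERN), ('new', NEW_PATTERN),
                          ('strict', STRICT_PATTERN)):
        blocks = extract_certs(SAMPLE_BUNDLE, pattern)
        print(name, 'annotated bundle:', len(blocks), 'block(s),',
              sum(has_trailing_annotation(b) for b in blocks), 'with trailing text')
        blocks = extract_certs(TRUNCATED_BUNDLE, pattern)
        print(name, 'truncated bundle:', len(blocks), 'block(s),',
              sum('Subject:' in b for b in blocks), 'spanning two blocks')
```

On the annotated bundle the old pattern returns two blocks, the first of which drags the following Subject/Issuer lines along with it, while the new pattern returns two clean header-to-footer blocks. On the truncated bundle the new pattern still returns a single match that runs from the first BEGIN to the second END, because `.*?` under `re.DOTALL` accepts anything; the base64-only body of `STRICT_PATTERN` skips the broken block and returns only the intact one.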
Alexander Hughes 2020-12-29 15:21:45 -05:00
parent 8ad13a330e
commit 452734fb72


@ -301,8 +301,9 @@ def check_cert_expiry(site_name, duration=60):
if result['schema'] in cert_schemas: if result['schema'] in cert_schemas:
text = result['data'] text = result['data']
header_pattern = '-----BEGIN CERTIFICATE-----' header_pattern = '-----BEGIN CERTIFICATE-----'
find_pattern = r'%s.*?(?=%s|$)' % ( footer_pattern = '-----END CERTIFICATE-----'
header_pattern, header_pattern) find_pattern = r'%s.*?%s' % (
header_pattern, footer_pattern)
certs = re.findall(find_pattern, text, re.DOTALL) certs = re.findall(find_pattern, text, re.DOTALL)
for cert in certs: for cert in certs:
cert_info = pki_util.check_expiry(cert) cert_info = pki_util.check_expiry(cert)
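Review bot: the new `find_pattern` still pairs `.*?` with `re.DOTALL`, so a block that has a `-----BEGIN CERTIFICATE-----` line but no matching END line (a truncated entry in an externally managed bundle) is absorbed up to the next block's footer and a two-certificate blob reaches `pki_util.check_expiry(cert)`; restricting the body to base64 and whitespace, e.g. `find_pattern = r'%s[A-Za-z0-9+/=\s]+?%s' % (header_pattern, footer_pattern)`, keeps every match to a single PEM block. A unit test with Subject/Issuer annotations between certificates, the case the commit message describes, would also document why the lookahead form was replaced.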