Making certificate check more robust
Some operators may have externally managed certificates that do not conform to the originally expected certificate pattern of -----BEGIN CERTIFICATE----- foo -----END CERTIFICATE----- and may instead include additional information on the subject/issuer. In these cases the current regex will fail to load certs that can be parsed with the existing cfssl command. Addressing this by tightening up the regex prior to trying to obtain certificate information. Change-Id: Ief9993632718caa46b52761b49a97621f134ca53 Signed-off-by: Alexander Hughes <Alexander.Hughes@pm.me>
This commit is contained in:
parent
8ad13a330e
commit
452734fb72
@ -301,8 +301,9 @@ def check_cert_expiry(site_name, duration=60):
|
|||||||
if result['schema'] in cert_schemas:
|
if result['schema'] in cert_schemas:
|
||||||
text = result['data']
|
text = result['data']
|
||||||
header_pattern = '-----BEGIN CERTIFICATE-----'
|
header_pattern = '-----BEGIN CERTIFICATE-----'
|
||||||
find_pattern = r'%s.*?(?=%s|$)' % (
|
footer_pattern = '-----END CERTIFICATE-----'
|
||||||
header_pattern, header_pattern)
|
find_pattern = r'%s.*?%s' % (
|
||||||
|
header_pattern, footer_pattern)
|
||||||
certs = re.findall(find_pattern, text, re.DOTALL)
|
certs = re.findall(find_pattern, text, re.DOTALL)
|
||||||
for cert in certs:
|
for cert in certs:
|
||||||
cert_info = pki_util.check_expiry(cert)
|
cert_info = pki_util.check_expiry(cert)
|
||||||
|
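Review bot: The new `find_pattern = r'%s.*?%s'` under re.DOTALL still pairs a BEGIN marker with whatever END marker comes next, so a bundle containing a truncated entry (a BEGIN with no matching END) produces one match spanning two certificates; that blob is handed to pki_util.check_expiry as though it were a single cert and, whether or not that helper rejects it, the second certificate is never checked on its own. A PEM body is base64 and never contains a hyphen, so tightening the filler to `find_pattern = r'%s[^-]+%s' % (header_pattern, footer_pattern)` makes each match stop at the first END marker and drops such runs instead of merging them. Separately, when `certs` comes back empty for a document whose schema is in cert_schemas, the `for cert in certs:` loop silently does nothing and that document's expiry is never evaluated; a guard such as `if not certs:` that records the unparsed document (or raises) would make the failure visible rather than silent. check_cert_expiry begins before this hunk and its body continues past it.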