Commit c15f6a11 authored by Vincent Pelletier's avatar Vincent Pelletier

cli.updater: Split next_deadline computation.

Also, document why CA certificate expiration is not tracked explicitly.
parent c2fdf7d2
......@@ -732,6 +732,7 @@ def updater(argv=None, until=utils.until):
'%Y-%m-%d %H:%M:%S +0000'
)
now = until(next_deadline)
next_deadline = now + max_sleep
if args.cas_ca != args.ca and updateCAFile(cas_url, args.cas_ca):
client = CaucaseClient(
ca_url=ca_url,
......@@ -740,6 +741,9 @@ def updater(argv=None, until=utils.until):
if updateCAFile(ca_url, args.ca):
print 'Got new CA'
updated = True
# Note: CRL expiration should happen several time during CA renewal
# period, so it should not be needed to keep track of CA expiration
# for next deadline.
ca_crt_list = [
utils.load_ca_certificate(x)
for x in utils.getCertList(args.ca)
......@@ -747,10 +751,13 @@ def updater(argv=None, until=utils.until):
if updateCRLFile(ca_url, args.crl, ca_crt_list):
print 'Got new CRL'
updated = True
next_deadline = min(
next_deadline,
utils.load_crl(open(args.crl).read(), ca_crt_list).next_update,
)
crt_pem, key_pem, key_path = utils.getKeyPair(args.crt, args.key)
crt = utils.load_certificate(crt_pem, ca_crt_list, None)
next_deadline = crt.not_valid_after - threshold
if next_deadline <= now:
if crt.not_valid_after - threshold <= now:
print 'Renewing', args.crt
new_key_pem, new_crt_pem = client.renewCertificate(
old_crt=crt,
......@@ -771,11 +778,11 @@ def updater(argv=None, until=utils.until):
) as key_file:
key_file.write(new_key_pem)
crt_file.write(new_crt_pem)
crt = utils.load_certificate(utils.getCert(args.crt), ca_crt_list, None)
updated = True
next_deadline = min(
next_deadline,
utils.load_crl(open(args.crl).read(), ca_crt_list).next_update,
now + max_sleep,
crt.not_valid_after - threshold,
)
if updated:
if args.on_renew is not None:
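Review bot: The CRL is re-read through `open(args.crl).read()` on the new line in the third hunk (`utils.load_crl(open(args.crl).read(), ca_crt_list).next_update`), which leaves the file object to be closed whenever the interpreter gets to it; the last hunk drops the same call from the final `min`, so this is now the only place it appears. Read it under a context manager and keep only the value: `with open(args.crl) as crl_file:` / `crl_next_update = utils.load_crl(crl_file.read(), ca_crt_list).next_update` / `next_deadline = min(next_deadline, crl_next_update)`. Whether that `min` now runs only when `updateCRLFile` returned a new CRL cannot be told from the rendered hunk because the indentation is lost; if it does, a CRL that was not refreshed no longer bounds the deadline and the wait is capped by `max_sleep` alone, which is worth a comment either way, and if `next_update` can already be in the past when the CA keeps serving a stale CRL, `until(next_deadline)` presumably returns at once and the loop retries without pause. The new comment in the second hunk reads `several time`; `several times` is meant. `updater` begins and ends outside these hunks.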