From: ale
Date: Fri, 7 Feb 2014 18:56:50 +0000 (+0000)
Subject: always revoke the certificate, even if it is already expired
X-Git-Url: https://v.licheni.net/stack/cam.git/commitdiff_plain/09eeaa8aa8624de64ea1860f79a3075dd1875c5f?ds=inline;hp=2397de7d1d5a2617b9a72e087d4514c7203a3e21
always revoke the certificate, even if it is already expired
---
diff --git a/cam/ca.py b/cam/ca.py
index f8a202f..0bf7fcf 100644
--- a/cam/ca.py
+++ b/cam/ca.py
@@ -160,7 +160,10 @@ class CA(object):
 expiry = cert.get_expiration_date()
 if expiry and expiry > time.time():
- log.warn('certificate is still valid, revoking previous version')
+ log.warn('certificate is still valid')
+
+ if cert.exists():
+ log.warn('revoking previous version')
 self.revoke(cert)
 log.info('generating new certificate %s', cert.name)
diff --git a/cam/cert.py b/cam/cert.py
index 9254fb0..9aab798 100644
--- a/cam/cert.py
+++ b/cam/cert.py
@@ -32,8 +32,11 @@ class Cert(object):
 self.private_key_file = os.path.join(ca.basedir, 'private', '%s.key' % name)
+ def exists(self):
+ return os.path.exists(self.public_key_file)
+
 def get_fingerprint(self, digest='sha1'):
- if os.path.exists(self.public_key_file):
+ if self.exists():
 output = openssl_wrap.run('x509', '-in', self.public_key_file, '-noout', '-fingerprint', '-%s' % digest)
 m = re.search(r'=(.*)$', output)
@@ -42,7 +45,7 @@ class Cert(object):
 return None
 def get_expiration_date(self):
- if os.path.exists(self.public_key_file):
+ if self.exists():
 output = openssl_wrap.run('x509', '-in', self.public_key_file, '-noout', '-dates')
 m = re.search(r'notAfter=(.*)', output)
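Review bot: The new `log.warn('revoking previous version')` line in cam/ca.py does not name the certificate being revoked, although the `log.info('generating new certificate %s', cert.name)` call just after it does. Revocation is the event an auditor will search the log for, so I would write `log.warn('revoking previous version of %s', cert.name)` and add the name to `log.warn('certificate is still valid')` in the same way. Separately, `self.revoke(cert)` now also runs for certificates that have already expired, and how it reports failure is not visible here. If it can raise for an entry the CA no longer treats as valid, that would presumably abort the renewal, which is worth confirming. The enclosing method starts and ends outside the hunk.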
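Review bot: The new `exists()` helper in cam/cert.py has no docstring and tests only `public_key_file`, although the constructor lines just above also set `private_key_file`, so the name promises more than it checks. Since cam/ca.py now relies on it to decide whether to revoke, I would add a docstring such as `"""Return True if the certificate file is present on disk (the private key is not checked)."""`. `os.path.exists` is also true for a directory at that path, so `return os.path.isfile(self.public_key_file)` would be the stricter test. The same helper replaces the inline check in `get_expiration_date` in the following hunk, whose body continues past the end of that hunk.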