Commit 59a9d02f authored by Joshua Tauberer's avatar Joshua Tauberer

check that installed certificates are for the domains we are using the certificates for

parent 3d4eadd4
......@@ -108,7 +108,7 @@ def buy_ssl_certificate(api_key, domain, command, env):
# Check before we overwrite something we shouldn't.
if os.path.exists(ssl_certificate):
cert_status = check_certificate(ssl_certificate)
cert_status = check_certificate(None, ssl_certificate)
if cert_status != "SELF-SIGNED":
print("Please back up and delete the file %s so I can save your new certificate." % ssl_certificate)
sys.exit(1)
......
......@@ -223,7 +223,7 @@ def check_ssl_cert(domain, env):
# Check that the certificate is good.
cert_status = check_certificate(ssl_certificate)
cert_status = check_certificate(domain, ssl_certificate)
if cert_status == "SELF-SIGNED":
fingerprint = shell('check_output', [
......@@ -265,9 +265,44 @@ def check_ssl_cert(domain, env):
print(cert_status)
print("")
def check_certificate(ssl_certificate):
def check_certificate(domain ,ssl_certificate):
# Use openssl verify to check the status of a certificate.
# First check that the certificate is for the right domain. The domain
# must be found in the Subject Common Name (CN) or be one of the
# Subject Alternative Names.
cert_dump = shell('check_output', [
"openssl", "x509",
"-in", ssl_certificate,
"-noout", "-text", "-nameopt", "rfc2253",
])
cert_dump = cert_dump.split("\n")
certificate_names = set()
while len(cert_dump) > 0:
line = cert_dump.pop(0)
# Grab from the Subject Common Name. We include the indentation
# at the start of the line in case maybe the cert includes the
# common name of some other referenced entity (which would be
# indented, I hope).
m = re.match(" Subject: CN=([^,]+)", line)
if m:
certificate_names.add(m.group(1))
# Grab from the Subject Alternative Name, which is a comma-delim
# list of names, like DNS:mydomain.com, DNS:otherdomain.com.
m = re.match(" X509v3 Subject Alternative Name:", line)
if m:
names = re.split(",\s*", cert_dump.pop(0).strip())
for n in names:
m = re.match("DNS:(.*)", n)
if m:
certificate_names.add(m.group(1))
if domain is not None and domain not in certificate_names:
return "This certificate is for the wrong domain names. It is for %s." % \
", ".join(sorted(certificate_names))
# In order to verify with openssl, we need to split out any
# intermediary certificates in the chain (if any) from our
# certificate (at the top). They need to be passed separately.
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment