renew_cert merge requests
https://gitlab.domainepublic.net/Neutrinet/renew_cert/-/merge_requests
2023-09-29T16:11:07Z

Check ca server certificate expiration date
https://gitlab.domainepublic.net/Neutrinet/renew_cert/-/merge_requests/4
2023-09-29T16:11:07Z, HgO

Migrate to python3
https://gitlab.domainepublic.net/Neutrinet/renew_cert/-/merge_requests/1
2019-09-22T16:45:54Z, HgO
*Created by: hidrarga*
I'm proposing to move renew_from_cube.py, which was nothing more than a Yunohost wrapper for the renewal script, and to put it directly inside the [Neutrinet app](https://github.com/Neutrinet/neutrinet_ynh).
So, the main (and only) script is now renew.py, which you can safely run from your computer. If you want to run this script on a cube, there will be a bash script on the Neutrinet app repository. I'm just waiting for Ilja to make his own changes on the packaging stuff. I can also provide the bash script here meanwhile, so that you can review it, but we'll have to move it later on. Let me know what you prefer.
There are quite a lot of changes in this pull request:
- Use pyOpenSSL instead of making system calls to openssl
- Use Argparse, the built-in argument parser in python. I also added a bunch of parameters (see the README.md)
- Use the built-in python logger. By default it only displays info (and more critical) messages, but we can choose to display debug messages as well with the `-v` option.
- [Based on this article](https://www.peterbe.com/plog/best-practice-with-retries-with-requests), use a retry session for the queries to the Neutrinet API
- Check that the public part of the client certificate (when provided) will be soon expired before starting the renewal. Before the migration, this task was done by the renew_from_cube.py script, but it's better to move it here, because when you run it on your computer, you'd expect that the script checks the expiration date before renewing.
- Let the user provide the target directory. This part is necessary for the Neutrinet app that will renew the certificates on the cube, because otherwise it would be too difficult to get back the newly generated target directory… Note that when you don't provide the target directory, the directory is generated as before.
- Remove the dependency on StringIO [as it is not needed in python3](https://stackoverflow.com/questions/11914472/stringio-in-python3), and use BytesIO instead.
I successfully tested the script on my machine and on a cube.

Fix install documentation
https://gitlab.domainepublic.net/Neutrinet/renew_cert/-/merge_requests/2
2019-09-28T10:41:04Z, HgO
*Created by: hidrarga*
As @Psycojoker pointed out, I forgot to adapt the install steps for python3.
I'm also adding the software requirements needed by pyOpenSSL.

Correct CN field certificate
https://gitlab.domainepublic.net/Neutrinet/renew_cert/-/merge_requests/3
2020-04-28T15:40:12Z, Tharyrok
For ispng to recognize the certificate as a renewal and not as a new client, the CN field of the certificate must match.
When the CN changes, ISPng can become crazy and not recognize the client. Instead, it will create a brand new IPv6-only client.
The idea is to retrieve the CN from ISPng for the first IPv4 client that we find.
If there isn't any IPv4 client, then we retrieve the CN from the first IPv6-only client.
Otherwise, we set the CN to the user's login.
This MR introduces some new arguments:
- `-f --force`: Force the certificate renewal, even when it's not needed
- `-e --email`: Set the certificate's email. This might be useful for debugging.
- `-n --common_name`: Set the certificate's CN. With this argument, we can override the CN discovery described above, which might be useful for debugging.
A bug might still occur if the user has more than one IPv4 client... A workaround would be to search for a client with the current tun0 IP, but we don't really know if this case actually exists...