cli.updater: Split next_deadline computation.

Also, document why CA certificate expiration is not tracked explicitly.

cli.updater: Split next_deadline computation.
Also, document why CA certificate expiration is not tracked explicitly.
c15f6a11 · Vincent Pelletier · c2fdf7d2 · c15f6a11
Commit c15f6a11 authored May 04, 2018 by Vincent Pelletier
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 4 deletions

caucase/cli.py caucase/cli.py +11 -4

No files found.
--- a/caucase/cli.py
+++ b/caucase/cli.py
@@ -732,6 +732,7 @@ def updater(argv=None, until=utils.until):
        '%Y-%m-%d %H:%M:%S +0000'
      )
      now = until(next_deadline)
+      next_deadline = now + max_sleep
      if args.cas_ca != args.ca and updateCAFile(cas_url, args.cas_ca):
        client = CaucaseClient(
          ca_url=ca_url,
@@ -740,6 +741,9 @@ def updater(argv=None, until=utils.until):
      if updateCAFile(ca_url, args.ca):
        print 'Got new CA'
        updated = True
+        # Note: CRL expiration should happen several time during CA renewal
+        # period, so it should not be needed to keep track of CA expiration
+        # for next deadline.
      ca_crt_list = [
        utils.load_ca_certificate(x)
        for x in utils.getCertList(args.ca)
@@ -747,10 +751,13 @@ def updater(argv=None, until=utils.until):
      if updateCRLFile(ca_url, args.crl, ca_crt_list):
        print 'Got new CRL'
        updated = True
+        next_deadline = min(
+          next_deadline,
+          utils.load_crl(open(args.crl).read(), ca_crt_list).next_update,
+        )
      crt_pem, key_pem, key_path = utils.getKeyPair(args.crt, args.key)
      crt = utils.load_certificate(crt_pem, ca_crt_list, None)
-      next_deadline = crt.not_valid_after - threshold
+      if crt.not_valid_after - threshold <= now:
-      if next_deadline <= now:
        print 'Renewing', args.crt
        new_key_pem, new_crt_pem = client.renewCertificate(
          old_crt=crt,
@@ -771,11 +778,11 @@ def updater(argv=None, until=utils.until):
          ) as key_file:
            key_file.write(new_key_pem)
            crt_file.write(new_crt_pem)
+        crt = utils.load_certificate(utils.getCert(args.crt), ca_crt_list, None)
        updated = True
      next_deadline = min(
        next_deadline,
-        utils.load_crl(open(args.crl).read(), ca_crt_list).next_update,
+        crt.not_valid_after - threshold,
-        now + max_sleep,
      )
      if updated:
        if args.on_renew is not None: