begin implementing OCSP checking for "certificates"

2026-05-28 04:34:11 -04:00 · 2016-12-21 14:38:20 -08:00 · 2016-12-21 14:38:20 -08:00 · 40e29bb95f
commit 40e29bb95f
parent 15d2a0ffde
2 changed files with 16 additions and 6 deletions
--- a/certbot/cert_manager.py
+++ b/certbot/cert_manager.py
@ -8,6 +8,7 @@ import zope.component

 from certbot import errors
 from certbot import interfaces
+from certbot import ocsp
 from certbot import storage
 from certbot import util

@ -170,11 +171,17 @@ def _report_human_readable(parsed_certs):
    certinfo = []
    for cert in parsed_certs:
        now = pytz.UTC.fromutc(datetime.datetime.utcnow())
+        expiration_text = ""
        if cert.is_test_cert:
            expiration_text = "INVALID: TEST CERT"
        elif cert.target_expiry <= now:
            expiration_text = "INVALID: EXPIRED"
        else:
+            revoked = ocsp.revoked_status(cert.cert, cert.chain)
+            if revoked:
+                expiration_text = "INVALID: " + revoked
+
+        if not expiration_text:
            diff = cert.target_expiry - now
            if diff.days == 1:
                expiration_text = "VALID: 1 day"
@ -182,6 +189,7 @@ def _report_human_readable(parsed_certs):
                expiration_text = "VALID: {0} hour(s)".format(diff.seconds // 3600)
            else:
                expiration_text = "VALID: {0} days".format(diff.days)
+
        valid_string = "{0} ({1})".format(cert.target_expiry, expiration_text)
        certinfo.append("  Certificate Name: {0}\n"
                        "    Domains: {1}\n"
--- a/certbot/ocsp.py
+++ b/certbot/ocsp.py
@ -1,8 +1,8 @@
+"""Tools for checking certificate revocation."""
 import logging

-from letsencrypt import errors
-from letsencrypt import le_util
-
+from certbot import errors
+from certbot import util

 logger = logging.getLogger(__name__)

@ -10,6 +10,9 @@ logger = logging.getLogger(__name__)
 REV_LABEL = "**Revoked**"
 EXP_LABEL = "**Expired**"

+INSTALL_LABEL = "(Installed)"
+
+
 def revoked_status(cert_path, chain_path):
    """Get revoked status for a particular cert version.

@ -19,7 +22,7 @@ def revoked_status(cert_path, chain_path):
    :param str chain_path: Path to chain certificate

    """
-    url, _ = le_util.run_script(
+    url, _ = util.run_script(
        ["openssl", "x509", "-in", cert_path, "-noout", "-ocsp_uri"])

    url = url.rstrip()
@ -31,7 +34,7 @@ def revoked_status(cert_path, chain_path):
    # This was a PITA...
    # Thanks to "Bulletproof SSL and TLS - Ivan Ristic" for helping me out
    try:
-        output, _ = le_util.run_script(
+        output, _ = util.run_script(
            ["openssl", "ocsp",
            "-no_nonce", "-header", "Host", host,
            "-issuer", chain_path,
@ -56,4 +59,3 @@ def _translate_ocsp_query(cert_path, ocsp_output):
        raise errors.Error(
            "Unable to properly parse OCSP output: %s", ocsp_output)

-