Posted to issues@trafficcontrol.apache.org by GitBox <gi...@apache.org> on 2021/02/11 22:51:19 UTC

[GitHub] [trafficcontrol] mattjackson220 opened a new pull request #5514: Acme auto renew

mattjackson220 opened a new pull request #5514:
URL: https://github.com/apache/trafficcontrol/pull/5514


   ## What does this PR (Pull Request) do?
   
   - [x] This PR is not related to any Issue
   This PR updates the certificate autorenewal script to include ACME providers (previously only did Let's Encrypt)
   
   
   ## Which Traffic Control components are affected by this PR?
   
   - Documentation
   - Traffic Ops
   
   ## What is the best way to verify this PR?
   
   Set up the necessary information in cdn.conf to allow automatic renewals
   Make sure you have delivery services that have ACME certificates (and other types as well for testing)
   Do a POST against the `acme_autorenew` endpoint or put in the username and password and set up the cron job to run
   Verify that all expiring certs for ACME and Let's Encrypt are renewed and a summary email is sent if that is set up
   Verify that docs build and look good
   
   ## If this is a bug fix, what versions of Traffic Control are affected?
   
   
   ## The following criteria are ALL met by this PR
   
   
   Tests are not included since this is entirely dependent on 3rd parties
   
   - [x] This PR includes tests OR I have explained why tests are unnecessary
   - [x] This PR includes documentation OR I have explained why documentation is unnecessary
   - [x] This PR includes an update to CHANGELOG.md OR such an update is not necessary
   - [x] This PR includes any and all required license headers
   - [x] This PR **DOES NOT FIX A SERIOUS SECURITY VULNERABILITY** (see [the Apache Software Foundation's security guidelines](https://www.apache.org/security/) for details)
   
   
   ## Additional Information
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [trafficcontrol] ocket8888 commented on a change in pull request #5514: Acme auto renew

Posted by GitBox <gi...@apache.org>.
ocket8888 commented on a change in pull request #5514:
URL: https://github.com/apache/trafficcontrol/pull/5514#discussion_r577068721



##########
File path: docs/source/api/v1/letsencrypt_autorenew.rst
##########
@@ -36,54 +36,20 @@ No parameters available
 
 Response Structure
 ------------------
-:LetsEncryptExpirations: A list of objects with information regarding certificate expiration for all Let's Encrypt certificates
-
-	:XmlId:       The :term:`Delivery Service`'s uniquely identifying :ref:`ds-xmlid`
-	:Version:     An integer that defines the "version" of the key - which may be thought of as the sequential generation; that is, the higher the number the more recent the key
-	:Expiration:  The expiration date of the certificate for the :term:`Delivery Service` in :rfc:`3339` format
-	:AuthType:    The authority type of the certificate for the :term:`Delivery Service`
-	:Error:       Any errors received in the renewal process
-
-:SelfSignedExpirations:  A list of objects with information regarding certificate expiration for all self signed certificates
-
-	:XmlId:       The :term:`Delivery Service`'s uniquely identifying :ref:`ds-xmlid`
-	:Version:     An integer that defines the "version" of the key - which may be thought of as the sequential generation; that is, the higher the number the more recent the key
-	:Expiration:  The expiration date of the certificate for the :term:`Delivery Service` in :rfc:`3339` format
-	:AuthType:    The authority type of the certificate for the :term:`Delivery Service`
-	:Error:       Any errors received in the renewal process
-
-:OtherExpirations:       A list of objects with information regarding certificate expiration for all other certificates
-
-	:XmlId:       The :term:`Delivery Service`'s uniquely identifying :ref:`ds-xmlid`
-	:Version:     An integer that defines the "version" of the key - which may be thought of as the sequential generation; that is, the higher the number the more recent the key
-	:Expiration:  The expiration date of the certificate for the :term:`Delivery Service` in :rfc:`3339` format
-	:AuthType:    The authority type of the certificate for the :term:`Delivery Service`
-	:Error:       Any errors received in the renewal process
 
 .. code-block:: http
 	:caption: Response Example
 
 	HTTP/1.1 200 OK
 	Content-Type: application/json
 
-	{ "response": {
-		"LetsEncryptExpirations": [
-			{
-				"XmlId":"demo2",
-				"Version":1,
-				"Expiration":"2020-08-18T13:53:06Z",
-				"AuthType":"Lets Encrypt",
-				"Error":null
-			}
-		],
-		"SelfSignedExpirations": [
-			{
-				"XmlId":"demo1",
-				"Version":3,
-				"Expiration":"2020-08-18T13:53:06Z",
-				"AuthType":"Self Signed",
-				"Error":null
-			}
-		],
-		"OtherExpirations":null
-	}}
+	{ "alerts": [
+		{
+			"text": "This endpoint is deprecated, please use letsencrypt/autorenew instead",
+			"level": "warning"
+		},
+		{
+			"text": "Beginning async call to renew certificates.  This may take a few minutes.",
+			"level": "success"
+		}
+	]}
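
Review bot: After this hunk the `Response Structure` heading in `letsencrypt_autorenew.rst` has nothing under it except the example, because every field list was removed. Add one sentence under the heading saying that the body carries only `alerts` and no `response` object, so readers of the v1 docs do not go looking for the expiration lists.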

Review comment:
       alright, in that case: good work fixing it







[GitHub] [trafficcontrol] ocket8888 commented on a change in pull request #5514: Acme auto renew

Posted by GitBox <gi...@apache.org>.
ocket8888 commented on a change in pull request #5514:
URL: https://github.com/apache/trafficcontrol/pull/5514#discussion_r577066210



##########
File path: traffic_ops/traffic_ops_golang/deliveryservice/acme.go
##########
@@ -192,7 +191,8 @@ func renewAcmeCerts(cfg *config.Config, dsName string, ctx context.Context, curr
 	return nil, nil, http.StatusOK
 }
 
-func getAcmeAccountConfig(cfg *config.Config, acmeProvider string) *config.ConfigAcmeAccount {
+// GetAcmeAccountConfig returns the ACME account information from cdn.conf for a given provider
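
Review bot: The new doc comment on `GetAcmeAccountConfig` does not say what the caller gets when `acmeProvider` matches no account in cdn.conf. The removed signature returns a `*config.ConfigAcmeAccount`, so state whether that is `nil`; the capitalised name in the comment suggests the function is now exported, and callers outside the package need to know to check.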

Review comment:
       GoDoc comments should end with a `.`

##########
File path: traffic_ops/traffic_ops_golang/deliveryservice/autorenewcerts.go
##########
@@ -91,7 +102,16 @@ func RenewCertificates(w http.ResponseWriter, r *http.Request) {
 
 	go RunAutorenewal(existingCerts, inf.Config, ctx, inf.User)
 
-	api.WriteRespAlert(w, r, tc.SuccessLevel, "Beginning async call to renew Let's Encrypt certificates.  This may take a few minutes.")
+	var alerts tc.Alerts
+	if deprecated {
+		alerts.AddAlerts(api.CreateDeprecationAlerts(deprecation))
+	}
+
+	alerts.AddAlert(tc.Alert{
+		Text:  "Beginning async call to renew certificates.  This may take a few minutes.",
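
Review bot: On the context line `go RunAutorenewal(existingCerts, inf.Config, ctx, inf.User)`, the goroutine outlives the handler, which writes its alerts and returns right after. If `ctx` is derived from the request's context it is cancelled at that point and the renewal can be cut short, so check that it is built from a background context with its own timeout.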

Review comment:
       Looks like an extra space here between "certificates." and "This"







[GitHub] [trafficcontrol] mattjackson220 commented on a change in pull request #5514: Acme auto renew

Posted by GitBox <gi...@apache.org>.
mattjackson220 commented on a change in pull request #5514:
URL: https://github.com/apache/trafficcontrol/pull/5514#discussion_r576932822



##########
File path: docs/source/api/v4/acme_autorenew.rst
##########
@@ -0,0 +1,49 @@
+..
+..
+.. Licensed under the Apache License, Version 2.0 (the "License");
+.. you may not use this file except in compliance with the License.
+.. You may obtain a copy of the License at
+..
+..     http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS,
+.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+.. See the License for the specific language governing permissions and
+.. limitations under the License.
+..
+
+.. _to-api-acnme-autorenew:
+
+******************
+``acme_autorenew``
+******************
+
+``POST``
+========
+Generates SSL certificates and private keys for all :term:`Delivery Services` that have certificates expiring within the configured time. This uses:abbr:`ACME (Automatic Certificate Management Environment)` or Let's Encrypt depending on the certificate.
+
+:Auth. Required: Yes
+:Roles Required: "admin" or "operations"
+:Response Type:  Object
+
+Request Structure
+-----------------
+No parameters available
+
+
+Response Structure
+------------------
+
+.. code-block:: http
+	:caption: Response Example
+
+	HTTP/1.1 200 OK
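
Review bot: In the `POST` description, `This uses:abbr:` has no space before the role, so the `:abbr:` role is not applied and the markup shows up in the rendered text. Insert a space so the sentence reads `This uses :abbr:` followed by the interpreted text.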

Review comment:
       Oh, that's good to know! I'll update these to 202 and then get a different PR in for the status endpoint!







[GitHub] [trafficcontrol] mattjackson220 commented on a change in pull request #5514: Acme auto renew

Posted by GitBox <gi...@apache.org>.
mattjackson220 commented on a change in pull request #5514:
URL: https://github.com/apache/trafficcontrol/pull/5514#discussion_r576932240



##########
File path: docs/source/api/v1/letsencrypt_autorenew.rst
##########
@@ -36,54 +36,20 @@ No parameters available
 
 Response Structure
 ------------------
-:LetsEncryptExpirations: A list of objects with information regarding certificate expiration for all Let's Encrypt certificates
-
-	:XmlId:       The :term:`Delivery Service`'s uniquely identifying :ref:`ds-xmlid`
-	:Version:     An integer that defines the "version" of the key - which may be thought of as the sequential generation; that is, the higher the number the more recent the key
-	:Expiration:  The expiration date of the certificate for the :term:`Delivery Service` in :rfc:`3339` format
-	:AuthType:    The authority type of the certificate for the :term:`Delivery Service`
-	:Error:       Any errors received in the renewal process
-
-:SelfSignedExpirations:  A list of objects with information regarding certificate expiration for all self signed certificates
-
-	:XmlId:       The :term:`Delivery Service`'s uniquely identifying :ref:`ds-xmlid`
-	:Version:     An integer that defines the "version" of the key - which may be thought of as the sequential generation; that is, the higher the number the more recent the key
-	:Expiration:  The expiration date of the certificate for the :term:`Delivery Service` in :rfc:`3339` format
-	:AuthType:    The authority type of the certificate for the :term:`Delivery Service`
-	:Error:       Any errors received in the renewal process
-
-:OtherExpirations:       A list of objects with information regarding certificate expiration for all other certificates
-
-	:XmlId:       The :term:`Delivery Service`'s uniquely identifying :ref:`ds-xmlid`
-	:Version:     An integer that defines the "version" of the key - which may be thought of as the sequential generation; that is, the higher the number the more recent the key
-	:Expiration:  The expiration date of the certificate for the :term:`Delivery Service` in :rfc:`3339` format
-	:AuthType:    The authority type of the certificate for the :term:`Delivery Service`
-	:Error:       Any errors received in the renewal process
 
 .. code-block:: http
 	:caption: Response Example
 
 	HTTP/1.1 200 OK
 	Content-Type: application/json
 
-	{ "response": {
-		"LetsEncryptExpirations": [
-			{
-				"XmlId":"demo2",
-				"Version":1,
-				"Expiration":"2020-08-18T13:53:06Z",
-				"AuthType":"Lets Encrypt",
-				"Error":null
-			}
-		],
-		"SelfSignedExpirations": [
-			{
-				"XmlId":"demo1",
-				"Version":3,
-				"Expiration":"2020-08-18T13:53:06Z",
-				"AuthType":"Self Signed",
-				"Error":null
-			}
-		],
-		"OtherExpirations":null
-	}}
+	{ "alerts": [
+		{
+			"text": "This endpoint is deprecated, please use letsencrypt/autorenew instead",
+			"level": "warning"
+		},
+		{
+			"text": "Beginning async call to renew certificates.  This may take a few minutes.",
+			"level": "success"
+		}
+	]}
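
Review bot: The deprecation alert in the new example says `please use letsencrypt/autorenew instead`, while the endpoint this pull request documents for the combined renewal is `acme_autorenew`. Confirm which replacement the v1 docs should name, and make the example text match what the handler actually emits.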

Review comment:
       I think these were just bad docs. The other way was the original plan, but then it took too long so I switched it to be async and the other info was sent in an email instead of as the response. I don't think that version was ever released.







[GitHub] [trafficcontrol] ocket8888 merged pull request #5514: Acme auto renew

Posted by GitBox <gi...@apache.org>.
ocket8888 merged pull request #5514:
URL: https://github.com/apache/trafficcontrol/pull/5514


   





[GitHub] [trafficcontrol] ocket8888 commented on a change in pull request #5514: Acme auto renew

Posted by GitBox <gi...@apache.org>.
ocket8888 commented on a change in pull request #5514:
URL: https://github.com/apache/trafficcontrol/pull/5514#discussion_r574889917



##########
File path: docs/source/api/v1/letsencrypt_autorenew.rst
##########
@@ -36,54 +36,20 @@ No parameters available
 
 Response Structure
 ------------------
-:LetsEncryptExpirations: A list of objects with information regarding certificate expiration for all Let's Encrypt certificates
-
-	:XmlId:       The :term:`Delivery Service`'s uniquely identifying :ref:`ds-xmlid`
-	:Version:     An integer that defines the "version" of the key - which may be thought of as the sequential generation; that is, the higher the number the more recent the key
-	:Expiration:  The expiration date of the certificate for the :term:`Delivery Service` in :rfc:`3339` format
-	:AuthType:    The authority type of the certificate for the :term:`Delivery Service`
-	:Error:       Any errors received in the renewal process
-
-:SelfSignedExpirations:  A list of objects with information regarding certificate expiration for all self signed certificates
-
-	:XmlId:       The :term:`Delivery Service`'s uniquely identifying :ref:`ds-xmlid`
-	:Version:     An integer that defines the "version" of the key - which may be thought of as the sequential generation; that is, the higher the number the more recent the key
-	:Expiration:  The expiration date of the certificate for the :term:`Delivery Service` in :rfc:`3339` format
-	:AuthType:    The authority type of the certificate for the :term:`Delivery Service`
-	:Error:       Any errors received in the renewal process
-
-:OtherExpirations:       A list of objects with information regarding certificate expiration for all other certificates
-
-	:XmlId:       The :term:`Delivery Service`'s uniquely identifying :ref:`ds-xmlid`
-	:Version:     An integer that defines the "version" of the key - which may be thought of as the sequential generation; that is, the higher the number the more recent the key
-	:Expiration:  The expiration date of the certificate for the :term:`Delivery Service` in :rfc:`3339` format
-	:AuthType:    The authority type of the certificate for the :term:`Delivery Service`
-	:Error:       Any errors received in the renewal process
 
 .. code-block:: http
 	:caption: Response Example
 
 	HTTP/1.1 200 OK
 	Content-Type: application/json
 
-	{ "response": {
-		"LetsEncryptExpirations": [
-			{
-				"XmlId":"demo2",
-				"Version":1,
-				"Expiration":"2020-08-18T13:53:06Z",
-				"AuthType":"Lets Encrypt",
-				"Error":null
-			}
-		],
-		"SelfSignedExpirations": [
-			{
-				"XmlId":"demo1",
-				"Version":3,
-				"Expiration":"2020-08-18T13:53:06Z",
-				"AuthType":"Self Signed",
-				"Error":null
-			}
-		],
-		"OtherExpirations":null
-	}}
+	{ "alerts": [
+		{
+			"text": "This endpoint is deprecated, please use letsencrypt/autorenew instead",
+			"level": "warning"
+		},
+		{
+			"text": "Beginning async call to renew certificates.  This may take a few minutes.",
+			"level": "success"
+		}
+	]}
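
Review bot: The second alert in the example is `"level": "success"` although its text only says the async call is beginning. State in this section that the alert confirms the job was started and that per-certificate results arrive in the summary e-mail, so a client does not treat the response as proof of renewal.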

Review comment:
       You can't change the response structure of old API versions. If there's really no way to meaningfully reproduce it, then you can just use meaningless data, but this is a breaking client change to a released API version.

##########
File path: docs/source/api/v4/acme_autorenew.rst
##########
@@ -0,0 +1,49 @@
+..
+..
+.. Licensed under the Apache License, Version 2.0 (the "License");
+.. you may not use this file except in compliance with the License.
+.. You may obtain a copy of the License at
+..
+..     http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS,
+.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+.. See the License for the specific language governing permissions and
+.. limitations under the License.
+..
+
+.. _to-api-acnme-autorenew:
+
+******************
+``acme_autorenew``
+******************
+
+``POST``
+========
+Generates SSL certificates and private keys for all :term:`Delivery Services` that have certificates expiring within the configured time. This uses:abbr:`ACME (Automatic Certificate Management Environment)` or Let's Encrypt depending on the certificate.
+
+:Auth. Required: Yes
+:Roles Required: "admin" or "operations"
+:Response Type:  Object
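
Review bot: The reference label `.. _to-api-acnme-autorenew:` misspells `acme` as `acnme`. Rename it to `to-api-acme-autorenew` before anything links to it with `:ref:`, otherwise the typo becomes part of every cross-reference.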

Review comment:
       I think the response type is actually `undefined` here.

##########
File path: docs/source/api/v4/acme_autorenew.rst
##########
@@ -0,0 +1,49 @@
+..
+..
+.. Licensed under the Apache License, Version 2.0 (the "License");
+.. you may not use this file except in compliance with the License.
+.. You may obtain a copy of the License at
+..
+..     http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS,
+.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+.. See the License for the specific language governing permissions and
+.. limitations under the License.
+..
+
+.. _to-api-acnme-autorenew:
+
+******************
+``acme_autorenew``
+******************
+
+``POST``
+========
+Generates SSL certificates and private keys for all :term:`Delivery Services` that have certificates expiring within the configured time. This uses:abbr:`ACME (Automatic Certificate Management Environment)` or Let's Encrypt depending on the certificate.
+
+:Auth. Required: Yes
+:Roles Required: "admin" or "operations"
+:Response Type:  Object
+
+Request Structure
+-----------------
+No parameters available
+
+
+Response Structure
+------------------
+
+.. code-block:: http
+	:caption: Response Example
+
+	HTTP/1.1 200 OK
+	Content-Type: application/json
+
+	{ "alerts": [
+      {
+         "text": "Beginning async call to renew certificates.  This may take a few minutes.",
+         "level": "success"
+      }
+	]}
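
Review bot: The `POST` description says certificates are renewed when "expiring within the configured time" but never names the setting. Name the cdn.conf property that controls the window (the admin docs in this pull request list `renew_days_before_expiration`) and link to it, so an operator can tell which certificates a call will touch.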

Review comment:
       indentation within code blocks can use spaces if you want, but the first indent that associates the code with the `.. code-block` directive **must** be a tab. I think in this particular case this won't render properly.

##########
File path: docs/source/api/v4/acme_autorenew.rst
##########
@@ -0,0 +1,49 @@
+..
+..
+.. Licensed under the Apache License, Version 2.0 (the "License");
+.. you may not use this file except in compliance with the License.
+.. You may obtain a copy of the License at
+..
+..     http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS,
+.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+.. See the License for the specific language governing permissions and
+.. limitations under the License.
+..
+
+.. _to-api-acnme-autorenew:
+
+******************
+``acme_autorenew``
+******************
+
+``POST``
+========
+Generates SSL certificates and private keys for all :term:`Delivery Services` that have certificates expiring within the configured time. This uses:abbr:`ACME (Automatic Certificate Management Environment)` or Let's Encrypt depending on the certificate.
+
+:Auth. Required: Yes
+:Roles Required: "admin" or "operations"
+:Response Type:  Object
+
+Request Structure
+-----------------
+No parameters available
+
+
+Response Structure
+------------------
+
+.. code-block:: http
+	:caption: Response Example
+
+	HTTP/1.1 200 OK

Review comment:
       From [the API guidelines](https://traffic-control-cdn.readthedocs.io/en/latest/development/api_guidelines.html#accepted): 
   
   > _"`202 Accepted` MUST be used when the server is performing some task asynchronously (e.g. refreshing DNSSEC keys) but the status of that task cannot be ascertained at the current time._"
   
   There's also:
   
   > _"Endpoints that create asynchronous jobs SHOULD provide a URI to which the client may send GET requests to obtain a representation of the job’s current state in the Location HTTP header. They MAY also provide an info-level Alert that provides the same or similar information in a more human-friendly manner."_
   
   and the section has more information on what that endpoint should look like, but that's totally optional, and can even be added at a later date in a different PR, if you want. Just wanted to put that on your radar.

##########
File path: docs/source/admin/traffic_ops.rst
##########
@@ -349,9 +356,7 @@ This file deals with the configuration parameters of running Traffic Ops itself.
 	.. versionadded:: 4.1
 
 	:user_email: A required email address to create an account with Let's Encrypt or to receive expiration updates. If this is not included then `rate limits <https://letsencrypt.org/docs/rate-limits>`_ may apply for the number of certificates.
-	:send_expiration_email: A boolean option to send email summarizing certificate expiration status
 	:convert_self_signed: A boolean option to convert self signed to Let's Encrypt certificates as they expire. This only works for certificates labeled as Self Signed in the Certificate Source field.
-	:renew_days_before_expiration: Set the number of days before expiration date to renew certificates.
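
Review bot: The two removed entries, `send_expiration_email` and `renew_days_before_expiration`, disappear from this section with no pointer to where they are documented now. If they moved to another block of cdn.conf, leave a short `.. deprecated::` note or cross-reference here so operators with existing configs can find the new location.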

Review comment:
       Removing these configuration file properties is a breaking change that needs a major release cycle deprecation period.
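
The `202 Accepted` pattern quoted from the API guidelines in the review above, as an added Go example that is not Traffic Ops code: a handler starts the renewal asynchronously, answers `202 Accepted` with a `Location` header and an info-level alert, and a status endpoint reports the job state. The `/async_status/{id}` path, the `jobStore` type and the `renewAll` stub are hypothetical names chosen for illustration.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"sync"
	"time"
)

// jobStore is a hypothetical in-memory record of async job states.
type jobStore struct {
	mu     sync.Mutex
	status map[int]string
	wg     sync.WaitGroup // lets the demo wait for background workers
}

func (s *jobStore) set(id int, state string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.status[id] = state
}

// renewAll is a hypothetical stand-in for the real renewal work.
func renewAll(ctx context.Context) error { return ctx.Err() }

// startRenewal answers 202 Accepted at once and names a status URI in Location.
func (s *jobStore) startRenewal(w http.ResponseWriter, r *http.Request) {
	s.mu.Lock()
	id := len(s.status) + 1 // jobs are never deleted, so this is unique
	s.status[id] = "PENDING"
	s.mu.Unlock()
	s.wg.Add(1)
	go func() {
		defer s.wg.Done()
		// Not r.Context(): the server cancels that once this handler returns.
		ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
		defer cancel()
		if err := renewAll(ctx); err != nil {
			s.set(id, "FAILED")
			return
		}
		s.set(id, "SUCCEEDED")
	}()
	loc := fmt.Sprintf("/async_status/%d", id)
	w.Header().Set("Location", loc)
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusAccepted)
	json.NewEncoder(w).Encode(map[string][]map[string]string{"alerts": {
		{"text": "Certificate renewal started; GET " + loc + " for its state.", "level": "info"},
	}})
}

// getStatus serves GET /async_status/{id} with the job's current state.
func (s *jobStore) getStatus(w http.ResponseWriter, r *http.Request) {
	id, _ := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/async_status/"))
	s.mu.Lock()
	state, ok := s.status[id]
	s.mu.Unlock()
	if !ok { // unknown or malformed id (Atoi yields 0, which is never issued)
		http.NotFound(w, r)
		return
	}
	json.NewEncoder(w).Encode(map[string]string{"status": state})
}

// demo drives both endpoints in-process and returns what a client observes.
func demo() (code int, location, final string) {
	s := &jobStore{status: map[int]string{}}
	rec := httptest.NewRecorder()
	s.startRenewal(rec, httptest.NewRequest(http.MethodPost, "/acme_autorenew", nil))
	s.wg.Wait() // let the background job finish before polling
	poll := httptest.NewRecorder()
	s.getStatus(poll, httptest.NewRequest(http.MethodGet, rec.Header().Get("Location"), nil))
	var body map[string]string
	json.NewDecoder(poll.Body).Decode(&body)
	return rec.Code, rec.Header().Get("Location"), body["status"]
}

func main() { fmt.Println(demo()) }
```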



