Speed up status checks a bit by removing a redundant check if the PRIMARY_HOSTNAME certificate is signed and valid

This commit is contained in:
Joshua Tauberer 2021-04-12 18:46:35 -04:00
parent 178c587654
commit 8cda58fb22
1 changed files with 12 additions and 14 deletions

View File

@ -127,6 +127,10 @@ def build_zones(env):
from web_update import get_web_domains from web_update import get_web_domains
www_redirect_domains = set(get_web_domains(env)) - set(get_web_domains(env, include_www_redirects=False)) www_redirect_domains = set(get_web_domains(env)) - set(get_web_domains(env, include_www_redirects=False))
# For MTA-STS, we'll need to check if the PRIMARY_HOSTNAME certificate is
# singned and valid. Check that now rather than repeatedly for each domain.
env["-primary-hostname-certificate-is-valid"] = is_domain_cert_signed_and_valid(env["PRIMARY_HOSTNAME"], env)
# Build DNS records for each zone. # Build DNS records for each zone.
for domain, zonefile in zonefiles: for domain, zonefile in zonefiles:
# Build the records to put in the zone. # Build the records to put in the zone.
@ -322,24 +326,11 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
# certificate in use is not valid (e.g. because it is self-signed and a valid certificate has not # certificate in use is not valid (e.g. because it is self-signed and a valid certificate has not
# yet been provisioned). Since we cannot provision a certificate without A/AAAA records, we # yet been provisioned). Since we cannot provision a certificate without A/AAAA records, we
# always set them --- only the TXT records depend on there being valid certificates. # always set them --- only the TXT records depend on there being valid certificates.
mta_sts_enabled = False
mta_sts_records = [ mta_sts_records = [
("mta-sts", "A", env["PUBLIC_IP"], "Optional. MTA-STS Policy Host serving /.well-known/mta-sts.txt."), ("mta-sts", "A", env["PUBLIC_IP"], "Optional. MTA-STS Policy Host serving /.well-known/mta-sts.txt."),
("mta-sts", "AAAA", env.get('PUBLIC_IPV6'), "Optional. MTA-STS Policy Host serving /.well-known/mta-sts.txt."), ("mta-sts", "AAAA", env.get('PUBLIC_IPV6'), "Optional. MTA-STS Policy Host serving /.well-known/mta-sts.txt."),
] ]
if domain in get_mail_domains(env): if domain in get_mail_domains(env) and env["-primary-hostname-certificate-is-valid"] and is_domain_cert_signed_and_valid("mta-sts." + domain, env):
# Check that PRIMARY_HOSTNAME and the mta_sts domain both have valid certificates.
for d in (env['PRIMARY_HOSTNAME'], "mta-sts." + domain):
cert = get_ssl_certificates(env).get(d)
if not cert:
break # no certificate provisioned for this domain
cert_status = check_certificate(d, cert['certificate'], cert['private-key'])
if cert_status[0] != 'OK':
break # certificate is not valid
else:
# 'break' was not encountered above, so both domains are good
mta_sts_enabled = True
if mta_sts_enabled:
# Compute an up-to-32-character hash of the policy file. We'll take a SHA-1 hash of the policy # Compute an up-to-32-character hash of the policy file. We'll take a SHA-1 hash of the policy
# file (20 bytes) and encode it as base-64 (28 bytes, using alphanumeric alternate characters # file (20 bytes) and encode it as base-64 (28 bytes, using alphanumeric alternate characters
# instead of '+' and '/' which are not allowed in an MTA-STS policy id) but then just take its # instead of '+' and '/' which are not allowed in an MTA-STS policy id) but then just take its
@ -365,6 +356,13 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
return records return records
def is_domain_cert_signed_and_valid(domain, env):
cert = get_ssl_certificates(env).get(domain)
if not cert: return False # no certificate provisioned
cert_status = check_certificate(domain, cert['certificate'], cert['private-key'])
print(domain, cert_status)
return cert_status[0] == 'OK'
######################################################################## ########################################################################
def build_tlsa_record(env): def build_tlsa_record(env):