Merge pull request #5067 from jtschladen/convert-csr-to-string

Convert CSR to string
Netflix · Jan 14, 2025 · d6eee64 · d6eee64
2 parents 960f8fe + 1ff3e71
commit d6eee64
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 16 deletions.
diff --git a/lemur/common/utils.py b/lemur/common/utils.py
@@ -15,8 +15,10 @@
 import string
 
 import OpenSSL
+import josepy as jose
 import pem
 import sqlalchemy
+from certbot.crypto_util import CERT_PEM_REGEX
 from cryptography import x509
 from cryptography.exceptions import InvalidSignature, UnsupportedAlgorithm
 from cryptography.hazmat.backends import default_backend
@@ -25,13 +27,11 @@
 from cryptography.hazmat.primitives.serialization import load_pem_private_key, Encoding, pkcs7
 from flask_restful.reqparse import RequestParser
 from sqlalchemy import and_, func
-import josepy as jose
+from sqlalchemy.dialects.postgresql import TEXT
 
-from certbot.crypto_util import CERT_PEM_REGEX
 from lemur.constants import CERTIFICATE_KEY_TYPES
 from lemur.exceptions import InvalidConfiguration
 from lemur.utils import Vault
-from sqlalchemy.dialects.postgresql import TEXT
 
 paginated_parser = RequestParser()
 
@@ -525,3 +525,9 @@ def drop_last_cert_from_chain(full_chain: str) -> str:
         ),
     ).decode()
     return pem_certificate
+
+
+def csr_to_string(csr):
+    if isinstance(csr, str):
+        return csr.encode("ascii")
+    return csr
diff --git a/lemur/plugins/lemur_acme/challenge_types.py b/lemur/plugins/lemur_acme/challenge_types.py
@@ -7,27 +7,26 @@
 
 .. moduleauthor:: Mathias Petermann <[email protected]>
 """
-from datetime import datetime, timedelta
 import json
+from datetime import datetime, timedelta
 
 from acme import challenges
 from acme.errors import WildcardUnsupportedError
 from acme.messages import errors, STATUS_VALID, ERROR_CODES
 from botocore.exceptions import ClientError
 from flask import current_app
+from retrying import retry
 from sentry_sdk import capture_exception
 
 from lemur.authorizations import service as authorization_service
+from lemur.common.utils import drop_last_cert_from_chain, csr_to_string
 from lemur.constants import ACME_ADDITIONAL_ATTEMPTS
-from lemur.common.utils import drop_last_cert_from_chain
+from lemur.destinations import service as destination_service
 from lemur.exceptions import LemurException, InvalidConfiguration
 from lemur.extensions import metrics
 from lemur.plugins.base import plugins
-from lemur.destinations import service as destination_service
 from lemur.plugins.lemur_acme.acme_handlers import AcmeHandler, AcmeDnsHandler
 
-from retrying import retry
-
 
 class AcmeChallengeMissmatchError(LemurException):
     pass
@@ -86,7 +85,7 @@ def create_certificate(self, csr, issuer_options):
         authority = issuer_options.get("authority")
         acme_client, registration = self.acme.setup_acme_client(authority)
 
-        orderr = acme_client.new_order(csr)
+        orderr = acme_client.new_order(csr_to_string(csr))
 
         chall = []
         deployed_challenges = []
@@ -266,7 +265,7 @@ def create_certificate(self, csr, issuer_options):
     @retry(stop_max_attempt_number=ACME_ADDITIONAL_ATTEMPTS, wait_fixed=5000)
     def create_certificate_immediately(self, acme_client, order_info, csr):
         try:
-            order = acme_client.new_order(csr)
+            order = acme_client.new_order(csr_to_string(csr))
         except WildcardUnsupportedError:
             metrics.send("create_certificte_immediately_wildcard_unsupported", "counter", 1)
             raise Exception(

diff --git a/lemur/plugins/lemur_acme/plugin.py b/lemur/plugins/lemur_acme/plugin.py
@@ -19,7 +19,7 @@
 from sentry_sdk import capture_exception
 
 from lemur.authorizations import service as authorization_service
-from lemur.common.utils import check_validation, drop_last_cert_from_chain
+from lemur.common.utils import check_validation, drop_last_cert_from_chain, csr_to_string
 from lemur.constants import CRLReason, EMAIL_RE
 from lemur.dns_providers import service as dns_provider_service
 from lemur.exceptions import InvalidConfiguration
@@ -130,7 +130,7 @@ def get_ordered_certificate(self, pending_cert):
                 self.acme.autodetect_dns_providers(domain)
 
         try:
-            order = acme_client.new_order(pending_cert.csr)
+            order = acme_client.new_order(csr_to_string(pending_cert.csr))
         except WildcardUnsupportedError:
             metrics.send("get_ordered_certificate_wildcard_unsupported", "counter", 1)
             raise Exception(
@@ -191,10 +191,7 @@ def get_ordered_certificates(self, pending_certs):
                         self.acme.autodetect_dns_providers(domain)
 
                 try:
-                    csr = pending_cert.csr
-                    if isinstance(csr, str):
-                        csr = csr.encode("ascii")
-                    order = acme_client.new_order(csr)
+                    order = acme_client.new_order(csr_to_string(pending_cert.csr))
                 except WildcardUnsupportedError:
                     capture_exception()
                     metrics.send(