
lemur certificate check_revoked - failed to verify - bunch of tracebacks

Open arthurzenika opened this issue 6 years ago • 3 comments

Failed to verify
Traceback (most recent call last):
  File "/var/www/lemur/lemur/certificates/verify.py", line 107, in verify
    return ocsp_verify(cert_path, issuer_chain_path)
  File "/var/www/lemur/lemur/certificates/verify.py", line 46, in ocsp_verify
    raise Exception("Did not receive a valid response")
Exception: Did not receive a valid response

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/www/lemur/lemur/certificates/verify.py", line 110, in verify
    return crl_verify(cert_path)
  File "/var/www/lemur/lemur/certificates/verify.py", line 62, in crl_verify
    distribution_points = cert.extensions.get_extension_for_oid(x509.OID_CRL_DISTRIBUTION_POINTS).value
  File "/var/www/lemur/lib/python3.4/site-packages/cryptography/x509/extensions.py", line 103, in get_extension_for_oid
    raise ExtensionNotFound("No {0} extension was found".format(oid), oid)
cryptography.x509.extensions.ExtensionNotFound: No <ObjectIdentifier(oid=2.5.29.31, name=cRLDistributionPoints)> extension was found

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/www/lemur/lemur/certificates/cli.py", line 360, in check_revoked
    status = verify_string(cert.body, cert.chain)
  File "/var/www/lemur/lemur/certificates/verify.py", line 129, in verify_string
    status = verify(cert_tmp, issuer_tmp)
  File "/var/www/lemur/lemur/certificates/verify.py", line 112, in verify
    raise Exception("Failed to verify")
Exception: Failed to verify

I'm not entirely sure if we're missing some configuration, or a python dependency or what.

arthurzenika avatar Mar 06 '18 13:03 arthurzenika

It looks like your certificate does not have a CRL in it to check, so it can't be determined if it's been revoked. Is it perhaps an internal certificate?

kevgliss avatar Mar 06 '18 16:03 kevgliss

Indeed. It doesn't have a CRL, maybe there could be an option to not get a traceback or is this a bug?

arthurzenika avatar Mar 06 '18 16:03 arthurzenika

We could catch the exception and issue a warning instead. I'd be happy to merge a PR covering that use case.

kevgliss avatar Mar 06 '18 16:03 kevgliss
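The handling kevgliss suggests, as an added example that is not Lemur's code: a certificate without a cRLDistributionPoints extension yields an "unknown" status plus a warning rather than an ExtensionNotFound traceback. It assumes the `cryptography` package; the self-signed certificates and the CRL URL are constructed for the demonstration, and fetching the CRL itself is left out.

```python
import warnings
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, ExtensionOID


def _self_signed(common_name, crl_url=None):
    """Constructed self-signed cert, with a CRL distribution point only if crl_url is given."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=1))
    )
    if crl_url:
        dp = x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier(crl_url)],
            relative_name=None, reasons=None, crl_issuer=None)
        builder = builder.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return builder.sign(key, hashes.SHA256())


def crl_urls(cert):
    """Return the CRL URLs from the cRLDistributionPoints extension, or None if absent."""
    try:  # this is the call that raised ExtensionNotFound in the traceback above
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return None
    urls = []
    for dp in ext.value:
        for name in dp.full_name or []:
            if isinstance(name, x509.UniformResourceIdentifier):
                urls.append(name.value)
    return urls


def revocation_status(cert):
    """'unknown' with a warning when no CRL can be consulted, 'crl_available' otherwise."""
    urls = crl_urls(cert)
    if not urls:
        warnings.warn("certificate has no CRL distribution point; revocation status unknown")
        return "unknown"
    return "crl_available"
```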