always revoke the certificate, even if it is already expired

09eeaa8a · ale · 2397de7d · 09eeaa8a · 09eeaa8a
Commit 09eeaa8a authored Feb 07, 2014 by ale
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 3 deletions

cam/ca.py cam/ca.py +4 -1

cam/cert.py cam/cert.py +5 -2

No files found.
--- a/cam/ca.py
+++ b/cam/ca.py
@@ -160,7 +160,10 @@ class CA(object):
        expiry = cert.get_expiration_date()
        if expiry and expiry > time.time():
-            log.warn('certificate is still valid, revoking previous version')
+            log.warn('certificate is still valid')
+        if cert.exists():
+            log.warn('revoking previous version')
            self.revoke(cert)
        log.info('generating new certificate %s', cert.name)

--- a/cam/cert.py
+++ b/cam/cert.py
@@ -32,8 +32,11 @@ class Cert(object):
        self.private_key_file = os.path.join(ca.basedir, 'private',
                                             '%s.key' % name)
+    def exists(self):
+        return os.path.exists(self.public_key_file)
    def get_fingerprint(self, digest='sha1'):
-        if os.path.exists(self.public_key_file):
+        if self.exists():
            output = openssl_wrap.run('x509', '-in', self.public_key_file,
                                      '-noout', '-fingerprint', '-%s' % digest)
            m = re.search(r'=(.*)$', output)
@@ -42,7 +45,7 @@ class Cert(object):
        return None
    def get_expiration_date(self):
-        if os.path.exists(self.public_key_file):
+        if self.exists():
            output = openssl_wrap.run('x509', '-in', self.public_key_file,
                                      '-noout', '-dates')
            m = re.search(r'notAfter=(.*)', output)