lauri/certidude
1
0
Fork 0
mirror of https://github.com/laurivosandi/certidude synced 2024-12-22 16:25:17 +00:00
Code Issues Activity

Added preliminary Kerberos authentication support

Browse Source
This commit is contained in:
Lauri Võsandi 2015-08-16 17:21:42 +03:00
parent c5d27e8a76
commit e2f27078d1
12 changed files with 236 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
README.rst
View File

@ -21,6 +21,7 @@ Features
* Certificate numbering obfuscation, certificate serial numbers are intentionally
randomized to avoid leaking information about business practices.
* Server-side events support via for example nginx-push-stream-module.
* Kerberos based authentication
TODO
@ -42,9 +43,12 @@ To install Certidude:
.. code:: bash
apt-get install -y python3 python3-netifaces python3-pip python3-dev cython3 build-essential libffi-dev libssl-dev
apt-get install -y python3 python3-pip python3-dev cython3 build-essential libffi-dev libssl-dev
pip3 install certidude
Make sure you're running PyOpenSSL 0.15+ and netifaces 0.10.4+ from PyPI,
not the outdated ones provided by APT.
Create a system user for ``certidude``:
.. code:: bash
@ -106,7 +110,7 @@ Install uWSGI:
.. code:: bash
apt-get install uwsgi uwsgi-plugin-python3
apt-get install nginx uwsgi uwsgi-plugin-python3
To set up ``nginx`` and ``uwsgi`` is suggested:
@ -132,8 +136,8 @@ Otherwise manually configure uUWSGI application in ``/etc/uwsgi/apps-available/c
callable = app
chmod-socket = 660
chown-socket = certidude:www-data
env = CERTIDUDE_EVENT_PUBLISH=http://localhost/event/publish/%(channel)s
env = CERTIDUDE_EVENT_SUBSCRIBE=http://localhost/event/subscribe/%(channel)s
env = PUSH_PUBLISH=http://localhost/event/publish/%(channel)s
env = PUSH_SUBSCRIBE=http://localhost/event/subscribe/%(channel)s
Also enable the application:
@ -213,3 +217,71 @@ Restart the services:
service uwsgi restart
service nginx restart
Setting up Kerberos authentication
----------------------------------
Following assumes you have already set up Kerberos infrastructure and
Certidude is simply one of the servers making use of that infrastructure.
Install dependencies:
.. code:: bash
apt-get install samba-common-bin krb5-user ldap-utils
Set up Samba client configuration in ``/etc/samba/smb.conf``:
.. code:: ini
[global]
security = ads
netbios name = CERTIDUDE
workgroup = WORKGROUP
realm = EXAMPLE.LAN
kerberos method = system keytab
Set up Kerberos keytab for the web service:
.. code:: bash
KRB5_KTNAME=FILE:/etc/certidude.keytab net ads keytab add HTTP -U Administrator
Setting up authorization
------------------------
Obviously arbitrary Kerberos authenticated user should not have access to
the CA web interface.
You could either specify user name list
in ``/etc/ssl/openssl.cnf``:
.. code:: bash
admin_users=alice bob john kate
Or alternatively specify file path:
.. code:: bash
admin_users=/run/certidude/user.whitelist
Use following shell snippets eg in ``/etc/cron.hourly/update-certidude-user-whitelist``
to generate user whitelist via LDAP:
.. code:: bash
ldapsearch -H ldap://dc1.id.stipit.com -s sub -x -LLL \
-D 'cn=certidude,cn=Users,dc=id,dc=stipit,dc=com' \
-w 'certidudepass' \
-b 'ou=sso,dc=id,dc=stipit,dc=com' \
'(objectClass=user)' sAMAccountName userPrincipalName givenName sn \
| python3 -c "import ldif3; import sys; [sys.stdout.write('%s:%s:%s:%s\n' % (a.pop('sAMAccountName')[0], a.pop('userPrincipalName')[0], a.pop('givenName')[0], a.pop('sn')[0])) for _, a in ldif3.LDIFParser(sys.stdin.buffer).parse()]" \
> /run/certidude/user.whitelist
Set permissions:
.. code:: bash
chmod 700 /etc/cron.hourly/update-certidude-user-whitelist

56
certidude/api.py
View File

@ -7,6 +7,7 @@ import urllib.request
import click
from time import sleep
from certidude.wrappers import Request, Certificate
from certidude.auth import login_required
from certidude.mailer import Mailer
from pyasn1.codec.der import decoder
from datetime import datetime, date
@ -20,9 +21,20 @@ RE_HOSTNAME = "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0
def omit(**kwargs):
return dict([(key,value) for (key, value) in kwargs.items() if value])
def authorize_admin(func):
def wrapped(self, req, resp, *args, **kwargs):
kerberos_username, kerberos_realm = kwargs.get("user")
if kerberos_username not in kwargs.get("ca").admin_users:
raise falcon.HTTPForbidden("User %s not whitelisted" % kerberos_username)
kwargs["user"] = kerberos_username
return func(self, req, resp, *args, **kwargs)
return wrapped
def pop_certificate_authority(func):
def wrapped(self, req, resp, *args, **kwargs):
kwargs["ca"] = self.config.instantiate_authority(kwargs["ca"])
print(func)
return func(self, req, resp, *args, **kwargs)
return wrapped
@ -72,9 +84,11 @@ def serialize(func):
def templatize(path):
template = env.get_template(path)
def wrapper(func):
def wrapped(instance, req, resp, **kwargs):
def wrapped(instance, req, resp, *args, **kwargs):
assert not req.get_param("unicode") or req.get_param("unicode") == u"", "Unicode sanity check failed"
r = func(instance, req, resp, **kwargs)
print("templatize would call", func, "with", args, kwargs)
r = func(instance, req, resp, *args, **kwargs)
r.pop("self")
if not resp.body:
if req.get_header("Accept") == "application/json":
resp.set_header("Cache-Control", "no-cache, no-store, must-revalidate");
@ -114,9 +128,11 @@ class SignedCertificateDetailResource(CertificateAuthorityBase):
resp.stream = open(path, "rb")
resp.append_header("Content-Disposition", "attachment; filename=%s.crt" % cn)
@login_required
@pop_certificate_authority
@authorize_admin
@validate_common_name
def on_delete(self, req, resp, ca, cn):
def on_delete(self, req, resp, ca, cn, user):
ca.revoke(cn)
class SignedCertificateListResource(CertificateAuthorityBase):
@ -152,9 +168,11 @@ class RequestDetailResource(CertificateAuthorityBase):
resp.append_header("Content-Type", "application/x-x509-user-cert")
resp.append_header("Content-Disposition", "attachment; filename=%s.csr" % cn)
@login_required
@pop_certificate_authority
@authorize_admin
@validate_common_name
def on_patch(self, req, resp, ca, cn):
def on_patch(self, req, resp, ca, cn, user):
"""
Sign a certificate signing request
"""
@ -165,8 +183,10 @@ class RequestDetailResource(CertificateAuthorityBase):
resp.status = falcon.HTTP_201
resp.location = os.path.join(req.relative_uri, "..", "..", "signed", cn)
@login_required
@pop_certificate_authority
def on_delete(self, req, resp, ca, cn):
@authorize_admin
def on_delete(self, req, resp, ca, cn, user):
ca.delete_request(cn)
class RequestListResource(CertificateAuthorityBase):
@ -195,8 +215,8 @@ class RequestListResource(CertificateAuthorityBase):
remote_addr = ipaddress.ip_address(req.env["REMOTE_ADDR"])
# Check for CSR submission whitelist
if ca.request_whitelist:
for subnet in ca.request_whitelist:
if ca.request_subnets:
for subnet in ca.request_subnets:
if subnet.overlaps(remote_addr):
break
else:
@ -225,11 +245,11 @@ class RequestListResource(CertificateAuthorityBase):
# Process automatic signing if the IP address is whitelisted and autosigning was requested
if req.get_param("autosign").lower() in ("yes", "1", "true"):
for subnet in ca.autosign_whitelist:
for subnet in ca.autosign_subnets:
if subnet.overlaps(remote_addr):
try:
resp.append_header("Content-Type", "application/x-x509-user-cert")
resp.body = ca.sign(req).dump()
resp.body = ca.sign(csr).dump()
return
except FileExistsError: # Certificate already exists, try to save the request
pass
@ -245,7 +265,7 @@ class RequestListResource(CertificateAuthorityBase):
# Wait the certificate to be signed if waiting is requested
if req.get_param("wait"):
url_template = os.getenv("CERTIDUDE_EVENT_SUBSCRIBE")
url_template = os.getenv("PUSH_SUBSCRIBE")
if url_template:
# Redirect to nginx pub/sub
url = url_template % dict(channel=request.fingerprint())
@ -286,15 +306,15 @@ class CertificateAuthorityResource(CertificateAuthorityBase):
resp.append_header("Content-Disposition", "attachment; filename=%s.crt" % ca.slug)
class IndexResource(CertificateAuthorityBase):
@templatize("index.html")
@login_required
@pop_certificate_authority
def on_get(self, req, resp, ca):
return {
"authority": ca }
@templatize("index.html")
def on_get(self, req, resp, ca, user):
return locals()
class ApplicationConfigurationResource(CertificateAuthorityBase):
@validate_common_name
@pop_certificate_authority
@validate_common_name
def on_get(self, req, resp, ca, cn):
ctx = dict(
cn = cn,
@ -304,9 +324,11 @@ class ApplicationConfigurationResource(CertificateAuthorityBase):
resp.append_header("Content-Disposition", "attachment; filename=%s.ovpn" % cn)
resp.body = Template(open("/etc/openvpn/%s.template" % ca.slug).read()).render(ctx)
@validate_common_name
@login_required
@pop_certificate_authority
def on_put(self, req, resp, ca, cn=None):
@authorize_admin
@validate_common_name
def on_put(self, req, resp, user, ca, cn=None):
pkey_buf, req_buf, cert_buf = ca.create_bundle(cn)
ctx = dict(

60
certidude/auth.py Normal file
View File

@ -0,0 +1,60 @@
import click
import falcon
import kerberos
import os
import re
import socket
# Vanilla Kerberos provides only username.
# AD also embeds PAC (Privilege Attribute Certificate), which
# is supposed to be sent via HTTP headers and it contains
# the groups user is part of.
# Even then we would have to manually look up the e-mail
# address eg via LDAP, hence to keep things simple
# we simply use Kerberos to authenticate.
FQDN = socket.getaddrinfo(socket.gethostname(), 0, flags=socket.AI_CANONNAME)[0][3]
if not os.getenv("KRB5_KTNAME"):
click.echo("Kerberos keytab not specified, set environment variable 'KRB5_KTNAME'", err=True)
exit(250)
try:
principal = kerberos.getServerPrincipalDetails("HTTP", FQDN)
except kerberos.KrbError as exc:
click.echo("Failed to initialize Kerberos, reason: %s" % exc, err=True)
exit(249)
else:
click.echo("Kerberos enabled, service principal is HTTP/%s" % FQDN)
def login_required(func):
def wrapped(resource, req, resp, *args, **kwargs):
authorization = req.get_header("Authorization")
if not authorization:
resp.append_header("WWW-Authenticate", "Negotiate")
raise falcon.HTTPUnauthorized("Unauthorized", "No Kerberos ticket offered?")
token = ''.join(authorization.split()[1:])
rc, context = kerberos.authGSSServerInit("HTTP@" + FQDN)
if rc != kerberos.AUTH_GSS_COMPLETE:
raise falcon.HTTPForbidden("Forbidden", "Kerberos ticket expired?")
rc = kerberos.authGSSServerStep(context, token)
kerberos_user = kerberos.authGSSServerUserName(context).split("@")
# References lost beyond this point! Results in
# ValueError: PyCapsule_SetPointer called with null pointer
kerberos.authGSSServerClean(context)
if rc == kerberos.AUTH_GSS_COMPLETE:
kwargs["user"] = kerberos_user
return func(resource, req, resp, *args, **kwargs)
elif rc == kerberos.AUTH_GSS_CONTINUE:
raise falcon.HTTPUnauthorized("Unauthorized", "Tried GSSAPI")
else:
raise falcon.HTTPForbidden("Forbidden", "Tried GSSAPI")
return wrapped

12
certidude/cli.py
View File

@ -402,6 +402,7 @@ def certidude_setup_strongswan_client(url, config, secrets, email_address, commo
@click.option("--username", default="certidude", help="Service user account, created if necessary, 'certidude' by default")
@click.option("--hostname", default=HOSTNAME, help="nginx hostname, '%s' by default" % HOSTNAME)
@click.option("--static-path", default=os.path.join(os.path.dirname(__file__), "static"), help="Static files")
@click.option("--kerberos-keytab", default="/etc/certidude.keytab", help="Specify Kerberos keytab")
@click.option("--nginx-config", "-n",
default="/etc/nginx/nginx.conf",
type=click.File(mode="w", atomic=True, lazy=True),
@ -411,7 +412,7 @@ def certidude_setup_strongswan_client(url, config, secrets, email_address, commo
type=click.File(mode="w", atomic=True, lazy=True),
help="uwsgi configuration, /etc/uwsgi/ by default")
@click.option("--push-server", help="Push server URL, in case of different nginx instance")
def certidude_setup_production(username, hostname, push_server, nginx_config, uwsgi_config, static_path):
def certidude_setup_production(username, hostname, push_server, nginx_config, uwsgi_config, static_path, kerberos_keytab):
try:
pwd.getpwnam(username)
click.echo("Username '%s' already exists, excellent!" % username)
@ -419,8 +420,13 @@ def certidude_setup_production(username, hostname, push_server, nginx_config, uw
cmd = "adduser", "--system", "--no-create-home", "--group", username
subprocess.check_call(cmd)
# cmd = "gpasswd", "-a", username, "www-data"
# subprocess.check_call(cmd)
if subprocess.call("net ads testjoin", shell=True):
click.echo("Domain membership check failed, 'net ads testjoin' returned non-zero value", stderr=True)
exit(255)
if not os.path.exists(kerberos_keytab):
subprocess.call("KRB5_KTNAME=FILE:" + kerberos_keytab + " net ads keytab add HTTP -P")
click.echo("Created Kerberos keytab in '%s'" % kerberos_keytab)
if not static_path.endswith("/"):
static_path += "/"

26
certidude/templates/index.html
View File

@ -15,12 +15,16 @@
<h1>Submit signing request</h1>
<p>Request submission is allowed from: {% for i in authority.request_whitelist %}{{ i }} {% endfor %}</p>
<p>Autosign is allowed from: {% for i in authority.autosign_whitelist %}{{ i }} {% endfor %}</p>
<p>Hi, {{user}}</p>
<p>Request submission is allowed from: {% if ca.request_subnets %}{% for i in ca.request_subnets %}{{ i }} {% endfor %}{% else %}anywhere{% endif %}</p>
<p>Autosign is allowed from: {% if ca.autosign_subnets %}{% for i in ca.autosign_subnets %}{{ i }} {% endfor %}{% else %}nowhere{% endif %}</p>
<p>Authority administration is allowed from: {% if ca.admin_subnets %}{% for i in ca.admin_subnets %}{{ i }} {% endfor %}{% else %}anywhere{% endif %}
<p>Authority administration allowed for: {% for i in ca.admin_users %}{{ i }} {% endfor %}</p>
<h2>IPsec gateway on OpenWrt</h2>
{% set s = authority.certificate.subject %}
{% set s = ca.certificate.subject %}
<pre>
opkg update
@ -70,15 +74,15 @@ certidude setup openvpn client {{request.url}}
<h1>Pending requests</h1>
<ul>
{% for j in authority.get_requests() %}
{% for j in ca.get_requests() %}
<li>
<a class="button" href="/api/{{authority.slug}}/request/{{j.common_name}}/">Fetch</a>
<a class="button" href="/api/{{ca.slug}}/request/{{j.common_name}}/">Fetch</a>
{% if j.signable %}
<button onClick="javascript:$.ajax({url:'/api/{{authority.slug}}/request/{{j.common_name}}/',type:'patch'});">Sign</button>
<button onClick="javascript:$.ajax({url:'/api/{{ca.slug}}/request/{{j.common_name}}/',type:'patch'});">Sign</button>
{% else %}
<button title="Please use certidude command-line utility to sign unusual requests" disabled>Sign</button>
{% endif %}
<button onClick="javascript:$.ajax({url:'/api/{{authority.slug}}/request/{{j.common_name}}/',type:'delete'});">Delete</button>
<button onClick="javascript:$.ajax({url:'/api/{{ca.slug}}/request/{{j.common_name}}/',type:'delete'});">Delete</button>
<div class="monospace">
@ -124,10 +128,10 @@ curl -f {{request.url}}/signed/$CN > $CN.crt
</pre>
<ul>
{% for j in authority.get_signed() | sort | reverse %}
{% for j in ca.get_signed() | sort | reverse %}
<li>
<a class="button" href="/api/{{authority.slug}}/signed/{{j.subject.CN}}/">Fetch</a>
<button onClick="javascript:$.ajax({url:'/api/{{authority.slug}}/signed/{{j.subject.CN}}/',type:'delete'});">Revoke</button>
<a class="button" href="/api/{{ca.slug}}/signed/{{j.subject.CN}}/">Fetch</a>
<button onClick="javascript:$.ajax({url:'/api/{{ca.slug}}/signed/{{j.subject.CN}}/',type:'delete'});">Revoke</button>
<div class="monospace">
{% include 'iconmonstr-certificate-15-icon.svg' %}
@ -172,7 +176,7 @@ openssl ocsp -issuer ca.pem -CAfile ca.pem -url {{request.url}}/ocsp/ -serial 0x
</pre>
-->
<ul>
{% for j in authority.get_revoked() %}
{% for j in ca.get_revoked() %}
<li>
{{j.changed}}
{{j.serial_number}} <span class="monospace">{{j.distinguished_name}}</span>

8
certidude/templates/openssl.cnf
View File

@ -17,8 +17,12 @@ emailAddress = {{email_address}}
{% endif %}
x509_extensions = {{slug}}_cert
policy = poliy_{{slug}}
request_whitelist =
autosign_whitelist = 127.0.0.0/8
# Certidude specific stuff, TODO: move to separate section?
request_subnets = 10.0.0.0/8 192.168.0.0/16 172.168.0.0/16
autosign_subnets = 127.0.0.0/8
admin_subnets = 127.0.0.0/8
admin_users =
inbox = {{inbox}}
outbox = {{outbox}}

4
certidude/templates/strongswan-client-to-site.conf
View File

@ -15,11 +15,11 @@ conn %default
conn home
auto={{auto}}
type=tunnel
left=%defaultroute # Use IP of default route for listening
leftsourceip=%config # Accept server suggested virtual IP as inner address for tunnel
leftcert={{certificate_path}} # Client certificate
leftid={{common_name}} # Client certificate identifier
leftfirewall=yes
leftfirewall=yes # Local machine may be behind NAT
right={{remote}} # Gateway IP address
rightid=%any # Allow any common name
rightsubnet=0.0.0.0/0 # Accept all subnets suggested by server

1
certidude/templates/strongswan-site-to-client.conf
View File

@ -15,6 +15,7 @@ conn %default
conn rw
auto=add
right=%any # Allow connecting from any IP address
rightsourceip={{subnet}} # Serve virtual IP-s from this pool
left={{local}} # Gateway IP address
leftcert={{certificate_path}} # Gateway certificate
leftfirewall=yes

11
certidude/templates/uwsgi.ini
View File

@ -11,13 +11,14 @@ module = certidude.wsgi
callable = app
chmod-socket = 660
chown-socket = {{username}}:www-data
buffer-size = 32768
{% if push_server %}
env = CERTIDUDE_EVENT_PUBLISH={{push_server}}/publish/%(channel)s
env = CERTIDUDE_EVENT_SUBSCRIBE={{push_server}}/subscribe/%(channel)s
env = PUSH_PUBLISH={{push_server}}/publish/%(channel)s
env = PUSH_SUBSCRIBE={{push_server}}/subscribe/%(channel)s
{% else %}
env = CERTIDUDE_EVENT_PUBLISH=http://localhost/event/publish/%(channel)s
env = CERTIDUDE_EVENT_SUBSCRIBE=http://localhost/event/subscribe/%(channel)s
env = PUSH_PUBLISH=http://localhost/event/publish/%(channel)s
env = PUSH_SUBSCRIBE=http://localhost/event/subscribe/%(channel)s
{% endif %}
env = LANG=C.UTF-8
env = LC_ALL=C.UTF-8
env = KRB5_KTNAME={{kerberos_keytab}}

24
certidude/wrappers.py
View File

@ -27,7 +27,7 @@ def notify(func):
def wrapped(instance, csr, *args, **kwargs):
cert = func(instance, csr, *args, **kwargs)
assert isinstance(cert, Certificate), "notify wrapped function %s returned %s" % (func, type(cert))
url_template = os.getenv("CERTIDUDE_EVENT_PUBLISH")
url_template = os.getenv("PUSH_PUBLISH")
if url_template:
url = url_template % dict(channel=csr.fingerprint())
notification = urllib.request.Request(url, cert.dump().encode("ascii"))
@ -79,7 +79,7 @@ class CertificateAuthorityConfig(object):
section = "CA_" + slug
dirs = dict([(key, self.get(section, key))
for key in ("dir", "certificate", "crl", "certs", "new_certs_dir", "private_key", "revoked_certs_dir", "request_whitelist", "autosign_whitelist")])
for key in ("dir", "certificate", "crl", "certs", "new_certs_dir", "private_key", "revoked_certs_dir", "request_subnets", "autosign_subnets", "admin_subnets", "admin_users")])
# Variable expansion, eg $dir
for key, value in dirs.items():
@ -391,8 +391,7 @@ class Certificate(CertificateBase):
return self.signed <= other.signed
class CertificateAuthority(object):
def __init__(self, slug, certificate, crl, certs, new_certs_dir, revoked_certs_dir=None, private_key=None, autosign=False, autosign_whitelist=None, request_whitelist=None, email_address=None, inbox=None, outbox=None, basic_constraints="CA:FALSE", key_usage="digitalSignature,keyEncipherment", extended_key_usage="clientAuth", certificate_lifetime=5*365, revocation_list_lifetime=1):
def __init__(self, slug, certificate, crl, certs, new_certs_dir, revoked_certs_dir=None, private_key=None, autosign_subnets=None, request_subnets=None, admin_subnets=None, admin_users=None, email_address=None, inbox=None, outbox=None, basic_constraints="CA:FALSE", key_usage="digitalSignature,keyEncipherment", extended_key_usage="clientAuth", certificate_lifetime=5*365, revocation_list_lifetime=1):
self.slug = slug
self.revocation_list = crl
self.signed_dir = certs
@ -400,8 +399,9 @@ class CertificateAuthority(object):
self.revoked_dir = revoked_certs_dir
self.private_key = private_key
self.autosign_whitelist = set([ipaddress.ip_network(j) for j in autosign_whitelist.split(" ") if j])
self.request_whitelist = set([ipaddress.ip_network(j) for j in request_whitelist.split(" ") if j]).union(self.autosign_whitelist)
self.admin_subnets = set([ipaddress.ip_network(j) for j in admin_subnets.split(" ") if j])
self.autosign_subnets = set([ipaddress.ip_network(j) for j in autosign_subnets.split(" ") if j])
self.request_subnets = set([ipaddress.ip_network(j) for j in request_subnets.split(" ") if j]).union(self.autosign_subnets)
self.certificate = Certificate(open(certificate))
self.mailer = Mailer(outbox) if outbox else None
@ -411,6 +411,18 @@ class CertificateAuthority(object):
self.key_usage = key_usage
self.extended_key_usage = extended_key_usage
self.admin_emails = dict()
self.admin_users = set()
if admin_users:
if admin_users.startswith("/"):
for user in open(admin_users):
if ":" in user:
user, email, first_name, last_name = user.split(":")
self.admin_emails[user] = email
self.admin_users.add(user)
else:
self.admin_users = set([j for j in admin_users.split(" ") if j])
def _signer_exec(self, cmd, *bits):
sock = self.connect_signer()
sock.send(cmd.encode("ascii"))

4
certidude/wsgi.py
View File

@ -13,8 +13,8 @@ from certidude.api import CertificateAuthorityResource, \
config = CertificateAuthorityConfig("/etc/ssl/openssl.cnf")
assert os.getenv("CERTIDUDE_EVENT_SUBSCRIBE"), "Please set CERTIDUDE_EVENT_SUBSCRIBE to your web server's subscription URL"
assert os.getenv("CERTIDUDE_EVENT_PUBLISH"), "Please set CERTIDUDE_EVENT_PUBLISH to your web server's publishing URL"
assert os.getenv("PUSH_SUBSCRIBE"), "Please set PUSH_SUBSCRIBE to your web server's subscription URL"
assert os.getenv("PUSH_PUBLISH"), "Please set PUSH_PUBLISH to your web server's publishing URL"
app = falcon.API()
app.add_route("/api/{ca}/ocsp/", CertificateStatusResource(config))

3
setup.py
View File

@ -27,7 +27,8 @@ setup(
"humanize",
"pycrypto",
"cryptography",
"markupsafe"
"markupsafe",
"ldap3"
],
scripts=[
"misc/certidude"