Do not fallback on old expired certificate when it can't be renewed

3687dd51 · Julien Muchembled · 4fe44ea3 · 3687dd51
Commit 3687dd51 authored Apr 12, 2022 by Julien Muchembled
Show whitespace changes
Inline Side-by-side

Showing with 30 additions and 27 deletions

re6st/x509.py re6st/x509.py +30 -27

No files found.
--- a/re6st/x509.py
+++ b/re6st/x509.py
@@ -44,11 +44,11 @@ def fingerprint(cert, alg='sha1'):

 def maybe_renew(path, cert, info, renew, force=False):
    from .registry import RENEW_PERIOD
+    retry_period = 86400
+    not_after = 0 if force else notAfter(cert)
    while True:
-        if force:
-            force = False
-        else:
-            next_renew = notAfter(cert) - RENEW_PERIOD
+        while True:
+            next_renew = not_after - RENEW_PERIOD
            if time.time() < next_renew:
                return cert, next_renew
            try:
@@ -70,11 +70,14 @@ def maybe_renew(path, cert, info, renew, force=False):
            except OSError:
                pass
            os.rename(new_path, path)
+            not_after = notAfter(cert)
            logging.info("%s renewed until %s UTC",
-            info, time.asctime(time.gmtime(notAfter(cert))))
+                info, time.asctime(time.gmtime(not_after)))
        logging.error("%s not renewed. Will retry tomorrow.",
                      info, exc_info=exc_info)
-    return cert, time.time() + 86400
+        if time.time() < not_after:
+            return cert, time.time() + retry_period
+        time.sleep(retry_period)


 class VerifyError(Exception):