Noded: log the certificate and digest on noded startup
author Helga Velroyen <helgav@google.com>
Fri, 19 Jun 2015 09:52:36 +0000 (11:52 +0200)
committer Helga Velroyen <helgav@google.com>
Mon, 6 Jul 2015 10:46:23 +0000 (12:46 +0200)
This patch adds logging of the filename and the digest of the
certificate which is loaded by noded on startup. This will
help debugging SSL problems as it will make clear whether or
not the noded is still using a stale/replaced/old server
certificate after a renewal.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

lib/http/__init__.py

index b01d6fb..596dd3d 100644 (file)
@@ -557,6 +557,12 @@ class HttpSslParams(object):
     self.ssl_cert_pem = utils.ReadFile(ssl_cert_path)
     self.ssl_cert_path = ssl_cert_path
 
+  def GetCertificateDigest(self):
+    return utils.GetCertificateDigest(cert_filename=self.ssl_cert_path)
+
+  def GetCertificateFilename(self):
+    return self.ssl_cert_path
+
   def GetKey(self):
     return OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM,
                                           self.ssl_key_pem)
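Review bot: GetCertificateDigest() hands utils.GetCertificateDigest only cert_filename=self.ssl_cert_path, so the digest is taken from whatever is at that path when the method is called, not from the PEM already stored in self.ssl_cert_pem by the constructor just above. If the file is replaced between the two reads, the logged digest describes the new file while the object still holds the old certificate, which is exactly the stale-certificate case the commit message wants to expose. Computing the digest from self.ssl_cert_pem (or from the loaded certificate object) would tie the value to what is actually in use. Both new methods also lack docstrings, and the digest one should say which hash it returns.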
@@ -615,6 +621,9 @@ class HttpBase(object):
     ctx.use_privatekey(self._ssl_key)
     ctx.use_certificate(self._ssl_cert)
     ctx.check_privatekey()
+    logging.debug("Certificate digest: %s.", ssl_params.GetCertificateDigest())
+    logging.debug("Certificate filename: %s.",
+                  ssl_params.GetCertificateFilename())
 
     if ssl_verify_peer:
       ctx.set_verify(OpenSSL.SSL.VERIFY_PEER |
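Review bot: the two logging.debug calls after ctx.check_privatekey() only produce output when the daemon runs with debug logging, so on a normally configured node the digest will not be in the log when someone investigates an SSL problem after a renewal. Consider logging.info, and emitting filename and digest in one message so the pair cannot be separated by interleaved log lines. Note also that the context is loaded with self._ssl_cert while the digest is fetched through ssl_params; logging a digest derived from self._ssl_cert would guarantee that the logged value matches the certificate passed to ctx.use_certificate.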