0

I'm new to python, sorry if I'm missing something "obvious".

Currently I'm working on a script to generate TLSA records for DNSSEC.

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from subprocess import Popen, PIPE


def makeTLSA():
    der_cert_proc = Popen(['openssl', 'x509','-in','/etc/letsencrypt/live/example.com/cert.pem','-outform','DER'], stdout=PIPE, stderr=PIPE)
    der_cert_output = der_cert_proc.communicate()[0].strip()

    return der_cert_output

print makeTLSA()

This currently only prints out the cert in DER format. But the output is different to calling

openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -outform DER

But if I change it to

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from subprocess import Popen, PIPE


def makeTLSA():
    der_cert_proc = Popen(['openssl', 'x509','-in','/etc/letsencrypt/live/example.com/cert.pem'], stdout=PIPE, stderr=PIPE)
    der_cert_output = der_cert_proc.communicate()[0].strip()

    return der_cert_output

print makeTLSA()

It outputs the same as

openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem

Python is 2.7.5 on Centos 7 box.

Tom Zych
  • 13,329
  • 9
  • 36
  • 53
Patrick Heppler
  • 181
  • 1
  • 11
  • 2
    It's not clear what your question is. Which kind of output do you want, and specifically how does it differ from what you're getting? P.S. answer by editing the question. – Tom Zych Nov 11 '15 at 14:53
  • unrelated: don't set `stderr=PIPE` unless you want to capture it. [Redirect to devnull if you want to discard the output instead](http://stackoverflow.com/q/11269575/4279) – jfs Nov 11 '15 at 15:03
  • check the exit code (`der_cert_proc`) and the error output (the second result from `.communicate()`). – jfs Nov 11 '15 at 15:06
  • It works now. Just had to change this: `return der_cert_output+'\r'` Now the result is the same as calling the openssl commands in bash – Patrick Heppler Nov 11 '15 at 15:27
  • So you have to add `\r`? But you've just called strip on the string (which removes whitespace such as `\r`). Maybe just don't call strip on the string? – Dunes Nov 11 '15 at 15:44
  • It appears you only stated your observations. What, exactly, is your question? – jww Nov 12 '15 at 04:15

1 Answers1

-1

According to https://docs.python.org/2/library/subprocess.html#popen-objects

communicate() returns a tuble with stdout and stderr, maybe the command writes some part of the response to stderr.

You can check this using both 

der_cert_output = (der_cert_proc.communicate()[0].strip() + 
                   der_cert_proc.communicate()[1].strip())

Or by dropping stderr on the command line : openssl .... 2> /dev/null

jfs
  • 399,953
  • 195
  • 994
  • 1,670
Mathias Vetsch
  • 189
  • 1
  • 3
  • note: it is pointless to call `.communicate()` more than once -- `.communicate()` waits for the process to exit. To get both stdout and stderr, set `stdout=PIPE, stderr=PIPE` and store the returned values: `stdout_output, stderr_output = der_cert_proc.communicate()` – jfs Nov 11 '15 at 22:33