certreq v0.1.0 — June 9 2026
Stanford SSL Certificate Request — Python Migration

DONE
────
Language        Perl Stanford::Certificate::* modules fully ported to Python.
                Mirrors submit → validate → NetDB → CA → collect → notify pipeline exactly.

CA backend      InCommon CA working end-to-end via incommon-mgr CLI.
                Submit CSR → auto-approved → collect PEM → emails delivered.
                Tested with green.stanford.edu (orders 20102446 → 20113893).

DB schema       MySQL schema mirrors Perl DBIx::Class models exactly.
                CertInext migration notes inline: rename order_number → ca_order_id,
                retire renewid column and legacy_expirations table.

Email           SMTP with STARTTLS + service account auth working.
                Submission confirmation and fulfilled certificate emails
                with InCommon download links delivered to raj2024@stanford.edu.

Status polling  GET /api/status/{id} polls CA and triggers collect when issued.
                Fixed: normalize_status() maps full InCommon phrases
                ("not ready: approved but not yet fulfilled", "ready") to standard tokens.
                Fixed: implicit approved=1 when CA skips straight to fulfilled.

Docker          Three-container stack: Nginx + Gunicorn/FastAPI + MySQL 8.
                Secrets from .env via Vault.
                Fixed: gunicorn binding to 0.0.0.0:8000,
                syslog crash in Docker (opt-in via CERTREQ_SYSLOG=1),
                InCommon credentials written from env vars at startup.

IN PROGRESS
───────────
NetDB           Bitmask validation ported (netdb.py): node/domain controls check,
                wildcard domain check. Skip NetDB check removed from UI.
                Integration testing in progress against Stanford NetDB service.

KAdmin          Integration stubbed. Controlled via KADMIN_AUTH_ENABLED env var.
                Blocked — staging/production environment not yet available.

BLOCKED
───────
CertInext       Stub class CertInextCA ready in certreq/ca/certinext.py.
                Each method documents the Sectigo SCM REST endpoint and field mapping.
                Switches automatically when sectigo_api_key + sectigo_org_id set in config.
                Blocked — CertInext staging/production environment not yet available.

MANUAL
──────
Cron / poll     No background scheduler yet.
                Run: docker compose exec -T app python -m certreq.cli update_all
                Suggested cron: */5 * * * * docker compose exec -T app python -m certreq.cli update_all