mongo-charms-single-kernel 1.8.8__tar.gz → 1.8.9__tar.gz

{mongo_charms_single_kernel-1.8.8 → mongo_charms_single_kernel-1.8.9}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mongo-charms-single-kernel
-Version: 1.8.8
+Version: 1.8.9
 Summary: Shared and reusable code for Mongo-related charms
 License-Expression: Apache-2.0
 License-File: LICENSE

{mongo_charms_single_kernel-1.8.8 → mongo_charms_single_kernel-1.8.9}/pyproject.toml

@@ -38,9 +38,9 @@ dependencies = [
     "boto3 (~=1.37.12)",
     "mypy-boto3-s3 (~=1.37.0)",
     "python-ldap",
-    "charm-refresh (>=3.1.0.2,<4.0.0.0)",
+    "charm-refresh (>=3.1.0.2,<4.0.0.0)"
 ]
-version = "1.8.8"
+version = "1.8.9"
 
 [project.urls]
 homepage = "https://github.com/canonical/mongo-single-kernel-library"
@@ -137,12 +137,6 @@ httpx = "*"
 boto3 = "^1.37.12"
 mypy-boto3-s3 = "^1.37.0"
 
-[tool.poetry.group.build-refresh-version]
-optional = true
-
-[tool.poetry.group.build-refresh-version.dependencies]
-charm-refresh-build-version = "^0.4.0"
-
 [tool.ruff]
 target-version = "py310"
 line-length = 100

{mongo_charms_single_kernel-1.8.8 → mongo_charms_single_kernel-1.8.9}/single_kernel_mongo/config/literals.py

@@ -34,6 +34,13 @@ class Scope(str, Enum):
     UNIT = "unit"
 
 
+class TLSType(str, Enum):
+    """TLS types."""
+
+    PEER = "peer"
+    CLIENT = "client"
+
+
 class MongoPorts(IntEnum):
     """The default Mongo ports."""
 

{mongo_charms_single_kernel-1.8.8 → mongo_charms_single_kernel-1.8.9}/single_kernel_mongo/config/relations.py

@@ -35,7 +35,8 @@ class Scopes(str, Enum):
 class ExternalRequirerRelations(str, Enum):
     """The relations we require externally."""
 
-    TLS = "certificates"
+    CLIENT_TLS = "client-certificates"
+    PEER_TLS = "peer-certificates"
     S3_CREDENTIALS = "s3-credentials"
     LDAP = "ldap"
     LDAP_CERT = "ldap-certificate-transfer"

{mongo_charms_single_kernel-1.8.8 → mongo_charms_single_kernel-1.8.9}/single_kernel_mongo/config/statuses.py

@@ -118,24 +118,45 @@ class MongosStatuses(Enum):
         check="Config validation failed.",
         action="Set the expose-external config to a valid value: `nodeport` or `none`.",
     )
-    MISSING_TLS_REL = StatusObject(
+    MISSING_PEER_TLS_REL = StatusObject(
         status="blocked",
-        message="TLS must be enabled in mongos, since it is enabled on the config-server in the cluster relation.",
-        short_message="Missing certificates relation.",
+        message="Peer TLS must be enabled in mongos, since it is enabled on the config-server in the cluster relation.",
+        short_message="Missing peer-certificates relation.",
         check="Relation validation failed.",
-        action="Add the certificates relation (tls-certificates interface) to mongos.",
+        action="Add the peer-certificates relation to mongos.",
     )
-    INVALID_TLS_REL = StatusObject(
+    INVALID_PEER_TLS_REL = StatusObject(
         status="blocked",
-        message="TLS must be disabled in mongos, since it is disabled on the config-server in the cluster relation.",
-        short_message="Invalid certificates relation.",
+        message="Peer TLS must be disabled in mongos, since it is disabled on the config-server in the cluster relation.",
+        short_message="Invalid peer-certificates relation.",
         check="Relation validation failed.",
-        action="Remove the certificates relation (tls-certificates interface) from this application.",
+        action="Remove the peer-certificates relation from this application.",
     )
-    CA_MISMATCH = StatusObject(
+    MISSING_CLIENT_TLS_REL = StatusObject(
         status="blocked",
-        message="The mongos CA and Config-Server CA don't match.",
-        short_message="CA mismatch.",
+        message="Client TLS must be enabled in mongos, since it is enabled on the config-server in the cluster relation.",
+        short_message="Missing client-certificates relation.",
+        check="Relation validation failed.",
+        action="Add the client-certificates relation to mongos.",
+    )
+    INVALID_CLIENT_TLS_REL = StatusObject(
+        status="blocked",
+        message="Client TLS must be disabled in mongos, since it is disabled on the config-server in the cluster relation.",
+        short_message="Invalid client-certificates relation.",
+        check="Relation validation failed.",
+        action="Remove the client-certificates relation from this application.",
+    )
+    PEER_CA_MISMATCH = StatusObject(
+        status="blocked",
+        message="The mongos peer CA and Config-Server peer CA don't match.",
+        short_message="Peer CA mismatch.",
+        check="Relation validation failed.",
+        action="Verify the certificates relations. Use the same CA for all cluster components.",
+    )
+    CLIENT_CA_MISMATCH = StatusObject(
+        status="blocked",
+        message="The mongos client CA and Config-Server client CA don't match.",
+        short_message="Client CA mismatch.",
         check="Relation validation failed.",
         action="Verify the certificates relations. Use the same CA for all cluster components.",
     )
@@ -153,6 +174,27 @@ class MongosStatuses(Enum):
         status="maintenance", message="Starting mongos.", running="blocking"
     )
 
+    @classmethod
+    def missing_tls(cls, internal: bool) -> StatusObject:
+        """Correct status."""
+        if internal:
+            return cls.MISSING_PEER_TLS_REL.value
+        return cls.MISSING_CLIENT_TLS_REL.value
+
+    @classmethod
+    def invalid_tls(cls, internal: bool) -> StatusObject:
+        """Correct status."""
+        if internal:
+            return cls.INVALID_PEER_TLS_REL.value
+        return cls.INVALID_CLIENT_TLS_REL.value
+
+    @classmethod
+    def incompatible_ca(cls, internal: bool) -> StatusObject:
+        """Correct status."""
+        if internal:
+            return cls.PEER_CA_MISMATCH.value
+        return cls.CLIENT_CA_MISMATCH.value
+
 
 class CharmStatuses(Enum):
     """Charm Statuses."""
@@ -182,11 +224,28 @@ class CharmStatuses(Enum):
 class TLSStatuses(Enum):
     """TLS statuses."""
 
-    # RUNNING statuses:
-    DISABLING_TLS = StatusObject(
+    INVALID_PEER_PRIVATE_KEY = StatusObject(
+        status="blocked",
+        message="Invalid peer private key",
+        check="Peer private key format validation failed",
+        action="Update the peer private key secret.",
+    )
+    INVALID_CLIENT_PRIVATE_KEY = StatusObject(
+        status="blocked",
+        message="Invalid client private key",
+        check="Client private key format validation failed.",
+        action="Update the client privatekey secret.",
+    )
+    DISABLING_PEER_TLS = StatusObject(
         status="maintenance",
-        message="Disabling TLS...",
-        check="Certificates relation (tls-certificates interface) removed.",
+        message="Disabling peer TLS...",
+        check="Peer certificates relation (tls-certificates interface) removed.",
+        running="blocking",
+    )
+    DISABLING_CLIENT_TLS = StatusObject(
+        status="maintenance",
+        message="Disabling client TLS...",
+        check="Client certificates relation (tls-certificates interface) removed.",
         running="blocking",
     )
     # Enabling TLS takes a while because we wait for multiple certs so it's
@@ -343,12 +402,39 @@ class ConfigServerStatuses(Enum):
 class ShardStatuses(Enum):
     """Shard statuses."""
 
-    REQUIRES_TLS = StatusObject(status="blocked", message="Shard requires TLS to be enabled.")
-    REQUIRES_NO_TLS = StatusObject(
-        status="blocked", message="Shard has TLS enabled, but config-server does not."
+    MISSING_PEER_TLS_REL = StatusObject(
+        status="blocked", message="Shard requires peer TLS to be enabled."
     )
-    CA_MISMATCH = StatusObject(
-        status="blocked", message="Shard CA and Config-Server CA don't match."
+    INVALID_PEER_TLS_REL = StatusObject(
+        status="blocked",
+        message="Peer TLS must be disabled in shard, since it is disabled in the related config-server.",
+        short_message="Invalid peer-certificates relation.",
+        check="Relation validation failed.",
+        action="Align the peer TLS configuration in all the cluster components: remove the peer-certificates relation from the shard.",
+    )
+    MISSING_CLIENT_TLS_REL = StatusObject(
+        status="blocked", message="Shard requires client TLS to be enabled."
+    )
+    INVALID_CLIENT_TLS_REL = StatusObject(
+        status="blocked",
+        message="Peer TLS must be disabled in shard, since it is disabled in the related config-server.",
+        short_message="Invalid client-certificates relation.",
+        check="Relation validation failed.",
+        action="Align the peer TLS configuration in all the cluster components: remove the client-certificates relation from the shard.",
+    )
+    PEER_CA_MISMATCH = StatusObject(
+        status="blocked",
+        message="Shard internal CA and Config-Server internal CA don't match.",
+        short_message="Peer CA mismatch.",
+        check="Relation validation failed.",
+        action="Verify the peer-certificates relations. Use the same CA for all cluster components.",
+    )
+    CLIENT_CA_MISMATCH = StatusObject(
+        status="blocked",
+        message="Shard client CA and Config-Server client CA don't match.",
+        short_message="Client CA mismatch.",
+        check="Relation validation failed.",
+        action="Verify the client-certificates relations. Use the same CA for all cluster components.",
     )
 
     MISSING_CONF_SERVER_REL = StatusObject(
@@ -399,6 +485,27 @@ class ShardStatuses(Enum):
             message=f"Charm revision ({current_charms_version}{local_identifier}) is not up-to date with config-server.",
         )
 
+    @classmethod
+    def missing_tls(cls, internal: bool) -> StatusObject:
+        """Correct status."""
+        if internal:
+            return cls.MISSING_PEER_TLS_REL.value
+        return cls.MISSING_CLIENT_TLS_REL.value
+
+    @classmethod
+    def invalid_tls(cls, internal: bool) -> StatusObject:
+        """Correct status."""
+        if internal:
+            return cls.INVALID_PEER_TLS_REL.value
+        return cls.INVALID_CLIENT_TLS_REL.value
+
+    @classmethod
+    def incompatible_ca(cls, internal: bool) -> StatusObject:
+        """Correct status."""
+        if internal:
+            return cls.PEER_CA_MISMATCH.value
+        return cls.CLIENT_CA_MISMATCH.value
+
 
 class MongodStatuses(Enum):
     """MongoD statuses."""

{mongo_charms_single_kernel-1.8.8 → mongo_charms_single_kernel-1.8.9}/single_kernel_mongo/core/operator.py

@@ -37,6 +37,7 @@ from single_kernel_mongo.config.literals import (
     TrustStoreFiles,
 )
 from single_kernel_mongo.config.models import SNAP_NAME, THP_CONFIG, CharmSpec, LogRotateConfig
+from single_kernel_mongo.core.structured_config import MongoConfigModel
 from single_kernel_mongo.events.ldap import LDAPEventHandler
 from single_kernel_mongo.exceptions import (
     DeferrableFailedHookChecksError,
@@ -106,6 +107,12 @@ class OperatorProtocol(ABC, Object, ManagerStatusProtocol):
 
         def __init__(self, dependent: AbstractMongoCharm): ...
 
+    @property
+    @abstractmethod
+    def config(self) -> MongoConfigModel:
+        """The pydantic model of the config."""
+        ...
+
     @property
     @abstractmethod
     def components(self) -> tuple[ManagerStatusProtocol, ...]:

{mongo_charms_single_kernel-1.8.8 → mongo_charms_single_kernel-1.8.9}/single_kernel_mongo/core/structured_config.py

@@ -100,6 +100,8 @@ class MongoConfigModel(BaseConfigModel):
     role: SerializeLiteralAsStr[MongoDBRoles]
     ldap_user_to_dn_mapping: str | None = Field(default=None, alias="ldap-user-to-dn-mapping")
     ldap_query_template: str | None = Field(default=None, alias="ldap-query-template")
+    tls_peer_private_key_id: str | None = Field(default=None, alias="tls-peer-private-key")
+    tls_client_private_key_id: str | None = Field(default=None, alias="tls-client-private-key")
 
     @field_validator("expose_external", mode="before")
     @classmethod

{mongo_charms_single_kernel-1.8.8 → mongo_charms_single_kernel-1.8.9}/single_kernel_mongo/core/workload.py

@@ -93,15 +93,21 @@ class MongoPaths:
         return Path(f"{self.conf_path}/internal-ca.crt")
 
     @property
-    def tls_files(self) -> set[Path]:
-        """Set of all TLS files."""
+    def tls_peer_files(self) -> set[Path]:
+        """Set of peer TLS files."""
         return {
-            self.ext_pem_file,
-            self.ext_ca_file,
             self.int_pem_file,
             self.int_ca_file,
         }
 
+    @property
+    def tls_client_files(self) -> set[Path]:
+        """Set of client TLS files."""
+        return {
+            self.ext_pem_file,
+            self.ext_ca_file,
+        }
+
     @property
     def ldap_path(self) -> Path:
         """The LDAP conf path."""

{mongo_charms_single_kernel-1.8.8 → mongo_charms_single_kernel-1.8.9}/single_kernel_mongo/events/cluster.py

@@ -136,6 +136,11 @@ class ClusterMongosEventHandler(Object):
     def _on_relation_created(self, event: RelationCreatedEvent) -> None:
         """Relation created event handler."""
         self.manager.set_relation_created_status()
+        # Edge condition: mongos was integrated with the certificates provider
+        # before being integrated with the config-server. We trigger the refresh
+        # of the certificates to use the config-server as CSR subject.
+        if self.manager.state.peer_tls_relation or self.manager.state.client_tls_relation:
+            self.dependent.tls_events.refresh_certificates()
 
     def _on_database_created(self, event: DatabaseCreatedEvent) -> None:
         """Database Created event handler.

{mongo_charms_single_kernel-1.8.8 → mongo_charms_single_kernel-1.8.9}/single_kernel_mongo/events/sharding.py

@@ -162,8 +162,10 @@ class ShardEventHandler(Object):
         """SecretChanged event handler, which is used to propagate the updated passwords."""
         try:
             self.manager.handle_secret_changed(event.secret.label or "")
-        except (NotReadyError, FailedToUpdateCredentialsError):
+        except (NotReadyError, FailedToUpdateCredentialsError, DeferrableFailedHookChecksError):
             event.defer()
+        except NonDeferrableFailedHookChecksError as e:
+            logger.info(f"Skipping {str(type(event))}: {str(e)}")
         except WaitingForSecretsError:
             logger.info("Missing secrets, ignoring")
 

mongo_charms_single_kernel-1.8.9/single_kernel_mongo/events/tls.py

@@ -0,0 +1,242 @@
+#!/usr/bin/env python3
+# Copyright 2024 Canonical Ltd.
+# See LICENSE file for licensing details.
+
+"""Manager for handling TLS events."""
+
+from __future__ import annotations
+
+import logging
+from typing import TYPE_CHECKING
+
+from ops import ConfigChangedEvent
+from ops.charm import RelationBrokenEvent, RelationCreatedEvent
+from ops.framework import EventBase, EventSource, Object
+
+from single_kernel_mongo.config.literals import CharmKind, TLSType
+from single_kernel_mongo.config.relations import ExternalRequirerRelations
+from single_kernel_mongo.config.statuses import (
+    MongosStatuses,
+    ShardStatuses,
+    TLSStatuses,
+)
+from single_kernel_mongo.core.structured_config import MongoDBRoles
+from single_kernel_mongo.exceptions import DeferrableFailedHookChecksError
+from single_kernel_mongo.lib.charms.tls_certificates_interface.v4.tls_certificates import (
+    CertificateAvailableEvent,
+    TLSCertificatesRequiresV4,
+)
+from single_kernel_mongo.state.tls_state import TlsManagementState
+from single_kernel_mongo.utils.event_helpers import defer_event_with_info_log
+
+if TYPE_CHECKING:
+    from single_kernel_mongo.abstract_charm import AbstractMongoCharm
+    from single_kernel_mongo.core.operator import OperatorProtocol
+
+logger = logging.getLogger(__name__)
+
+
+class RefreshTLSCertificatesEvent(EventBase):
+    """Event for refreshing TLS certificates."""
+
+
+class TLSEventsHandler(Object):
+    """Event Handler for managing TLS events."""
+
+    refresh_tls_certificates_event = EventSource(RefreshTLSCertificatesEvent)
+
+    def __init__(self, dependent: OperatorProtocol):
+        super().__init__(parent=dependent, key="tls")
+        self.dependent = dependent
+        self.manager = self.dependent.tls_manager
+        self.charm: AbstractMongoCharm = dependent.charm
+
+        self.peer_certificate = TLSCertificatesRequiresV4(
+            charm=self.charm,
+            relationship_name=ExternalRequirerRelations.PEER_TLS.value,
+            certificate_requests=[self.manager.get_certificate_request_attributes()],
+            private_key=self.manager.state.tls.peer_private_key,
+            refresh_events=[self.refresh_tls_certificates_event],
+        )
+
+        self.client_certificate = TLSCertificatesRequiresV4(
+            charm=self.charm,
+            relationship_name=ExternalRequirerRelations.CLIENT_TLS.value,
+            certificate_requests=[self.manager.get_certificate_request_attributes()],
+            private_key=self.manager.state.tls.client_private_key,
+            refresh_events=[self.refresh_tls_certificates_event],
+        )
+        for cert_requires in [self.peer_certificate, self.client_certificate]:
+            self.framework.observe(
+                cert_requires.on.certificate_available, self._on_certificate_available
+            )
+
+        for relation_name in [
+            ExternalRequirerRelations.PEER_TLS.value,
+            ExternalRequirerRelations.CLIENT_TLS.value,
+        ]:
+            self.framework.observe(
+                self.charm.on[relation_name].relation_created,
+                self._on_tls_relation_created,
+            )
+            self.framework.observe(
+                self.charm.on[relation_name].relation_broken,
+                self._on_tls_relation_broken,
+            )
+
+        self.framework.observe(self.charm.on.config_changed, self._on_config_changed)
+        self.framework.observe(self.charm.on.secret_changed, self._on_secret_changed)
+
+    @property
+    def tls_mapping(self) -> dict[bool, TLSCertificatesRequiresV4]:
+        """Mapping of boolean to a TLS requirer instance.
+
+        The boolean value is True if the requirer is for internal certificates,
+        and False for the client certificates.
+        """
+        return {True: self.peer_certificate, False: self.client_certificate}
+
+    def _on_tls_relation_created(self, event: RelationCreatedEvent) -> None:
+        """Handler for relation created."""
+        if self.manager.state.is_role(MongoDBRoles.MONGOS):
+            self.manager.state.statuses.delete(
+                MongosStatuses.MISSING_PEER_TLS_REL.value,
+                scope="unit",
+                component=self.dependent.name,
+            )
+            self.manager.state.statuses.delete(
+                MongosStatuses.MISSING_CLIENT_TLS_REL.value,
+                scope="unit",
+                component=self.dependent.name,
+            )
+
+        if self.manager.state.is_role(MongoDBRoles.SHARD):
+            self.manager.state.statuses.delete(
+                ShardStatuses.MISSING_PEER_TLS_REL.value,
+                scope="unit",
+                component=self.dependent.name,
+            )
+            self.manager.state.statuses.delete(
+                ShardStatuses.MISSING_CLIENT_TLS_REL.value,
+                scope="unit",
+                component=self.dependent.name,
+            )
+
+    def refresh_certificates(self) -> None:
+        """Trigger refresh TLS certificates event."""
+        logger.info(f"Requesting refresh certificates for unit: {self.charm.unit.name}.")
+        self.refresh_tls_certificates_event.emit()
+
+    def _on_tls_relation_broken(self, event: RelationBrokenEvent) -> None:
+        """Handle the relation broken event."""
+        state = self.manager.get_tls_management_state()
+        match state:
+            case TlsManagementState.UPGRADE_IN_PROGRESS:
+                defer_event_with_info_log(logger, event, str(type(event)), state.value)
+                return
+            case (
+                TlsManagementState.DB_NOT_INTIALIZED
+                | TlsManagementState.MONGOS_DB_NOT_INITIALIZED
+            ):
+                logger.info("DB never initialised, removing the TLS relation.")
+                return
+            case _:
+                pass
+
+        internal = event.relation.name == ExternalRequirerRelations.PEER_TLS.value
+        logger.debug(
+            f"Disabling {TLSType.PEER.value if internal else TLSType.CLIENT.value} TLS for unit: {self.charm.unit.name}"
+        )
+
+        status = (
+            TLSStatuses.DISABLING_PEER_TLS.value
+            if internal
+            else TLSStatuses.DISABLING_CLIENT_TLS.value
+        )
+        self.charm.status_handler.set_running_status(status, scope="unit")
+        self.manager.disable_certificates_for_unit(internal)
+        # Recomputes the statuses for those components as the tls changes are impactful
+        self._recompute_statuses()
+
+    def _on_certificate_available(self, event: CertificateAvailableEvent) -> None:
+        """Handler for the certificate available event.
+
+        This event is emitted by the TLS charm when a certificates is available.
+        """
+        state = self.manager.get_tls_management_state()
+        match state:
+            case TlsManagementState.DB_NOT_INTIALIZED | TlsManagementState.UPGRADE_IN_PROGRESS:
+                defer_event_with_info_log(logger, event, str(type(event)), state.value)
+                return
+            case TlsManagementState.MONGOS_MISSING_CONFIG_SERVER:
+                logger.info(f"{state.value} Ignoring certificate.")
+                return
+            case _:
+                pass
+
+        logger.info("Certificate available.")
+
+        cert = event.certificate
+        client_certificates, client_private_key = (
+            self.client_certificate.get_assigned_certificates()
+        )
+        peer_certificates, peer_private_key = self.peer_certificate.get_assigned_certificates()
+
+        if client_certificates and client_certificates[0].certificate == cert:
+            internal = False
+            provider_cert = client_certificates[0]
+            private_key = client_private_key.raw if client_private_key else None
+        elif peer_certificates and peer_certificates[0].certificate == cert:
+            internal = True
+            provider_cert = peer_certificates[0]
+            private_key = peer_private_key.raw if peer_private_key else None
+        else:
+            logger.error("Received certificate does not match any assigned certificates.")
+            return
+
+        logger.debug(
+            f"Received {TLSType.PEER.value if internal else TLSType.CLIENT.value} certificate."
+        )
+
+        self.manager.set_certificates(
+            secret_chain=[c.raw for c in provider_cert.chain],
+            certificate=provider_cert.certificate.raw,
+            csr=provider_cert.certificate_signing_request.raw,
+            ca=provider_cert.ca.raw,
+            private_key=private_key,
+            internal=internal,
+        )
+        if internal:
+            self.dependent.state.update_peer_ca_secrets(provider_cert.ca.raw)
+        else:
+            self.dependent.state.update_client_ca_secrets(provider_cert.ca.raw)
+
+        self.manager.enable_certificates_for_unit(internal)
+        self._recompute_statuses()
+
+    def _on_config_changed(self, event: ConfigChangedEvent) -> None:
+        """On Config Changed, validate private keys and refresh certs if needed."""
+        try:
+            self.manager.update_private_keys()
+        except DeferrableFailedHookChecksError as e:
+            defer_event_with_info_log(logger, event, "set-private-key", f"{e}")
+            return
+
+    def _on_secret_changed(self, event: ConfigChangedEvent) -> None:
+        """On Secret Changed, validate private keys and refresh certs if needed."""
+        try:
+            self.manager.update_private_keys()
+        except DeferrableFailedHookChecksError as e:
+            defer_event_with_info_log(logger, event, "set-private-key", f"{e}")
+            return
+
+    def _recompute_statuses(self):
+        """Recomputes the statuses for those components as the tls changes are impactful."""
+        if self.dependent.name == CharmKind.MONGOD:
+            self.charm.status_handler._recompute_statuses_for_scope(
+                "unit", self.dependent.shard_manager
+            )
+        else:
+            self.charm.status_handler._recompute_statuses_for_scope("unit", self.dependent)
+            if self.charm.unit.is_leader():
+                self.charm.status_handler._recompute_statuses_for_scope("app", self.dependent)

{mongo_charms_single_kernel-1.8.8 → mongo_charms_single_kernel-1.8.9}/single_kernel_mongo/exceptions.py

@@ -134,14 +134,6 @@ class InvalidArgumentForActionError(Exception):
     """Raised when arguments for an action are invalid."""
 
 
-class UnknownCertificateExpiringError(Exception):
-    """Raised when an unknown certificate is expiring."""
-
-
-class UnknownCertificateAvailableError(Exception):
-    """Raised when an unknown certificate is available."""
-
-
 class DatabaseRequestedHasNotRunYetError(Exception):
     """Raised when the database event has not run yet."""