Ejemplo n.º 1
 def test_310_308(self):
     # MDRequireHttps must be recorded in the store as 'require-https', both
     # for the one-line MDomain form and for the <MDomainSet> block form.
     # Scope: only the attribute reported by "a2md list" is checked; no HTTP
     # request is made here, so the redirect itself is not exercised.
     #
     # baseline: directive absent -> attribute absent
     HttpdConf(text="""
         MDomain testdomain.org www.testdomain.org mail.testdomain.org
         """).install()
     assert TestEnv.apache_restart() == 0
     md_entry = TestEnv.a2md(["list"])['jout']['output'][0]
     assert "require-https" not in md_entry
     # temporary redirect mode
     HttpdConf(text="""
         MDomain testdomain.org www.testdomain.org mail.testdomain.org
         MDRequireHttps temporary
         """).install()
     assert TestEnv.apache_restart() == 0
     md_entry = TestEnv.a2md(["list"])['jout']['output'][0]
     assert md_entry['require-https'] == "temporary"
     # permanent redirect mode, configured inside an <MDomainSet> block
     HttpdConf(text="""
         <MDomainSet testdomain.org>
             MDMember www.testdomain.org mail.testdomain.org
             MDRequireHttps permanent
         </MDomainSet>
         """).install()
     assert TestEnv.apache_restart() == 0
     md_entry = TestEnv.a2md(["list"])['jout']['output'][0]
     assert md_entry['require-https'] == "permanent"
Ejemplo n.º 2
 def test_310_307(self):
     # MDPrivateKeys changes (RSA 4096 -> 2048 -> 4096) must be reflected in
     # the 'privkey' entry of the store after each restart.
     # Scope: this compares the stored key *specification* only; no key is
     # generated or inspected here, so a downgrade to 2048 bits is accepted
     # by design of the test.
     #
     # start with RSA 4096
     HttpdConf(text="""
         MDPrivateKeys RSA 4096
         MDomain testdomain.org www.testdomain.org mail.testdomain.org
         """).install()
     assert TestEnv.apache_restart() == 0
     key_spec = TestEnv.a2md(["list"])['jout']['output'][0]['privkey']
     assert key_spec == dict(type="RSA", bits=4096)
     # lower to RSA 2048
     HttpdConf(text="""
         MDPrivateKeys RSA 2048
         MDomain testdomain.org www.testdomain.org mail.testdomain.org
         """).install()
     assert TestEnv.apache_restart() == 0
     key_spec = TestEnv.a2md(["list"])['jout']['output'][0]['privkey']
     assert key_spec == dict(type="RSA", bits=2048)
     # and back to RSA 4096
     HttpdConf(text="""
         MDPrivateKeys RSA 4096
         MDomain testdomain.org www.testdomain.org mail.testdomain.org
         """).install()
     assert TestEnv.apache_restart() == 0
     key_spec = TestEnv.a2md(["list"])['jout']['output'][0]['privkey']
     assert key_spec == dict(type="RSA", bits=4096)
Ejemplo n.º 3
    def test_700_009(self):
        # A certificate in the store that is about to expire must be renewed.
        # Flow: obtain a cert, replace it with a short-lived self-signed one,
        # restart, and expect a certificate with a different serial afterwards.
        domain = self.test_domain
        md_names = [domain]
        # prepare md
        conf = HttpdConf()
        conf.add_admin("admin@" + domain)
        conf.add_drive_mode("auto")
        conf.add_renew_window("10d")
        conf.add_md(md_names)
        conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[])
        conf.install()

        # restart (-> drive), check that md+cert is in store, TLS is up
        assert TestEnv.apache_restart() == 0
        assert TestEnv.await_completion([domain])
        TestEnv.check_md_complete(domain)
        issued = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
        # the serial md reports as status must match the stored certificate
        reported = TestEnv.get_certificate_status(domain)
        assert reported['serial'] == issued.get_serial()

        # create self-signed cert with critically short remaining validity
        # (units of notBefore/notAfter are defined by CertUtil, not visible here)
        validity = {"notBefore": -120, "notAfter": 2}
        CertUtil.create_self_signed_cert([domain], validity, serial=7009)
        planted = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
        # 7009 decimal is 0x1B61: the store now holds the planted certificate
        assert planted.get_serial() == '1B61'
        assert TestEnv.apache_restart() == 0
        reported = TestEnv.get_certificate_status(domain)
        assert reported['serial'] == planted.get_serial()

        # cert should renew and be different afterwards
        assert TestEnv.await_completion([domain], must_renew=True)
        reported = TestEnv.get_certificate_status(domain)
        assert reported['serial'] != planted.get_serial()
Ejemplo n.º 4
 def test_310_306(self):
     # MDCAChallenges must be stored as the MD's ['ca']['challenges'] list,
     # in the order configured. Restricting the list is how an operator pins
     # which ACME challenge types may be used for this MD.
     #
     # test case: http-01 only
     HttpdConf(text="""
         MDCAChallenges http-01
         MDomain testdomain.org www.testdomain.org mail.testdomain.org
         """).install()
     assert TestEnv.apache_restart() == 0
     challenges = TestEnv.a2md(["list"])['jout']['output'][0]['ca']['challenges']
     assert challenges == ['http-01']
     # test case: tls-alpn-01 only
     HttpdConf(text="""
         MDCAChallenges tls-alpn-01
         MDomain testdomain.org www.testdomain.org mail.testdomain.org
         """).install()
     assert TestEnv.apache_restart() == 0
     challenges = TestEnv.a2md(["list"])['jout']['output'][0]['ca']['challenges']
     assert challenges == ['tls-alpn-01']
     # test case: both challenge types
     HttpdConf(text="""
         MDCAChallenges http-01 tls-alpn-01
         MDomain testdomain.org www.testdomain.org mail.testdomain.org
         """).install()
     assert TestEnv.apache_restart() == 0
     challenges = TestEnv.a2md(["list"])['jout']['output'][0]['ca']['challenges']
     assert challenges == ['http-01', 'tls-alpn-01']
Ejemplo n.º 5
 def test_920_001(self):
     # simple MD, drive it, check the certificate status before and after
     # the new certificate is activated by a restart
     domain = self.test_domain
     md_names = [domain]
     conf = HttpdConf()
     # NOTE(review): the admin address looks masked in this listing
     conf.add_admin("*****@*****.**")
     conf.add_md(md_names)
     conf.add_vhost(domain)
     conf.install()
     assert TestEnv.apache_restart() == 0
     assert TestEnv.await_completion([domain], restart=False)
     # We started without a valid certificate, so the status must not describe
     # an active one. Since the ACME signup has completed, the pending cert is
     # described under 'renewal' instead.
     staged = TestEnv.get_certificate_status(domain)
     assert 'sha256-fingerprint' not in staged
     assert 'valid' not in staged
     assert 'renewal' in staged
     assert 'valid' in staged['renewal']
     assert 'sha256-fingerprint' in staged['renewal']
     # restart and activate: the staging info must be gone and the attributes
     # must now exist for the active cert
     assert TestEnv.apache_restart() == 0
     active = TestEnv.get_certificate_status(domain)
     assert 'renewal' not in active
     assert 'sha256-fingerprint' in active
     assert 'valid' in active
     assert 'from' in active['valid']
Ejemplo n.º 6
 def test_801_002(self):
     # Toggle MDStapling for one MD: unset -> on -> off. The OCSP query must
     # report "successful (0x0)" in all three phases; what changes is whether
     # mod_md reports itself as the stapling provider for this MD.
     md_name = TestStapling.mdA
     TestStapling.configure_httpd(md_name, ssl_stapling=True).install()
     assert TestEnv.apache_stop() == 0
     assert TestEnv.apache_restart() == 0
     ocsp = TestEnv.get_ocsp_status(md_name)
     assert ocsp['ocsp'] == "successful (0x0)"
     md_status = TestEnv.get_md_status(md_name)
     assert not md_status["stapling"]
     #
     # turn stapling on, wait for it to appear in connections
     TestStapling.configure_httpd(
         md_name, "MDStapling on", ssl_stapling=True).install()
     assert TestEnv.apache_restart() == 0
     ocsp = TestEnv.await_ocsp_status(md_name)
     assert ocsp['ocsp'] == "successful (0x0)"
     assert ocsp['verify'] == "0 (ok)"
     md_status = TestEnv.get_md_status(md_name)
     assert md_status["stapling"]
     # with stapling on, the MD status also carries the OCSP answer itself
     assert md_status["cert"]["ocsp"]["status"] == "good"
     assert md_status["cert"]["ocsp"]["valid"]
     #
     # turn stapling off (explicitly) again, should disappear
     TestStapling.configure_httpd(
         md_name, "MDStapling off", ssl_stapling=True).install()
     assert TestEnv.apache_restart() == 0
     ocsp = TestEnv.get_ocsp_status(md_name)
     assert ocsp['ocsp'] == "successful (0x0)"
     md_status = TestEnv.get_md_status(md_name)
     assert not md_status["stapling"]
Ejemplo n.º 7
 def test_310_118(self):
     # add renew window to existing md: start from the plain "one_md" config,
     # then switch to "renew_14d" and expect the store to report '14d'
     TestEnv.install_test_conf("one_md")
     assert TestEnv.apache_restart() == 0
     TestEnv.install_test_conf("renew_14d")
     assert TestEnv.apache_restart() == 0
     md_entry = TestEnv.a2md(["list"])['jout']['output'][0]
     assert md_entry['renew-window'] == '14d'
Ejemplo n.º 8
    def test_700_011(self):
        # MDPortMap decides where the server expects the CA's TLS challenge
        # to arrive. Mapped to port 99 the drive must fail; mapped to the
        # real HTTPS port it must complete.
        # NOTE(review): tls-sni-01 has been withdrawn by public ACME CAs and
        # superseded by tls-alpn-01 (RFC 8737); this test presumably targets
        # an older test CA - confirm before reusing it.
        domain = "test700-011-" + TestAuto.dns_uniq
        dns_list = [domain, "www." + domain]

        def install_conf(port_map_line):
            # one MD and one SSL vhost; only the port mapping varies
            conf = HttpdConf(TestAuto.TMP_CONF)
            conf.add_admin("admin@" + domain)
            conf.add_drive_mode("auto")
            conf.add_ca_challenges(["tls-sni-01"])
            conf._add_line(port_map_line)
            conf.add_md(dns_list)
            conf.add_vhost(TestEnv.HTTPS_PORT, domain,
                           aliasList=[dns_list[1]], withSSL=True)
            conf.install()

        # port 443 mapped to 99, which is not served: challenge cannot succeed
        install_conf("MDPortMap 443:99")
        assert TestEnv.apache_restart() == 0
        self._check_md_names(domain, dns_list)
        assert TestEnv.await_error([domain])

        # now the same with 443 mapped to the port the server listens on
        install_conf("MDPortMap 443:%s" % TestEnv.HTTPS_PORT)
        assert TestEnv.apache_restart() == 0
        self._check_md_names(domain, dns_list)
        assert TestEnv.await_completion([domain])
Ejemplo n.º 9
 def test_702_001(self):
     # An MD without a vhost is synched to the store but not watched; once
     # a vhost uses it, a restart drives it to completion.
     domain = self.test_domain
     # generate config with one MD
     md_names = [domain, "www." + domain]
     conf = HttpdConf()
     conf.add_admin("admin@" + domain)
     conf.add_drive_mode("auto")
     conf.add_md(md_names)
     conf.install()
     #
     # restart, check that MD is synched to store
     assert TestEnv.apache_restart() == 0
     TestEnv.check_md(md_names)
     md_status = TestEnv.get_md_status(domain)
     assert md_status["watched"] == 0
     #
     # add vhost for MD, restart should drive it
     conf.add_vhost(md_names)
     conf.install()
     assert TestEnv.apache_restart() == 0
     assert TestEnv.await_completion([domain])
     TestEnv.check_md_complete(domain)
     md_status = TestEnv.get_md_status(domain)
     assert md_status["watched"] == 1
     served_cert = TestEnv.get_cert(domain)
     assert domain in served_cert.get_san_list()
     #
     # Post-conditions on the store: no challenge material may be left
     # behind, and the files must pass the permission check (what counts as
     # correct is defined in TestEnv.check_file_permissions, not shown here).
     TestEnv.check_dir_empty(TestEnv.store_challenges())
     TestEnv.check_file_permissions(domain)
Ejemplo n.º 10
    def test_602_000(self):
        # test case: generate config with md -> restart -> drive -> generate
        # config with vhost and ssl -> restart -> check HTTPS access
        domain = self.test_domain
        md_names = [domain, "www." + domain]

        # - generate config with one md, driven manually
        conf = HttpdConf()
        conf.add_admin("admin@" + domain)
        conf.add_drive_mode("manual")
        conf.add_md(md_names)
        conf.install()
        # - restart, check that md is in store
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(md_names)
        # - drive via the a2md command line, expect exit value 0
        drive_result = TestEnv.a2md(["-v", "drive", domain])
        assert drive_result['rv'] == 0
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md_complete(domain)
        # - append vhost to config
        conf.add_vhost(md_names)
        conf.install()
        assert TestEnv.apache_restart() == 0
        # check: SSL is running OK, the served cert names the domain
        served_cert = TestEnv.get_cert(domain)
        assert domain in served_cert.get_san_list()

        # check file system permissions of the stored key/cert material
        TestEnv.check_file_permissions(domain)
Ejemplo n.º 11
    def test_702_031(self):
        # Changing the name list of an MD (drop the first name, add a new
        # one) must lead to a new certificate, while the MD keeps its
        # original name in the store.
        domain = self.test_domain
        nameX = "test-x." + domain
        nameA = "test-a." + domain
        nameB = "test-b." + domain
        nameC = "test-c." + domain
        dns_list = [nameX, nameA, nameB]

        def install_conf(md_names):
            # one MD with the given names plus the two vhosts a and b
            conf = HttpdConf()
            conf.add_admin("admin@" + domain)
            conf.add_md(md_names)
            for host, doc_root in ((nameA, "htdocs/a"), (nameB, "htdocs/b")):
                conf.add_vhost(TestEnv.HTTPS_PORT,
                               host,
                               aliasList=[],
                               docRoot=doc_root)
            conf.install()

        # generate 1 MD and 2 vhosts
        install_conf(dns_list)

        # restart (-> drive), check that MD was synched and completes
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(nameX, dns_list)
        assert TestEnv.await_completion([nameX])
        TestEnv.check_md_complete(nameX)

        # check: SSL is running OK, both vhosts serve the same certificate
        certA = CertUtil.load_server_cert(
            TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameA)
        assert nameA in certA.get_san_list()
        certB = CertUtil.load_server_cert(
            TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameB)
        assert nameB in certB.get_san_list()
        assert certA.get_serial() == certB.get_serial()

        # change MD by removing 1st name and adding another
        new_list = [nameA, nameB, nameC]
        install_conf(new_list)
        # restart, check that the host still works and has a new cert;
        # the MD is still looked up under its first name, nameX
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(nameX, new_list)
        assert TestEnv.await_completion([nameA])

        certA2 = CertUtil.load_server_cert(
            TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameA)
        assert nameA in certA2.get_san_list()
        assert certA.get_serial() != certA2.get_serial()
Ejemplo n.º 12
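    def test_702_001(self):
        # An MD that no vhost uses must be synched to the store but not
        # driven; adding a vhost and restarting must drive it to completion.
        domain = self.test_domain
        # generate config with one MD
        dns_list = [domain, "www." + domain]
        conf = HttpdConf()
        conf.add_admin("admin@" + domain)
        conf.add_drive_mode("auto")
        conf.add_md(dns_list)
        conf.install()

        # restart, check that MD is synched to store
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(domain, dns_list)
        # give the server time to start a drive, if it wrongly were to do so
        time.sleep(2)
        # assert drive did not start
        TestEnv.check_md(domain, dns_list, TestEnv.MD_S_INCOMPLETE)
        # Raw string: "\[" is an invalid escape in a normal string literal and
        # triggers a warning on current Python versions. The pattern is unchanged.
        assert TestEnv.apache_err_scan(
            re.compile(r'.*\[md:debug\].*no mds to drive'))

        # add vhost for MD, restart should drive it
        conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[dns_list[1]])
        conf.install()
        assert TestEnv.apache_restart() == 0
        assert TestEnv.await_completion([domain])
        TestEnv.check_md_complete(domain)
        cert = CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
                                         TestEnv.HTTPS_PORT, domain)
        assert domain in cert.get_san_list()

        # challenges should have been removed from the store after completion
        TestEnv.check_dir_empty(TestEnv.store_challenges())

        # file system needs to have correct permissions (the expected modes
        # are defined in TestEnv.check_file_permissions, not visible here)
        TestEnv.check_file_permissions(domain)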
Ejemplo n.º 13
    def test_702_010(self):
        # With http-01 as the only allowed challenge, renewal must not even
        # start when port 80 is mapped to a port that is not served, and must
        # complete once it is mapped to the real HTTP port.
        domain = self.test_domain
        dns_list = [domain, "www." + domain]

        def install_conf(port_map_line):
            # one MD and one vhost; only the port mapping varies
            conf = HttpdConf()
            conf.add_admin("admin@" + domain)
            conf.add_drive_mode("auto")
            conf.add_ca_challenges(["http-01"])
            conf._add_line(port_map_line)
            conf.add_md(dns_list)
            conf.add_vhost(TestEnv.HTTPS_PORT, domain,
                           aliasList=[dns_list[1]])
            conf.install()

        # port 80 mapped to 99, where the server does not listen
        install_conf("MDPortMap 80:99")
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(domain, dns_list)
        assert not TestEnv.is_renewing(domain)

        # now the same with port 80 mapped to a supported port
        install_conf("MDPortMap 80:%s" % TestEnv.HTTP_PORT)
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(domain, dns_list)
        assert TestEnv.await_completion([domain])
Ejemplo n.º 14
    def test_310_302(self):
        # Changing MDCertificateAuthority / MDCertificateAgreement in the
        # config must update the CA info of the already stored MD.
        # NOTE(review): both directory URLs are plain http:// test endpoints;
        # RFC 8555 requires HTTPS for a real ACME server.
        primary = "testdomain.org"
        # setup: MD with the first CA
        HttpdConf(text="""
            MDCertificateAuthority http://acme.test.org:4000/directory
            MDCertificateProtocol ACME
            MDCertificateAgreement http://acme.test.org:4000/terms/v1

            MDomain testdomain.org www.testdomain.org mail.testdomain.org
            """).install()
        assert TestEnv.apache_restart() == 0
        # setup: sync with changed ca info
        # NOTE(review): the ServerAdmin address looks mangled by the page
        # this listing was taken from
        HttpdConf(text="""
            ServerAdmin mailto:[email protected]

            MDCertificateAuthority http://somewhere.com:6666/directory
            MDCertificateProtocol ACME
            MDCertificateAgreement http://somewhere.com:6666/terms/v1

            MDomain testdomain.org www.testdomain.org mail.testdomain.org
            """).install()
        assert TestEnv.apache_restart() == 0
        # check: same names, but the MD now carries the changed ca info
        expected_names = [primary, "www.testdomain.org", "mail.testdomain.org"]
        TestEnv.check_md(expected_names,
                         state=1,
                         ca="http://somewhere.com:6666/directory",
                         protocol="ACME",
                         agreement="http://somewhere.com:6666/terms/v1")
Ejemplo n.º 15
 def test_702_011(self):
     # With tls-alpn-01 as the only allowed challenge, renewal must not start
     # when the https port is mapped to a port that is not served, and must
     # complete once it is mapped to the real HTTPS port.
     domain = self.test_domain
     md_names = [domain, "www." + domain]

     def install_conf(port_map_line):
         # one MD and one vhost with acme-tls/1 enabled; only the port
         # mapping varies
         conf = HttpdConf()
         conf.add_admin("admin@" + domain)
         conf.add_line("Protocols http/1.1 acme-tls/1")
         conf.add_drive_mode("auto")
         conf.add_ca_challenges(["tls-alpn-01"])
         conf._add_line(port_map_line)
         conf.add_md(md_names)
         conf.add_vhost(md_names)
         conf.install()

     #
     # https mapped to port 99, where the server does not listen
     install_conf("MDPortMap https:99")
     assert TestEnv.apache_restart() == 0
     TestEnv.check_md(md_names)
     assert not TestEnv.is_renewing(domain)
     #
     # now the same with https mapped to a supported port
     install_conf("MDPortMap https:%s" % TestEnv.HTTPS_PORT)
     assert TestEnv.apache_restart() == 0
     TestEnv.check_md(md_names)
     assert TestEnv.await_completion([domain])
Ejemplo n.º 16
    def test_600_000(self):
        # test case: generate config with md -> restart -> drive -> generate
        # config with vhost and ssl -> restart -> check HTTPS access
        domain = self.test_domain
        md_names = [domain, "www." + domain]
        conf = HttpdConf()
        conf.add_admin("admin@" + domain)
        conf.add_drive_mode("manual")
        conf.add_md(md_names)
        conf.install()
        # - restart, check that md is in store
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(domain, md_names)
        # - drive via the a2md command line, expect exit value 0
        drive_result = TestEnv.a2md(["-vvvv", "drive", domain])
        assert drive_result['rv'] == 0
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md_complete(domain)
        # - append vhost to config
        conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[md_names[1]])
        conf.install()
        assert TestEnv.apache_restart() == 0
        # check: SSL is running OK, the served cert names the domain
        served_cert = CertUtil.load_server_cert(
            TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, domain)
        assert domain in served_cert.get_san_list()

        # check file system permissions of the stored key/cert material
        TestEnv.check_file_permissions(domain)
Ejemplo n.º 17
    def test_500_203(self):
        # test case: reproduce issue with initially wrong agreement URL.
        # A drive that failed on the terms-of-service URL must succeed once
        # the config carries the correct one.
        domain = "test500-203-" + TestDrive.dns_uniq
        name = "www." + domain

        def stored_state():
            # state of the MD as reported by "a2md list <name>"
            return TestEnv.a2md(["list", name])['jout']['output'][0]['state']

        # setup: prepare md with invalid TOS url
        conf = HttpdConf(TestDrive.TMP_CONF, acmeTos=TestEnv.ACME_TOS2)
        conf.add_admin("admin@" + domain)
        conf.add_drive_mode("manual")
        conf.add_md([name])
        conf.install()
        assert TestEnv.apache_restart() == 0
        assert stored_state() == TestEnv.MD_S_INCOMPLETE
        # drive it -> fail after account registration
        assert TestEnv.a2md(["-vv", "drive", name])['rv'] == 1

        # adjust config: replace TOS url with correct one
        conf = HttpdConf(TestDrive.TMP_CONF)
        conf.add_admin("admin@" + domain)
        conf.add_drive_mode("manual")
        conf.add_md([name])
        conf.install()
        time.sleep(1)
        assert TestEnv.apache_restart() == 0
        assert stored_state() == TestEnv.MD_S_INCOMPLETE
        # drive it -> runs OK
        assert TestEnv.a2md(["-vv", "drive", name])['rv'] == 0
        assert stored_state() == TestEnv.MD_S_COMPLETE
Ejemplo n.º 18
    def test_600_000(self):
        # test case: generate config with md -> restart -> drive -> generate
        # config with vhost and ssl -> restart -> check HTTPS access
        domain = "r000-" + TestRoundtrip.dns_uniq
        md_names = [domain, "www." + domain]

        # - generate config with one md, driven manually
        conf = HttpdConf(TestRoundtrip.TMP_CONF, True)
        conf.add_admin("admin@" + domain)
        conf.add_drive_mode("manual")
        conf.add_md(md_names)
        conf.install()
        # - restart, check that md is in store
        assert TestEnv.apache_restart() == 0
        self._check_md_names(domain, md_names)
        # - drive via the a2md command line, expect exit value 0
        drive_result = TestEnv.a2md(["-v", "drive", domain])
        assert drive_result['rv'] == 0
        self._check_md_cert(md_names)
        # - append vhost to config
        conf.add_vhost(TestEnv.HTTPS_PORT,
                       domain,
                       aliasList=[md_names[1]],
                       withSSL=True)
        conf.install()
        assert TestEnv.apache_restart() == 0
        # check: SSL is running OK, the served cert names the domain
        served_cert = CertUtil.load_server_cert(
            TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, domain)
        assert domain in served_cert.get_san_list()

        # check file system permissions of the stored key/cert material
        TestEnv.check_file_permissions(domain)
Ejemplo n.º 19
    def test_310_210(self, confFile, expMode):
        # test case: require HTTPS. The mode from confFile must be stored,
        # and it must disappear again once the directive is removed, so that
        # a stale redirect policy does not linger in the store.
        TestEnv.install_test_conf(confFile)
        assert TestEnv.apache_restart() == 0
        md_entry = TestEnv.a2md(["list"])['jout']['output'][0]
        assert md_entry['require-https'] == expMode, \
            "Unexpected HTTPS require mode in store. confFile: {}".format(confFile)

        # back to the plain config: the attribute must be gone
        TestEnv.install_test_conf("one_md")
        assert TestEnv.apache_restart() == 0
        md_entry = TestEnv.a2md(["list"])['jout']['output'][0]
        assert "require-https" not in md_entry, \
            "HTTPS require still persisted in store. confFile: {}".format(confFile)
Ejemplo n.º 20
 def test_310_101(self):
     # test case: add managed domains as separate steps. The first MD must
     # be unchanged after the second one is added.
     def members(base):
         # a fresh list per call, as check_md is handed a new list each time
         return [base, "www." + base, "mail." + base]

     TestEnv.install_test_conf("one_md")
     assert TestEnv.apache_restart() == 0
     TestEnv.check_md("testdomain.org", members("testdomain.org"), 1)
     TestEnv.install_test_conf("two_mds")
     assert TestEnv.apache_restart() == 0
     TestEnv.check_md("testdomain.org", members("testdomain.org"), 1)
     TestEnv.check_md("testdomain2.org", members("testdomain2.org"), 1)
Ejemplo n.º 21
    def test_310_211(self):
        # test case: require OCSP stapling. 'must-staple' must be stored as
        # true with the "staple_on" config and as false again once the plain
        # config is back (here the attribute stays present, unlike others).
        TestEnv.install_test_conf("staple_on")
        assert TestEnv.apache_restart() == 0
        md_entry = TestEnv.a2md(["list"])['jout']['output'][0]
        assert md_entry['must-staple'] == True

        TestEnv.install_test_conf("one_md")
        assert TestEnv.apache_restart() == 0
        md_entry = TestEnv.a2md(["list"])['jout']['output'][0]
        assert md_entry['must-staple'] == False
Ejemplo n.º 22
    def test_310_209(self, confFile):
        # test case: specify RSA key. The key type from confFile must be
        # stored; with the directive removed the 'privkey' entry must vanish.
        # Only the key type is checked here, not the key size.
        TestEnv.install_test_conf(confFile)
        assert TestEnv.apache_restart() == 0
        md_entry = TestEnv.a2md(["list"])['jout']['output'][0]
        assert md_entry['privkey']['type'] == "RSA"

        TestEnv.install_test_conf("one_md")
        assert TestEnv.apache_restart() == 0
        md_entry = TestEnv.a2md(["list"])['jout']['output'][0]
        assert "privkey" not in md_entry
Ejemplo n.º 23
    def test_310_208(self):
        # test case: remove challenges from conf -> fallback to default (not
        # set). Once unset, the MD is no longer restricted to http-01.
        TestEnv.install_test_conf("challenge_http")
        assert TestEnv.apache_restart() == 0
        ca_info = TestEnv.a2md(["list"])['jout']['output'][0]['ca']
        assert ca_info['challenges'] == ['http-01']

        TestEnv.install_test_conf("one_md")
        assert TestEnv.apache_restart() == 0
        ca_info = TestEnv.a2md(["list"])['jout']['output'][0]['ca']
        assert 'challenges' not in ca_info
Ejemplo n.º 24
    def test_310_207(self, confFile, expCode):
        # test case: remove drive mode from conf -> fallback to default (auto)
        TestEnv.install_test_conf(confFile)
        assert TestEnv.apache_restart() == 0
        md_entry = TestEnv.a2md(["list"])['jout']['output'][0]
        assert md_entry['drive-mode'] == expCode

        # the plain config carries no drive mode: expect the stored code 1
        TestEnv.install_test_conf("one_md")
        assert TestEnv.apache_restart() == 0
        md_entry = TestEnv.a2md(["list"])['jout']['output'][0]
        assert md_entry['drive-mode'] == 1
Ejemplo n.º 25
    def test_500_109(self):
        # test case: redirect on SSL-only domain. Expected per phase:
        #   unset:     plain HTTP is served, no Location header
        #   temporary: HTTP answers 302 to https://<name>/..., no HSTS header
        #              on either the HTTP or the HTTPS response
        #   permanent: HTTP answers 301 without HSTS; the HTTPS response
        #              carries Strict-Transport-Security
        # The default vhost ("not-forbidden.org") is checked to stay
        # un-redirected in the unset and temporary phases.
        # setup: prepare config
        domain = "test500-109-" + TestDrive.dns_uniq
        name = "www." + domain
        conf = HttpdConf(TestDrive.TMP_CONF)
        conf.add_admin("admin@" + domain)
        conf.add_drive_mode("manual")
        conf.add_md([name])
        conf.add_vhost(TestEnv.HTTP_PORT, name, aliasList=[],
                       docRoot="htdocs/test", withSSL=False)
        conf.add_vhost(TestEnv.HTTPS_PORT, name, aliasList=[],
                       docRoot="htdocs/test", withSSL=True)
        conf.install()
        # setup: create resource files
        self._write_res_file(
            os.path.join(TestEnv.APACHE_HTDOCS_DIR, "test"), "name.txt", name)
        self._write_res_file(
            os.path.join(TestEnv.APACHE_HTDOCS_DIR), "name.txt",
            "not-forbidden.org")
        assert TestEnv.apache_restart() == 0

        # drive it
        assert TestEnv.a2md(["drive", name])['rv'] == 0
        assert TestEnv.apache_restart() == 0
        # test HTTP access - no redirect
        assert TestEnv.get_content(
            "not-forbidden.org", "/name.txt", useHTTPS=False) == "not-forbidden.org"
        assert TestEnv.get_content(name, "/name.txt", useHTTPS=False) == name
        resp = TestEnv.get_meta(name, "/name.txt", useHTTPS=False)
        assert int(resp['http_headers']['Content-Length']) == len(name)
        assert "Location" not in resp['http_headers']
        # test HTTPS access
        assert TestEnv.get_content(name, "/name.txt", useHTTPS=True) == name

        # test HTTP access again -> redirect to default HTTPS port
        conf.add_require_ssl("temporary")
        conf.install()
        assert TestEnv.apache_restart() == 0
        resp = TestEnv.get_meta(name, "/name.txt", useHTTPS=False)
        assert resp['http_status'] == 302
        redirect_target = "https://{}/name.txt".format(name)
        assert resp['http_headers']['Location'] == redirect_target
        # HSTS must not be sent on the plain HTTP response
        assert 'Strict-Transport-Security' not in resp['http_headers']
        # test default HTTP vhost -> still no redirect
        assert TestEnv.get_content(
            "not-forbidden.org", "/name.txt", useHTTPS=False) == "not-forbidden.org"
        resp = TestEnv.get_meta(name, "/name.txt", useHTTPS=True)
        # in temporary mode HSTS is not sent over HTTPS either
        assert 'Strict-Transport-Security' not in resp['http_headers']

        # test HTTP access again -> redirect permanent
        conf.add_require_ssl("permanent")
        conf.install()
        assert TestEnv.apache_restart() == 0
        resp = TestEnv.get_meta(name, "/name.txt", useHTTPS=False)
        assert resp['http_status'] == 301
        redirect_target = "https://{}/name.txt".format(name)
        assert resp['http_headers']['Location'] == redirect_target
        assert 'Strict-Transport-Security' not in resp['http_headers']
        # over HTTPS the HSTS header must be present;
        # 15768000 seconds are 182.5 days
        resp = TestEnv.get_meta(name, "/name.txt", useHTTPS=True)
        hsts = resp['http_headers']['Strict-Transport-Security']
        assert hsts == 'max-age=15768000'
Ejemplo n.º 26
    def test_600_002(self):
        # test case: one md, that covers two vhosts. Both vhosts point at the
        # same certificate and key files of the MD, so they must serve the
        # same certificate.
        domain = "r002-" + TestRoundtrip.dns_uniq
        nameA = "test-a." + domain
        nameB = "test-b." + domain
        md_names = [domain, nameA, nameB]
        # (vhost name, sub directory below htdocs)
        sites = ((nameA, "a"), (nameB, "b"))

        # - generate config with one md
        conf = HttpdConf(TestRoundtrip.TMP_CONF, True)
        conf.add_admin("admin@" + domain)
        conf.add_drive_mode("manual")
        conf.add_md(md_names)
        conf.install()

        # - restart, check that md is in store
        assert TestEnv.apache_restart() == 0
        self._check_md_names(domain, md_names)

        # - drive
        assert TestEnv.a2md(["drive", domain])['rv'] == 0
        self._check_md_cert(md_names)

        # - append vhosts to config, each using the MD's cert and key paths
        for host, sub_dir in sites:
            conf.add_vhost(TestEnv.HTTPS_PORT,
                           host,
                           aliasList=[],
                           docRoot="htdocs/" + sub_dir,
                           withSSL=True,
                           certPath=TestEnv.path_domain_pubcert(domain),
                           keyPath=TestEnv.path_domain_privkey(domain))
        conf.install()

        # - create docRoot folders, each holding its own vhost name
        for host, sub_dir in sites:
            self._write_res_file(
                os.path.join(TestEnv.APACHE_HTDOCS_DIR, sub_dir),
                "name.txt", host)

        # check: SSL is running OK
        assert TestEnv.apache_restart() == 0
        certA = CertUtil.load_server_cert(
            TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameA)
        assert nameA in certA.get_san_list()
        certB = CertUtil.load_server_cert(
            TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameB)
        assert nameB in certB.get_san_list()
        assert certA.get_serial() == certB.get_serial()
        # each vhost must serve its own content under the shared certificate
        assert TestEnv.get_content(nameA, "/name.txt") == nameA
        assert TestEnv.get_content(nameB, "/name.txt") == nameB
Ejemplo n.º 27
    def test_702_032(self):
        # With "MDMembers auto", a name that moves from its own MD into the
        # alias list of another MD's vhost must end up in that MD, and a new
        # certificate covering both names must be issued.
        domain = self.test_domain
        name1 = "server1." + domain
        name2 = "server2.b" + domain  # need a separate TLD to avoid rate limits

        # generate 2 MDs and 2 vhosts
        conf = HttpdConf()
        conf.add_admin("admin@" + domain)
        conf._add_line("MDMembers auto")
        conf.add_md([name1])
        conf.add_md([name2])
        for host, doc_root in ((name1, "htdocs/a"), (name2, "htdocs/b")):
            conf.add_vhost(TestEnv.HTTPS_PORT,
                           host,
                           aliasList=[],
                           docRoot=doc_root)
        conf.install()

        # restart (-> drive), check that MD was synched and completes
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(name1, [name1])
        TestEnv.check_md(name2, [name2])
        assert TestEnv.await_completion([name1, name2])
        TestEnv.check_md_complete(name2)

        # check: SSL is running OK, each vhost serves a cert with its name
        cert1 = CertUtil.load_server_cert(
            TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, name1)
        assert name1 in cert1.get_san_list()
        cert2 = CertUtil.load_server_cert(
            TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, name2)
        assert name2 in cert2.get_san_list()

        # remove second md and vhost, add name2 to vhost1
        conf = HttpdConf()
        conf.add_admin("admin@" + domain)
        conf._add_line("MDMembers auto")
        conf.add_md([name1])
        conf.add_vhost(TestEnv.HTTPS_PORT,
                       name1,
                       aliasList=[name2],
                       docRoot="htdocs/a")
        conf.install()
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(name1, [name1, name2])
        assert TestEnv.await_completion([name1])

        # the re-issued certificate covers both names and has a new serial
        cert1b = CertUtil.load_server_cert(
            TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, name1)
        assert name1 in cert1b.get_san_list()
        assert name2 in cert1b.get_san_list()
        assert cert1.get_serial() != cert1b.get_serial()
Ejemplo n.º 28
    def test_310_206(self):
        """Remove the renew window from the configuration and expect the default.

        Installs the test configuration "renew_14d" and expects `a2md list` to
        report a renew window of '14d' for the first MD. Then installs
        "one_md" and expects the reported value to be '33%', which the test
        treats as the fallback default.
        """
        def listed_renew_window():
            # renew window of the first MD as reported by `a2md list`
            return TestEnv.a2md(["list"])['jout']['output'][0]['renew-window']

        # step 1: configuration with an explicit renew window
        TestEnv.install_test_conf("renew_14d")
        assert TestEnv.apache_restart() == 0
        # ToDo: how to check renew value in store?
        assert listed_renew_window() == '14d'

        # step 2: configuration without a renew window -> default is reported
        TestEnv.install_test_conf("one_md")
        assert TestEnv.apache_restart() == 0
        assert listed_renew_window() == '33%'
Ejemplo n.º 29
 def test_310_104(self):
     """Add an ACME CA URL and protocol to an already existing MD.

     Installs "one_md" and checks the MD against TestEnv.ACME_URL_DEFAULT,
     then installs "one_md_ca" and checks that the MD now reports the CA
     directory URL and agreement URL given below.

     The expected CA and agreement URLs are plain http against a test host.
     RFC 8555 requires HTTPS for ACME, so such URLs are only appropriate for
     a local test CA.
     """
     md_name = "testdomain.org"
     dns_names = (md_name, "www.testdomain.org", "mail.testdomain.org")

     # baseline: the MD uses the default CA
     TestEnv.install_test_conf("one_md")
     assert TestEnv.apache_restart() == 0
     # third positional argument 1: meaning not visible here, verify against
     # TestEnv.check_md
     TestEnv.check_md(md_name, list(dns_names), 1,
                      ca=TestEnv.ACME_URL_DEFAULT, protocol="ACME")

     # test case: configuration that sets CA url and agreement explicitly
     TestEnv.install_test_conf("one_md_ca")
     assert TestEnv.apache_restart() == 0
     TestEnv.check_md(md_name, list(dns_names), 1,
                      ca="http://acme.test.org:4000/directory",
                      protocol="ACME",
                      agreement="http://acme.test.org:4000/terms/v1")
Ejemplo n.º 30
    def test_700_031(self):
        """Replace the first name of an MD and expect a re-issued certificate.

        An MD with the names X, A and B is configured together with SSL vhosts
        for A and B that both point at the same certificate and key paths.
        After completion both vhosts must serve the same certificate. The MD
        is then reconfigured as A, B, C (X dropped, C added); after restart
        and completion the certificate served for A must have a different
        serial than before.
        """
        domain = "test700-031-" + TestAuto.dns_uniq
        nameX = "test-x." + domain
        nameA = "test-a." + domain
        nameB = "test-b." + domain
        nameC = "test-c." + domain
        dns_list = [ nameX, nameA, nameB ]

        # generate 1 MD and 2 vhosts
        # both vhosts use the same certPath/keyPath, derived from `domain`
        conf = HttpdConf( TestAuto.TMP_CONF )
        conf.add_admin( "admin@" + domain )
        conf.add_md( dns_list )
        conf.add_vhost( TestEnv.HTTPS_PORT, nameA, aliasList=[], docRoot="htdocs/a", 
                        withSSL=True, certPath=TestEnv.path_domain_pubcert( domain ), 
                        keyPath=TestEnv.path_domain_privkey( domain ) )
        conf.add_vhost( TestEnv.HTTPS_PORT, nameB, aliasList=[], docRoot="htdocs/b", 
                        withSSL=True, certPath=TestEnv.path_domain_pubcert( domain ), 
                        keyPath=TestEnv.path_domain_privkey( domain ) )
        conf.install()

        # restart (-> drive), check that MD was synched and completes
        assert TestEnv.apache_restart() == 0
        self._check_md_names( nameX, dns_list )
        assert TestEnv.await_completion( [ nameX ] )
        self._check_md_cert( dns_list )

        # check: SSL is running OK, and both vhosts serve one and the same
        # certificate (equal serial)
        certA = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameA)
        assert nameA in certA.get_san_list()
        certB = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameB)
        assert nameB in certB.get_san_list()
        assert certA.get_serial() == certB.get_serial()
        
        # change MD: drop the 1st name (nameX) and add nameC
        new_list = [ nameA, nameB, nameC ]
        conf = HttpdConf( TestAuto.TMP_CONF )
        conf.add_admin( "admin@" + domain )
        conf.add_md( new_list )
        conf.add_vhost( TestEnv.HTTPS_PORT, nameA, aliasList=[], docRoot="htdocs/a", 
                        withSSL=True, certPath=TestEnv.path_domain_pubcert( domain ), 
                        keyPath=TestEnv.path_domain_privkey( domain ) )
        conf.add_vhost( TestEnv.HTTPS_PORT, nameB, aliasList=[], docRoot="htdocs/b", 
                        withSSL=True, certPath=TestEnv.path_domain_pubcert( domain ), 
                        keyPath=TestEnv.path_domain_privkey( domain ) )
        conf.install()
        # restart, check that the host still works and now serves a different
        # cert (the serial must differ from the one seen before the change)
        assert TestEnv.apache_restart() == 0
        # the MD is still looked up under nameX although nameX is no longer in
        # the list; presumably the MD keeps its original name, verify against
        # _check_md_names
        self._check_md_names( nameX, new_list )
        assert TestEnv.await_completion( [ nameX ] )

        # NOTE(review): only nameA is checked in the new SAN list; neither the
        # presence of nameC nor the absence of nameX is asserted here
        certA2 = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameA)
        assert nameA in certA2.get_san_list()
        assert certA.get_serial() != certA2.get_serial()