def test_700_005(self):
    """One MD covering the base domain, plus a vhost for its "a." name.

    The MD is configured with drive mode "manual". The test asserts that
    after restart the MD is in the store, the vhost already serves a cert
    naming it, requests get a 503, and the served cert is exactly the
    fallback cert the store holds for the MD.
    """
    base = self.test_domain
    vhost_name = "a." + base
    md_domains = [base, vhost_name]

    cfg = HttpdConf()
    cfg.add_admin("admin@" + base)
    cfg.add_drive_mode("manual")
    cfg.add_md(md_domains)
    cfg.add_vhost(vhost_name, docRoot="htdocs/a")
    cfg.install()

    # the vhost's docRoot needs a resource to request
    doc_root = os.path.join(TestEnv.APACHE_HTDOCS_DIR, "a")
    self._write_res_file(doc_root, "name.txt", vhost_name)

    # after restart the MD must be known to the store
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md(md_domains)

    # served cert names the vhost, but requests are answered with 503
    served = TestEnv.get_cert(vhost_name)
    assert vhost_name in served.get_san_list()
    assert TestEnv.getStatus(vhost_name, "/name.txt") == 503

    # what is served must be the fallback (temporary) cert of the MD
    fallback = CertUtil(TestEnv.path_fallback_cert(base))
    assert served.get_serial() == fallback.get_serial(), \
        "Unexpected temporary certificate on vhost %s. Expected cn: %s , but found cn: %s" % (
            vhost_name, fallback.get_cn(), served.get_cn())
def test_800_002(self):
    """With `MDMustStaple off` the stored cert has no must-staple extension.

    Also asserts that the OCSP status reported for the domain is
    "no response sent", i.e. nothing is stapled.
    """
    dom = TestMustStaple.domain
    TestMustStaple.configure_httpd(dom, "MDMustStaple off")
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md_complete(dom)

    issued = CertUtil(TestEnv.store_domain_file(dom, 'pubcert.pem'))
    assert not issued.get_must_staple()

    ocsp_stat = TestEnv.get_ocsp_status(dom)
    assert ocsp_stat['ocsp'] == "no response sent"
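def _check_account_key(self, name):
    """Check that the ACME account key of MD *name* is stored as encrypted PEM.

    The store-wide encryption key is read from the store's JSON file
    (base64url-encoded under "key") and handed to `validate_privkey` via a
    passphrase callback; the account id is taken from `a2md list` output.
    Presumably validation fails if the key file is not encrypted with that
    key — confirm against CertUtil.validate_privkey.
    """
    # read the encryption key; `with` closes the file even if json parsing raises
    # (the original left the handle to the garbage collector)
    with open(TestEnv.path_store_json(), 'r') as store_fd:
        md_store = json.load(store_fd)
    encrypt_key = base64.urlsafe_b64decode(str(md_store['key']))

    # check: key file is encrypted PEM
    md = TestEnv.a2md(["list", name])['jout']['output'][0]
    account = md['ca']['account']
    CertUtil.validate_privkey(TestEnv.path_account_key(account), lambda *args: encrypt_key)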
def create_self_signed_cert(cls, nameList, validDays, serial=1000, path=None):
    """Write a self-signed cert for *nameList* into *path*.

    When *path* is empty/None, the cert goes into the store directory of
    the first name in *nameList*. *validDays* and *serial* are passed
    through to CertUtil.create_self_signed_cert, whose result is returned.
    """
    # note: the original bound this to a local named `dir`, shadowing the builtin
    target_dir = path or os.path.join(cls.store_domains(), nameList[0])
    return CertUtil.create_self_signed_cert(target_dir, nameList, validDays, serial)
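def check_md_credentials(cls, domain):
    """Assert that the credentials stored for an MD are consistent.

    *domain* is either the MD's primary name (a string) or the full list of
    its names, first entry being the primary. Checks, in order: the stored
    private key is valid and matches the stored certificate; the cert CN is
    the primary name; the cert's SAN entries are exactly the MD's names
    (order-independent); and "now" lies inside the cert's validity interval.

    Raises AssertionError (or whatever CertUtil raises) on any mismatch.
    """
    if isinstance(domain, list):
        domains = domain
        domain = domains[0]
    else:
        # a bare name is an MD with exactly that one name; without this
        # branch `domains` was unbound below and the len() check raised
        # NameError instead of a meaningful assertion
        domains = [domain]

    privkey_file = cls.store_domain_file(domain, 'privkey.pem')
    # check private key, validate certificate, key/cert pairing
    CertUtil.validate_privkey(privkey_file)
    cert = CertUtil(cls.store_domain_file(domain, 'pubcert.pem'))
    cert.validate_cert_matches_priv_key(privkey_file)

    # check CN and SANs; SAN order is not significant, so compare as sets,
    # the length check additionally catches differing multiplicities
    assert cert.get_cn() == domain
    san_list = list(cert.get_san_list())
    assert len(san_list) == len(domains)
    assert set(san_list) == set(domains)

    # check validity interval, comparing in the cert's own timezone
    not_before = cert.get_not_before()
    not_after = cert.get_not_after()
    assert not_before < datetime.now(not_before.tzinfo)
    assert not_after > datetime.now(not_after.tzinfo)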
def test_500_201(self, renewWindow, testDataList):
    """Renew indicator follows the configured renew window.

    An MD with renew window *renewWindow* is set up and driven once. Then,
    for each entry of *testDataList*, the stored cert is replaced by a
    self-signed one with the entry's "valid" settings and `a2md list` must
    report the entry's expected "renew" flag.
    """
    base = self.test_domain
    md_name = "www." + base
    cfg = HttpdConf()
    cfg.add_admin("admin@" + base)
    cfg.add_drive_mode("manual")
    cfg.add_renew_window(renewWindow)
    cfg.add_md([md_name])
    cfg.install()
    assert TestEnv.apache_restart() == 0

    def md_status():
        return TestEnv.a2md(["list", md_name])['jout']['output'][0]

    # freshly configured: incomplete, window as configured
    md = md_status()
    assert md['state'] == TestEnv.MD_S_INCOMPLETE
    assert md['renew-window'] == renewWindow

    # drive to completion and remember the issued cert
    assert TestEnv.a2md(["drive", md_name])['rv'] == 0
    driven = CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))
    md = md_status()
    assert md['state'] == TestEnv.MD_S_COMPLETE
    assert md['renew-window'] == renewWindow

    # swap in self-signed certs of the given validity and read back the status
    print("TRACE: start testing renew window: %s" % renewWindow)
    for case in testDataList:
        print("TRACE: create self-signed cert: %s" % case["valid"])
        TestEnv.create_self_signed_cert([md_name], case["valid"])
        replaced = CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))
        assert replaced.get_serial() != driven.get_serial()
        result = TestEnv.a2md(["-vvvv", "list", md_name])
        md = result['jout']['output'][0]
        assert md["renew"] == case["renew"], \
            "Expected renew == {} indicator in {}, test case {}, stderr {}".format(
                case["renew"], md, case, result['stderr'])
def test_500_202(self, keyType, keyParams, expKeyLength):
    """`MDPrivateKeys keyType keyParams` yields a cert key of *expKeyLength* bits.

    Sets up a manual-drive MD with the given private key settings, drives
    it, and checks the key length reported for the stored certificate.
    """
    base = self.test_domain
    md_name = "www." + base
    cfg = HttpdConf()
    cfg.add_admin("admin@" + base)
    cfg.add_drive_mode("manual")
    cfg.add_private_key(keyType, keyParams)
    cfg.add_md([md_name])
    cfg.install()
    assert TestEnv.apache_restart() == 0

    def md_state():
        return TestEnv.a2md(["list", md_name])['jout']['output'][0]['state']

    assert md_state() == TestEnv.MD_S_INCOMPLETE

    # drive with the configured key type/params
    drive = TestEnv.a2md(["-vv", "drive", md_name])
    assert drive['rv'] == 0, \
        "Expected drive to succeed for MDPrivateKeys {} {}".format(keyType, keyParams)
    assert md_state() == TestEnv.MD_S_COMPLETE

    # the resulting cert key must have the requested length
    issued = CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))
    assert issued.get_key_length() == expKeyLength
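def get_server_cert(cls, domain, proto=None, ciphers=None):
    """Fetch the certificate the test server presents for SNI *domain*.

    Runs `openssl s_client -status -showcerts` against
    TestEnv.HTTPD_HOST:HTTPS_PORT with the test CA file gen/ca.pem as the
    only trust anchor and parses the certificate out of the command's
    stdout. *proto*, if given, is passed as the switch `-<proto>`;
    *ciphers*, if given, as `-cipher <ciphers>`.

    Returns the parsed cert, or None when stdout holds no parseable cert
    (e.g. the handshake failed).
    """
    args = [
        cls.OPENSSL, "s_client", "-status",
        "-connect", "%s:%s" % (TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT),
        # trust only the test CA, not the system store
        "-CAfile", "gen/ca.pem",
        "-servername", domain,
        "-showcerts",
    ]
    if proto is not None:
        args.append("-{0}".format(proto))
    if ciphers is not None:
        args.extend(["-cipher", ciphers])

    r = TestEnv.run(args)
    try:
        return CertUtil.parse_pem_cert(r['stdout'])
    except Exception:
        # unparseable/absent cert -> None, as before; narrowed from a bare
        # `except:` so KeyboardInterrupt/SystemExit are no longer swallowed
        return None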
def test_800_003(self):
    """Toggle MDMustStaple on, then off; the stored cert must follow each time."""
    dom = TestMustStaple.domain

    TestMustStaple.configure_httpd(dom, "MDMustStaple on")
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([dom])
    TestEnv.check_md_complete(dom)
    with_staple = CertUtil(TestEnv.store_domain_file(dom, 'pubcert.pem'))
    assert with_staple.get_must_staple()

    # NOTE(review): the return value of configure_httpd replaces the domain
    # here, whereas the call above (and test_800_002) discards it — confirm
    # configure_httpd returns the domain, otherwise the checks below run
    # against something else.
    dom = TestMustStaple.configure_httpd(dom, "MDMustStaple off")
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([dom])
    TestEnv.check_md_complete(dom)
    without_staple = CertUtil(TestEnv.store_domain_file(dom, 'pubcert.pem'))
    assert not without_staple.get_must_staple()
def test_702_009(self):
    """Auto drive mode renews a cert whose remaining validity falls inside the 10d window.

    After the first auto-drive the stored cert is swapped for a short-lived
    self-signed one; a restart must pick it up and then renew it to a
    different serial.
    """
    dom = self.test_domain
    cfg = HttpdConf()
    cfg.add_admin("admin@" + dom)
    cfg.add_drive_mode("auto")
    cfg.add_renew_window("10d")
    cfg.add_md([dom])
    cfg.add_vhost(dom)
    cfg.install()

    # restart drives the MD; the stored cert must match what status reports
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([dom])
    TestEnv.check_md_complete(dom)
    first = CertUtil(TestEnv.store_domain_file(dom, 'pubcert.pem'))
    assert TestEnv.get_certificate_status(dom)['serial'] == first.get_serial()

    # replace by a self-signed cert with little validity left
    # (notAfter=2, unit presumably days); serial 7029 == 0x1B75
    TestEnv.create_self_signed_cert([dom], {"notBefore": -120, "notAfter": 2}, serial=7029)
    short_lived = CertUtil(TestEnv.store_domain_file(dom, 'pubcert.pem'))
    assert short_lived.get_serial() == '1B75'
    assert TestEnv.apache_restart() == 0
    assert TestEnv.get_certificate_status(dom)['serial'] == short_lived.get_serial()

    # inside the renew window -> must renew to a different serial
    assert TestEnv.await_completion([dom], must_renew=True)
    assert TestEnv.get_certificate_status(dom)['serial'] != short_lived.get_serial()
def test_500_301(self):
    """Changing the contact of a driven MD does not produce a new cert (serial unchanged)."""
    base = self.test_domain
    md_name = "www." + base
    self._prepare_md([md_name])
    assert TestEnv.apache_start() == 0

    # drive and remember the issued cert
    assert TestEnv.a2md(["drive", md_name])['rv'] == 0
    before = CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))

    # update the contact address (the original comment said "add second
    # domain", but this is a contacts update) and drive again
    assert TestEnv.a2md(["update", md_name, "contacts", "test@" + base])['rv'] == 0
    assert TestEnv.a2md(["drive", md_name])['rv'] == 0

    # the cert must have been kept
    after = CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))
    assert before.get_serial() == after.get_serial()
def test_500_300(self):
    """Removing a name from a driven MD keeps the existing cert (serial unchanged)."""
    base = self.test_domain
    md_name = "www." + base
    kept_name = "test." + base
    self._prepare_md([md_name, kept_name, "xxx." + base])
    assert TestEnv.apache_start() == 0

    # drive and remember the issued cert
    assert TestEnv.a2md(["drive", md_name])['rv'] == 0
    before = CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))

    # drop the "xxx." name and drive again
    assert TestEnv.a2md(["update", md_name, "domains", md_name, kept_name])['rv'] == 0
    assert TestEnv.a2md(["-vv", "drive", md_name])['rv'] == 0

    # the cert must have been kept
    after = CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))
    assert before.get_serial() == after.get_serial()
def test_500_200(self):
    """Adding a name to a driven MD yields a new cert covering both names."""
    base = self.test_domain
    md_name = "www." + base
    added_name = "test." + base
    self._prepare_md([md_name])
    assert TestEnv.apache_start() == 0

    # drive and remember the issued cert
    assert TestEnv.a2md(["drive", md_name])['rv'] == 0
    before = CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))

    # add the second name and drive again
    assert TestEnv.a2md(["update", md_name, "domains", md_name, added_name])['rv'] == 0
    assert TestEnv.a2md(["-vv", "drive", md_name])['rv'] == 0

    # new cert: credentials consistent for both names, serial differs
    TestEnv.check_md_credentials([md_name, added_name])
    after = CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))
    assert before.get_serial() != after.get_serial()
def test_500_107(self):
    """Driving a COMPLETE MD again is a no-op; `drive --force` renews and archives.

    Asserts the serial is unchanged after a plain second drive, changed
    after `--force`, and that the original cert then sits in archive slot 2.
    """
    base = self.test_domain
    md_name = "www." + base
    self._prepare_md([md_name])
    assert TestEnv.apache_start() == 0

    def drive(*extra_args):
        # drive, validate credentials, return the stored cert
        argv = ["-vv", "drive"] + list(extra_args) + [md_name]
        assert TestEnv.a2md(argv)['rv'] == 0
        TestEnv.check_md_credentials([md_name])
        return CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))

    original = drive()

    # second plain drive: cert untouched
    assert drive().get_serial() == original.get_serial()

    # forced drive: cert changed (the original comment here was a copy-paste
    # of "cert not changed")
    forced = drive("--force")
    assert forced.get_serial() != original.get_serial()

    # the previous cert must have been archived
    archived = CertUtil(TestEnv.store_archived_file(md_name, 2, 'pubcert.pem'))
    assert archived.get_serial() == original.get_serial()
def get_cert(cls, domain, tls=None, ciphers=None):
    """Return the cert the test server presents for SNI *domain*.

    *tls* and *ciphers* are passed through to CertUtil.load_server_cert
    to pin the protocol version / cipher list used for the probe.
    """
    host, port = TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT
    return CertUtil.load_server_cert(host, port, domain, tls=tls, ciphers=ciphers)
def test_800_001(self):
    """The class domain's initial cert carries no must-staple extension."""
    dom = TestMustStaple.domain
    TestEnv.check_md_complete(dom)
    issued = CertUtil(TestEnv.store_domain_file(dom, 'pubcert.pem'))
    assert not issued.get_must_staple()
def get_cert(cls, domain):
    """Return the cert the test server presents for SNI *domain* (default TLS settings)."""
    host, port = TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT
    return CertUtil.load_server_cert(host, port, domain)