def test_801_004(self):
    """Two MDs with ``ssl_stapling=True``; only the first sets ``MDStapling on``.

    The first domain must serve a verifiable OCSP response and report
    stapling in its md status. The second must still serve an OCSP
    response on connections but must not report md stapling.
    """
    stapled_md = TestStapling.mdA
    plain_md = TestStapling.mdB
    httpd_conf = TestStapling.configure_httpd(ssl_stapling=True)
    httpd_conf.add_line("""
        <MDomain %s>
            MDStapling on
        </MDomain>
        <MDomain %s>
        </MDomain>
        """ % (stapled_md, plain_md))
    for name in (stapled_md, plain_md):
        httpd_conf.add_vhost(name)
    httpd_conf.install()
    assert TestEnv.apache_stop() == 0
    assert TestEnv.apache_restart() == 0

    # First MD: the stapled response must be present and must verify.
    ocsp = TestEnv.await_ocsp_status(stapled_md)
    assert ocsp['ocsp'] == "successful (0x0)"
    assert ocsp['verify'] == "0 (ok)"
    md_stat = TestEnv.get_md_status(stapled_md)
    assert md_stat["stapling"]
    rsa_ocsp = md_stat["cert"]['rsa']["ocsp"]
    assert rsa_ocsp["status"] == "good"
    assert rsa_ocsp["valid"]

    # Second MD: no md stapling, but a response is still sent on the
    # connection (per the original comment, mod_ssl kicks in).
    ocsp = TestEnv.get_ocsp_status(plain_md)
    assert ocsp['ocsp'] == "successful (0x0)"
    md_stat = TestEnv.get_md_status(plain_md)
    assert not md_stat["stapling"]
def test_801_003(self):
    """Two MDs, default httpd config; only the first sets ``MDStapling on``.

    The first domain must staple a verifiable OCSP response; the second
    must send no OCSP response at all and report no stapling.
    """
    stapled_md = TestStapling.mdA
    plain_md = TestStapling.mdB
    httpd_conf = TestStapling.configure_httpd()
    httpd_conf.add_line("""
        <MDomain %s>
            MDStapling on
        </MDomain>
        <MDomain %s>
        </MDomain>
        """ % (stapled_md, plain_md))
    for name in (stapled_md, plain_md):
        httpd_conf.add_vhost(name)
    httpd_conf.install()
    assert TestEnv.apache_stop() == 0
    assert TestEnv.apache_restart() == 0

    # First MD: stapled response present, verified, and tracked in md status.
    ocsp = TestEnv.await_ocsp_status(stapled_md)
    assert ocsp['ocsp'] == "successful (0x0)"
    assert ocsp['verify'] == "0 (ok)"
    md_stat = TestEnv.get_md_status(stapled_md)
    assert md_stat["stapling"]
    cert_ocsp = md_stat["cert"]["ocsp"]
    assert cert_ocsp["status"] == "good"
    assert cert_ocsp["valid"]

    # Second MD: stapling was never enabled, so nothing is sent.
    ocsp = TestEnv.get_ocsp_status(plain_md)
    assert ocsp['ocsp'] == "no response sent"
    md_stat = TestEnv.get_md_status(plain_md)
    assert not md_stat["stapling"]
def test_801_002(self):
    """Toggle ``MDStapling`` on and off for one MD while ``ssl_stapling=True``.

    In every phase a response is sent on the connection; only the md
    status ``stapling`` flag follows the MDStapling setting.
    """
    name = TestStapling.mdA

    # Phase 1: no MDStapling directive.
    TestStapling.configure_httpd(name, ssl_stapling=True).install()
    assert TestEnv.apache_stop() == 0
    assert TestEnv.apache_restart() == 0
    ocsp = TestEnv.get_ocsp_status(name)
    assert ocsp['ocsp'] == "successful (0x0)"
    md_stat = TestEnv.get_md_status(name)
    assert not md_stat["stapling"]

    # Phase 2: turn stapling on, wait for it to appear in connections.
    TestStapling.configure_httpd(name, "MDStapling on", ssl_stapling=True).install()
    assert TestEnv.apache_restart() == 0
    ocsp = TestEnv.await_ocsp_status(name)
    assert ocsp['ocsp'] == "successful (0x0)"
    assert ocsp['verify'] == "0 (ok)"
    md_stat = TestEnv.get_md_status(name)
    assert md_stat["stapling"]
    rsa_ocsp = md_stat["cert"]['rsa']["ocsp"]
    assert rsa_ocsp["status"] == "good"
    assert rsa_ocsp["valid"]

    # Phase 3: turn stapling off explicitly; the md flag must clear again.
    TestStapling.configure_httpd(name, "MDStapling off", ssl_stapling=True).install()
    assert TestEnv.apache_restart() == 0
    ocsp = TestEnv.get_ocsp_status(name)
    assert ocsp['ocsp'] == "successful (0x0)"
    md_stat = TestEnv.get_md_status(name)
    assert not md_stat["stapling"]
def test_801_001(self):
    """Toggle ``MDStapling`` on and off for one MD with the default config.

    Without the directive (or with it explicitly off) no OCSP response may
    be sent; with it on, the response must be present and must verify.
    """
    name = TestStapling.mdA

    # Phase 1: stapling not configured.
    TestStapling.configure_httpd(name).install()
    assert TestEnv.apache_restart() == 0
    ocsp = TestEnv.get_ocsp_status(name)
    assert ocsp['ocsp'] == "no response sent"
    md_stat = TestEnv.get_md_status(name)
    assert not md_stat["stapling"]

    # Phase 2: turn stapling on, wait for it to appear in connections.
    TestStapling.configure_httpd(
        name, """
        MDStapling on
        LogLevel md:trace5
        """).install()
    assert TestEnv.apache_restart() == 0
    ocsp = TestEnv.await_ocsp_status(name)
    assert ocsp['ocsp'] == "successful (0x0)"
    assert ocsp['verify'] == "0 (ok)"
    md_stat = TestEnv.get_md_status(name)
    assert md_stat["stapling"]
    cert_ocsp = md_stat["cert"]["ocsp"]
    assert cert_ocsp["status"] == "good"
    assert cert_ocsp["valid"]

    # Phase 3: turn stapling off explicitly; the response must disappear.
    TestStapling.configure_httpd(name, "MDStapling off").install()
    assert TestEnv.apache_restart() == 0
    ocsp = TestEnv.get_ocsp_status(name)
    assert ocsp['ocsp'] == "no response sent"
    md_stat = TestEnv.get_md_status(name)
    assert not md_stat["stapling"]
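def test_901_004(self):
    """Force a renewal and check the message command logs one 'renewed' line.

    The first configuration obtains a certificate without a message
    command. The second adds the command plus renew-window and
    activation-delay settings that the original comment describes as
    forcing a renewal.
    """
    domain = self.test_domain
    domains = [domain, "www." + domain]
    conf = HttpdConf()
    conf.add_admin("*****@*****.**")
    conf.add_md(domains)
    conf.add_vhost(domains)
    conf.install()
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([domain])

    # force renew
    conf = HttpdConf()
    conf.add_admin("*****@*****.**")
    conf.add_message_cmd("%s %s" % (self.mcmd, self.mlog))
    conf.add_line("MDRenewWindow 120d")
    conf.add_line("MDActivationDelay -7d")
    conf.add_md(domains)
    conf.add_vhost(domains)
    conf.install()
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([domain], restart=False)
    TestEnv.get_md_status(domain)
    assert TestEnv.await_file(self.mlog)

    # Read through a context manager so the log handle is closed even
    # when one of the assertions below fails.
    with open(self.mlog) as log:
        nlines = log.readlines()
    assert 1 == len(nlines)
    # The command logs its argv: command, log file, event, managed domain.
    assert ("['%s', '%s', 'renewed', '%s']" % (self.mcmd, self.mlog, domain)) == nlines[0].strip()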
def test_700_001(self):
    """Drive one MD in auto mode once a vhost for it exists.

    Without a vhost the MD is synced to the store but not watched. After
    the vhost is added, the MD is driven to completion, the served
    certificate covers the domain, no challenge data remains and the
    suite's file-permission check passes.
    """
    # generate config with one MD
    primary = self.test_domain
    names = [primary, "www." + primary]
    httpd_conf = HttpdConf()
    httpd_conf.add_admin("admin@" + primary)
    httpd_conf.add_drive_mode("auto")
    httpd_conf.add_md(names)
    httpd_conf.install()

    # restart, check that MD is synched to store
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md(names)
    md_stat = TestEnv.get_md_status(primary)
    assert md_stat["watched"] == 0

    # add vhost for MD, restart should drive it
    httpd_conf.add_vhost(names)
    httpd_conf.install()
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([primary])
    TestEnv.check_md_complete(primary)
    md_stat = TestEnv.get_md_status(primary)
    assert md_stat["watched"] == 1

    served = TestEnv.get_cert(primary)
    assert primary in served.get_san_list()

    # Challenges should have been removed and the file system needs to
    # have correct permissions.
    # NOTE(review): presumably the permission check covers the private key
    # in the store; confirm in TestEnv.check_file_permissions.
    TestEnv.check_dir_empty(TestEnv.store_challenges())
    TestEnv.check_file_permissions(primary)
def test_920_020(self):
    """One MD with two key types (``secp256r1`` and ``RSA``) and stapling on.

    Both certificates must show up under 'renewal' while staged, and under
    'cert' (each with an 'ocsp' entry) after the activating restart.
    """
    primary = self.test_domain
    names = [primary]
    httpd_conf = HttpdConf()
    httpd_conf.add_admin("*****@*****.**")
    httpd_conf.add_line("MDStapling on")
    httpd_conf.add_line("MDPrivateKeys secp256r1 RSA")
    httpd_conf.add_md(names)
    httpd_conf.add_vhost(primary)
    httpd_conf.install()
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([primary], restart=False)

    # In the stats JSON, we expect 2 certificates under 'renewal'.
    md_stat = TestEnv.get_md_status(primary)
    assert 'renewal' in md_stat
    assert 'cert' in md_stat['renewal']
    for key_type in ('rsa', 'secp256r1'):
        assert key_type in md_stat['renewal']['cert']

    # In /.httpd/certificate-status 'renewal' we expect 2 certificates.
    cert_status = TestEnv.get_certificate_status(primary)
    assert 'renewal' in cert_status
    assert 'cert' in cert_status['renewal']
    for key_type in ('secp256r1', 'rsa'):
        assert key_type in cert_status['renewal']['cert']

    # Restart and activate; once activated, certs are listed in status.
    assert TestEnv.apache_restart() == 0
    md_stat = TestEnv.get_md_status(primary)
    assert 'cert' in md_stat
    assert 'valid' in md_stat['cert']
    for key_type in ('rsa', 'secp256r1'):
        assert key_type in md_stat['cert']
        assert 'ocsp' in md_stat['cert'][key_type]
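def test_901_030(self):
    """A failing message command is recorded as a job error and clears later.

    Phase 1 obtains a certificate. Phase 2 sets a warn window that triggers
    right away together with a failing message command, and expects
    job.json to record AH10109. Phase 3 switches to a working command and
    expects one 'expiring' notification and an error count of zero.
    """
    domain = self.test_domain
    domains = [domain, "www." + domain]
    conf = HttpdConf()
    conf.add_admin("*****@*****.**")
    conf.add_md(domains)
    conf.add_vhost(domains)
    conf.install()
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([domain])

    # set the warn window that triggers right away and a failing message command
    conf = HttpdConf()
    conf.add_admin("*****@*****.**")
    conf.add_message_cmd("%s %s" % (self.mcmdfail, self.mlog))
    conf.add_md(domains)
    conf.add_line("""
        MDWarnWindow 100d
        """)
    conf.add_vhost(domains)
    conf.install()
    assert TestEnv.apache_restart() == 0
    TestEnv.get_md_status(domain)

    # The command should have failed and logged an error. Poll the staged
    # job.json until the failure is recorded. The original loop had no
    # upper bound and would hang the suite if the error never appeared;
    # 30 seconds is an arbitrary ceiling, so adjust it to the suite's
    # usual timeouts.
    job_file = TestEnv.store_staged_file(domain, 'job.json')
    assert TestEnv.await_file(job_file)
    deadline = time.monotonic() + 30
    while True:
        with open(job_file) as f:
            job = json.load(f)
        if job["errors"] > 0:
            assert job["last"]["problem"] == "urn:org:apache:httpd:log:AH10109:"
            break
        assert time.monotonic() < deadline, "unexpected job result: {0}".format(job)
        time.sleep(0.1)

    # reconfigure to a working notification command and restart
    conf = HttpdConf()
    conf.add_admin("*****@*****.**")
    conf.add_message_cmd("%s %s" % (self.mcmd, self.mlog))
    conf.add_md(domains)
    conf.add_line("""
        MDWarnWindow 100d
        """)
    conf.add_vhost(domains)
    conf.install()
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_file(self.mlog)

    # We see the notification logged by the command. Reading through a
    # context manager closes the handle even if an assertion fails.
    with open(self.mlog) as log:
        nlines = log.readlines()
    assert 1 == len(nlines)
    assert ("['%s', '%s', 'expiring', '%s']" % (self.mcmd, self.mlog, domain)) == nlines[0].strip()

    # the error needs to be gone
    job_file = TestEnv.store_staged_file(domain, 'job.json')
    assert TestEnv.await_file(job_file)
    with open(job_file) as f:
        job = json.load(f)
    assert job["errors"] == 0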
def test_730_002(self):
    """MD with static certificate files and ``MDRenewMode always``.

    The server must serve the supplied certificate (matched by serial),
    report ``renew`` as true in the md status, and then renew.
    """
    primary = self.test_domain
    names = [primary, 'www.%s' % primary]
    # NOTE(review): the directory is named after test_920_001, not this
    # test; confirm that the reuse is intended.
    cert_dir = os.path.join(TestEnv.GEN_DIR, 'test_920_001')

    # cert that is only 10 more days valid
    TestEnv.create_self_signed_cert(
        names, {"notBefore": -80, "notAfter": 10},
        serial=730001, path=cert_dir)
    cert_file = os.path.join(cert_dir, 'pubcert.pem')
    pkey_file = os.path.join(cert_dir, 'privkey.pem')
    for generated in (cert_file, pkey_file):
        assert os.path.exists(generated)

    httpd_conf = HttpdConf()
    httpd_conf.add_admin("*****@*****.**")
    httpd_conf.start_md(names)
    httpd_conf.add_line("MDCertificateFile %s" % (cert_file))
    httpd_conf.add_line("MDCertificateKeyFile %s" % (pkey_file))
    httpd_conf.add_line("MDRenewMode always")
    httpd_conf.end_md()
    httpd_conf.add_vhost(primary)
    httpd_conf.install()
    assert TestEnv.apache_restart() == 0

    # The domain must use the static cert and appear in the stats with
    # renewal switched on (renew mode is 'always').
    served = TestEnv.get_cert(primary)
    assert ('%X' % 730001) == served.get_serial()
    md_stat = TestEnv.get_md_status(primary)
    assert md_stat
    assert 'cert' in md_stat
    assert md_stat['renew'] == True
    assert TestEnv.await_renewal(names)
def test_702_040(self):
    """Drive one MD using only the ``tls-alpn-01`` challenge.

    With ``acme-tls/1`` listed in ``Protocols``, the md status must report
    the protocol as available for all domains and the MD must complete.
    """
    primary = self.test_domain
    names = [primary, "www." + primary]

    # generate 1 MD and 1 vhost
    httpd_conf = HttpdConf()
    httpd_conf.add_admin("admin@" + primary)
    for directive in ("LogLevel core:debug",
                      "LogLevel ssl:debug",
                      "Protocols http/1.1 acme-tls/1"):
        httpd_conf.add_line(directive)
    httpd_conf.add_drive_mode("auto")
    httpd_conf.add_ca_challenges(["tls-alpn-01"])
    httpd_conf.add_md(names)
    httpd_conf.add_vhost(names)
    httpd_conf.install()

    # restart (-> drive), check that MD was synched and completes
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md(names)
    # check that acme-tls/1 is available for all domains
    md_stat = TestEnv.get_md_status(primary)
    assert md_stat["proto"]["acme-tls/1"] == names
    assert TestEnv.await_completion([primary])
    TestEnv.check_md_complete(primary)

    # check SSL running OK
    served = TestEnv.get_cert(primary)
    assert primary in served.get_san_list()
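def test_901_003(self):
    """A working message command is called for challenge setup and renewal.

    Expects three log lines: one 'challenge-setup:http-01:<dns>' entry per
    domain name (in any order within the log) and 'renewed' as the third.
    """
    domain = self.test_domain
    domains = [domain, "www." + domain]
    conf = HttpdConf()
    conf.add_admin("*****@*****.**")
    conf.add_message_cmd("%s %s" % (self.mcmd, self.mlog))
    conf.add_drive_mode("auto")
    conf.add_md(domains)
    conf.add_vhost(domains)
    conf.install()
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([domain], restart=False)
    stat = TestEnv.get_md_status(domain)
    # this command did not fail and logged itself the correct information
    assert stat["renewal"]["last"]["status"] == 0
    assert stat["renewal"]["log"]["entries"]
    assert stat["renewal"]["log"]["entries"][0]["type"] == "message-renewed"
    # shut down server to make sure that md has completed
    assert TestEnv.apache_stop() == 0

    # Read through a context manager so the log handle is closed even
    # when an assertion below fails.
    with open(self.mlog) as log:
        nlines = log.readlines()
    assert 3 == len(nlines)
    nlines = [s.strip() for s in nlines]
    # Each line is the argv the command received: command, log file,
    # event, managed domain.
    for dns in domains:
        assert "['{cmd}', '{logfile}', 'challenge-setup:http-01:{dns}', '{mdomain}']".format(
            cmd=self.mcmd, logfile=self.mlog, mdomain=domain, dns=dns) in nlines
    assert nlines[2] == "['{cmd}', '{logfile}', 'renewed', '{mdomain}']".format(
        cmd=self.mcmd, logfile=self.mlog, mdomain=domain)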
def test_310_118(self):
    """Adding ``MDRenewWindow`` to an existing MD shows up in its md status."""
    # Start with the MD alone, no renew window configured.
    initial = HttpdConf(text="""
        MDomain testdomain.org www.testdomain.org mail.testdomain.org
        """)
    initial.install()
    assert TestEnv.apache_restart() == 0

    # Same MD, now with a 14 day renew window.
    updated = HttpdConf(text="""
        MDRenewWindow 14d
        MDomain testdomain.org www.testdomain.org mail.testdomain.org
        """)
    updated.install()
    assert TestEnv.apache_restart() == 0

    md_stat = TestEnv.get_md_status("testdomain.org")
    assert md_stat['renew-window'] == '14d'
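def test_920_011(self):
    """MD with static cert files in the base server, see issue #161.

    The MD must be complete, in manual renew mode, and must not report a
    'renewal' entry in its status.
    """
    domain = self.test_domain
    domains = [domain, 'www.%s' % domain]
    testpath = os.path.join(TestEnv.GEN_DIR, 'test_920_011')
    # Self-signed cert with notBefore -70 and notAfter 20. The original
    # comment said "only 10 more days valid", which does not match 20.
    TestEnv.create_self_signed_cert(domains, {"notBefore": -70, "notAfter": 20},
                                    serial=920011, path=testpath)
    cert_file = os.path.join(testpath, 'pubcert.pem')
    pkey_file = os.path.join(testpath, 'privkey.pem')
    assert os.path.exists(cert_file)
    assert os.path.exists(pkey_file)

    # The original created an empty HttpdConf() here and overwrote it on
    # the next line; that dead assignment is removed.
    # Test-only config: both status handlers are mapped with no access
    # restriction.
    conf = HttpdConf(std_vhosts=False, text=f"""
        LogLevel md:trace2
        LogLevel ssl:debug
        MDPortMap http:- https:{TestEnv.HTTPS_PORT}
        Listen {TestEnv.HTTPS_PORT}
        ServerAdmin [email protected]
        ServerName {domain}
        SSLEngine on
        Protocols h2 http/1.1 acme-tls/1
        MDBaseServer on
        <Location "/server-status">
            SetHandler server-status
        </Location>
        <Location "/md-status">
            SetHandler md-status
        </Location>
        """)
    conf.start_md(domains)
    conf.add_line(f"MDCertificateFile {cert_file}")
    conf.add_line(f"MDCertificateKeyFile {pkey_file}")
    conf.end_md()
    conf.install()
    # Overrides a TestEnv class attribute; it is not restored in this method.
    TestEnv.HTTPD_CHECK_URL = TestEnv.HTTPD_URL_SSL
    assert TestEnv.apache_restart() == 0
    status = TestEnv.get_md_status(domain)
    assert status
    assert 'renewal' not in status
    print(status)
    assert status['state'] == TestEnv.MD_S_COMPLETE
    assert status['renew-mode'] == 1  # manual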
def test_900_002(self):
    """A failing ``MDNotifyCmd`` must be reported as problem AH10108."""
    md_name = TestNotify.domain
    failing_cmd = "%s/notifail.py" % TestEnv.TESTROOT
    cmd_args = ""
    TestNotify.configure_httpd(
        md_name, """
        MDNotifyCmd %s %s
        """ % (failing_cmd, cmd_args))
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([md_name], restart=False)

    # The failure must surface in the status of the last renewal attempt.
    last_renewal = TestEnv.get_md_status(md_name)["renewal"]["last"]
    assert last_renewal["problem"] == "urn:org:apache:httpd:log:AH10108:"
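def test_900_012(self):
    """With two MDs the notify command is invoked once per MD.

    Both renewals must finish with status 0 and the notify log must hold
    exactly two lines.
    """
    md1 = "a-" + TestNotify.domain
    domains1 = [md1, "www." + md1]
    md2 = "b-" + TestNotify.domain
    domains2 = [md2, "www." + md2]
    command = TestNotify.notify_cmd
    args = TestNotify.notify_log
    conf = HttpdConf()
    conf.add_admin("*****@*****.**")
    conf.add_notify_cmd("%s %s" % (command, args))
    conf.add_md(domains1)
    conf.add_md(domains2)
    conf.add_vhost(domains1)
    conf.add_vhost(domains2)
    conf.install()
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([md1, md2], restart=False)
    for md in (md1, md2):
        stat = TestEnv.get_md_status(md)
        assert stat["renewal"]["last"]["status"] == 0

    # Here `args` is the path of the notify log. Read it through a context
    # manager so the handle is closed even when the assertion fails.
    with open(args) as log:
        nlines = log.readlines()
    assert 2 == len(nlines)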
def test_310_310(self, window):
    """A non-default renew window set on an MD is echoed in its md status.

    `window` is supplied by the caller, presumably a parametrize
    decorator outside this view.
    """
    primary = self.test_domain
    httpd_conf = HttpdConf()
    httpd_conf.add_admin("admin@" + primary)
    # Drive mode and renew window are set between start_md and end_md.
    httpd_conf.start_md([primary])
    httpd_conf.add_drive_mode("manual")
    httpd_conf.add_renew_window(window)
    httpd_conf.end_md()
    httpd_conf.add_vhost(primary)
    httpd_conf.install()
    assert TestEnv.apache_restart() == 0

    reported = TestEnv.get_md_status(primary)["renew-window"]
    assert reported == window
def test_920_004(self):
    """With ``MDCertificateStatus off`` the md status overview still lists the MD."""
    primary = self.test_domain
    names = [primary]
    httpd_conf = HttpdConf()
    httpd_conf.add_admin("*****@*****.**")
    httpd_conf.add_md(names)
    httpd_conf.add_line("MDCertificateStatus off")
    httpd_conf.add_vhost(primary)
    httpd_conf.install()
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([primary])

    # An empty name is passed to get_md_status; the result is checked for
    # the overview keys and for exactly one managed domain.
    overview = TestEnv.get_md_status("")
    for key in ("version", "managed-domains"):
        assert key in overview
    assert 1 == len(overview["managed-domains"])
def test_901_001(self):
    """A message command that cannot run is reported as problem AH10109."""
    primary = self.test_domain
    names = [primary, "www." + primary]
    httpd_conf = HttpdConf()
    httpd_conf.add_admin("*****@*****.**")
    # "blablabla" is deliberately not a usable command.
    httpd_conf.add_message_cmd("blablabla")
    httpd_conf.add_drive_mode("auto")
    httpd_conf.add_md(names)
    httpd_conf.add_vhost(names)
    httpd_conf.install()
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([primary], restart=False)

    # this command should have failed and logged an error
    last_renewal = TestEnv.get_md_status(primary)["renewal"]["last"]
    assert last_renewal["problem"] == "urn:org:apache:httpd:log:AH10109:"
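def test_900_011(self):
    """Extra ``MDNotifyCmd`` arguments are passed through ahead of the domain.

    The first notify log line must be the argv the command received:
    command, log file, the extra argument, then the managed domain.
    """
    domain = TestNotify.domain
    command = TestNotify.notify_cmd
    args = TestNotify.notify_log
    extra_arg = "test_900_011_extra"
    TestNotify.configure_httpd(
        domain, """
        MDNotifyCmd %s %s %s
        """ % (command, args, extra_arg))
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([domain], restart=False)
    stat = TestEnv.get_md_status(domain)
    assert stat["renewal"]["last"]["status"] == 0

    # Read through a context manager so the log handle is closed even
    # when the assertion fails.
    with open(TestNotify.notify_log) as log:
        nlines = log.readlines()
    assert ("['%s', '%s', '%s', '%s']" % (command, args, extra_arg, domain)) == nlines[0].strip()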
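def test_920_010(self):
    """The base-server MD shows up in md-status and in server-status.

    Checks the md status overview, the HTML server-status page and the
    '?auto' summary line with its per-state certificate counters.
    """
    domain = self.test_domain
    domains = [domain]
    # Test-only config: both status handlers are mapped with no access
    # restriction.
    conf = HttpdConf(std_vhosts=False, text="""
        LogLevel md:trace2
        LogLevel ssl:debug
        MDBaseServer on
        MDPortMap http:- https:%s
        Listen %s
        ServerAdmin [email protected]
        ServerName %s
        SSLEngine on
        Protocols h2 http/1.1 acme-tls/1
        <Location "/server-status">
            SetHandler server-status
        </Location>
        <Location "/md-status">
            SetHandler md-status
        </Location>
        """ % (TestEnv.HTTPS_PORT, TestEnv.HTTPS_PORT, domain))
    conf.add_md(domains)
    conf.install()
    # Overrides a TestEnv class attribute; it is not restored in this method.
    TestEnv.HTTPD_CHECK_URL = TestEnv.HTTPD_URL_SSL
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([domain], restart=False)
    status = TestEnv.get_md_status("")
    assert "version" in status
    assert "managed-domains" in status
    assert 1 == len(status["managed-domains"])

    # get the html page
    status = TestEnv.get_server_status()
    assert re.search(r'<h3>Managed Certificates</h3>', status, re.MULTILINE)

    # get the ascii summary
    status = TestEnv.get_server_status(query="?auto")
    m = re.search(
        r'Managed Certificates: total=(\d+), ok=(\d+) renew=(\d+) errored=(\d+) ready=(\d+)',
        status, re.MULTILINE)
    # Fail with the page content when the summary line is missing; the
    # original would raise AttributeError on m.group().
    assert m, "no 'Managed Certificates' summary in: {0}".format(status)
    assert 1 == int(m.group(1))  # total
    assert 0 == int(m.group(2))  # ok
    assert 1 == int(m.group(3))  # renew
    assert 0 == int(m.group(4))  # errored
    assert 1 == int(m.group(5))  # ready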
def test_702_052(self):
    """``acme-tls/1`` in the base server is reported for the MD, which completes."""
    primary = self.test_domain
    httpd_conf = HttpdConf()
    # The MD lives in the base server: MDBaseServer on, with the domain
    # as ServerName and in ServerAdmin.
    httpd_conf.add_line("""
        MDBaseServer on
        MDPortMap http:-
        Protocols h2 http/1.1 acme-tls/1
        ServerAdmin admin@%s
        ServerName %s
        SSLEngine on
        """ % (primary, primary))
    httpd_conf.add_md([primary])
    httpd_conf.install()
    assert TestEnv.apache_restart() == 0

    available_for = TestEnv.get_md_status(primary)["proto"]["acme-tls/1"]
    assert available_for == [primary]
    assert TestEnv.await_completion([primary])
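def test_901_003(self):
    """A working message command logs exactly one 'renewed' line."""
    domain = self.test_domain
    domains = [domain, "www." + domain]
    conf = HttpdConf()
    conf.add_admin("*****@*****.**")
    conf.add_message_cmd("%s %s" % (self.mcmd, self.mlog))
    conf.add_drive_mode("auto")
    conf.add_md(domains)
    conf.add_vhost(domains)
    conf.install()
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([domain], restart=False)
    stat = TestEnv.get_md_status(domain)
    # this command did not fail and logged itself the correct information
    assert stat["renewal"]["last"]["status"] == 0
    assert stat["renewal"]["log"]["entries"]
    assert stat["renewal"]["log"]["entries"][0]["type"] == "message-renewed"

    # Read through a context manager so the log handle is closed even
    # when an assertion below fails.
    with open(self.mlog) as log:
        nlines = log.readlines()
    assert 1 == len(nlines)
    # The line is the argv the command received: command, log file,
    # event, managed domain.
    assert ("['%s', '%s', 'renewed', '%s']" % (self.mcmd, self.mlog, domain)) == nlines[0].strip()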
def test_702_041(self):
    """``tls-alpn-01`` is configured but ``acme-tls/1`` is not in ``Protocols``.

    The md status must report the protocol as available for none of the
    domains.
    """
    primary = self.test_domain
    names = [primary, "www." + primary]

    # generate 1 MD and 1 vhost (no Protocols line)
    httpd_conf = HttpdConf()
    httpd_conf.add_admin("admin@" + primary)
    for directive in ("LogLevel core:debug", "LogLevel ssl:debug"):
        httpd_conf.add_line(directive)
    httpd_conf.add_drive_mode("auto")
    httpd_conf.add_ca_challenges(["tls-alpn-01"])
    httpd_conf.add_md(names)
    httpd_conf.add_vhost(names)
    httpd_conf.install()

    # restart (-> drive), check that MD job shows errors
    # and that missing proto is detected
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md(names)
    # check that acme-tls/1 is available for none of the domains
    available_for = TestEnv.get_md_status(primary)["proto"]["acme-tls/1"]
    assert available_for == []
def test_702_002(self):
    """Drive two MDs in auto mode; staged certs are visible before activation.

    After completion without a restart, the first MD's status must list
    the staged RSA certificate with a SHA-256 fingerprint. After the
    activating restart, each served certificate's SAN list must equal the
    MD's domain list.
    """
    base = self.test_domain
    md_a = "a-" + base
    md_b = "b-" + base

    # generate config with two MDs
    names_a = [md_a, "www." + md_a]
    names_b = [md_b, "www." + md_b]
    httpd_conf = HttpdConf()
    httpd_conf.add_admin("*****@*****.**")
    httpd_conf.add_drive_mode("auto")
    for names in (names_a, names_b):
        httpd_conf.add_md(names)
    for names in (names_a, names_b):
        httpd_conf.add_vhost(names)
    httpd_conf.install()

    # restart, check that md is in store
    assert TestEnv.apache_restart() == 0
    for names in (names_a, names_b):
        TestEnv.check_md(names)

    # await drive completion, do not restart
    assert TestEnv.await_completion([md_a, md_b], restart=False)
    # staged certificates are now visible on the status resources
    staged = TestEnv.get_md_status(md_a)
    assert 'renewal' in staged
    assert 'cert' in staged['renewal']
    assert 'rsa' in staged['renewal']['cert']
    assert 'sha256-fingerprint' in staged['renewal']['cert']['rsa']

    # restart and activate
    assert TestEnv.apache_restart() == 0
    # check: SSL is running OK
    cert_a = TestEnv.get_cert(md_a)
    assert names_a == cert_a.get_san_list()
    cert_b = TestEnv.get_cert(md_b)
    assert names_b == cert_b.get_san_list()
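def test_901_003(self):
    """A working message command logs 'renewed' plus its MD_* environment.

    The log must hold one argv line followed by `self.menv_lines` further
    lines. The second line must be MD_VERSION and the third MD_STORE,
    which must match the configured store directory.
    """
    domain = self.test_domain
    domains = [domain, "www." + domain]
    conf = HttpdConf()
    conf.add_admin("*****@*****.**")
    conf.add_message_cmd("%s %s" % (self.mcmd, self.mlog))
    conf.add_drive_mode("auto")
    conf.add_md(domains)
    conf.add_vhost(domains)
    conf.install()
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([domain], restart=False)
    stat = TestEnv.get_md_status(domain)
    # this command did not fail and logged itself the correct information
    assert stat["renewal"]["last"]["status"] == 0
    assert stat["renewal"]["log"]["entries"]
    assert stat["renewal"]["log"]["entries"][0]["type"] == "message-renewed"
    # shut down server to make sure that md has completed
    assert TestEnv.apache_stop() == 0

    # Read through a context manager so the log handle is closed even
    # when an assertion below fails.
    with open(self.mlog) as log:
        nlines = log.readlines()
    assert 1 + self.menv_lines == len(nlines)
    assert ("['%s', '%s', 'renewed', '%s']" % (self.mcmd, self.mlog, domain)) == nlines[0].strip()
    # Environment handed to the command: module version and store path.
    assert re.match(r'MD_VERSION=(\d+\.\d+\.\d+)(-.+)?', nlines[1].strip())
    assert ("MD_STORE=%s" % (TestEnv.STORE_DIR)) == nlines[2].strip()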