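def test_http_challenge_https_redirect():
    """Issue via HTTP-01 when the validation path redirects to HTTPS.

    The challenge path on a random domain is redirected to the same path
    on the same domain over https://. The test passes when
    auth_and_issue completes without raising.

    NOTE(review): this listing contains a second definition of
    test_http_challenge_https_redirect further down. If both live in the
    same module, the later one rebinds the name and this body never runs.
    """
    client = chisel.make_client()

    # Create an authz for a random domain and get its HTTP-01 challenge token
    d, chall = rand_http_chall(client)
    token = chall.encode("token")

    # Create an HTTP redirect from the challenge's validation path to an HTTPS
    # address with the same path.
    challengePath = "/.well-known/acme-challenge/{0}".format(token)
    add_http_redirect(challengePath, "https://{0}{1}".format(d, challengePath))

    try:
        auth_and_issue([d], client=client, chall_type="http-01")
    finally:
        # Always drop the redirect so a failed issuance cannot leave state
        # behind that changes the outcome of later redirect tests.
        remove_http_redirect(challengePath)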
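def test_http_challenge_loop_redirect():
    """Check that a self-redirecting validation path fails validation.

    The challenge path is redirected to itself over http://, and the
    issuance attempt is expected to produce an
    "urn:acme:error:connection" problem.
    """
    client = chisel.make_client()

    # Create an authz for a random domain and get its HTTP-01 challenge token
    d, chall = rand_http_chall(client)
    token = chall.encode("token")

    # Create an HTTP redirect from the challenge's validation path to itself
    challengePath = "/.well-known/acme-challenge/{0}".format(token)
    add_http_redirect(challengePath, "http://{0}{1}".format(d, challengePath))

    try:
        # Issuing for the name should fail because of the challenge domain's
        # redirect loop.
        chisel.expect_problem(
            "urn:acme:error:connection",
            lambda: auth_and_issue([d], client=client, chall_type="http-01"))
    finally:
        # Remove the redirect even when the expectation fails, so the loop
        # does not leak into other tests.
        remove_http_redirect(challengePath)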
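def test_http_challenge_badproto_redirect():
    """Check that a redirect to a non-HTTP(S) scheme fails validation.

    The challenge path is redirected to a gopher:// URL on the same
    domain, and the issuance attempt is expected to produce an
    "urn:acme:error:connection" problem. This guards the validator's
    restriction on which URL schemes a redirect may use.
    """
    client = chisel.make_client()

    # Create an authz for a random domain and get its HTTP-01 challenge token
    d, chall = rand_http_chall(client)
    token = chall.encode("token")

    # Create an HTTP redirect from the challenge's validation path to a
    # non-http/https protocol URL.
    challengePath = "/.well-known/acme-challenge/{0}".format(token)
    add_http_redirect(challengePath, "gopher://{0}{1}".format(d, challengePath))

    try:
        # Issuing for the name should cause a connection error because the
        # redirect URL has an invalid protocol scheme.
        chisel.expect_problem(
            "urn:acme:error:connection",
            lambda: auth_and_issue([d], client=client, chall_type="http-01"))
    finally:
        # Remove the redirect even when the expectation fails, so a
        # regression here does not distort the results of later tests.
        remove_http_redirect(challengePath)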
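def test_http_challenge_badhost_redirect():
    """Check that a redirect to a bare IP address fails validation.

    The challenge path is redirected to https://127.0.0.1 with the same
    path, and the issuance attempt is expected to produce an
    "urn:acme:error:connection" problem. This guards the validator's
    refusal to follow redirects whose host is an address literal rather
    than a domain name.
    """
    client = chisel.make_client()

    # Create an authz for a random domain and get its HTTP-01 challenge token
    d, chall = rand_http_chall(client)
    token = chall.encode("token")

    # Create an HTTP redirect from the challenge's validation path to a bare
    # IP hostname.
    challengePath = "/.well-known/acme-challenge/{0}".format(token)
    add_http_redirect(challengePath, "https://127.0.0.1{0}".format(challengePath))

    try:
        # Issuing for the name should cause a connection error because the
        # redirect domain name is an IP address.
        chisel.expect_problem(
            "urn:acme:error:connection",
            lambda: auth_and_issue([d], client=client, chall_type="http-01"))
    finally:
        # Remove the redirect even when the expectation fails, so a
        # regression here does not distort the results of later tests.
        remove_http_redirect(challengePath)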
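def test_http_challenge_http_redirect():
    """Issue via HTTP-01 when the validation path redirects to another path.

    The key authorization is served under the non-standard token name
    "http-redirect", and the real challenge path is redirected there
    over http://. The test passes when auth_and_issue completes without
    raising.
    """
    client = chisel.make_client()

    # Create an authz for a random domain and get its HTTP-01 challenge token
    d, chall = rand_http_chall(client)
    token = chall.encode("token")

    # Calculate its keyauth so we can add it in a special non-standard
    # location for the redirect result
    resp = chall.response(client.key)
    keyauth = resp.key_authorization
    add_http01_response("http-redirect", keyauth)

    try:
        # Create an HTTP redirect from the challenge's validation path to
        # some other token path where we have registered the key
        # authorization.
        challengePath = "/.well-known/acme-challenge/{0}".format(token)
        add_http_redirect(
            challengePath,
            "http://{0}/.well-known/acme-challenge/http-redirect".format(d))
        try:
            auth_and_issue([d], client=client, chall_type="http-01")
        finally:
            # Drop the redirect whether or not issuance succeeded.
            remove_http_redirect(challengePath)
    finally:
        # Drop the registered key authorization last, matching the original
        # cleanup order, and do so even if an earlier step raised.
        remove_http01_response("http-redirect")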
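def test_http_challenge_https_redirect():
    """Issue via HTTP-01 when the validation path redirects to HTTPS.

    The challenge path on a random domain is redirected to the same path
    on the same domain over https://. An A record for the domain is also
    registered with the challenge test server so that the HTTPS request
    reaches the interface the HTTPS HTTP-01 server is bound to. The test
    passes when auth_and_issue completes without raising.

    NOTE(review): this listing contains an earlier definition with the
    same name. If both live in the same module, this one replaces it.
    """
    client = chisel.make_client()

    # Create an authz for a random domain and get its HTTP-01 challenge token
    d, chall = rand_http_chall(client)
    token = chall.encode("token")

    # Create an HTTP redirect from the challenge's validation path to an HTTPS
    # address with the same path.
    challengePath = "/.well-known/acme-challenge/{0}".format(token)
    add_http_redirect(challengePath, "https://{0}{1}".format(d, challengePath))

    try:
        # Also add an A record for the domain pointing to the interface that
        # the HTTPS HTTP-01 challtestsrv is bound to.
        # NOTE(review): this record is never removed. If the challenge test
        # server offers a removal endpoint, call it in the cleanup below.
        urllib2.urlopen("{0}/add-a".format(challsrv_url_base),
            data=json.dumps({
                "host": d,
                "addresses": ["10.77.77.77"],
            })).read()

        auth_and_issue([d], client=client, chall_type="http-01")
    finally:
        # Always drop the redirect so a failed setup or issuance cannot leave
        # state behind that changes the outcome of later redirect tests.
        remove_http_redirect(challengePath)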