def test_502_107(self):
        """Drive a COMPLETE MD twice, then once more with ``--force``.

        A plain re-drive of an MD that is already COMPLETE must leave the
        stored certificate untouched (same serial).  ``--force`` must obtain a
        new certificate and move the previous one to archive version 2.
        """
        md_name = "www." + self.test_domain
        self._prepare_md([md_name])
        assert TestEnv.apache_start() == 0

        def drive(*extra_args):
            # run `a2md drive` for md_name and return the pubcert now in the store
            argv = ["-vv", "drive"] + list(extra_args) + [md_name]
            assert TestEnv.a2md(argv)['rv'] == 0
            TestEnv.check_md_credentials([md_name])
            return CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))

        first_serial = drive().get_serial()

        # re-drive without --force: certificate must be unchanged
        assert drive().get_serial() == first_serial

        # forced drive: a new certificate (different serial) must be issued ...
        assert drive("--force").get_serial() != first_serial
        # ... and the earlier certificate must now be archive version 2
        archived = CertUtil(TestEnv.store_archived_file(md_name, 2, 'pubcert.pem'))
        assert archived.get_serial() == first_serial
    def test_702_032(self):
        """Two MDs under ``MDMembers auto``, then fold the second name into the first vhost.

        After the reconfiguration the first MD must list both names and the
        certificate served for name1 must be a new one (different serial)
        whose SANs cover both names.
        """
        domain = "test702-032-" + TestAuto.dns_uniq
        name1 = "server1." + domain
        # name2 deliberately sits under a different parent name so the CA's
        # per-domain rate limits are not hit by this test
        name2 = "server2." + TestAuto.dns_uniq

        def new_conf(md_name_lists):
            # fresh config: admin, MDMembers auto, one MD per name list
            conf = HttpdConf(TestAuto.TMP_CONF)
            conf.add_admin("admin@" + domain)
            conf._add_line("MDMembers auto")
            for md_names in md_name_lists:
                conf.add_md(md_names)
            return conf

        def add_https_vhost(conf, server_name, aliases, doc_root):
            conf.add_vhost(TestEnv.HTTPS_PORT,
                           server_name,
                           aliasList=aliases,
                           docRoot=doc_root,
                           withSSL=True,
                           certPath=TestEnv.path_domain_pubcert(domain),
                           keyPath=TestEnv.path_domain_privkey(domain))

        def served_cert(server_name):
            # certificate httpd presents for server_name over TLS
            return CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
                                             TestEnv.HTTPS_PORT, server_name)

        # 2 MDs and 2 vhosts
        conf = new_conf([[name1], [name2]])
        add_https_vhost(conf, name1, [], "htdocs/a")
        add_https_vhost(conf, name2, [], "htdocs/b")
        conf.install()

        # restart (-> drive), check that the MDs were synced and complete
        assert TestEnv.apache_restart() == 0
        self._check_md_names(name1, [name1])
        self._check_md_names(name2, [name2])
        assert TestEnv.await_completion([name1])
        # NOTE(review): completion is awaited for name1 only before name2's
        # cert is checked — confirm that ordering is intended
        self._check_md_cert([name2])

        # check: TLS serves certificates covering each name
        cert1 = served_cert(name1)
        assert name1 in cert1.get_san_list()
        assert name2 in served_cert(name2).get_san_list()

        # drop the second MD and vhost; name2 becomes an alias of vhost1
        conf = new_conf([[name1]])
        add_https_vhost(conf, name1, [name2], "htdocs/a")
        conf.install()
        # restart: MD now carries both names, host still works, cert is renewed
        assert TestEnv.apache_restart() == 0
        self._check_md_names(name1, [name1, name2])
        assert TestEnv.await_completion([name1])

        cert1b = served_cert(name1)
        san_list = cert1b.get_san_list()
        assert name1 in san_list
        assert name2 in san_list
        assert cert1.get_serial() != cert1b.get_serial()
    def test_702_031(self):
        """Change an MD's name list while two vhosts use its certificate.

        Initially both vhosts must serve one shared certificate; after the
        MD's first name is dropped and a new one added, the vhost must keep
        working and serve a different (renewed) certificate.
        """
        domain = "test702-031-" + TestAuto.dns_uniq
        name_x = "test-x." + domain
        name_a = "test-a." + domain
        name_b = "test-b." + domain
        name_c = "test-c." + domain
        dns_list = [name_x, name_a, name_b]

        def install_conf(md_names):
            # one MD with md_names, plus one TLS vhost each for name_a and name_b
            conf = HttpdConf(TestAuto.TMP_CONF)
            conf.add_admin("admin@" + domain)
            conf.add_md(md_names)
            for server_name, doc_root in ((name_a, "htdocs/a"), (name_b, "htdocs/b")):
                conf.add_vhost(TestEnv.HTTPS_PORT,
                               server_name,
                               aliasList=[],
                               docRoot=doc_root,
                               withSSL=True,
                               certPath=TestEnv.path_domain_pubcert(domain),
                               keyPath=TestEnv.path_domain_privkey(domain))
            conf.install()

        def served_cert(server_name):
            # certificate httpd presents for server_name over TLS
            return CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
                                             TestEnv.HTTPS_PORT, server_name)

        # 1 MD, 2 vhosts
        install_conf(dns_list)

        # restart (-> drive), check that the MD was synced and completes
        assert TestEnv.apache_restart() == 0
        self._check_md_names(name_x, dns_list)
        assert TestEnv.await_completion([name_x])
        self._check_md_cert(dns_list)

        # check: both vhosts serve the same certificate, each covering its own name
        cert_a = served_cert(name_a)
        assert name_a in cert_a.get_san_list()
        cert_b = served_cert(name_b)
        assert name_b in cert_b.get_san_list()
        assert cert_a.get_serial() == cert_b.get_serial()

        # change the MD: remove its first name, add name_c
        new_list = [name_a, name_b, name_c]
        install_conf(new_list)
        # restart: host still works but must now serve a different certificate
        assert TestEnv.apache_restart() == 0
        self._check_md_names(name_x, new_list)
        assert TestEnv.await_completion([name_x])

        cert_a2 = served_cert(name_a)
        assert name_a in cert_a2.get_san_list()
        assert cert_a.get_serial() != cert_a2.get_serial()
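    def test_702_009(self):
        """Auto drive mode with a 10-day renew window: a cert close to expiry is renewed.

        Configure one MD in ``auto`` mode, restart and verify the stored
        certificate is the one served over TLS.  Then replace the stored
        certificate with a short-lived self-signed one (serial 7029), confirm
        ``a2md list`` flags the MD for renewal, and verify that after the
        following restarts a different certificate is served.
        """
        domain = "test702-009-" + TestAuto.dns_uniq
        dns_list = [domain]

        # prepare md: auto drive mode, renew 10 days before expiry
        conf = HttpdConf(TestAuto.TMP_CONF)
        conf.add_admin("admin@" + domain)
        conf.add_drive_mode("auto")
        conf.add_renew_window("10d")
        conf.add_md(dns_list)
        conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[], withSSL=True)
        conf.install()

        def served_cert():
            # certificate httpd presents for `domain` over TLS
            return CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
                                             TestEnv.HTTPS_PORT, domain)

        # restart (-> drive), check that md+cert is in store and TLS serves it
        assert TestEnv.apache_restart() == 0
        assert TestEnv.await_completion([domain])
        self._check_md_cert(dns_list)
        stored_cert = CertUtil(TestEnv.path_domain_pubcert(domain))
        assert stored_cert.get_serial() == served_cert().get_serial()

        # overwrite the stored cert with a self-signed one whose remaining
        # lifetime lies inside the renew window -> must trigger another drive
        # (notBefore/notAfter units are whatever create_self_signed_cert
        # expects — presumably days; verify against CertUtil)
        CertUtil.create_self_signed_cert([domain], {
            "notBefore": -120,
            "notAfter": 2
        },
                                         serial=7029)
        short_lived = CertUtil(TestEnv.path_domain_pubcert(domain))
        assert short_lived.get_serial() == 7029
        time.sleep(1)
        md = TestEnv.a2md(["list", domain])['jout']['output'][0]
        # pin the JSON boolean itself, not anything merely equal to True
        assert md['renew'] is True

        assert TestEnv.apache_restart() == 0
        assert TestEnv.await_completion([domain])
        # presumably gives the renewed cert time to be staged before the
        # activating restart — confirm the required delay
        time.sleep(5)

        # restart -> new ACME cert becomes active
        assert TestEnv.apache_restart() == 0
        renewed = served_cert()
        assert domain in renewed.get_san_list()
        assert renewed.get_serial() != short_lived.get_serial()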
    def test_502_107(self):
        """Drive a COMPLETE MD twice, then once more with ``--force``.

        A plain re-drive of an MD that is already COMPLETE must leave the
        stored certificate untouched (same serial).  ``--force`` must obtain a
        new certificate and move the previous one to archive version 2.
        """
        domain = "test502-107-" + TestDrive.dns_uniq
        md_name = "www." + domain
        self._prepare_md([md_name])
        assert TestEnv.apache_start() == 0

        def drive(*extra_args):
            # run `a2md drive` for md_name and return the pubcert now in the store
            argv = ["-vv", "drive"] + list(extra_args) + [md_name]
            assert TestEnv.a2md(argv)['rv'] == 0
            self._check_md_cert([md_name])
            return CertUtil(TestEnv.path_domain_pubcert(md_name))

        first_serial = drive().get_serial()

        # re-drive without --force: certificate must be unchanged
        assert drive().get_serial() == first_serial

        # forced drive: a new certificate (different serial) must be issued ...
        assert drive("--force").get_serial() != first_serial
        # ... and the earlier certificate must now be archive version 2
        archived = CertUtil(TestEnv.path_domain_pubcert(md_name, archiveVersion=2))
        assert archived.get_serial() == first_serial
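    def _check_md_cert(self, dnsList):
        """Assert that the MD named ``dnsList[0]`` is COMPLETE with a consistent certificate.

        Checks, in order: state, ToS agreement and cert URL as reported by
        ``a2md list``; the stored private key is valid and the stored public
        cert matches it; CN equals the MD name and the SAN set equals
        ``dnsList``; 'now' lies inside the validity interval; and the stored
        cert has the same serial as the resource at the MD's cert URL.

        Args:
            dnsList: all DNS names of the MD; the first entry is the MD name.

        Raises:
            AssertionError: on the first check that fails.
        """
        name = dnsList[0]
        md = TestEnv.a2md(["list", name])['jout']['output'][0]
        # MD must be fully driven, the ToS agreed, and a cert URL recorded
        assert md['state'] == TestEnv.MD_S_COMPLETE
        assert md['ca']['agreement'] == TestEnv.ACME_TOS
        assert "url" in md['cert']

        # private key must be well-formed and the stored cert must belong to it
        # TODO: find a storage-independent way to read the local certificate
        #       (an earlier attempt read the encryption key from TestEnv.path_store_json())
        priv_key_path = TestEnv.path_domain_privkey(name)
        CertUtil.validate_privkey(priv_key_path)
        cert = CertUtil(TestEnv.path_domain_pubcert(name))
        cert.validate_cert_matches_priv_key(priv_key_path)

        # CN is the MD name; the SANs must be exactly the MD's names, order
        # ignored (the length check additionally rejects duplicate entries)
        assert cert.get_cn() == name
        san_list = cert.get_san_list()
        assert len(san_list) == len(dnsList)
        assert set(san_list) == set(dnsList)

        # 'now' must lie inside the validity interval; compare in the cert's own tz
        not_before = cert.get_not_before()
        not_after = cert.get_not_after()
        assert not_before < datetime.now(not_before.tzinfo)
        assert datetime.now(not_after.tzinfo) < not_after

        # the stored cert must be the one published at the MD's cert URL
        server_cert = CertUtil(md['cert']['url'])
        assert cert.get_serial() == server_cert.get_serial()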