def test_702_040(self):
domain = self.test_domain
domains = [domain, "www." + domain]
#
# generate 1 MD and 1 vhost
conf = HttpdConf()
conf.add_admin("admin@" + domain)
conf.add_line("LogLevel core:debug")
conf.add_line("LogLevel ssl:debug")
conf.add_line("Protocols http/1.1 acme-tls/1")
conf.add_drive_mode("auto")
conf.add_ca_challenges(["tls-alpn-01"])
conf.add_md(domains)
conf.add_vhost(domains)
conf.install()
#
# restart (-> drive), check that MD was synched and completes
assert TestEnv.apache_restart() == 0
TestEnv.check_md(domains)
# check that acme-tls/1 is available for all domains
stat = TestEnv.get_md_status(domain)
assert stat["proto"]["acme-tls/1"] == domains
assert TestEnv.await_completion([domain])
TestEnv.check_md_complete(domain)
#
# check SSL running OK
cert = TestEnv.get_cert(domain)
assert domain in cert.get_san_list()
def test_700_011(self):
domain = self.test_domain
domains = [domain, "www." + domain]
# generate 1 MD and 1 vhost, map port 443 onto itself where the server does not listen
conf = HttpdConf()
conf.add_admin("admin@" + domain)
conf.add_line("Protocols http/1.1 acme-tls/1")
conf.add_drive_mode("auto")
conf.add_ca_challenges(["tls-alpn-01"])
conf._add_line("MDPortMap 443:99")
conf.add_md(domains)
conf.add_vhost(domains)
conf.install()
assert TestEnv.apache_restart() == 0
TestEnv.check_md(domains)
assert not TestEnv.is_renewing(domain)
#
# now the same with a 443 mapped to a supported port
conf = HttpdConf()
conf.add_admin("admin@" + domain)
conf.add_line("Protocols http/1.1 acme-tls/1")
conf.add_drive_mode("auto")
conf.add_ca_challenges(["tls-alpn-01"])
conf._add_line("MDPortMap 443:%s" % TestEnv.HTTPS_PORT)
conf.add_md(domains)
conf.add_vhost(domains)
conf.install()
assert TestEnv.apache_restart() == 0
TestEnv.check_md(domains)
assert TestEnv.await_completion([domain])
def test_700_001(self):
# generate config with one MD
domain = self.test_domain
domains = [domain, "www." + domain]
conf = HttpdConf()
conf.add_admin("admin@" + domain)
conf.add_drive_mode("auto")
conf.add_md(domains)
conf.install()
#
# restart, check that MD is synched to store
assert TestEnv.apache_restart() == 0
TestEnv.check_md(domains)
stat = TestEnv.get_md_status(domain)
assert stat["watched"] == 0
#
# add vhost for MD, restart should drive it
conf.add_vhost(domains)
conf.install()
assert TestEnv.apache_restart() == 0
assert TestEnv.await_completion([domain])
TestEnv.check_md_complete(domain)
stat = TestEnv.get_md_status(domain)
assert stat["watched"] == 1
#
cert = TestEnv.get_cert(domain)
assert domain in cert.get_san_list()
#
# challenges should have been removed
# file system needs to have correct permissions
TestEnv.check_dir_empty(TestEnv.store_challenges())
TestEnv.check_file_permissions(domain)
def test_702_010(self):
domain = self.test_domain
domains = [domain, "www." + domain]
#
# generate 1 MD and 1 vhost, map port 80 onto itself where the server does not listen
conf = HttpdConf()
conf.add_admin("admin@" + domain)
conf.add_drive_mode("auto")
conf.add_ca_challenges(["http-01"])
conf._add_line("MDPortMap 80:99")
conf.add_md(domains)
conf.add_vhost(domains)
conf.install()
assert TestEnv.apache_restart() == 0
TestEnv.check_md(domains)
assert not TestEnv.is_renewing(domain)
#
# now the same with a 80 mapped to a supported port
conf = HttpdConf()
conf.add_admin("admin@" + domain)
conf.add_drive_mode("auto")
conf.add_ca_challenges(["http-01"])
conf._add_line("MDPortMap 80:%s" % TestEnv.HTTP_PORT)
conf.add_md(domains)
conf.add_vhost(domains)
conf.install()
assert TestEnv.apache_restart() == 0
TestEnv.check_md(domains)
assert TestEnv.await_completion([domain])
def test_602_000(self):
# test case: generate config with md -> restart -> drive -> generate config
# with vhost and ssl -> restart -> check HTTPS access
domain = self.test_domain
domains = [domain, "www." + domain]
# - generate config with one md
conf = HttpdConf()
conf.add_admin("admin@" + domain)
conf.add_drive_mode("manual")
conf.add_md(domains)
conf.install()
# - restart, check that md is in store
assert TestEnv.apache_restart() == 0
TestEnv.check_md(domains)
# - drive
assert TestEnv.a2md(["-v", "drive", domain])['rv'] == 0
assert TestEnv.apache_restart() == 0
TestEnv.check_md_complete(domain)
# - append vhost to config
conf.add_vhost(domains)
conf.install()
assert TestEnv.apache_restart() == 0
# check: SSL is running OK
cert = TestEnv.get_cert(domain)
assert domain in cert.get_san_list()
# check file system permissions:
TestEnv.check_file_permissions(domain)
def test_700_002(self):
# generate config with two MDs
domain = self.test_domain
domainA = "a-" + domain
domainB = "b-" + domain
domainsA = [domainA, "www." + domainA]
domainsB = [domainB, "www." + domainB]
conf = HttpdConf()
conf.add_admin("*****@*****.**")
conf.add_drive_mode("auto")
conf.add_md(domainsA)
conf.add_md(domainsB)
conf.add_vhost(domainsA)
conf.add_vhost(domainsB)
conf.install()
#
# restart, check that md is in store
assert TestEnv.apache_restart() == 0
TestEnv.check_md(domainsA)
TestEnv.check_md(domainsB)
# await drive completion
assert TestEnv.await_completion([domainA, domainB])
TestEnv.check_md_complete(domainA)
TestEnv.check_md_complete(domainB)
#
# check: SSL is running OK
certA = TestEnv.get_cert(domainA)
assert domainsA == certA.get_san_list()
certB = TestEnv.get_cert(domainB)
assert domainsB == certB.get_san_list()
#
# should have a single account now
assert 1 == len(TestEnv.list_accounts())
def test_500_201(self, renewWindow, testDataList):
# test case: trigger cert renew when entering renew window
# setup: prepare COMPLETE md
domain = self.test_domain
name = "www." + domain
conf = HttpdConf()
conf.add_admin("admin@" + domain)
conf.add_drive_mode("manual")
conf.add_renew_window(renewWindow)
conf.add_md([name])
conf.install()
assert TestEnv.apache_restart() == 0
md = TestEnv.a2md(["list", name])['jout']['output'][0]
assert md['state'] == TestEnv.MD_S_INCOMPLETE
assert md['renew-window'] == renewWindow
# setup: drive it
assert TestEnv.a2md(["drive", name])['rv'] == 0
cert1 = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
md = TestEnv.a2md(["list", name])['jout']['output'][0]
assert md['state'] == TestEnv.MD_S_COMPLETE
assert md['renew-window'] == renewWindow
# replace cert by self-signed one -> check md status
print("TRACE: start testing renew window: %s" % renewWindow)
for tc in testDataList:
print("TRACE: create self-signed cert: %s" % tc["valid"])
TestEnv.create_self_signed_cert([name], tc["valid"])
cert2 = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
assert cert2.get_serial() != cert1.get_serial()
r = TestEnv.a2md(["-vvvv", "list", name])
md = r['jout']['output'][0]
assert md["renew"] == tc["renew"], \
"Expected renew == {} indicator in {}, test case {}, stderr {}".format(tc["renew"], md, tc, r['stderr'])
def test_901_003(self):
domain = self.test_domain
domains = [domain, "www." + domain]
conf = HttpdConf()
conf.add_admin("*****@*****.**")
conf.add_message_cmd("%s %s" % (self.mcmd, self.mlog))
conf.add_drive_mode("auto")
conf.add_md(domains)
conf.add_vhost(domains)
conf.install()
assert TestEnv.apache_restart() == 0
assert TestEnv.await_completion([domain], restart=False)
stat = TestEnv.get_md_status(domain)
# this command did not fail and logged itself the correct information
assert stat["renewal"]["last"]["status"] == 0
assert stat["renewal"]["log"]["entries"]
assert stat["renewal"]["log"]["entries"][0]["type"] == "message-renewed"
# shut down server to make sure that md has completed
assert TestEnv.apache_stop() == 0
nlines = open(self.mlog).readlines()
assert 3 == len(nlines)
nlines = [s.strip() for s in nlines]
assert "['{cmd}', '{logfile}', 'challenge-setup:http-01:{dns}', '{mdomain}']".format(
cmd=self.mcmd, logfile=self.mlog, mdomain=domain, dns=domains[0]) in nlines
assert "['{cmd}', '{logfile}', 'challenge-setup:http-01:{dns}', '{mdomain}']".format(
cmd=self.mcmd, logfile=self.mlog, mdomain=domain, dns=domains[1]) in nlines
assert nlines[2].strip() == "['{cmd}', '{logfile}', 'renewed', '{mdomain}']".format(
cmd=self.mcmd, logfile=self.mlog, mdomain=domain)
def test_500_203(self):
# test case: reproduce issue with initially wrong agreement URL
domain = self.test_domain
name = "www." + domain
# setup: prepare md with invalid TOS url
conf = HttpdConf()
conf.add_admin("admin@" + domain)
conf.add_line("MDCertificateAgreement %s" % (TestEnv.ACME_TOS2))
conf.add_drive_mode("manual")
conf.add_md([name])
conf.install()
assert TestEnv.apache_restart() == 0
assert TestEnv.a2md(
["list",
name])['jout']['output'][0]['state'] == TestEnv.MD_S_INCOMPLETE
# drive it -> fail after account registration
assert TestEnv.a2md(["-vv", "drive", name])['rv'] == 1
# adjust config: replace TOS url with correct one
conf = HttpdConf()
conf.add_admin("admin@" + domain)
conf.add_drive_mode("manual")
conf.add_md([name])
conf.install()
time.sleep(1)
assert TestEnv.apache_restart() == 0
assert TestEnv.a2md(
["list",
name])['jout']['output'][0]['state'] == TestEnv.MD_S_INCOMPLETE
# drive it -> runs OK
assert TestEnv.a2md(["-vv", "drive", name])['rv'] == 0
assert TestEnv.a2md(
["list",
name])['jout']['output'][0]['state'] == TestEnv.MD_S_COMPLETE
def test_700_005(self):
# generate 1 MD and 1 vhost
domain = self.test_domain
nameA = "a." + domain
domains = [domain, nameA]
conf = HttpdConf()
conf.add_admin("admin@" + domain)
conf.add_drive_mode("manual")
conf.add_md(domains)
conf.add_vhost(nameA, docRoot="htdocs/a")
conf.install()
#
# create docRoot folder
self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR, "a"),
"name.txt", nameA)
#
# restart, check that md is in store
assert TestEnv.apache_restart() == 0
TestEnv.check_md(domains)
#
# check: that request to domains give 503 Service Unavailable
cert1 = TestEnv.get_cert(nameA)
assert nameA in cert1.get_san_list()
assert TestEnv.getStatus(nameA, "/name.txt") == 503
#
# check temporary cert from server
cert2 = CertUtil(TestEnv.path_fallback_cert(domain))
assert cert1.get_serial() == cert2.get_serial(), \
"Unexpected temporary certificate on vhost %s. Expected cn: %s , but found cn: %s" % ( nameA, cert2.get_cn(), cert1.get_cn() )
def test_702_042(self):
domain = self.test_domain
dns_list = [domain]
conf = HttpdConf()
conf.add_admin("admin@" + domain)
conf.add_line("LogLevel core:debug")
conf.add_line("LogLevel ssl:debug")
conf.add_line("SSLCertificateChainFile %s" %
(self._path_conf_ssl("valid_cert.pem")))
conf.add_drive_mode("auto")
conf.add_md(dns_list)
conf.add_vhost(TestEnv.HTTPS_PORT, dns_list)
conf.install()
assert TestEnv.apache_restart() == 0
def test_310_310(self, window):
# non-default renewal setting
domain = self.test_domain
conf = HttpdConf()
conf.add_admin("admin@" + domain)
conf.start_md([domain])
conf.add_drive_mode("manual")
conf.add_renew_window(window)
conf.end_md()
conf.add_vhost(domain)
conf.install()
assert TestEnv.apache_restart() == 0
stat = TestEnv.get_md_status(domain)
assert stat["renew-window"] == window
def test_901_001(self):
domain = self.test_domain
domains = [ domain, "www." + domain ]
conf = HttpdConf()
conf.add_admin( "*****@*****.**" )
conf.add_message_cmd( "blablabla" )
conf.add_drive_mode( "auto" )
conf.add_md( domains )
conf.add_vhost(domains)
conf.install()
assert TestEnv.apache_restart() == 0
assert TestEnv.await_completion( [ domain ], restart=False )
stat = TestEnv.get_md_status(domain)
# this command should have failed and logged an error
assert stat["renewal"]["last"]["problem"] == "urn:org:apache:httpd:log:AH10109:"
def test_700_008a(self):
domain = self.test_domain
domains = [domain]
conf = HttpdConf(proxy=True)
conf.add_admin("admin@" + domain)
conf.add_drive_mode("always")
conf.add_http_proxy("http://localhost:%s" % TestEnv.HTTP_PROXY_PORT)
conf.add_md(domains)
conf.install()
#
# - restart (-> drive), check that md is in store
assert TestEnv.apache_restart() == 0
assert TestEnv.await_completion([domain])
assert TestEnv.apache_restart() == 0
TestEnv.check_md_complete(domain)
def test_500_110(self):
# test case: SSL-only domain, override headers generated by mod_md
# setup: prepare config
domain = self.test_domain
name = "www." + domain
conf = HttpdConf()
conf.add_admin("admin@" + domain)
conf.add_drive_mode("manual")
conf.add_require_ssl("permanent")
conf.add_md([name])
conf.add_vhost(name, port=TestEnv.HTTP_PORT)
conf.add_vhost(name)
conf.install()
assert TestEnv.apache_restart() == 0
# drive it
assert TestEnv.a2md(["drive", name])['rv'] == 0
assert TestEnv.apache_restart() == 0
# test override HSTS header
conf._add_line(
' Header set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload"'
)
conf.install()
assert TestEnv.apache_restart() == 0
r = TestEnv.get_meta(name, "/name.txt", useHTTPS=True)
assert r['http_headers'][
'Strict-Transport-Security'] == 'max-age=10886400; includeSubDomains; preload'
# test override Location header
conf._add_line(' Redirect /a /name.txt')
conf._add_line(' Redirect seeother /b /name.txt')
conf.install()
assert TestEnv.apache_restart() == 0
# check: default redirect by mod_md still works
expLocation = "https://%s/name.txt" % name
r = TestEnv.get_meta(name, "/name.txt", useHTTPS=False)
assert r['http_status'] == 301
assert r['http_headers']['Location'] == expLocation
# check: redirect as given by mod_alias
expLocation = "https://%s/a" % name
r = TestEnv.get_meta(name, "/a", useHTTPS=False)
assert r[
'http_status'] == 301 # FAIL: mod_alias generates Location header instead of mod_md
assert r['http_headers']['Location'] == expLocation
def test_700_008(self):
domain = self.test_domain
domains = [domain]
conf = HttpdConf()
conf.add_admin("admin@" + domain)
conf.add_drive_mode("always")
conf.add_http_proxy("http://localhost:1")
conf.add_md(domains)
conf.install()
#
# - restart (-> drive)
assert TestEnv.apache_restart() == 0
# await drive completion
md = TestEnv.await_error(domain)
assert md
assert md['renewal']['errors'] > 0
assert md['renewal']['last'][
'status-description'] == 'Connection refused'
assert 'account' not in md['ca']
def test_901_020(self):
domain = self.test_domain
domains = [ domain ]
conf = HttpdConf()
conf.add_admin( "*****@*****.**" )
conf.add_message_cmd( "%s %s" % (self.mcmd, self.mlog) )
conf.add_drive_mode( "auto" )
conf.add_md(domains)
conf.add_line("MDStapling on")
conf.add_vhost(domains)
conf.install()
assert TestEnv.apache_restart() == 0
assert TestEnv.await_completion( [ domain ] )
stat = TestEnv.await_ocsp_status(domain)
assert os.path.isfile(self.mlog)
nlines = open(self.mlog).readlines()
assert 2 == len(nlines)
assert ("['%s', '%s', 'renewed', '%s']" % (self.mcmd, self.mlog, domain)) == nlines[0].strip()
assert ("['%s', '%s', 'ocsp-renewed', '%s']" % (self.mcmd, self.mlog, domain)) == nlines[1].strip()
def test_602_002(self):
# test case: one md, that covers two vhosts
domain = self.test_domain
name_a = "a." + domain
name_b = "b." + domain
domains = [domain, name_a, name_b]
# - generate config with one md
conf = HttpdConf()
conf.add_admin("admin@" + domain)
conf.add_drive_mode("manual")
conf.add_md(domains)
conf.install()
# - restart, check that md is in store
assert TestEnv.apache_restart() == 0
TestEnv.check_md(domains)
# - drive
assert TestEnv.a2md(["drive", domain])['rv'] == 0
assert TestEnv.apache_restart() == 0
TestEnv.check_md_complete(domain)
# - append vhost to config
conf.add_vhost(name_a, doc_root="htdocs/a")
conf.add_vhost(name_b, doc_root="htdocs/b")
conf.install()
# - create docRoot folder
self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR, "a"),
"name.txt", name_a)
self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR, "b"),
"name.txt", name_b)
# check: SSL is running OK
assert TestEnv.apache_restart() == 0
cert_a = TestEnv.get_cert(name_a)
assert name_a in cert_a.get_san_list()
cert_b = TestEnv.get_cert(name_b)
assert name_b in cert_b.get_san_list()
assert cert_a.same_serial_as(cert_b)
assert TestEnv.get_content(name_a, "/name.txt") == name_a
assert TestEnv.get_content(name_b, "/name.txt") == name_b
def test_500_120(self):
# test case: NP dereference reported by Daniel Caminada <*****@*****.**>
domain = self.test_domain
name = "www." + domain
conf = HttpdConf()
conf.add_admin("admin@" + domain)
conf.add_drive_mode("manual")
conf.add_md([name])
conf.add_vhost(name)
conf.install()
assert TestEnv.apache_restart() == 0
r = TestEnv.run([
"openssl", "s_client", "-connect",
"%s:%s" % (TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT), "-servername",
"example.com", "-crlf"
], "GET https:// HTTP/1.1\nHost: example.com\n\n")
assert TestEnv.apache_restart() == 0
# assert that no crash is reported in the log
assert not TestEnv.httpd_error_log_scan(
re.compile("^.* child pid \S+ exit .*$"))
def test_901_003(self):
domain = self.test_domain
domains = [ domain, "www." + domain ]
conf = HttpdConf()
conf.add_admin( "*****@*****.**" )
conf.add_message_cmd( "%s %s" % (self.mcmd, self.mlog) )
conf.add_drive_mode( "auto" )
conf.add_md(domains)
conf.add_vhost(domains)
conf.install()
assert TestEnv.apache_restart() == 0
assert TestEnv.await_completion( [ domain ], restart=False )
stat = TestEnv.get_md_status(domain)
# this command did not fail and logged itself the correct information
assert stat["renewal"]["last"]["status"] == 0
assert stat["renewal"]["log"]["entries"]
assert stat["renewal"]["log"]["entries"][0]["type"] == "message-renewed"
nlines = open(self.mlog).readlines()
assert 1 == len(nlines)
assert ("['%s', '%s', 'renewed', '%s']" % (self.mcmd, self.mlog, domain)) == nlines[0].strip()
def test_600_002(self):
# test case: one md, that covers two vhosts
domain = self.test_domain
nameA = "a-" + domain
nameB = "b-" + domain
domains = [domain, nameA, nameB]
conf = HttpdConf()
conf.add_admin("admin@" + domain)
conf.add_drive_mode("manual")
conf.add_md(domains)
conf.install()
# - restart, check that md is in store
assert TestEnv.apache_restart() == 0
TestEnv.check_md(domains)
# - drive
assert TestEnv.a2md(["drive", domain])['rv'] == 0
assert TestEnv.apache_restart() == 0
TestEnv.check_md_complete(domain)
# - append vhost to config
conf.add_vhost(nameA, docRoot="htdocs/a")
conf.add_vhost(nameB, docRoot="htdocs/b")
conf.install()
# - create docRoot folder
self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR, "a"),
"name.txt", nameA)
self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR, "b"),
"name.txt", nameB)
# check: SSL is running OK
assert TestEnv.apache_restart() == 0
certA = TestEnv.get_cert(nameA)
assert nameA in certA.get_san_list()
certB = TestEnv.get_cert(nameB)
assert nameB in certB.get_san_list()
assert certA.get_serial() == certB.get_serial()
assert TestEnv.get_content(nameA, "/name.txt") == nameA
assert TestEnv.get_content(nameB, "/name.txt") == nameB
def test_500_111(self):
# test case: vhost with parallel HTTP/HTTPS, check mod_alias redirects
# setup: prepare config
domain = self.test_domain
name = "www." + domain
conf = HttpdConf()
conf.add_admin("admin@" + domain)
conf.add_drive_mode("manual")
conf.add_md([name])
conf._add_line(" LogLevel alias:debug")
conf.add_vhost(name, port=TestEnv.HTTP_PORT)
conf.add_vhost(name)
conf.install()
assert TestEnv.apache_restart() == 0
# drive it
assert TestEnv.a2md(["drive", name])['rv'] == 0
assert TestEnv.apache_restart() == 0
# setup: place redirect rules
conf._add_line(' Redirect /a /name.txt')
conf._add_line(' Redirect seeother /b /name.txt')
conf.install()
assert TestEnv.apache_restart() == 0
# check: redirects on HTTP
expLocation = "http://%s:%s/name.txt" % (name, TestEnv.HTTP_PORT)
r = TestEnv.get_meta(name, "/a", useHTTPS=False)
assert r['http_status'] == 302
assert r['http_headers']['Location'] == expLocation
r = TestEnv.get_meta(name, "/b", useHTTPS=False)
assert r['http_status'] == 303
assert r['http_headers']['Location'] == expLocation
# check: redirects on HTTPS
expLocation = "https://%s:%s/name.txt" % (name, TestEnv.HTTPS_PORT)
r = TestEnv.get_meta(name, "/a", useHTTPS=True)
assert r['http_status'] == 302
assert r['http_headers'][
'Location'] == expLocation # FAIL: expected 'https://...' but found 'http://...'
r = TestEnv.get_meta(name, "/b", useHTTPS=True)
assert r['http_status'] == 303
assert r['http_headers']['Location'] == expLocation
def test_901_020(self):
domain = self.test_domain
domains = [ domain ]
conf = HttpdConf()
conf.add_admin( "*****@*****.**" )
conf.add_message_cmd( "%s %s" % (self.mcmd, self.mlog) )
conf.add_drive_mode( "auto" )
conf.add_md(domains)
conf.add_line("MDStapling on")
conf.add_vhost(domains)
conf.install()
assert TestEnv.apache_restart() == 0
assert TestEnv.await_completion( [ domain ] )
stat = TestEnv.await_ocsp_status(domain)
assert TestEnv.await_file(self.mlog)
nlines = open(self.mlog).readlines()
# since v2.1.10, the 'installed' message is second in log
lc = 1+self.menv_lines
assert 3*lc == len(nlines)
assert ("['%s', '%s', 'renewed', '%s']" % (self.mcmd, self.mlog, domain)) == nlines[0*lc].strip()
assert ("['%s', '%s', 'installed', '%s']" % (self.mcmd, self.mlog, domain)) == nlines[1*lc].strip()
assert ("['%s', '%s', 'ocsp-renewed', '%s']" % (self.mcmd, self.mlog, domain)) == nlines[2*lc].strip()
def test_702_041(self):
domain = self.test_domain
domains = [domain, "www." + domain]
#
# generate 1 MD and 1 vhost
conf = HttpdConf()
conf.add_admin("admin@" + domain)
conf.add_line("LogLevel core:debug")
conf.add_line("LogLevel ssl:debug")
conf.add_drive_mode("auto")
conf.add_ca_challenges(["tls-alpn-01"])
conf.add_md(domains)
conf.add_vhost(domains)
conf.install()
#
# restart (-> drive), check that MD job shows errors
# and that missing proto is detected
assert TestEnv.apache_restart() == 0
TestEnv.check_md(domains)
# check that acme-tls/1 is available for none of the domains
stat = TestEnv.get_md_status(domain)
assert stat["proto"]["acme-tls/1"] == []
def test_700_004(self, challengeType):
# generate 1 MD and 1 vhost
domain = self.test_domain
domains = [domain, "www." + domain]
conf = HttpdConf()
conf.add_admin("admin@" + domain)
conf.add_line("Protocols http/1.1 acme-tls/1")
conf.add_drive_mode("auto")
conf.add_ca_challenges([challengeType])
conf.add_md(domains)
conf.add_vhost(domains)
conf.install()
#
# restart (-> drive), check that MD was synched and completes
assert TestEnv.apache_restart() == 0
TestEnv.check_md(domains)
assert TestEnv.await_completion([domain])
TestEnv.check_md_complete(domain)
#
# check SSL running OK
cert = TestEnv.get_cert(domain)
assert domain in cert.get_san_list()
def test_602_001(self):
# test case: same as test_600_000, but with two parallel managed domains
domain_a = "a-" + self.test_domain
domain_b = "b-" + self.test_domain
# - generate config with one md
domains_a = [domain_a, "www." + domain_a]
domains_b = [domain_b, "www." + domain_b]
conf = HttpdConf()
conf.add_admin("*****@*****.**")
conf.add_drive_mode("manual")
conf.add_md(domains_a)
conf.add_md(domains_b)
conf.install()
# - restart, check that md is in store
assert TestEnv.apache_restart() == 0
TestEnv.check_md(domains_a)
TestEnv.check_md(domains_b)
# - drive
assert TestEnv.a2md(["drive", domain_a])['rv'] == 0
assert TestEnv.a2md(["drive", domain_b])['rv'] == 0
assert TestEnv.apache_restart() == 0
TestEnv.check_md_complete(domain_a)
TestEnv.check_md_complete(domain_b)
# - append vhost to config
conf.add_vhost(domains_a)
conf.add_vhost(domains_b)
conf.install()
# check: SSL is running OK
assert TestEnv.apache_restart() == 0
cert_a = TestEnv.get_cert(domain_a)
assert domains_a == cert_a.get_san_list()
cert_b = TestEnv.get_cert(domain_b)
assert domains_b == cert_b.get_san_list()
def test_702_009(self):
domain = self.test_domain
domains = [domain]
#
# prepare md
conf = HttpdConf()
conf.add_admin("admin@" + domain)
conf.add_drive_mode("auto")
conf.add_renew_window("10d")
conf.add_md(domains)
conf.add_vhost(domain)
conf.install()
#
# restart (-> drive), check that md+cert is in store, TLS is up
assert TestEnv.apache_restart() == 0
assert TestEnv.await_completion([domain])
TestEnv.check_md_complete(domain)
cert1 = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
# compare with what md reports as status
stat = TestEnv.get_certificate_status(domain)
assert stat['serial'] == cert1.get_serial()
#
# create self-signed cert, with critical remaining valid duration -> drive again
TestEnv.create_self_signed_cert([domain], {
"notBefore": -120,
"notAfter": 2
},
serial=7029)
cert3 = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
assert cert3.get_serial() == '1B75'
assert TestEnv.apache_restart() == 0
stat = TestEnv.get_certificate_status(domain)
assert stat['serial'] == cert3.get_serial()
#
# cert should renew and be different afterwards
assert TestEnv.await_completion([domain], must_renew=True)
stat = TestEnv.get_certificate_status(domain)
assert stat['serial'] != cert3.get_serial()
def test_901_020(self):
domain = self.test_domain
domains = [domain]
conf = HttpdConf()
conf.add_admin("*****@*****.**")
conf.add_message_cmd("%s %s" % (self.mcmd, self.mlog))
conf.add_drive_mode("auto")
conf.add_md(domains)
conf.add_line("MDStapling on")
conf.add_vhost(domains)
conf.install()
assert TestEnv.apache_restart() == 0
assert TestEnv.await_completion([domain])
TestEnv.await_ocsp_status(domain)
assert TestEnv.await_file(self.mlog)
time.sleep(1)
nlines = open(self.mlog).readlines()
assert 4 == len(nlines)
assert nlines[0].strip() == ("['%s', '%s', 'challenge-setup:http-01:%s', '%s']"
% (self.mcmd, self.mlog, domain, domain))
assert nlines[1].strip() == ("['%s', '%s', 'renewed', '%s']" % (self.mcmd, self.mlog, domain))
assert nlines[2].strip() == ("['%s', '%s', 'installed', '%s']" % (self.mcmd, self.mlog, domain))
assert nlines[3].strip() == ("['%s', '%s', 'ocsp-renewed', '%s']" % (self.mcmd, self.mlog, domain))
def test_702_002(self):
domain = self.test_domain
domainA = "a-" + domain
domainB = "b-" + domain
#
# generate config with two MDs
domainsA = [domainA, "www." + domainA]
domainsB = [domainB, "www." + domainB]
conf = HttpdConf()
conf.add_admin("*****@*****.**")
conf.add_drive_mode("auto")
conf.add_md(domainsA)
conf.add_md(domainsB)
conf.add_vhost(domainsA)
conf.add_vhost(domainsB)
conf.install()
#
# restart, check that md is in store
assert TestEnv.apache_restart() == 0
TestEnv.check_md(domainsA)
TestEnv.check_md(domainsB)
#
# await drive completion, do not restart
assert TestEnv.await_completion([domainA, domainB], restart=False)
# staged certificates are now visible on the status resources
status = TestEnv.get_md_status(domainA)
assert 'renewal' in status
assert 'cert' in status['renewal']
assert 'rsa' in status['renewal']['cert']
assert 'sha256-fingerprint' in status['renewal']['cert']['rsa']
# restart and activate
assert TestEnv.apache_restart() == 0
# check: SSL is running OK
certA = TestEnv.get_cert(domainA)
assert domainsA == certA.get_san_list()
certB = TestEnv.get_cert(domainB)
assert domainsB == certB.get_san_list()
def test_500_202(self, keyType, keyParams, expKeyLength):
# test case: specify RSA key length and verify resulting cert key
# setup: prepare md
domain = self.test_domain
name = "www." + domain
conf = HttpdConf()
conf.add_admin("admin@" + domain)
conf.add_drive_mode("manual")
conf.add_private_key(keyType, keyParams)
conf.add_md([name])
conf.install()
assert TestEnv.apache_restart() == 0
assert TestEnv.a2md(
["list",
name])['jout']['output'][0]['state'] == TestEnv.MD_S_INCOMPLETE
# setup: drive it
assert TestEnv.a2md( [ "-vv", "drive", name ] )['rv'] == 0, \
"Expected drive to succeed for MDPrivateKeys {} {}".format(keyType, keyParams)
assert TestEnv.a2md(
["list",
name])['jout']['output'][0]['state'] == TestEnv.MD_S_COMPLETE
# check cert key length
cert = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
assert cert.get_key_length() == expKeyLength
