def testDNSUptoolsUpdateSPF(self):
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
spf= \
' 2>&1".format(testdomain))
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
spf+=+mx,~all,?aaaa,-ip4:0.1.2.3/24 \
' 2>&1".format(testdomain))
with self.subTest("check first spf a - all"):
self.assertRegex(stdout, ".*add.*new.*SPF.*~all.*")
with self.subTest("check first spf a - ip4"):
self.assertRegex(stdout, ".*add.*new.*SPF.*-ip4:0.1.2.3/24.*")
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
spf=+ip6:00fe::1234:0000/64,-aaaa\
' 2>&1".format(testdomain))
with self.subTest("check first spf b - ip6"):
self.assertRegex(stdout, ".*update.*ip6.*")
with self.subTest("check first spf b - aaaaa"):
self.assertRegex(stdout, ".*update.*aaaa.*")
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
spf= \
' 2>&1".format(testdomain))
with self.subTest("check first spf c - ip6"):
self.assertRegex(stdout, ".*delete.*ip6.*")
def testDNSUptoolsUpdateMX(self):
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
mx=none \
' 2>&1".format(testdomain))
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
mx=mx01.mailbox.example:50,mx02.mailbox.example:10\
' 2>&1".format(testdomain))
with self.subTest("check first mx a"):
self.assertRegex(stdout, ".*add.*new.*mx01.mailbox.example.*")
with self.subTest("check second mx a"):
self.assertRegex(stdout, ".*add.*new.*mx02.mailbox.example.*")
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
mx.50=mx03.mailbox.example\
mx.10=mx04.mailbox.example\
' 2>&1".format(testdomain))
with self.subTest("check first mx b"):
self.assertRegex(stdout, ".*add.*new.*mx03.mailbox.example.*")
with self.subTest("check second mx b"):
self.assertRegex(stdout, ".*add.*new.*mx04.mailbox.example.*")
with self.subTest("check previous first mx"):
self.assertRegex(stdout, ".*delete.*mx01.mailbox.example.*")
with self.subTest("check previous second mx"):
self.assertRegex(stdout, ".*delete.*mx02.mailbox.example.*")
def testDNSUptoolsUpdateIP6(self):
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
ip6=none \
' 2>&1".format(testdomain))
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
ip6=86::1,23f0::23:42\
' 2>&1".format(testdomain))
with self.subTest("check first ip6 a"):
self.assertRegex(stdout, ".*add.*new.*86::1.*")
with self.subTest("check second ip6 a"):
self.assertRegex(stdout, ".*add.*new.*23f0::23:42.*")
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
ip6=0f::00,fe00:2345::0\
' 2>&1".format(testdomain))
with self.subTest("check first ip6 b"):
self.assertRegex(stdout, ".*add.*new.*0f::00.*")
with self.subTest("check second ip6 b"):
self.assertRegex(stdout, ".*add.*new.*fe00:2345::0.*")
with self.subTest("check previous first ip6"):
self.assertRegex(stdout, ".*delete.*86::1.*")
with self.subTest("check previous second ip6"):
self.assertRegex(stdout, ".*delete.*23f0::23:42.*")
def testDNSUptoolsUpdateIP4(self):
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
ip4=none \
' 2>&1".format(testdomain))
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
ip4=0.0.0.2,0.0.0.1\
' 2>&1".format(testdomain))
with self.subTest("check first ip4"):
self.assertRegex(stdout, ".*add.*new.*0.0.0.2.*")
with self.subTest("check second ip4"):
self.assertRegex(stdout, ".*add.*new.*0.0.0.1.*")
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
ip4=0.0.0.4,0.0.0.3\
' 2>&1".format(testdomain))
with self.subTest("check first ip4"):
self.assertRegex(stdout, ".*add.*new.*0.0.0.4.*")
with self.subTest("check second ip4"):
self.assertRegex(stdout, ".*add.*new.*0.0.0.3.*")
with self.subTest("check previous first ip4"):
self.assertRegex(stdout, ".*delete.*0.0.0.2.*")
with self.subTest("check previous second ip4"):
self.assertRegex(stdout, ".*delete.*0.0.0.1.*")
def testDNSUptoolsUpdateSRV(self):
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
srv=none \
' 2>&1".format(testdomain))
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
srv=testsrv.entroserv.de:50:10:25:tcp:smtp\
srv.smtp=mx01.mailbox.example, mx02.mailbox.example\
' 2>&1".format(testdomain))
with self.subTest("check first srv a"):
self.assertRegex(stdout, ".*add.*_smtp._tcp.{} : 10 25 testsrv.entroserv.de.*".format(testdomain))
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
srv.smtp=mx03.mailbox.example:0:0:143:tcp\
srv.imap=mx04.mailbox.example\
' 2>&1".format(testdomain))
with self.subTest("check first srv b"):
self.assertRegex(stdout, ".*add.*new.*mx03.mailbox.example.*")
with self.subTest("check second srv b"):
self.assertRegex(stdout, ".*add.*new.*mx04.mailbox.example.*")
with self.subTest("check previous first srv"):
self.assertRegex(stdout, ".*delete.*mx01.mailbox.example.*")
with self.subTest("check previous second srv"):
self.assertRegex(stdout, ".*delete.*mx02.mailbox.example.*")
def testDNSUptoolsUpdateDMARC(self):
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
dmarc= \
' 2>&1".format(testdomain))
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
dmarc.p=quarantine \
dmarc.pct=100 \
dmarc.rua=mailto:[email protected] \
dmarc.ruf=mailto:[email protected] \
dmarc.adkim=s \
dmarc.aspf=r \
' 2>&1".format(testdomain))
with self.subTest("check first dmarc a"):
self.assertRegex(stdout, ".*add.*new.*DMARC.*_dmarc.*p=quarantine.*")
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
dmarc.sp=quarantine \
' 2>&1".format(testdomain))
with self.subTest("check first dmarc b"):
self.assertRegex(stdout, ".*update.*DMARC.*sp=quarantine.*")
def testDNSUptoolsUpdateCAA(self):
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
caa= \
' 2>&1".format(testdomain))
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
caa=0 issue test.example \
' 2>&1".format(testdomain))
with self.subTest("check first caa a"):
self.assertRegex(stdout, ".*add.*new.*CAA.*issue.*")
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
caa=128 issuewild test2.example \
' 2>&1".format(testdomain))
with self.subTest("check first caa b"):
self.assertRegex(stdout, ".*add.*CAA.*128.*issuewild.*test2.example")
with self.subTest("check second caa b"):
self.assertRegex(stdout, ".*delete.*CAA.*0.*issue.*test.example")
def testHandlerOpensslDH512(self):
try:
os.remove(dhfile)
except:
pass
stdout = runCmd("python3 -m cryptdomainmgr --prepare \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[dhparam] \
handler=openssl \
[dhparam:{}] \
keysize=512 \
filename={} \
' 2>&1".format(testdh, dhfile))
with self.subTest("check dhparam log output"):
self.assertRegex(stdout, ".*Create dhparams.*{}.*".format(testdh))
with self.subTest("check dhparam file exists"):
self.assertFalse(os.path.isfile(dhfile))
stdout = runCmd("python3 -m cryptdomainmgr --rollover \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[dhparam] \
handler=openssl \
[dhparam:{}] \
keysize=512 \
filename={} \
' 2>&1".format(testdh, dhfile))
with self.subTest("check dhparam log output"):
self.assertRegex(stdout, ".*Apply dhparams.*{}.*".format(testdh))
with self.subTest("check dhparam file exists"):
self.assertTrue(os.path.isfile(dhfile))
def testDNSUptoolsUpdateACME(self):
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
acme= \
' 2>&1".format(testdomain))
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
acme=test \
' 2>&1".format(testdomain))
with self.subTest("check first adsp a"):
self.assertRegex(stdout, ".*add.*new.*ACME.*test.*")
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
acme= \
' 2>&1".format(testdomain))
with self.subTest("check first acme b"):
self.assertRegex(stdout, ".*delete.*ACME.*test.*")
def testDNSUptoolsUpdateADSP(self):
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
adsp= \
' 2>&1".format(testdomain))
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
adsp=all \
' 2>&1".format(testdomain))
with self.subTest("check first adsp a"):
self.assertRegex(stdout, ".*add.*new.*ADSP.*dkim=all.*")
stdout = runCmd("python3 -m cryptdomainmgr --update \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir=/tmp/test_cryptdomainmgr \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
adsp=unknown \
' 2>&1".format(testdomain))
with self.subTest("check first adsp b"):
self.assertRegex(stdout, ".*update.*ADSP.*dkim=unknown.*")
def testHandlerDehydratedCreateCert(self):
log.relog("test")
stdout = runCmd("python3 -m cryptdomainmgr --prepare \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir={} \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
cert=mycert \
[cert] \
handler=dehydrated/letsencrypt \
email={} \
keysize=4096 \
[cert:mycert] \
destination={} \
extraflags=--staging,-x \
' 2>&1".format(tmpdir, testdomain, testcertemail, testcertpath))
with self.subTest("check cert file is created in tmp"):
self.assertTrue(
os.path.isfile(
os.path.join(tmpdir, "modules/cert", "mycert", "certs",
testdomain, certname)))
stdout = runCmd("python3 -m cryptdomainmgr --rollover \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir={} \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
cert=mycert \
[cert] \
handler=dehydrated/letsencrypt \
email={} \
keysize=4096 \
[cert:mycert] \
destination={} \
extraflags=--staging,-x \
' 2>&1".format(tmpdir, testdomain, testcertemail, testcertpath))
with self.subTest("check cert file is copied to destination"):
self.assertTrue(
os.path.isfile(os.path.join(testcertpath, testdomain,
certname)))
stdout = runCmd("python3 -m cryptdomainmgr --cleanup \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir={} \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
cert=mycert \
[cert] \
handler=dehydrated/letsencrypt \
email={} \
keysize=4096 \
[cert:mycert] \
destination={} \
extraflags=--staging,-x \
' 2>&1".format(tmpdir, testdomain, testcertemail, testcertpath))
with self.subTest("check current cert is not deleted"):
self.assertTrue(
os.path.isfile(
os.path.join(tmpdir, "modules/cert", "mycert", "certs",
testdomain, certname)))
def testHandlerDehydratedCreateMultiCert(self):
stdout = runCmd("python3 -m cryptdomainmgr --prepare \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir={} \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
cert=mycert,mycert2 \
[cert] \
handler=dehydrated/letsencrypt \
email={} \
keysize=4096 \
[cert:mycert] \
destination={} \
extraflags=--staging,-x \
[cert:mycert2] \
destination={} \
extraflags=--staging,-x \
' 2>&1".format(tmpdir, testdomain, testcertemail, testcertpath,
testcertpath + "2"))
with self.subTest("check cert file is created in tmp 1"):
self.assertTrue(
os.path.isfile(
os.path.join(tmpdir, "modules/cert", "mycert", "certs",
testdomain, certname)))
with self.subTest("check cert file is created in tmp 2"):
self.assertTrue(
os.path.isfile(
os.path.join(tmpdir, "modules/cert", "mycert2", "certs",
testdomain, certname)))
stdout = runCmd("python3 -m cryptdomainmgr --rollover \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir={} \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
cert=mycert,mycert2 \
[cert] \
handler=dehydrated/letsencrypt \
email={} \
keysize=4096 \
[cert:mycert] \
destination={} \
extraflags=--staging,-x \
[cert:mycert2] \
destination={} \
extraflags=--staging,-x \
' 2>&1".format(tmpdir, testdomain, testcertemail, testcertpath,
testcertpath + "2"))
with self.subTest("check cert file is copied to destination 1"):
self.assertTrue(
os.path.isfile(os.path.join(testcertpath, testdomain,
certname)))
with self.subTest("check cert file is copied to destination 2"):
self.assertTrue(
os.path.isfile(
os.path.join(testcertpath + "2", testdomain, certname)))
with self.subTest(
"check if correct number of files in destination dir 1 before cleanup"
):
self.assertEqual(
4, numberOfFiles(os.path.join(testcertpath, testdomain)))
with self.subTest(
"check if correct number of files in destination dir 2 before cleanup"
):
self.assertEqual(
4, numberOfFiles(os.path.join(testcertpath + "2", testdomain)))
stdout = runCmd("python3 -m cryptdomainmgr --cleanup \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir={} \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
cert=mycert,mycert2 \
[cert] \
handler=dehydrated/letsencrypt \
email={} \
keysize=4096 \
[cert:mycert] \
destination={} \
extraflags=--staging,-x \
[cert:mycert2] \
destination={} \
extraflags=--staging,-x \
' 2>&1".format(tmpdir, testdomain, testcertemail, testcertpath,
testcertpath + "2"))
with self.subTest("check current cert is not deleted 1 in source dir"):
self.assertTrue(
os.path.isfile(
os.path.join(tmpdir, "modules/cert", "mycert", "certs",
testdomain, certname)))
with self.subTest(
"check if correct number of files in source dir 1 after cleanup"
):
self.assertEqual(
8,
numberOfFiles(
os.path.join(tmpdir, "modules/cert", "mycert", "certs",
testdomain)))
with self.subTest("check current cert is not deleted 2 in source dir"):
self.assertTrue(
os.path.isfile(
os.path.join(tmpdir, "modules/cert", "mycert2", "certs",
testdomain, certname)))
with self.subTest(
"check if correct number of files in source dir 2 after cleanup"
):
self.assertEqual(
8,
numberOfFiles(
os.path.join(tmpdir, "modules/cert", "mycert2", "certs",
testdomain)))
with self.subTest(
"check current cert is not deleted 1 in destination dir"):
self.assertTrue(
os.path.isfile(os.path.join(testcertpath, testdomain,
certname)))
with self.subTest(
"check if correct number of files in destination dir 1 after cleanup"
):
self.assertEqual(
4, numberOfFiles(os.path.join(testcertpath, testdomain)))
with self.subTest(
"check current cert is not deleted 2 in destination dir"):
self.assertTrue(
os.path.isfile(
os.path.join(testcertpath + "2", testdomain, certname)))
with self.subTest(
"check if correct number of files in destination dir 2 after cleanup"
):
self.assertEqual(
4, numberOfFiles(os.path.join(testcertpath + "2", testdomain)))
def prepare(certConfig, certState, statedir, domainList, domainAccessTable):
if 'dehydrated' != certConfig['handler'].split('/')[0]:
return
if 0 == len(domainList):
return
email = certConfig['email']
keysize = 4096
if 'keysize' in certConfig:
keysize = certConfig['keysize']
if 'extraflags' in certConfig:
extraFlags = certConfig['extraflags']
extraFlags = [e if '-' == e[0] else '--' + e for e in extraFlags]
if '--staging' in extraFlags:
ca = "https://acme-staging-v02.api.letsencrypt.org/directory"
extraFlags.remove('--staging')
if 'staging' in extraFlags:
extraFlags.remove('staging')
elif 'ca' in certConfig:
ca = certConfig['ca']
else:
ca = "https://acme-v02.api.letsencrypt.org/directory"
makeDir(os.path.realpath(statedir))
confFilename = os.path.normpath(os.path.join(statedir, 'dehydrated.conf'))
confFile = open(confFilename, 'w')
confFile.write('CA={}\n'.format(str(ca)))
confFile.write('CONTACT_EMAIL={}\n'.format(str(email)))
confFile.write('KEYSIZE={}\n'.format(int(keysize)))
confFile.write('CERTDIR={}\n'.format(os.path.join(statedir, 'certs')))
confFile.write('\n')
confFile.close()
here = os.path.dirname(os.path.realpath(__file__))
args = [
os.path.join(here, 'dehydrated/dehydrated'), '-f', confFilename,
'--accept-terms', '-c', '-t', 'dns-01', '-k',
os.path.join(here, 'hook.sh')
]
log.debug(extraFlags)
args.extend(extraFlags)
for d in domainList:
args.extend(['-d', str(d)])
log.debug(args)
certState.setOpStateRunning()
i = 2
while True:
try:
log.info('Starting DNS-01 authentication')
rv = runCmd(' '.join(args),
stderr=STDOUT,
env=dict(os.environ,
DOMAINACCESSTABLE=domainAccessTable,
STATEDIR=statedir,
WAITSEC="{}".format(3**i)))
break
except CalledProcessError as e:
if 'ERROR: Lock file' in e.output:
lockFilename = e.output.split('ERROR: Lock file \'')[-1].split(
'\' present, aborting')[0]
log.warn('Lock file from imcomplete run found: {}'.format(
lockFilename))
log.warn(' -> Removing')
os.remove(lockFilename)
elif 'Incorrect TXT record' in e.output:
log.info(
' -> Invalid DNS-01 challenge, maybe due to DNS caching interval. Trying to wait longer!'
)
i += 1
log.info(
' -> Will wait {} s to give challenge time to propagate DNS cache.'
.format(3**i))
elif 'NXDOMAIN' in e.output:
log.info(
' -> Missing DNS-01 challenge, maybe due to DNS caching interval. Trying to wait longer!'
)
i += 1
log.info(
' -> Will wait {} s to give challenge time to propagate DNS cache.'
.format(3**i))
else:
raise (e)
if 9 == i:
raise (e)
res = []
rv = rv.splitlines()
for s, e in enumerate(rv):
if '---- DEPLOYMENTRESULT ----' == e[:len('---- DEPLOYMENTRESULT ----'
)]:
break
for i, e in enumerate(rv[s + 1:]):
if '---- END DEPLOYMENTRESULT ----' == e[:len(
'---- END DEPLOYMENTRESULT ----')]:
break
res.append(e)
resDict = {e.split('=')[0].lower(): e.split('=')[1] for e in res}
resDict['san'] = list(domainList)
if 'running' == certState.opstate:
certState.registerResult(resDict)
certState.setOpStateDone()
return rv
def testDKIMemailSigningSimple(self):
stdout = runCmd("python3 -m cryptdomainmgr --prepare \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir={} \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
dkim.mydkim=auto \
[dkim] \
handler=rspamd \
[dkim:mydkim] \
signingconfdestinationfile={} \
keybasename={} \
keysize={} \
keyname={} \
keylocation={} \
[service:rspamd] \
dkim=mydkim \
' 2>&1".format(tmpdir, testdomain, signingConfDestFile, keybasename,
keysize, keyname, keylocation))
stdout = runCmd("python3 -m cryptdomainmgr --rollover \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir={} \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
dkim.mydkim=auto \
[dkim] \
handler=rspamd \
[dkim:mydkim] \
signingconfdestinationfile={} \
keybasename={} \
keysize={} \
keyname={} \
keylocation={} \
[service:rspamd] \
dkim=mydkim \
' 2>&1".format(tmpdir, testdomain, signingConfDestFile, keybasename,
keysize, keyname, keylocation))
time.sleep(10) # wait until rspamd reloads
username = getpass.getuser()
stdout = runCmd(
"sendmail {}@localhost <<EOF\nsubject: test\ncdmtestrspamd\n\n.\n\nEOF\n 2>&1"
.format(username))
time.sleep(10) # wait until email is received by the mailbox
with open("/var/mail/{}".format(username), "r") as f:
mail = f.read()
with open(
os.path.join(tmpdir, "modules/dkim", "mydkim", "conf",
"dkim.conf"), 'r') as f:
confStr = f.read()
dkimSelector = confStr.split("selector")[1].split("=")[1].split(
"\"")[1]
with self.subTest("check if dkim selector in mails"):
self.assertIn(dkimSelector, mail)
def testHandlerRspamdCreateDKIMkey(self):
stdout = runCmd("python3 -m cryptdomainmgr --prepare \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir={} \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
dkim.mydkim=auto \
[dkim] \
handler=rspamd \
[dkim:mydkim] \
signingconfdestinationfile={} \
keybasename={} \
keysize={} \
keyname={} \
keylocation={} \
' 2>&1".format(tmpdir,testdomain,signingConfDestFile,keybasename,keysize,keyname,keylocation))
with self.subTest("check dkim key file is created in tmp"):
self.assertTrue(os.path.isfile(os.path.join(tmpdir,"modules/dkim","mydkim","key","dkim.key")))
with self.subTest("check dkim conf file is created in tmp"):
self.assertTrue(os.path.isfile(os.path.join(tmpdir,"modules/dkim","mydkim","conf","dkim.conf")))
with open(os.path.join(tmpdir,"modules/dkim","mydkim","conf","dkim.conf"), 'r') as f:
confStr = f.read()
dkimSelector = confStr.split("selector")[1].split("=")[1].split("\"")[1]
with open(os.path.join(tmpdir,"modules/dkim","mydkim","key","dkim.key"),'r') as f:
privKeyStr = f.read()
privKey = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, privKeyStr)
privKeyCrypto = privKey.to_cryptography_key()
pubKey = privKeyCrypto.public_key()
pubKeyStr = pubKey.public_bytes(serialization.Encoding.PEM,serialization.PublicFormat.SubjectPublicKeyInfo)
pubKeyStrContent = pubKeyStr.decode('utf8').replace('\n','').split('-----BEGIN PUBLIC KEY-----')[1].split('-----END PUBLIC KEY-----')[0]
dkimpubkey = re.escape(pubKeyStrContent)
with self.subTest("check dkim keyname"):
self.assertTrue(dkimSelector[:len(keybasename)] == keybasename)
self.assertRegex(stdout, ".*add.*new.*DKIM.*{}._domainkey.{}.*{}.*".format(dkimSelector,testdomain,dkimpubkey))
with self.subTest("check add dkim mydkim"):
self.assertRegex(stdout, ".*add.*new.*DKIM.*{}._domainkey.{}.*{}.*".format(dkimSelector,testdomain,dkimpubkey))
#self.assertRegex(stdout, ".*add.*new.*DKIM.*{}.*._domainkey.{}.*".format(keybasename,testdomain))
stdout = runCmd("python3 -m cryptdomainmgr --rollover \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir={} \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
dkim.mydkim=auto \
[dkim] \
handler=rspamd \
[dkim:mydkim] \
signingconfdestinationfile={} \
keybasename={} \
keysize={} \
keyname={} \
keylocation={} \
' 2>&1".format(tmpdir,testdomain,signingConfDestFile,keybasename,keysize,keyname,keylocation))
with self.subTest("check dkim key file is copied to destination"):
self.assertTrue(os.path.isfile(os.path.join(keylocation,keyname)))
with self.subTest("check dkim conf file is copied to destination"):
self.assertTrue(os.path.isfile(signingConfDestFile))
def testMultiCertTLSACreate(self):
stdout = runCmd("python3 -m cryptdomainmgr --prepare \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir={} \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
cert=mycert,mycert2 \
tlsa.tcp.443=auto:3:1:1,auto:2:0:1 \
[cert] \
handler=dehydrated/letsencrypt \
email={} \
keysize=4096 \
[cert:mycert] \
destination={} \
extraflags=--staging,-x \
[cert:mycert2] \
destination={} \
extraflags=--staging,-x \
' 2>&1".format(tmpdir, testdomain, testcertemail, testcertpath,
testcertpath + "2"))
tlsa311mycert = tlsaFromCertFile(
os.path.join(tmpdir, "modules/cert/mycert/certs", testdomain,
"fullchain.pem"), 3, 1, 1)
tlsa311mycert2 = tlsaFromCertFile(
os.path.join(tmpdir, "modules/cert/mycert2/certs", testdomain,
"fullchain.pem"), 3, 1, 1)
tlsa201mycert = tlsaFromCertFile(
os.path.join(tmpdir, "modules/cert/mycert/certs", testdomain,
"fullchain.pem"), 2, 0, 1)
tlsa201mycert2 = tlsaFromCertFile(
os.path.join(tmpdir, "modules/cert/mycert2/certs", testdomain,
"fullchain.pem"), 2, 0, 1)
with self.subTest("check add tlsa 3 1 1 mycert"):
self.assertRegex(
stdout, ".*add.*new.*_443._tcp.{}.*3 1 1 {}.*".format(
testdomain, tlsa311mycert))
with self.subTest("check add tlsa 3 1 1 mycert2"):
self.assertRegex(
stdout, ".*add.*new.*_443._tcp.{}.*3 1 1 {}.*".format(
testdomain, tlsa311mycert2))
with self.subTest("check add tlsa 2 0 1 mycert"):
self.assertRegex(
stdout, ".*add.*_443._tcp.{}.*2 0 1 {}.*".format(
testdomain, tlsa201mycert))
with self.subTest("check add tlsa 2 0 1 mycert2"):
self.assertRegex(
stdout, ".*add.*_443._tcp.{}.*2 0 1 {}.*".format(
testdomain, tlsa201mycert2))
stdout = runCmd("python3 -m cryptdomainmgr --rollover \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir={} \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
cert=mycert,mycert2 \
tlsa.tcp.443=auto:3:1:1,auto:2:0:1 \
[cert] \
handler=dehydrated/letsencrypt \
email={} \
keysize=4096 \
[cert:mycert] \
destination={} \
extraflags=--staging,-x \
[cert:mycert2] \
destination={} \
extraflags=--staging,-x \
' 2>&1".format(tmpdir, testdomain, testcertemail, testcertpath,
testcertpath + "2"))
#print(stdout)
with self.subTest("check cert file exists - mycert"):
self.assertTrue(
os.path.isfile(
os.path.join(testcertpath, testdomain, "fullchain.pem")))
with self.subTest("check cert file exists - mycert2"):
self.assertTrue(
os.path.isfile(
os.path.join(testcertpath + "2", testdomain,
"fullchain.pem")))
stdout = runCmd("python3 -m cryptdomainmgr --cleanup \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir={} \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
cert=mycert,mycert2 \
tlsa.tcp.443=auto:3:1:1,auto:2:0:1 \
[cert] \
handler=dehydrated/letsencrypt \
email={} \
keysize=4096 \
[cert:mycert] \
destination={} \
extraflags=--staging,-x \
[cert:mycert2] \
destination={} \
extraflags=--staging,-x \
' 2>&1".format(tmpdir, testdomain, testcertemail, testcertpath,
testcertpath + "2"))
stdout = runCmd("python3 -m cryptdomainmgr --prepare \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir={} \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
cert=mycert,mycert2 \
tlsa.tcp.443=auto:3:1:1,auto:2:0:1 \
[cert] \
handler=dehydrated/letsencrypt \
email={} \
keysize=4096 \
[cert:mycert] \
destination={} \
extraflags=--staging,-x \
[cert:mycert2] \
destination={} \
extraflags=--staging,-x \
' 2>&1".format(tmpdir, testdomain, testcertemail, testcertpath,
testcertpath + "2"))
stdout = runCmd("python3 -m cryptdomainmgr --rollover \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir={} \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
cert=mycert,mycert2 \
tlsa.tcp.443=auto:3:1:1,auto:2:0:1 \
[cert] \
handler=dehydrated/letsencrypt \
email={} \
keysize=4096 \
[cert:mycert] \
destination={} \
extraflags=--staging,-x \
[cert:mycert2] \
destination={} \
extraflags=--staging,-x \
' 2>&1".format(tmpdir, testdomain, testcertemail, testcertpath,
testcertpath + "2"))
stdout = runCmd("python3 -m cryptdomainmgr --cleanup \
test_inwxcreds.conf --config-content \
'\
[cdm] \
statedir={} \
[domain] \
handler=dnsuptools/inwx \
[domain:{}] \
cert=mycert,mycert2 \
tlsa.tcp.443=auto:3:1:1,auto:2:0:1 \
[cert] \
handler=dehydrated/letsencrypt \
email={} \
keysize=4096 \
[cert:mycert] \
destination={} \
extraflags=--staging,-x \
[cert:mycert2] \
destination={} \
extraflags=--staging,-x \
' 2>&1".format(tmpdir, testdomain, testcertemail, testcertpath,
testcertpath + "2"))
with self.subTest("check delete tlsa 3 1 1 mycert"):
self.assertRegex(
stdout, ".*delete.*_443._tcp.{}.*3 1 1 {}.*".format(
testdomain, tlsa311mycert))
with self.subTest("check delete tlsa 3 1 1 mycert2"):
self.assertRegex(
stdout, ".*delet.*_443._tcp.{}.*3 1 1 {}.*".format(
testdomain, tlsa311mycert2))
