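def test_502_107(self):
    """Drive a COMPLETE MD twice, then once more with ``--force``.

    Expectations: re-driving an MD that is already COMPLETE must leave the
    certificate untouched (same serial); ``--force`` must obtain a fresh
    certificate and move the previous one into archive version 2.
    """
    # setup: prepare md in store
    domain = self.test_domain
    name = "www." + domain
    self._prepare_md([name])
    assert TestEnv.apache_start() == 0
    # drive
    assert TestEnv.a2md(["-vv", "drive", name])['rv'] == 0
    TestEnv.check_md_credentials([name])
    orig_cert = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
    # drive again
    assert TestEnv.a2md(["-vv", "drive", name])['rv'] == 0
    TestEnv.check_md_credentials([name])
    cert = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
    # check: cert not changed -- a COMPLETE md is not re-driven without --force
    assert cert.get_serial() == orig_cert.get_serial()
    # drive --force
    assert TestEnv.a2md(["-vv", "drive", "--force", name])['rv'] == 0
    TestEnv.check_md_credentials([name])
    cert = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
    # check: cert HAS changed -- --force must produce a new certificate.
    # (Relies on the CA issuing a distinct serial per certificate, which
    # RFC 5280 requires per issuer, so serial inequality is a sound "new cert" test.)
    assert cert.get_serial() != orig_cert.get_serial()
    # check: previous cert was archived (archive version 2 holds the old serial)
    cert = CertUtil(TestEnv.store_archived_file(name, 2, 'pubcert.pem'))
    assert cert.get_serial() == orig_cert.get_serial()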
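def test_702_032(self):
    """Merge two MDs into one vhost via ServerAlias under ``MDMembers auto``.

    Starts with two MDs / two vhosts and verifies each gets a certificate
    covering its own name. Then the second MD and vhost are removed and
    ``name2`` is added as an alias of the first vhost. With ``MDMembers auto``
    the first MD must pick up the alias as a new member and obtain a NEW
    certificate covering both names (different serial from the first one).
    """
    domain = "test702-032-" + TestAuto.dns_uniq
    name1 = "server1." + domain
    # name2 is placed under a separate parent domain to avoid CA rate limits
    # (presumably the ACME CA's per-registered-domain issuance limit)
    name2 = "server2." + TestAuto.dns_uniq
    # generate 2 MDs and 2 vhosts
    conf = HttpdConf(TestAuto.TMP_CONF)
    conf.add_admin("admin@" + domain)
    conf._add_line("MDMembers auto")
    conf.add_md([name1])
    conf.add_md([name2])
    conf.add_vhost(TestEnv.HTTPS_PORT, name1, aliasList=[], docRoot="htdocs/a",
                   withSSL=True, certPath=TestEnv.path_domain_pubcert(domain),
                   keyPath=TestEnv.path_domain_privkey(domain))
    conf.add_vhost(TestEnv.HTTPS_PORT, name2, aliasList=[], docRoot="htdocs/b",
                   withSSL=True, certPath=TestEnv.path_domain_pubcert(domain),
                   keyPath=TestEnv.path_domain_privkey(domain))
    conf.install()
    # restart (-> drive), check that MD was synched and completes
    assert TestEnv.apache_restart() == 0
    self._check_md_names(name1, [name1])
    self._check_md_names(name2, [name2])
    assert TestEnv.await_completion([name1])
    # NOTE(review): only name1 is awaited above; this assumes name2 completed
    # in the same window -- confirm await_completion semantics if this flakes
    self._check_md_cert([name2])
    # check: SSL is running OK, each name served with a cert that lists it
    cert1 = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, name1)
    assert name1 in cert1.get_san_list()
    cert2 = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, name2)
    assert name2 in cert2.get_san_list()
    # remove second md and vhost, add name2 as alias to vhost1
    conf = HttpdConf(TestAuto.TMP_CONF)
    conf.add_admin("admin@" + domain)
    conf._add_line("MDMembers auto")
    conf.add_md([name1])
    conf.add_vhost(TestEnv.HTTPS_PORT, name1, aliasList=[name2], docRoot="htdocs/a",
                   withSSL=True, certPath=TestEnv.path_domain_pubcert(domain),
                   keyPath=TestEnv.path_domain_privkey(domain))
    conf.install()
    # restart, check that the host still works and now has a NEW cert
    # covering both names (MDMembers auto added the alias to the MD)
    assert TestEnv.apache_restart() == 0
    self._check_md_names(name1, [name1, name2])
    assert TestEnv.await_completion([name1])
    cert1b = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, name1)
    assert name1 in cert1b.get_san_list()
    assert name2 in cert1b.get_san_list()
    # a changed member set must yield a fresh certificate, not reuse cert1
    assert cert1.get_serial() != cert1b.get_serial()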
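def test_702_031(self):
    """Change the member list of an MD and expect a re-issued certificate.

    One MD with three names (X, A, B) backs two vhosts (A and B); both must
    be served with the same certificate. The MD is then changed to (A, B, C)
    -- X removed, C added -- and after restart vhost A must still work but
    with a NEW certificate (different serial), since the SAN set changed.
    """
    domain = "test702-031-" + TestAuto.dns_uniq
    nameX = "test-x." + domain
    nameA = "test-a." + domain
    nameB = "test-b." + domain
    nameC = "test-c." + domain
    dns_list = [nameX, nameA, nameB]
    # generate 1 MD and 2 vhosts
    conf = HttpdConf(TestAuto.TMP_CONF)
    conf.add_admin("admin@" + domain)
    conf.add_md(dns_list)
    conf.add_vhost(TestEnv.HTTPS_PORT, nameA, aliasList=[], docRoot="htdocs/a",
                   withSSL=True, certPath=TestEnv.path_domain_pubcert(domain),
                   keyPath=TestEnv.path_domain_privkey(domain))
    conf.add_vhost(TestEnv.HTTPS_PORT, nameB, aliasList=[], docRoot="htdocs/b",
                   withSSL=True, certPath=TestEnv.path_domain_pubcert(domain),
                   keyPath=TestEnv.path_domain_privkey(domain))
    conf.install()
    # restart (-> drive), check that MD was synched and completes
    assert TestEnv.apache_restart() == 0
    self._check_md_names(nameX, dns_list)
    assert TestEnv.await_completion([nameX])
    self._check_md_cert(dns_list)
    # check: SSL is running OK and both vhosts present the one MD certificate
    certA = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameA)
    assert nameA in certA.get_san_list()
    certB = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameB)
    assert nameB in certB.get_san_list()
    assert certA.get_serial() == certB.get_serial()
    # change MD: drop the primary name nameX, add nameC
    new_list = [nameA, nameB, nameC]
    conf = HttpdConf(TestAuto.TMP_CONF)
    conf.add_admin("admin@" + domain)
    conf.add_md(new_list)
    conf.add_vhost(TestEnv.HTTPS_PORT, nameA, aliasList=[], docRoot="htdocs/a",
                   withSSL=True, certPath=TestEnv.path_domain_pubcert(domain),
                   keyPath=TestEnv.path_domain_privkey(domain))
    conf.add_vhost(TestEnv.HTTPS_PORT, nameB, aliasList=[], docRoot="htdocs/b",
                   withSSL=True, certPath=TestEnv.path_domain_pubcert(domain),
                   keyPath=TestEnv.path_domain_privkey(domain))
    conf.install()
    # restart, check that vhost A still works but now has a NEW cert
    # (the MD is still looked up under nameX here; the helper presumably
    # resolves the renamed MD -- confirm if this assertion ever fails)
    assert TestEnv.apache_restart() == 0
    self._check_md_names(nameX, new_list)
    assert TestEnv.await_completion([nameX])
    certA2 = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameA)
    assert nameA in certA2.get_san_list()
    # a changed SAN set must result in a re-issued certificate
    assert certA.get_serial() != certA2.get_serial()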
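def test_702_009(self):
    """Auto drive mode renews a certificate that is about to expire.

    After the initial ACME certificate is live, the stored certificate is
    replaced by a short-lived self-signed one that falls inside the 10-day
    renew window. ``a2md list`` must then flag the MD for renewal, and the
    following restarts must obtain and activate a fresh ACME certificate
    (serial different from the injected self-signed one).
    """
    domain = "test702-009-" + TestAuto.dns_uniq
    dns_list = [domain]
    # prepare md
    conf = HttpdConf(TestAuto.TMP_CONF)
    conf.add_admin("admin@" + domain)
    conf.add_drive_mode("auto")
    conf.add_renew_window("10d")
    conf.add_md(dns_list)
    conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[], withSSL=True)
    conf.install()
    # restart (-> drive), check that md+cert is in store, TLS is up
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([domain])
    self._check_md_cert(dns_list)
    cert1 = CertUtil(TestEnv.path_domain_pubcert(domain))
    # fetch cert from server: what TLS presents must be what the store holds
    cert2 = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, domain)
    assert cert1.get_serial() == cert2.get_serial()
    # overwrite the stored cert with a self-signed one whose remaining
    # validity is critical -> must trigger renewal.
    # notBefore/notAfter are offsets from now; the unit is whatever
    # CertUtil.create_self_signed_cert uses (presumably days, given the
    # 10d renew window -- TODO confirm). serial=7029 marks it unambiguously.
    CertUtil.create_self_signed_cert([domain], {"notBefore": -120, "notAfter": 2}, serial=7029)
    cert3 = CertUtil(TestEnv.path_domain_pubcert(domain))
    assert cert3.get_serial() == 7029
    time.sleep(1)
    # jout is parsed JSON output, so 'renew' is a real bool
    assert TestEnv.a2md(["list", domain])['jout']['output'][0]['renew'] is True
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([domain])
    time.sleep(5)
    # restart -> new ACME cert becomes active
    assert TestEnv.apache_restart() == 0
    cert5 = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, domain)
    assert domain in cert5.get_san_list()
    # the served cert must no longer be the injected self-signed one
    assert cert5.get_serial() != cert3.get_serial()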
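def test_502_107(self):
    """Drive a COMPLETE MD twice, then once more with ``--force``.

    Expectations: re-driving an MD that is already COMPLETE must leave the
    certificate untouched (same serial); ``--force`` must obtain a fresh
    certificate and move the previous one into archive version 2.
    """
    # setup: prepare md in store
    domain = "test502-107-" + TestDrive.dns_uniq
    name = "www." + domain
    self._prepare_md([name])
    assert TestEnv.apache_start() == 0
    # drive
    assert TestEnv.a2md(["-vv", "drive", name])['rv'] == 0
    self._check_md_cert([name])
    orig_cert = CertUtil(TestEnv.path_domain_pubcert(name))
    # drive again
    assert TestEnv.a2md(["-vv", "drive", name])['rv'] == 0
    self._check_md_cert([name])
    cert = CertUtil(TestEnv.path_domain_pubcert(name))
    # check: cert not changed -- a COMPLETE md is not re-driven without --force
    assert cert.get_serial() == orig_cert.get_serial()
    # drive --force
    assert TestEnv.a2md(["-vv", "drive", "--force", name])['rv'] == 0
    self._check_md_cert([name])
    cert = CertUtil(TestEnv.path_domain_pubcert(name))
    # check: cert HAS changed -- --force must produce a new certificate.
    # (Relies on the CA issuing a distinct serial per certificate, which
    # RFC 5280 requires per issuer, so serial inequality is a sound "new cert" test.)
    assert cert.get_serial() != orig_cert.get_serial()
    # check: previous cert was archived (archive version 2 holds the old serial)
    cert = CertUtil(TestEnv.path_domain_pubcert(name, archiveVersion=2))
    assert cert.get_serial() == orig_cert.get_serial()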
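def _check_md_cert(self, dnsList):
    """Assert that the MD named ``dnsList[0]`` is COMPLETE with a valid, matching cert.

    Checks, in order: MD state and ToS agreement as reported by ``a2md list``;
    the stored private key parses and matches the stored certificate; CN equals
    the primary name and the SAN set equals ``dnsList`` exactly (no missing and
    no extra names); the validity window encloses "now"; and the certificate
    resource the CA reports under ``cert.url`` carries the same serial as the
    stored one.

    :param dnsList: member names of the MD; the first is the MD's primary name.
    """
    name = dnsList[0]
    md = TestEnv.a2md(["list", name])['jout']['output'][0]
    # check state, tos agreement, cert url
    assert md['state'] == TestEnv.MD_S_COMPLETE
    assert md['ca']['agreement'] == TestEnv.ACME_TOS
    assert "url" in md['cert']
    # check private key, validate certificate
    # TODO: find storage-independent way to read local certificate
    #       (an encrypted store keeps its key in TestEnv.path_store_json();
    #       reading through the plain file paths only works unencrypted)
    privkey_path = TestEnv.path_domain_privkey(name)
    CertUtil.validate_privkey(privkey_path)
    cert = CertUtil(TestEnv.path_domain_pubcert(name))
    cert.validate_cert_matches_priv_key(privkey_path)
    # check SANs and CN
    assert cert.get_cn() == name
    # SAN order is not significant, but the set must match exactly: an extra
    # name would mean the CA issued for something we did not ask for, a
    # missing one that a member is not covered. The length check additionally
    # rejects duplicated entries that a set comparison alone would hide.
    sanList = cert.get_san_list()
    assert len(sanList) == len(dnsList)
    assert set(sanList) == set(dnsList)
    # check valid dates interval; compare against a "now" carrying the cert's
    # own tzinfo so naive and aware datetimes are never mixed
    notBefore = cert.get_not_before()
    notAfter = cert.get_not_after()
    assert notBefore < datetime.now(notBefore.tzinfo)
    assert notAfter > datetime.now(notAfter.tzinfo)
    # compare cert with the resource on the CA server (CertUtil presumably
    # fetches the URL -- TODO confirm); only the serial is compared here
    server_cert = CertUtil(md['cert']['url'])
    assert cert.get_serial() == server_cert.get_serial()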