Exemple #1
 def test_702_011(self):
     """Check that tls-alpn-01 renewal depends on where MDPortMap sends https.

     Phase 1 installs ``MDPortMap https:99`` and asserts that no renewal is
     running for the domain. Phase 2 installs the same configuration with
     https mapped to ``TestEnv.HTTPS_PORT`` and asserts that the renewal
     completes.
     """
     primary = self.test_domain
     names = [primary, "www." + primary]

     def install_conf(port_map_line):
         # The two phases differ only in the MDPortMap directive.
         cfg = HttpdConf()
         cfg.add_admin("admin@" + primary)
         cfg.add_line("Protocols http/1.1 acme-tls/1")
         cfg.add_drive_mode("auto")
         cfg.add_ca_challenges(["tls-alpn-01"])
         cfg._add_line(port_map_line)
         cfg.add_md(names)
         cfg.add_vhost(names)
         cfg.install()

     # Phase 1: 1 MD and 1 vhost, https mapped to port 99.
     # NOTE(review): the original comment spoke of "port 80"; the directive
     # maps https, and port 99 is presumably one the server does not listen on.
     install_conf("MDPortMap https:99")
     assert TestEnv.apache_restart() == 0
     TestEnv.check_md(names)
     assert not TestEnv.is_renewing(primary)

     # Phase 2: same setup, https mapped to the port the test server uses.
     install_conf("MDPortMap https:%s" % TestEnv.HTTPS_PORT)
     assert TestEnv.apache_restart() == 0
     TestEnv.check_md(names)
     assert TestEnv.await_completion([primary])
    def test_700_011(self):
        """Check that a tls-sni-01 drive fails or completes depending on MDPortMap.

        Phase 1 installs ``MDPortMap 443:99`` and expects the drive to end in
        an error. Phase 2 maps 443 to ``TestEnv.HTTPS_PORT`` and expects the
        drive to complete.

        NOTE(review): tls-sni-01 is not defined by RFC 8555; confirm that the
        CA used by this suite still offers it before relying on this test.
        """
        domain = "test700-011-" + TestAuto.dns_uniq
        names = [domain, "www." + domain]

        def install_conf(port_map_line):
            # Identical configuration in both phases apart from MDPortMap.
            cfg = HttpdConf(TestAuto.TMP_CONF)
            cfg.add_admin("admin@" + domain)
            cfg.add_drive_mode("auto")
            cfg.add_ca_challenges(["tls-sni-01"])
            cfg._add_line(port_map_line)
            cfg.add_md(names)
            cfg.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[names[1]], withSSL=True)
            cfg.install()

        # Phase 1: 443 mapped to port 99 (presumably not served) -> error expected.
        install_conf("MDPortMap 443:99")
        assert TestEnv.apache_restart() == 0
        self._check_md_names(domain, names)
        assert TestEnv.await_error([domain])

        # Phase 2: 443 mapped to the test server's HTTPS port -> completion expected.
        install_conf("MDPortMap 443:%s" % TestEnv.HTTPS_PORT)
        assert TestEnv.apache_restart() == 0
        self._check_md_names(domain, names)
        assert TestEnv.await_completion([domain])
Exemple #3
    def test_702_010(self):
        """Check that http-01 renewal depends on where MDPortMap sends port 80.

        Phase 1 installs ``MDPortMap 80:99`` and asserts that no renewal is
        running. Phase 2 maps 80 to ``TestEnv.HTTP_PORT`` and asserts that the
        renewal completes.
        """
        domain = self.test_domain
        names = [domain, "www." + domain]

        def install_conf(port_map_line):
            # Only the MDPortMap line changes between the two phases.
            cfg = HttpdConf()
            cfg.add_admin("admin@" + domain)
            cfg.add_drive_mode("auto")
            cfg.add_ca_challenges(["http-01"])
            cfg._add_line(port_map_line)
            cfg.add_md(names)
            cfg.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[names[1]])
            cfg.install()

        # Phase 1: port 80 mapped to 99, where (per the original comment) the
        # server does not listen; the challenge cannot be answered.
        install_conf("MDPortMap 80:99")
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(domain, names)
        assert not TestEnv.is_renewing(domain)

        # Phase 2: port 80 mapped to the HTTP port the test server uses.
        install_conf("MDPortMap 80:%s" % TestEnv.HTTP_PORT)
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(domain, names)
        assert TestEnv.await_completion([domain])
Exemple #4
    def test_7021(self):
        """Drive one MD in auto mode with MDNotifyCmd set and check the error log.

        The configuration points MDNotifyCmd at ``notify.py`` under
        ``TestEnv.TESTROOT``. After the drive completes and the certificate is
        checked, the test asserts that ``TestEnv.apache_err_total()`` is
        ``(0, 0)``.
        """
        prefix = "%s-" % self.test_n
        domain = prefix + TestAuto.dns_uniq
        names = [domain, "www." + domain]

        # Build the configuration: one MD, one SSL vhost, a notify command.
        cfg = HttpdConf(TestAuto.TMP_CONF)
        cfg.add_admin("*****@*****.**")
        cfg._add_line("MDNotifyCmd %s/notify.py" % TestEnv.TESTROOT)
        cfg.add_drive_mode("auto")
        cfg.add_md(names)
        cfg.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[names[1]], withSSL=True)
        cfg.install()

        # Restart and confirm the MD reached the store.
        assert TestEnv.apache_restart() == 0
        self._check_md_names(domain, names)

        # Wait (second argument 30, presumably a timeout) for the drive to finish.
        assert TestEnv.await_completion([domain], 30)
        self._check_md_cert(names)

        # NOTE(review): the original comment said "this command should have
        # failed and logged an error", yet the assertion expects (0, 0) from
        # apache_err_total(); confirm which of the two is intended.
        TestEnv.apachectl_stderr = None
        assert TestEnv.apache_err_total() == (0, 0)
Exemple #5
    def test_702_032(self):
        """Check that merging a second name into an MD yields a new certificate.

        Two MDs with one vhost each are driven to completion and the served
        certificates are checked for their names. The second MD and vhost are
        then removed, name2 becomes an alias of vhost 1, and the test asserts
        that the certificate served for name1 now lists both names and has a
        different serial number from the first one.
        """
        domain = self.test_domain
        name1 = "server1." + domain
        # A name outside `domain` is needed to avoid CA rate limits.
        name2 = "server2.b" + domain

        def served_cert(server_name):
            # Fetch the certificate the test server presents for server_name.
            return CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
                                             TestEnv.HTTPS_PORT, server_name)

        # Stage 1: two MDs, two vhosts.
        cfg = HttpdConf()
        cfg.add_admin("admin@" + domain)
        cfg._add_line("MDMembers auto")
        cfg.add_md([name1])
        cfg.add_md([name2])
        cfg.add_vhost(TestEnv.HTTPS_PORT, name1, aliasList=[], docRoot="htdocs/a")
        cfg.add_vhost(TestEnv.HTTPS_PORT, name2, aliasList=[], docRoot="htdocs/b")
        cfg.install()

        # The restart triggers the drive; both MDs must sync and complete.
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(name1, [name1])
        TestEnv.check_md(name2, [name2])
        assert TestEnv.await_completion([name1, name2])
        TestEnv.check_md_complete(name2)

        # Each vhost must serve a certificate whose SAN list has its own name.
        cert1 = served_cert(name1)
        assert name1 in cert1.get_san_list()
        cert2 = served_cert(name2)
        assert name2 in cert2.get_san_list()

        # Stage 2: drop the second MD and vhost, make name2 an alias of vhost 1.
        cfg = HttpdConf()
        cfg.add_admin("admin@" + domain)
        cfg._add_line("MDMembers auto")
        cfg.add_md([name1])
        cfg.add_vhost(TestEnv.HTTPS_PORT, name1, aliasList=[name2], docRoot="htdocs/a")
        cfg.install()
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(name1, [name1, name2])
        assert TestEnv.await_completion([name1])

        # The re-issued certificate covers both names and is a new one.
        cert1b = served_cert(name1)
        san_names = cert1b.get_san_list()
        assert name1 in san_names
        assert name2 in cert1b.get_san_list()
        assert cert1.get_serial() != cert1b.get_serial()
    def test_700_032(self):
        """Check that merging a second name into an MD yields a new certificate.

        Two MDs with one SSL vhost each are set up and driven; the second MD
        and vhost are then removed and name2 becomes an alias of vhost 1. The
        test asserts that the certificate served for name1 then lists both
        names and carries a different serial number.
        """
        domain = "test700-032-" + TestAuto.dns_uniq
        name1 = "server1." + domain
        # A name outside `domain` is needed to avoid CA rate limits.
        name2 = "server2." + TestAuto.dns_uniq

        def add_ssl_vhost(cfg, server_name, aliases, doc_root):
            # NOTE(review): every vhost is given the cert/key paths of `domain`,
            # not of its own server name; confirm this matches the store layout.
            cfg.add_vhost(TestEnv.HTTPS_PORT, server_name, aliasList=aliases, docRoot=doc_root,
                          withSSL=True, certPath=TestEnv.path_domain_pubcert(domain),
                          keyPath=TestEnv.path_domain_privkey(domain))

        def served_cert(server_name):
            # Fetch the certificate the test server presents for server_name.
            return CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, server_name)

        # Stage 1: two MDs, two vhosts.
        conf = HttpdConf(TestAuto.TMP_CONF)
        conf.add_admin("admin@" + domain)
        conf._add_line("MDMembers auto")
        conf.add_md([name1])
        conf.add_md([name2])
        add_ssl_vhost(conf, name1, [], "htdocs/a")
        add_ssl_vhost(conf, name2, [], "htdocs/b")
        conf.install()

        # The restart triggers the drive; the MDs must sync and complete.
        assert TestEnv.apache_restart() == 0
        self._check_md_names(name1, [name1])
        self._check_md_names(name2, [name2])
        # NOTE(review): only name1 is awaited before name2's certificate is
        # checked; confirm that name2 is guaranteed to be finished by then.
        assert TestEnv.await_completion([name1])
        self._check_md_cert([name2])

        # Each vhost must serve a certificate whose SAN list has its own name.
        cert1 = served_cert(name1)
        assert name1 in cert1.get_san_list()
        cert2 = served_cert(name2)
        assert name2 in cert2.get_san_list()

        # Stage 2: drop the second MD and vhost, make name2 an alias of vhost 1.
        conf = HttpdConf(TestAuto.TMP_CONF)
        conf.add_admin("admin@" + domain)
        conf._add_line("MDMembers auto")
        conf.add_md([name1])
        add_ssl_vhost(conf, name1, [name2], "htdocs/a")
        conf.install()
        # Restart and check the host still works. The original comment said
        # "have same cert", but the final assertion requires a different serial.
        assert TestEnv.apache_restart() == 0
        self._check_md_names(name1, [name1, name2])
        assert TestEnv.await_completion([name1])

        cert1b = served_cert(name1)
        assert name1 in cert1b.get_san_list()
        assert name2 in cert1b.get_san_list()
        assert cert1.get_serial() != cert1b.get_serial()
Exemple #7
 def test_702_032(self):
     """Check that merging a second name into an MD yields a new certificate.

     Two MDs with one vhost each are driven to completion; the second MD and
     vhost are then removed and name2 is added to vhost 1. The test asserts
     that the certificate for name1 then lists both names and has a
     different serial number from the first one.
     """
     domain = self.test_domain
     name1 = "server1." + domain
     # A name outside `domain` is needed to avoid CA rate limits.
     name2 = "server2.b" + domain

     # Stage 1: two MDs, two vhosts.
     cfg = HttpdConf()
     cfg.add_admin("admin@" + domain)
     cfg._add_line("MDMembers auto")
     for md_name in (name1, name2):
         cfg.add_md([md_name])
     for vhost_name in (name1, name2):
         cfg.add_vhost(vhost_name)
     cfg.install()

     # The restart triggers the drive; both MDs must sync and complete.
     assert TestEnv.apache_restart() == 0
     for md_name in (name1, name2):
         TestEnv.check_md([md_name])
     assert TestEnv.await_completion([name1, name2])
     TestEnv.check_md_complete(name2)

     # Each name must be served a certificate whose SAN list contains it.
     cert1 = TestEnv.get_cert(name1)
     assert name1 in cert1.get_san_list()
     cert2 = TestEnv.get_cert(name2)
     assert name2 in cert2.get_san_list()

     # Stage 2: drop the second MD and vhost, add name2 to vhost 1.
     merged = [name1, name2]
     cfg = HttpdConf()
     cfg.add_admin("admin@" + domain)
     cfg._add_line("MDMembers auto")
     cfg.add_md([name1])
     cfg.add_vhost(merged)
     cfg.install()
     assert TestEnv.apache_restart() == 0
     TestEnv.check_md([name1, name2])
     assert TestEnv.await_completion([name1])

     # The re-issued certificate covers both names and is a new one.
     cert1b = TestEnv.get_cert(name1)
     assert name1 in cert1b.get_san_list()
     assert name2 in cert1b.get_san_list()
     assert cert1.get_serial() != cert1b.get_serial()
Exemple #8
    def test_500_110(self):
        """SSL-only domain: check that configured headers override mod_md's.

        With ``add_require_ssl("permanent")`` in place, the test first adds an
        explicit Strict-Transport-Security ``Header set`` line and asserts the
        HTTPS response carries exactly that value. It then adds two mod_alias
        ``Redirect`` rules and checks the Location header of HTTP requests.

        NOTE(review): on a server older than 2.5.0 the method returns early,
        so the runner reports a pass rather than a skip.
        """
        if not TestEnv.httpd_is_at_least("2.5.0"):
            return
        domain = "test500-110-" + TestDrive.dns_uniq
        name = "www." + domain

        # setup: manual drive mode, permanent HTTPS requirement, one vhost
        # bound to both the HTTPS and the HTTP port
        conf = HttpdConf(TestDrive.TMP_CONF)
        conf.add_admin("admin@" + domain)
        conf.add_drive_mode("manual")
        conf.add_require_ssl("permanent")
        conf.add_md([name])
        conf._add_line("  SSLEngine *:" + TestEnv.HTTPS_PORT)
        listen_spec = TestEnv.HTTPS_PORT + " *:" + TestEnv.HTTP_PORT
        conf.add_vhost(listen_spec, name, aliasList=[], withSSL=False)
        conf.install()
        assert TestEnv.apache_restart() == 0

        # drive the MD by hand, then restart
        drive_result = TestEnv.a2md(["drive", name])
        assert drive_result['rv'] == 0
        assert TestEnv.apache_restart() == 0

        # HSTS override: the explicitly configured value must be the one served
        conf._add_line(
            '  Header set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload"'
        )
        conf.install()
        assert TestEnv.apache_restart() == 0
        r = TestEnv.get_meta(name, "/name.txt", useHTTPS=True)
        served_hsts = r['http_headers']['Strict-Transport-Security']
        assert served_hsts == 'max-age=10886400; includeSubDomains; preload'

        # Location override: add mod_alias redirect rules
        for redirect_rule in ('  Redirect /a /name.txt',
                              '  Redirect seeother /b /name.txt'):
            conf._add_line(redirect_rule)
        conf.install()
        assert TestEnv.apache_restart() == 0

        # check: the default redirect by mod_md still works
        r = TestEnv.get_meta(name, "/name.txt", useHTTPS=False)
        assert r['http_status'] == 301
        assert r['http_headers']['Location'] == "https://%s/name.txt" % name

        # check: redirect for a path covered by mod_alias
        r = TestEnv.get_meta(name, "/a", useHTTPS=False)
        # FAIL (noted by the original author): mod_alias generates the
        # Location header instead of mod_md
        assert r['http_status'] == 301
        assert r['http_headers']['Location'] == "https://%s/a" % name
Exemple #9
    def test_500_111(self):
        """Vhost with parallel HTTP/HTTPS: check mod_alias redirects on both.

        After driving the MD, two ``Redirect`` rules are added. Requests for
        ``/a`` and ``/b`` must return 302 and 303, with a Location that keeps
        the scheme and port of the request (http on HTTP, https on HTTPS).

        NOTE(review): on a server older than 2.5.0 the method returns early,
        so the runner reports a pass rather than a skip.
        """
        if not TestEnv.httpd_is_at_least("2.5.0"):
            return
        domain = "test500-111-" + TestDrive.dns_uniq
        name = "www." + domain

        # setup: one vhost bound to both the HTTPS and the HTTP port
        conf = HttpdConf(TestDrive.TMP_CONF)
        conf.add_admin("admin@" + domain)
        conf.add_drive_mode("manual")
        conf.add_md([name])
        conf._add_line("  LogLevel alias:debug")
        conf._add_line("  SSLEngine *:" + TestEnv.HTTPS_PORT)
        listen_spec = TestEnv.HTTPS_PORT + " *:" + TestEnv.HTTP_PORT
        conf.start_vhost(listen_spec, name, aliasList=[], withSSL=False)
        conf.end_vhost()
        conf.install()
        assert TestEnv.apache_restart() == 0

        # drive the MD by hand, then restart
        drive_result = TestEnv.a2md(["drive", name])
        assert drive_result['rv'] == 0
        assert TestEnv.apache_restart() == 0

        # setup: place redirect rules
        conf._add_line('  Redirect /a /name.txt')
        conf._add_line('  Redirect seeother /b /name.txt')
        conf.install()
        assert TestEnv.apache_restart() == 0

        # path -> status expected from the matching Redirect rule
        redirect_cases = (("/a", 302), ("/b", 303))

        # check: redirects on HTTP
        expLocation = "http://%s:%s/name.txt" % (name, TestEnv.HTTP_PORT)
        for path, status in redirect_cases:
            r = TestEnv.get_meta(name, path, useHTTPS=False)
            assert r['http_status'] == status
            assert r['http_headers']['Location'] == expLocation

        # check: redirects on HTTPS
        # FAIL (noted by the original author on the "/a" Location check):
        # expected 'https://...' but found 'http://...'
        expLocation = "https://%s:%s/name.txt" % (name, TestEnv.HTTPS_PORT)
        for path, status in redirect_cases:
            r = TestEnv.get_meta(name, path, useHTTPS=True)
            assert r['http_status'] == status
            assert r['http_headers']['Location'] == expLocation
Exemple #10
    def test_500_111(self):
        """Vhost with parallel HTTP/HTTPS: check mod_alias redirects on both.

        After driving the MD, two ``Redirect`` rules are added. Requests for
        ``/a`` and ``/b`` must return 302 and 303, with a Location that keeps
        the scheme and port of the request (http on HTTP, https on HTTPS).
        """
        domain = self.test_domain
        name = "www." + domain

        # setup: one vhost on the HTTP port and one with default arguments
        conf = HttpdConf()
        conf.add_admin("admin@" + domain)
        conf.add_drive_mode("manual")
        conf.add_md([name])
        conf._add_line("  LogLevel alias:debug")
        conf.add_vhost(name, port=TestEnv.HTTP_PORT)
        conf.add_vhost(name)
        conf.install()
        assert TestEnv.apache_restart() == 0

        # drive the MD by hand, then restart
        drive_result = TestEnv.a2md(["drive", name])
        assert drive_result['rv'] == 0
        assert TestEnv.apache_restart() == 0

        # setup: place redirect rules
        conf._add_line('  Redirect /a /name.txt')
        conf._add_line('  Redirect seeother /b /name.txt')
        conf.install()
        assert TestEnv.apache_restart() == 0

        # path -> status expected from the matching Redirect rule
        redirect_cases = (("/a", 302), ("/b", 303))

        # check: redirects on HTTP
        expLocation = "http://%s:%s/name.txt" % (name, TestEnv.HTTP_PORT)
        for path, status in redirect_cases:
            r = TestEnv.get_meta(name, path, useHTTPS=False)
            assert r['http_status'] == status
            assert r['http_headers']['Location'] == expLocation

        # check: redirects on HTTPS
        # FAIL (noted by the original author on the "/a" Location check):
        # expected 'https://...' but found 'http://...'
        expLocation = "https://%s:%s/name.txt" % (name, TestEnv.HTTPS_PORT)
        for path, status in redirect_cases:
            r = TestEnv.get_meta(name, path, useHTTPS=True)
            assert r['http_status'] == status
            assert r['http_headers']['Location'] == expLocation
Exemple #11
    def test_500_109(self):
        """SSL-only domain: check HTTP->HTTPS redirects and the HSTS header.

        Three states are checked in turn:

        * no HTTPS requirement: plain HTTP serves the content, no Location;
        * ``add_require_ssl("temporary")``: HTTP answers 302 to the https URL,
          and Strict-Transport-Security is absent on HTTP and HTTPS responses;
        * ``add_require_ssl("permanent")``: HTTP answers 301 without an HSTS
          header, and the HTTPS response carries ``max-age=15768000``.

        The default vhost (``example.org``) must keep serving plain HTTP.

        NOTE(review): on a server older than 2.5.0 the method returns early,
        so the runner reports a pass rather than a skip.
        """
        if not TestEnv.httpd_is_at_least("2.5.0"):
            return
        domain = "test500-109-" + TestDrive.dns_uniq
        name = "www." + domain
        hsts = 'Strict-Transport-Security'

        def meta(secure):
            # Response metadata for /name.txt over HTTPS (True) or HTTP (False).
            return TestEnv.get_meta(name, "/name.txt", useHTTPS=secure)

        # setup: one vhost bound to both the HTTPS and the HTTP port
        conf = HttpdConf(TestDrive.TMP_CONF)
        conf.add_admin("admin@" + domain)
        conf.add_drive_mode("manual")
        conf.add_md([name])
        conf._add_line("  SSLEngine *:" + TestEnv.HTTPS_PORT)
        listen_spec = TestEnv.HTTPS_PORT + " *:" + TestEnv.HTTP_PORT
        conf.add_vhost(listen_spec, name, aliasList=[], docRoot="htdocs/test", withSSL=False)
        conf.install()

        # setup: resource files whose content identifies the vhost that served them
        self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR, "test"),
                             "name.txt", name)
        self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR),
                             "name.txt", "example.org")
        assert TestEnv.apache_restart() == 0

        # drive the MD by hand, then restart
        drive_result = TestEnv.a2md(["drive", name])
        assert drive_result['rv'] == 0
        assert TestEnv.apache_restart() == 0

        # state 1, HTTP access: no redirect
        assert TestEnv.get_content("example.org", "/name.txt",
                                   useHTTPS=False) == "example.org"
        assert TestEnv.get_content(name, "/name.txt", useHTTPS=False) == name
        r = meta(False)
        assert int(r['http_headers']['Content-Length']) == len(name)
        assert "Location" not in r['http_headers']
        # state 1, HTTPS access
        assert TestEnv.get_content(name, "/name.txt", useHTTPS=True) == name

        # state 2: temporary requirement -> 302 to the default HTTPS port
        conf.add_require_ssl("temporary")
        conf.install()
        assert TestEnv.apache_restart() == 0
        r = meta(False)
        assert r['http_status'] == 302
        assert r['http_headers']['Location'] == "https://%s/name.txt" % name
        # HSTS must not be sent on the HTTP response
        assert hsts not in r['http_headers']
        # the default HTTP vhost is still not redirected
        assert TestEnv.get_content("example.org", "/name.txt",
                                   useHTTPS=False) == "example.org"
        r = meta(True)
        # nor on the HTTPS response while the requirement is only temporary
        assert hsts not in r['http_headers']

        # state 3: permanent requirement -> 301, HSTS on HTTPS only
        conf.add_require_ssl("permanent")
        conf.install()
        assert TestEnv.apache_restart() == 0
        r = meta(False)
        assert r['http_status'] == 301
        assert r['http_headers']['Location'] == "https://%s/name.txt" % name
        assert hsts not in r['http_headers']
        # the HTTPS response must now carry the HSTS header
        r = meta(True)
        assert r['http_headers'][hsts] == 'max-age=15768000'