def test_730_003(self):
    """Check that a managed domain with only half of a static key pair is rejected.

    The MD is configured first with ``MDCertificateFile`` alone, then with
    ``MDCertificateKeyFile`` alone; after each install the test expects
    ``TestEnv.apache_fail()`` to return 0.
    """
    # just configuring one file will not work
    primary = self.test_domain
    names = [primary, 'www.%s' % primary]
    # NOTE(review): the directory carries the id of another test (920_001), so
    # every test writing there shares and overwrites the same key pair - confirm.
    out_dir = os.path.join(TestEnv.GEN_DIR, 'test_920_001')
    # cert that is only 10 more days valid
    validity = {"notBefore": -80, "notAfter": 10}
    CertUtil.create_self_signed_cert(names, validity, serial=730001, path=out_dir)
    cert_file = os.path.join(out_dir, 'pubcert.pem')
    pkey_file = os.path.join(out_dir, 'privkey.pem')
    assert os.path.exists(cert_file)
    assert os.path.exists(pkey_file)

    # First the certificate without its key, then the key without its certificate.
    for lone_directive in (
        "MDCertificateFile %s" % (cert_file),
        "MDCertificateKeyFile %s" % (pkey_file),
    ):
        conf = HttpdConf()
        conf.add_admin("*****@*****.**")
        conf.start_md(names)
        conf.add_line(lone_directive)
        conf.end_md()
        conf.add_vhost(primary)
        conf.install()
        # presumably 0 means "the server refused to start, as expected" - confirm
        assert TestEnv.apache_fail() == 0
def test_730_001(self):
    """Check that an MD with static certificate and key files is served but not driven.

    A self-signed pair with serial 730001 is generated, both files are
    configured on the MD, and the test then verifies the served certificate
    and the MD status entries.
    """
    # MD with static cert files, will not be driven
    primary = self.test_domain
    names = [primary, 'www.%s' % primary]
    # NOTE(review): directory name belongs to test id 920_001, not 730_001 - confirm.
    out_dir = os.path.join(TestEnv.GEN_DIR, 'test_920_001')
    # cert that is only 10 more days valid
    validity = {"notBefore": -80, "notAfter": 10}
    CertUtil.create_self_signed_cert(names, validity, serial=730001, path=out_dir)
    cert_file = os.path.join(out_dir, 'pubcert.pem')
    pkey_file = os.path.join(out_dir, 'privkey.pem')
    for generated in (cert_file, pkey_file):
        assert os.path.exists(generated)

    conf = HttpdConf()
    conf.add_admin("*****@*****.**")
    conf.start_md(names)
    conf.add_line("MDCertificateFile %s" % (cert_file))
    conf.add_line("MDCertificateKeyFile %s" % (pkey_file))
    conf.end_md()
    conf.add_vhost(primary)
    conf.install()
    assert TestEnv.apache_restart() == 0

    # The server must hand out exactly the static certificate (serial in hex).
    served = TestEnv.get_cert(primary)
    assert ('%X' % 730001) == served.get_serial()
    # The MD shows up in the status with a cert; 'renew' is reported True while
    # no 'renewal' entry exists (presumably: due, but no renewal job - confirm).
    status = TestEnv.get_md_status(primary)
    assert status
    assert 'cert' in status
    assert status['renew'] == True
    assert 'renewal' not in status
def test_702_011(self):
    """Check tls-alpn-01 renewal with an unusable and then a usable https port map.

    With ``MDPortMap https:99`` the MD must not be renewing; with https
    mapped to ``TestEnv.HTTPS_PORT`` the renewal must complete.
    """
    domain = self.test_domain
    domains = [domain, "www." + domain]

    def install_with_port_map(port_map_line):
        # generate 1 MD and 1 vhost, differing only in the port map directive
        conf = HttpdConf()
        conf.add_admin("admin@" + domain)
        conf.add_line("Protocols http/1.1 acme-tls/1")
        conf.add_drive_mode("auto")
        conf.add_ca_challenges(["tls-alpn-01"])
        # NOTE(review): this directive goes through the underscore-prefixed
        # method while every other line uses add_line - confirm that is intended.
        conf._add_line(port_map_line)
        conf.add_md(domains)
        conf.add_vhost(domains)
        conf.install()

    # https mapped onto port 99 (per the original comment, a port where the
    # server does not listen; that comment spoke of port 80)
    install_with_port_map("MDPortMap https:99")
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md(domains)
    assert not TestEnv.is_renewing(domain)

    # now the same with https mapped to a supported port
    install_with_port_map("MDPortMap https:%s" % TestEnv.HTTPS_PORT)
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md(domains)
    assert TestEnv.await_completion([domain])
def test_702_041(self):
    """Check that tls-alpn-01 fails when ``acme-tls/1`` is not a configured protocol.

    No ``Protocols`` line is added, so the drive is expected to end in an
    error and the MD must report ``acme-tls/1`` as False.
    """
    domain = "test702-041-" + TestAuto.dns_uniq
    alias = "www." + domain
    dns_list = [domain, alias]

    # generate 1 MD and 1 vhost
    conf = HttpdConf(TestAuto.TMP_CONF)
    conf.add_admin("admin@" + domain)
    for log_directive in ("LogLevel core:debug", "LogLevel ssl:debug"):
        conf.add_line(log_directive)
    conf.add_drive_mode("auto")
    conf.add_ca_challenges(["tls-alpn-01"])
    conf.add_md(dns_list)
    conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[dns_list[1]], withSSL=True)
    conf.install()

    # restart (-> drive), check that MD job shows errors
    # and that missing proto is detected
    assert TestEnv.apache_restart() == 0
    self._check_md_names(domain, dns_list)
    assert TestEnv.await_error([domain]) == True
    md = self._get_md(domain)
    assert False == md["proto"]["acme-tls/1"]
def test_901_010(self):
    """Check that a static certificate in the renewal window triggers no message.

    A message command writing to ``self.mlog`` is configured; after the
    restart that log file must not exist.
    """
    # MD with static cert files, lifetime in renewal window, no message about renewal
    primary = self.test_domain
    names = [primary, 'www.%s' % primary]
    out_dir = os.path.join(TestEnv.GEN_DIR, 'test_901_010')
    # notAfter is 20 here (the original comment said "only 10 more days valid");
    # offsets presumably count days - confirm against CertUtil
    validity = {"notBefore": -70, "notAfter": 20}
    CertUtil.create_self_signed_cert(names, validity, serial=901010, path=out_dir)
    cert_file = os.path.join(out_dir, 'pubcert.pem')
    pkey_file = os.path.join(out_dir, 'privkey.pem')
    for generated in (cert_file, pkey_file):
        assert os.path.exists(generated)

    conf = HttpdConf()
    conf.add_admin("*****@*****.**")
    conf.add_message_cmd("%s %s" % (self.mcmd, self.mlog))
    conf.start_md(names)
    conf.add_line("MDCertificateFile %s" % (cert_file))
    conf.add_line("MDCertificateKeyFile %s" % (pkey_file))
    conf.end_md()
    conf.add_vhost(primary)
    conf.install()
    assert TestEnv.apache_restart() == 0
    # No message command run means no log file was written.
    assert not os.path.isfile(self.mlog)
def test_500_203(self):
    """Reproduce the issue with an initially wrong agreement URL.

    The MD is first configured with ``TestEnv.ACME_TOS2`` as agreement and
    a manual drive must fail with rv 1; after the directive is dropped the
    drive must succeed and the MD must become complete.
    """
    # test case: reproduce issue with initially wrong agreement URL
    domain = self.test_domain
    name = "www." + domain

    def md_state():
        # state of the first entry in the a2md "list" JSON output
        return TestEnv.a2md(["list", name])['jout']['output'][0]['state']

    # setup: prepare md with invalid TOS url
    conf = HttpdConf()
    conf.add_admin("admin@" + domain)
    conf.add_line("MDCertificateAgreement %s" % (TestEnv.ACME_TOS2))
    conf.add_drive_mode("manual")
    conf.add_md([name])
    conf.install()
    assert TestEnv.apache_restart() == 0
    assert md_state() == TestEnv.MD_S_INCOMPLETE
    # drive it -> fail after account registration
    drive_result = TestEnv.a2md(["-vv", "drive", name])
    assert drive_result['rv'] == 1

    # adjust config: replace TOS url with correct one
    conf = HttpdConf()
    conf.add_admin("admin@" + domain)
    conf.add_drive_mode("manual")
    conf.add_md([name])
    conf.install()
    time.sleep(1)
    assert TestEnv.apache_restart() == 0
    assert md_state() == TestEnv.MD_S_INCOMPLETE
    # drive it -> runs OK
    drive_result = TestEnv.a2md(["-vv", "drive", name])
    assert drive_result['rv'] == 0
    assert md_state() == TestEnv.MD_S_COMPLETE
def configure_httpd(cls, domain, add_lines=""):
    """Install a configuration with one MD and one vhost for *domain*.

    Stores *domain* on ``cls.domain``, adds *add_lines* before the MD, and
    returns *domain*. Takes ``cls``; presumably used as a classmethod (the
    decorator is not visible here).
    """
    cls.domain = domain
    admin_address = "admin@" + domain
    single_md = [domain]

    conf = HttpdConf()
    conf.add_admin(admin_address)
    conf.add_line(add_lines)
    conf.add_md(single_md)
    conf.add_vhost(domain)
    conf.install()
    return domain
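def test_702_050(self):
    """Check that an MD on the base server (``MDBaseServer on``) gets renewed.

    No vhost is added; the base server carries ServerAdmin and ServerName
    for the test domain, and the renewal must complete.
    """
    domain = self.test_domain
    conf = HttpdConf()
    # One directive per line: fused onto a single line they would be read
    # as arguments of the first directive.
    conf.add_line("""
        MDBaseServer on
        ServerAdmin admin@%s
        ServerName %s
        """ % (domain, domain))
    conf.add_md([domain])
    conf.install()
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([domain])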
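def test_702_051(self):
    """Check that a base-server MD with ``MDPortMap http:-`` ends in an error.

    Same setup as a plain base-server MD, but the http port mapping is
    switched off and no ``acme-tls/1`` protocol is configured.
    """
    domain = self.test_domain
    conf = HttpdConf()
    # One directive per line: fused onto a single line they would be read
    # as arguments of the first directive.
    conf.add_line("""
        MDBaseServer on
        MDPortMap http:-
        ServerAdmin admin@%s
        ServerName %s
        """ % (domain, domain))
    conf.add_md([domain])
    conf.install()
    assert TestEnv.apache_restart() == 0
    # NOTE(review): a bare string is passed here, while another caller on this
    # page uses await_error([domain]) - confirm which form the helper expects.
    assert TestEnv.await_error(domain)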
def test_920_003(self):
    """Check that ``MDCertificateStatus off`` disables the certificate status.

    After the renewal completes (awaited without a restart), the status
    returned by ``TestEnv.get_certificate_status`` must be falsy.
    """
    # test if switching it off works
    domain = self.test_domain
    md_names = [domain]

    conf = HttpdConf()
    conf.add_admin("*****@*****.**")
    conf.add_md(md_names)
    conf.add_line("MDCertificateStatus off")
    conf.add_vhost(domain)
    conf.install()

    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([domain], restart=False)
    reported = TestEnv.get_certificate_status(domain)
    assert not reported
def test_801_010(self):
    """Check that the server starts with ``MDStapling on`` and no vhost.

    The server is stopped and the OCSP store cleared first; afterwards the
    server status must be available.
    """
    assert TestEnv.apache_stop() == 0
    TestEnv.clear_ocsp_store()

    stapled_md = [TestStapling.mdA]
    conf = HttpdConf()
    conf.add_admin("*****@*****.**")
    conf.start_md(stapled_md)
    conf.add_line("MDStapling on")
    conf.end_md()
    conf.install()

    assert TestEnv.apache_restart() == 0
    server_status = TestEnv.get_server_status()
    assert server_status
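def test_702_052(self):
    """Check that a base-server MD renews over ``acme-tls/1`` with http mapping off.

    ``MDPortMap http:-`` switches off the http port mapping; ``acme-tls/1``
    is listed in ``Protocols``, the MD status must list the domain under
    that protocol, and the renewal must complete.
    """
    domain = self.test_domain
    conf = HttpdConf()
    # One directive per line: fused onto a single line they would be read
    # as arguments of the first directive.
    conf.add_line("""
        MDBaseServer on
        MDPortMap http:-
        Protocols h2 http/1.1 acme-tls/1
        ServerAdmin admin@%s
        ServerName %s
        """ % (domain, domain))
    conf.add_md([domain])
    conf.install()
    assert TestEnv.apache_restart() == 0
    stat = TestEnv.get_md_status(domain)
    assert stat["proto"]["acme-tls/1"] == [domain]
    assert TestEnv.await_completion([domain])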
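def configure_httpd(cls, domains=None, add_lines="", ssl_stapling=False):
    """Build (without installing) a configuration with one MD and vhost per domain.

    Args:
        domains: a list of domain names, a single name, or nothing.
        add_lines: extra configuration text added before the MDs.
        ssl_stapling: when true, add the mod_ssl stapling directives.

    Returns:
        The ``HttpdConf`` object; the caller is responsible for installing it.

    Takes ``cls`` and reads ``cls.domain`` for the admin address; presumably
    used as a classmethod (the decorator is not visible here).
    """
    # The default is None rather than a shared mutable list; None, like any
    # other falsy non-list value, becomes an empty list below.
    if not isinstance(domains, list):
        domains = [domains] if domains else []
    conf = HttpdConf()
    conf.add_admin("admin@" + cls.domain)
    if ssl_stapling:
        # One directive per line: fused onto a single line they would be
        # read as arguments of the first directive.
        conf.add_line("""
            LogLevel ssl:trace2
            SSLUseStapling On
            SSLStaplingCache \"shmcb:logs/ssl_stapling(32768)\"
            """)
    conf.add_line(add_lines)
    for domain in domains:
        conf.add_md([domain])
        conf.add_vhost(domain)
    return conf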
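def test_901_020(self):
    """Check that renewal and OCSP renewal each invoke the message command once.

    With ``MDStapling on`` and a message command writing to ``self.mlog``,
    the log must hold exactly two lines: 'renewed' followed by
    'ocsp-renewed', both for the test domain.
    """
    domain = self.test_domain
    domains = [domain]
    conf = HttpdConf()
    conf.add_admin("*****@*****.**")
    conf.add_message_cmd("%s %s" % (self.mcmd, self.mlog))
    conf.add_drive_mode("auto")
    conf.add_md(domains)
    conf.add_line("MDStapling on")
    conf.add_vhost(domains)
    conf.install()
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([domain])
    # Called for its waiting effect only; the returned status is not inspected.
    TestEnv.await_ocsp_status(domain)
    assert os.path.isfile(self.mlog)
    # Close the log deterministically instead of leaking the file handle.
    with open(self.mlog) as log:
        nlines = log.readlines()
    assert 2 == len(nlines)
    assert ("['%s', '%s', 'renewed', '%s']" % (self.mcmd, self.mlog, domain)) == nlines[0].strip()
    assert ("['%s', '%s', 'ocsp-renewed', '%s']" % (self.mcmd, self.mlog, domain)) == nlines[1].strip()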
def test_801_009(self):
    """Check stapling status for an MD that uses a static self-signed certificate.

    With ``MDStapling on`` and the static pair configured, the OCSP status
    of the MD must read "no response sent" one second after the restart.
    """
    assert TestEnv.apache_stop() == 0
    md_name = TestStapling.mdA
    md_names = [md_name]
    out_dir = os.path.join(TestEnv.GEN_DIR, 'test_801_009')
    # cert that is 30 more days valid
    validity = {"notBefore": -60, "notAfter": 30}
    CertUtil.create_self_signed_cert(md_names, validity, serial=801009, path=out_dir)
    cert_file = os.path.join(out_dir, 'pubcert.pem')
    pkey_file = os.path.join(out_dir, 'privkey.pem')
    for generated in (cert_file, pkey_file):
        assert os.path.exists(generated)

    conf = HttpdConf()
    conf.add_admin("*****@*****.**")
    conf.start_md(md_names)
    conf.add_line("MDCertificateFile %s" % (cert_file))
    conf.add_line("MDCertificateKeyFile %s" % (pkey_file))
    conf.add_line("MDStapling on")
    conf.end_md()
    conf.add_vhost(md_name)
    conf.install()

    assert TestEnv.apache_restart() == 0
    time.sleep(1)
    ocsp_status = TestEnv.get_ocsp_status(md_name)
    assert ocsp_status['ocsp'] == "no response sent"
def test_702_040(self):
    """Check a complete tls-alpn-01 renewal when ``acme-tls/1`` is configured.

    The MD status must list every domain under ``acme-tls/1``, the renewal
    must complete, and the served certificate must name the domain in its
    SAN list.
    """
    domain = self.test_domain
    domains = [domain, "www." + domain]

    # generate 1 MD and 1 vhost
    conf = HttpdConf()
    conf.add_admin("admin@" + domain)
    for directive in (
        "LogLevel core:debug",
        "LogLevel ssl:debug",
        "Protocols http/1.1 acme-tls/1",
    ):
        conf.add_line(directive)
    conf.add_drive_mode("auto")
    conf.add_ca_challenges(["tls-alpn-01"])
    conf.add_md(domains)
    conf.add_vhost(domains)
    conf.install()

    # restart (-> drive), check that MD was synched and completes
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md(domains)
    # check that acme-tls/1 is available for all domains
    md_status = TestEnv.get_md_status(domain)
    assert md_status["proto"]["acme-tls/1"] == domains
    assert TestEnv.await_completion([domain])
    TestEnv.check_md_complete(domain)

    # check SSL running OK
    served = TestEnv.get_cert(domain)
    assert domain in served.get_san_list()
def test_702_040(self):
    """Check a complete tls-alpn-01 renewal when ``acme-tls/1`` is configured.

    Uses a domain unique to this test and the ``TestAuto.TMP_CONF``
    configuration; the served certificate must name the domain in its SAN
    list.
    """
    domain = "test702-040-" + TestAuto.dns_uniq
    dns_list = [domain, "www." + domain]

    # generate 1 MD and 1 vhost
    conf = HttpdConf(TestAuto.TMP_CONF)
    conf.add_admin("admin@" + domain)
    for directive in (
        "LogLevel core:debug",
        "LogLevel ssl:debug",
        "Protocols http/1.1 acme-tls/1",
    ):
        conf.add_line(directive)
    conf.add_drive_mode("auto")
    conf.add_ca_challenges(["tls-alpn-01"])
    conf.add_md(dns_list)
    conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[dns_list[1]], withSSL=True)
    conf.install()

    # restart (-> drive), check that MD was synched and completes
    assert TestEnv.apache_restart() == 0
    self._check_md_names(domain, dns_list)
    assert TestEnv.await_completion([domain])
    self._check_md_cert(dns_list)

    # check SSL running OK
    served = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, domain)
    assert domain in served.get_san_list()
def test_702_041(self):
    """Check that a missing ``acme-tls/1`` protocol is reported in the MD status.

    tls-alpn-01 is the only allowed challenge but no ``Protocols`` line is
    configured; the status must list no domain under ``acme-tls/1``.
    """
    domain = self.test_domain
    domains = [domain, "www." + domain]

    # generate 1 MD and 1 vhost
    conf = HttpdConf()
    conf.add_admin("admin@" + domain)
    for log_directive in ("LogLevel core:debug", "LogLevel ssl:debug"):
        conf.add_line(log_directive)
    conf.add_drive_mode("auto")
    conf.add_ca_challenges(["tls-alpn-01"])
    conf.add_md(domains)
    conf.add_vhost(domains)
    conf.install()

    # restart (-> drive), check that MD job shows errors
    # and that missing proto is detected
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md(domains)
    # check that acme-tls/1 is available for none of the domains
    md_status = TestEnv.get_md_status(domain)
    assert md_status["proto"]["acme-tls/1"] == []
def test_700_004(self, challengeType):
    """Check a complete automatic renewal restricted to one challenge type.

    Args:
        challengeType: the single ACME challenge type the MD may use.
    """
    # generate 1 MD and 1 vhost
    domain = self.test_domain
    alias = "www." + domain
    dns_list = [domain, alias]

    conf = HttpdConf()
    conf.add_admin("admin@" + domain)
    conf.add_line("Protocols http/1.1 acme-tls/1")
    conf.add_drive_mode("auto")
    conf.add_ca_challenges([challengeType])
    conf.add_md(dns_list)
    conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[dns_list[1]])
    conf.install()

    # restart (-> drive), check that MD was synched and completes
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md(domain, dns_list)
    assert TestEnv.await_completion([domain])
    TestEnv.check_md_complete(domain)

    # check SSL running OK
    served = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, domain)
    assert domain in served.get_san_list()
def test_700_004(self, challengeType):
    """Check a complete automatic renewal restricted to one challenge type.

    Args:
        challengeType: the single ACME challenge type the MD may use.
    """
    # generate 1 MD and 1 vhost
    domain = self.test_domain
    domains = [domain, "www." + domain]
    allowed_challenges = [challengeType]

    conf = HttpdConf()
    conf.add_admin("admin@" + domain)
    conf.add_line("Protocols http/1.1 acme-tls/1")
    conf.add_drive_mode("auto")
    conf.add_ca_challenges(allowed_challenges)
    conf.add_md(domains)
    conf.add_vhost(domains)
    conf.install()

    # restart (-> drive), check that MD was synched and completes
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md(domains)
    assert TestEnv.await_completion([domain])
    TestEnv.check_md_complete(domain)

    # check SSL running OK
    served = TestEnv.get_cert(domain)
    assert domain in served.get_san_list()
def test_702_041(self):
    """Check that a missing ``acme-tls/1`` protocol is detected and stops renewal.

    tls-alpn-01 is the only allowed challenge but no ``Protocols`` line is
    configured; the MD must report ``acme-tls/1`` as False and must not be
    renewing.
    """
    domain = self.test_domain
    alias = "www." + domain
    dns_list = [domain, alias]

    # generate 1 MD and 1 vhost
    conf = HttpdConf()
    conf.add_admin("admin@" + domain)
    for log_directive in ("LogLevel core:debug", "LogLevel ssl:debug"):
        conf.add_line(log_directive)
    conf.add_drive_mode("auto")
    conf.add_ca_challenges(["tls-alpn-01"])
    conf.add_md(dns_list)
    conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[dns_list[1]])
    conf.install()

    # restart (-> drive), check that MD job shows errors
    # and that missing proto is detected
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md(domain, dns_list)
    md = self._get_md(domain)
    assert False == md["proto"]["acme-tls/1"]
    assert not TestEnv.is_renewing(domain)
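def test_901_011(self):
    """Check that a static certificate in the warn window yields one 'expiring' message.

    The message command writes to ``self.mlog``. After the first restart
    the log must hold exactly one 'expiring' line for the domain, and a
    second restart must not add another.
    """
    # MD with static cert files, lifetime in warn window, check message
    domain = self.test_domain
    domains = [domain, 'www.%s' % domain]
    testpath = os.path.join(TestEnv.GEN_DIR, 'test_901_011')
    # notAfter is 5 here (the original comment said "only 10 more days valid");
    # offsets presumably count days - confirm against CertUtil
    CertUtil.create_self_signed_cert(domains, {"notBefore": -85, "notAfter": 5},
                                     serial=901011, path=testpath)
    cert_file = os.path.join(testpath, 'pubcert.pem')
    pkey_file = os.path.join(testpath, 'privkey.pem')
    assert os.path.exists(cert_file)
    assert os.path.exists(pkey_file)
    conf = HttpdConf()
    conf.add_admin("*****@*****.**")
    conf.add_message_cmd("%s %s" % (self.mcmd, self.mlog))
    conf.start_md(domains)
    conf.add_line("MDCertificateFile %s" % (cert_file))
    conf.add_line("MDCertificateKeyFile %s" % (pkey_file))
    conf.end_md()
    conf.add_vhost(domain)
    conf.install()
    expected = "['%s', '%s', 'expiring', '%s']" % (self.mcmd, self.mlog, domain)

    assert TestEnv.apache_restart() == 0
    time.sleep(1)
    # Close the log deterministically instead of leaking the file handle.
    with open(self.mlog) as log:
        nlines = log.readlines()
    assert 1 == len(nlines)
    assert expected == nlines[0].strip()

    # check that we do not get it resent right away again
    assert TestEnv.apache_restart() == 0
    time.sleep(1)
    with open(self.mlog) as log:
        nlines = log.readlines()
    assert 1 == len(nlines)
    assert expected == nlines[0].strip()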
def test_702_042(self):
    """Check that the server starts when ``SSLCertificateChainFile`` is set alongside an MD.

    Only a successful restart is asserted.
    """
    domain = self.test_domain
    dns_list = [domain]
    chain_file = self._path_conf_ssl("valid_cert.pem")

    conf = HttpdConf()
    conf.add_admin("admin@" + domain)
    conf.add_line("LogLevel core:debug")
    conf.add_line("LogLevel ssl:debug")
    conf.add_line("SSLCertificateChainFile %s" % (chain_file))
    conf.add_drive_mode("auto")
    conf.add_md(dns_list)
    conf.add_vhost(TestEnv.HTTPS_PORT, dns_list)
    conf.install()

    assert TestEnv.apache_restart() == 0
def test_710_002(self):
    """Check the switch from ACMEv1 to ACMEv2 for two existing MDs.

    Both MDs obtain certificates under 'acmev1' with a single account.
    After switching to 'acmev2' and adding a name to each MD, a new
    certificate (different serial) must be served and two accounts exist.
    """
    domain = "test710-002-" + TestAuto.dns_uniq

    # use ACMEv1 initially
    TestEnv.set_acme('acmev1')

    name_a = "a-" + domain
    name_b = "b-" + domain

    def install_conf(list_a, list_b):
        # two MDs with "MDMembers auto"; the alias names come from the vhosts
        conf = HttpdConf(TestAuto.TMP_CONF)
        conf.add_admin("*****@*****.**")
        conf.add_line("MDMembers auto")
        conf.add_md([name_a])
        conf.add_md([name_b])
        conf.add_vhost(TestEnv.HTTPS_PORT, name_a, aliasList=list_a[1:], withSSL=True)
        conf.add_vhost(TestEnv.HTTPS_PORT, name_b, aliasList=list_b[1:], withSSL=True)
        conf.install()

    # generate config with two MDs
    dns_a = [name_a, "www." + name_a]
    dns_b = [name_b, "www." + name_b]
    install_conf(dns_a, dns_b)

    # restart, check that md is in store
    assert TestEnv.apache_restart() == 0
    self._check_md_names(name_a, dns_a)
    self._check_md_names(name_b, dns_b)
    # await drive completion
    assert TestEnv.await_completion([name_a, name_b])
    self._check_md_cert(dns_a)
    self._check_md_cert(dns_b)
    # NOTE(review): the first MD is checked a second time in the original;
    # kept as is - looks redundant, confirm.
    self._check_md_cert(dns_a)
    first_cert = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, name_a)
    # should have a single account now
    assert 1 == len(TestEnv.list_accounts())

    # use ACMEv2 now for everything
    TestEnv.set_acme('acmev2')

    # change the MDs so that we need a new cert
    dns_a = [name_a, "www." + name_a, "another." + name_a]
    dns_b = [name_b, "www." + name_b, "another." + name_b]
    install_conf(dns_a, dns_b)

    # restart, gets cert
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([name_a, name_b])
    self._check_md_names(name_a, dns_a)
    self._check_md_names(name_b, dns_b)
    self._check_md_cert(dns_a)
    second_cert = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, name_a)
    # should no longer be the same cert
    assert first_cert.get_serial() != second_cert.get_serial()
    # should have 2 accounts now
    assert 2 == len(TestEnv.list_accounts())
def test_710_003(self):
    """Check that an MD with an explicit ACMEv1 CA URL migrates to the ACMEv2 default.

    The first MD is created with ``MDCertificateAuthority`` set to the
    ACMEv1 URL. After switching to 'acmev2' and dropping that directive,
    both the existing MD and a newly added one must carry
    ``TestEnv.ACME_URL_DEFAULT`` as their CA.
    """
    domain = "a-" + self.test_domain
    domainb = "b-" + self.test_domain

    # use ACMEv1 initially; the CA url is read only after the switch
    TestEnv.set_acme('acmev1')
    ca_url = TestEnv.ACME_URL

    dns_names = [domain, "www." + domain]
    aliases = dns_names[1:]

    conf = HttpdConf()
    conf.clear()
    conf.add_admin("*****@*****.**")
    conf.add_line("MDCertificateAgreement accepted")
    conf.add_line("MDMembers auto")
    conf.start_md([domain])
    conf.add_line("MDCertificateAuthority %s" % (ca_url))
    conf.end_md()
    conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=aliases)
    conf.install()
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md(domain, dns_names)
    assert TestEnv.await_completion([domain])
    assert (0, 0) == TestEnv.apache_err_count()
    TestEnv.check_md(domain, dns_names, ca=ca_url)

    # use ACMEv2 now, same MD, no CA url
    TestEnv.set_acme('acmev2')
    # this changes the default CA url
    assert TestEnv.ACME_URL_DEFAULT != ca_url

    conf = HttpdConf()
    conf.clear()
    conf.add_admin("*****@*****.**")
    conf.add_line("MDCertificateAgreement accepted")
    conf.add_line("MDMembers auto")
    conf.start_md([domain])
    conf.end_md()
    conf.start_md([domainb])
    # this will get the real Let's Encrypt URL assigned, turn off
    # auto renewal, so we will not talk to them
    conf.add_line("MDDriveMode manual")
    conf.end_md()
    conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=aliases)
    conf.add_vhost(TestEnv.HTTPS_PORT, domainb, aliasList=[])
    conf.install()

    assert TestEnv.apache_restart() == 0
    assert (0, 0) == TestEnv.apache_err_count()
    # the existing MD was migrated to new CA url
    TestEnv.check_md(domain, dns_names, ca=TestEnv.ACME_URL_DEFAULT)
    # the new MD got the new default anyway
    TestEnv.check_md(domainb, [domainb], ca=TestEnv.ACME_URL_DEFAULT)
def test_710_002(self):
    """Check the switch from ACMEv1 to ACMEv2 for two existing MDs.

    Both MDs obtain certificates under 'acmev1' with a single account.
    After switching to 'acmev2' and adding a name to each MD, a new
    certificate (different serial) must be served and two accounts exist.
    """
    domain = self.test_domain

    # use ACMEv1 initially
    TestEnv.set_acme('acmev1')

    name_a = "a-" + domain
    name_b = "b-" + domain

    def install_conf(list_a, list_b):
        # two MDs with "MDMembers auto"; the alias names come from the vhosts
        conf = HttpdConf()
        conf.add_admin("*****@*****.**")
        conf.add_line("MDMembers auto")
        conf.add_md([name_a])
        conf.add_md([name_b])
        conf.add_vhost(list_a)
        conf.add_vhost(list_b)
        conf.install()

    # generate config with two MDs
    names_a = [name_a, "www." + name_a]
    names_b = [name_b, "www." + name_b]
    install_conf(names_a, names_b)

    # restart, check that md is in store
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md(names_a)
    TestEnv.check_md(names_b)
    # await drive completion
    assert TestEnv.await_completion([name_a, name_b])
    TestEnv.check_md_complete(names_a[0])
    TestEnv.check_md_complete(names_b[0])
    first_cert = TestEnv.get_cert(name_a)
    # should have a single account now
    assert 1 == len(TestEnv.list_accounts())

    # use ACMEv2 now for everything
    TestEnv.set_acme('acmev2')

    # change the MDs so that we need a new cert
    names_a = [name_a, "www." + name_a, "another." + name_a]
    names_b = [name_b, "www." + name_b, "another." + name_b]
    install_conf(names_a, names_b)

    # restart, gets cert
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([name_a, name_b])
    TestEnv.check_md(names_a)
    TestEnv.check_md(names_b)
    TestEnv.check_md_complete(names_a[0])
    second_cert = TestEnv.get_cert(name_a)
    # should no longer be the same cert
    assert first_cert.get_serial() != second_cert.get_serial()
    # should have 2 accounts now
    assert 2 == len(TestEnv.list_accounts())