def test_310_308(self):
    """Walk MDRequireHttps through unset -> temporary -> permanent and check the store.

    Each step installs a fresh config, restarts httpd and reads the first MD back
    via ``a2md list``; the stored ``require-https`` value must follow the config.
    """
    def first_md():
        # the first MD as reported by a2md list
        return TestEnv.a2md(["list"])['jout']['output'][0]

    # baseline: no MDRequireHttps at all, so the key must not be persisted
    HttpdConf(text="""
        MDomain testdomain.org www.testdomain.org mail.testdomain.org
        """).install()
    assert TestEnv.apache_restart() == 0
    assert "require-https" not in first_md()

    # temporary redirect, set as a global directive
    HttpdConf(text="""
        MDomain testdomain.org www.testdomain.org mail.testdomain.org
        MDRequireHttps temporary
        """).install()
    assert TestEnv.apache_restart() == 0
    assert first_md()['require-https'] == "temporary"

    # permanent redirect, this time scoped inside an MDomainSet block
    HttpdConf(text="""
        <MDomainSet testdomain.org>
            MDMember www.testdomain.org mail.testdomain.org
            MDRequireHttps permanent
        </MDomainSet>
        """).install()
    assert TestEnv.apache_restart() == 0
    assert first_md()['require-https'] == "permanent"
def test_310_307(self):
    """Changing MDPrivateKeys bits must be reflected in the stored MD after each restart.

    Cycles 4096 -> 2048 -> 4096 so that both the downgrade and the upgrade of the
    configured RSA key size are observed in ``a2md list``.
    """
    template = """
        MDPrivateKeys RSA {}
        MDomain testdomain.org www.testdomain.org mail.testdomain.org
        """
    for bits in (4096, 2048, 4096):
        HttpdConf(text=template.format(bits)).install()
        assert TestEnv.apache_restart() == 0
        stored = TestEnv.a2md(["list"])['jout']['output'][0]['privkey']
        assert stored == {"type": "RSA", "bits": bits}
def test_700_009(self):
    """A certificate inside the renew window is replaced on the next drive.

    Sets a 10 day renew window, lets the MD obtain a certificate, then overwrites
    the stored certificate with a self-signed one that expires in 2 days and
    checks that httpd renews it (the serial changes).
    """
    domain = self.test_domain
    names = [domain]

    # MD with auto drive mode and a generous renew window
    cfg = HttpdConf()
    cfg.add_admin("admin@" + domain)
    cfg.add_drive_mode("auto")
    cfg.add_renew_window("10d")
    cfg.add_md(names)
    cfg.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[])
    cfg.install()

    # restart drives the MD; cert must land in the store and status must match it
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([domain])
    TestEnv.check_md_complete(domain)
    initial_cert = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
    status = TestEnv.get_certificate_status(domain)
    assert status['serial'] == initial_cert.get_serial()

    # replace the stored cert with a short-lived self-signed one (serial 7009 == 0x1B61)
    CertUtil.create_self_signed_cert([domain], {"notBefore": -120, "notAfter": 2}, serial=7009)
    short_lived = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
    assert short_lived.get_serial() == '1B61'
    assert TestEnv.apache_restart() == 0
    status = TestEnv.get_certificate_status(domain)
    assert status['serial'] == short_lived.get_serial()

    # remaining validity is inside the renew window, so a renewal must happen
    assert TestEnv.await_completion([domain], must_renew=True)
    status = TestEnv.get_certificate_status(domain)
    assert status['serial'] != short_lived.get_serial()
def test_310_306(self):
    """MDCAChallenges changes must be synced into the stored MD on restart.

    Covers a single http-01, a single tls-alpn-01 and the combination of both;
    the stored ``ca.challenges`` list must mirror the configured order.
    """
    template = """
        MDCAChallenges {}
        MDomain testdomain.org www.testdomain.org mail.testdomain.org
        """
    cases = [
        ("http-01", ['http-01']),
        ("tls-alpn-01", ['tls-alpn-01']),
        ("http-01 tls-alpn-01", ['http-01', 'tls-alpn-01']),
    ]
    for configured, expected in cases:
        HttpdConf(text=template.format(configured)).install()
        assert TestEnv.apache_restart() == 0
        stored = TestEnv.a2md(["list"])['jout']['output'][0]['ca']['challenges']
        assert stored == expected
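def test_920_001(self):
    """Certificate status before and after activating a freshly obtained cert.

    Before the activating restart the status must carry no fingerprint/validity
    for an active certificate but describe the pending one under ``renewal``;
    after the restart the ``renewal`` entry must be gone and the active cert
    must be described at the top level.
    """
    domain = self.test_domain
    domains = [domain]
    conf = HttpdConf()
    conf.add_admin("*****@*****.**")
    conf.add_md(domains)
    conf.add_vhost(domain)
    conf.install()
    assert TestEnv.apache_restart() == 0
    # wait for the ACME signup without restarting, so the new cert stays staged
    assert TestEnv.await_completion([domain], restart=False)

    # no valid certificate was active at start, so the status must not describe one;
    # the staged cert is reported under 'renewal'
    status = TestEnv.get_certificate_status(domain)
    assert 'sha256-fingerprint' not in status
    assert 'valid' not in status
    assert 'renewal' in status
    assert 'valid' in status['renewal']
    assert 'sha256-fingerprint' in status['renewal']

    # restart activates the staged cert: 'renewal' disappears, active attributes appear
    assert TestEnv.apache_restart() == 0
    status = TestEnv.get_certificate_status(domain)
    assert 'renewal' not in status
    assert 'sha256-fingerprint' in status
    assert 'valid' in status
    assert 'from' in status['valid']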
def test_801_002(self):
    """MDStapling can be switched on and off while mod_ssl stapling stays enabled.

    With MDStapling unset or ``off`` the MD status must not report stapling; with
    ``on`` the OCSP response must be delivered, verify cleanly and be reported
    as good/valid in the MD status.
    """
    md_name = TestStapling.mdA

    def ocsp_ok(status):
        assert status['ocsp'] == "successful (0x0)"

    # default: MDStapling not configured -> mod_ssl staples, MD does not
    TestStapling.configure_httpd(md_name, ssl_stapling=True).install()
    assert TestEnv.apache_stop() == 0
    assert TestEnv.apache_restart() == 0
    ocsp_ok(TestEnv.get_ocsp_status(md_name))
    assert not TestEnv.get_md_status(md_name)["stapling"]

    # MDStapling on: wait until the stapled response shows up on connections
    TestStapling.configure_httpd(md_name, "MDStapling on", ssl_stapling=True).install()
    assert TestEnv.apache_restart() == 0
    ocsp = TestEnv.await_ocsp_status(md_name)
    ocsp_ok(ocsp)
    assert ocsp['verify'] == "0 (ok)"
    md_status = TestEnv.get_md_status(md_name)
    assert md_status["stapling"]
    assert md_status["cert"]["ocsp"]["status"] == "good"
    assert md_status["cert"]["ocsp"]["valid"]

    # MDStapling off: MD stapling must disappear again
    TestStapling.configure_httpd(md_name, "MDStapling off", ssl_stapling=True).install()
    assert TestEnv.apache_restart() == 0
    ocsp_ok(TestEnv.get_ocsp_status(md_name))
    assert not TestEnv.get_md_status(md_name)["stapling"]
def test_310_118(self):
    """Adding MDRenewWindow to an existing MD is picked up on restart."""
    for conf_name in ("one_md", "renew_14d"):
        TestEnv.install_test_conf(conf_name)
        assert TestEnv.apache_restart() == 0
    first_md = TestEnv.a2md(["list"])['jout']['output'][0]
    assert first_md['renew-window'] == '14d'
def test_700_011(self):
    """MDPortMap decides whether a tls-sni-01 drive can succeed.

    Mapping 443 to a port the server does not listen on must end in an error;
    mapping it to the real HTTPS port must complete the MD.
    NOTE(review): tls-sni-01 has been withdrawn by public ACME CAs; this test
    relies on the local test CA still offering it.
    """
    domain = "test700-011-" + TestAuto.dns_uniq
    names = [domain, "www." + domain]

    def install_with_portmap(portmap_line):
        # one MD, one SSL vhost, challenge fixed to tls-sni-01
        cfg = HttpdConf(TestAuto.TMP_CONF)
        cfg.add_admin("admin@" + domain)
        cfg.add_drive_mode("auto")
        cfg.add_ca_challenges(["tls-sni-01"])
        cfg._add_line(portmap_line)
        cfg.add_md(names)
        cfg.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[names[1]], withSSL=True)
        cfg.install()
        assert TestEnv.apache_restart() == 0
        self._check_md_names(domain, names)

    # 443 mapped onto a port nobody listens on -> the drive must fail
    install_with_portmap("MDPortMap 443:99")
    assert TestEnv.await_error([domain])

    # 443 mapped onto the port httpd actually serves -> the drive must complete
    install_with_portmap("MDPortMap 443:%s" % TestEnv.HTTPS_PORT)
    assert TestEnv.await_completion([domain])
def test_702_001(self):
    """An MD is only driven once a vhost references it.

    Without a matching vhost the MD is synced to the store but ``watched`` stays
    0; adding the vhost and restarting drives it, after which the challenge
    directory must be empty and store permissions must be correct.
    """
    domain = self.test_domain
    domains = [domain, "www." + domain]

    cfg = HttpdConf()
    cfg.add_admin("admin@" + domain)
    cfg.add_drive_mode("auto")
    cfg.add_md(domains)
    cfg.install()

    # MD in store, but nothing watches it yet
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md(domains)
    assert TestEnv.get_md_status(domain)["watched"] == 0

    # a vhost for the MD makes the restart drive it
    cfg.add_vhost(domains)
    cfg.install()
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([domain])
    TestEnv.check_md_complete(domain)
    assert TestEnv.get_md_status(domain)["watched"] == 1
    served = TestEnv.get_cert(domain)
    assert domain in served.get_san_list()

    # challenge material must be cleaned up and store files must keep their permissions
    TestEnv.check_dir_empty(TestEnv.store_challenges())
    TestEnv.check_file_permissions(domain)
def test_602_000(self):
    """Manual drive round trip: config MD -> restart -> a2md drive -> add vhost -> TLS works.

    Ends by checking that the served certificate covers the domain and that the
    store files carry the expected permissions.
    """
    domain = self.test_domain
    domains = [domain, "www." + domain]

    # one MD in manual drive mode
    cfg = HttpdConf()
    cfg.add_admin("admin@" + domain)
    cfg.add_drive_mode("manual")
    cfg.add_md(domains)
    cfg.install()

    # restart only syncs the MD into the store
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md(domains)

    # drive it explicitly via a2md
    assert TestEnv.a2md(["-v", "drive", domain])['rv'] == 0
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md_complete(domain)

    # now the vhost can use the certificate
    cfg.add_vhost(domains)
    cfg.install()
    assert TestEnv.apache_restart() == 0
    served = TestEnv.get_cert(domain)
    assert domain in served.get_san_list()

    TestEnv.check_file_permissions(domain)
def test_702_031(self):
    """One MD covering two vhosts; changing the member list triggers a new certificate.

    Both vhosts must first be served from the same certificate; after the MD
    drops its first name and gains a new one, the vhost must still work and be
    served from a certificate with a different serial.
    """
    domain = self.test_domain
    name_x = "test-x." + domain
    name_a = "test-a." + domain
    name_b = "test-b." + domain
    name_c = "test-c." + domain

    def install_md(members):
        # one MD plus the two vhosts it covers
        cfg = HttpdConf()
        cfg.add_admin("admin@" + domain)
        cfg.add_md(members)
        cfg.add_vhost(TestEnv.HTTPS_PORT, name_a, aliasList=[], docRoot="htdocs/a")
        cfg.add_vhost(TestEnv.HTTPS_PORT, name_b, aliasList=[], docRoot="htdocs/b")
        cfg.install()
        assert TestEnv.apache_restart() == 0

    def served_cert(host):
        cert = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, host)
        assert host in cert.get_san_list()
        return cert

    # initial MD: x, a, b
    members = [name_x, name_a, name_b]
    install_md(members)
    TestEnv.check_md(name_x, members)
    assert TestEnv.await_completion([name_x])
    TestEnv.check_md_complete(name_x)
    cert_a = served_cert(name_a)
    cert_b = served_cert(name_b)
    assert cert_a.get_serial() == cert_b.get_serial()

    # drop x, add c
    new_members = [name_a, name_b, name_c]
    install_md(new_members)
    TestEnv.check_md(name_x, new_members)
    assert TestEnv.await_completion([name_a])
    cert_a2 = served_cert(name_a)
    assert cert_a.get_serial() != cert_a2.get_serial()
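def test_702_001(self):
    """An MD without a vhost stays incomplete; adding the vhost drives it.

    After the first restart the MD must be in the store but not driven (the log
    must show "no mds to drive"); after a vhost is added the drive completes,
    the challenge directory is empty and store permissions are correct.
    """
    domain = self.test_domain
    dns_list = [domain, "www." + domain]

    conf = HttpdConf()
    conf.add_admin("admin@" + domain)
    conf.add_drive_mode("auto")
    conf.add_md(dns_list)
    conf.install()

    # restart syncs the MD into the store but must not start a drive
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md(domain, dns_list)
    time.sleep(2)
    TestEnv.check_md(domain, dns_list, TestEnv.MD_S_INCOMPLETE)
    # raw string: '\[' in a plain literal is an invalid escape (SyntaxWarning on newer Pythons)
    assert TestEnv.apache_err_scan(re.compile(r'.*\[md:debug\].*no mds to drive'))

    # a vhost referencing the MD makes the next restart drive it
    conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[dns_list[1]])
    conf.install()
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([domain])
    TestEnv.check_md_complete(domain)
    cert = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, domain)
    assert domain in cert.get_san_list()

    # challenge material removed, store files with the expected permissions
    TestEnv.check_dir_empty(TestEnv.store_challenges())
    TestEnv.check_file_permissions(domain)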
def test_702_010(self):
    """MDPortMap controls whether an http-01 drive is attempted.

    With port 80 mapped to an unused port no renewal must start; mapped to the
    real HTTP port the MD must complete.
    """
    domain = self.test_domain
    names = [domain, "www." + domain]

    def install_with_portmap(portmap_line):
        cfg = HttpdConf()
        cfg.add_admin("admin@" + domain)
        cfg.add_drive_mode("auto")
        cfg.add_ca_challenges(["http-01"])
        cfg._add_line(portmap_line)
        cfg.add_md(names)
        cfg.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[names[1]])
        cfg.install()
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(domain, names)

    # 80 mapped to a port nobody serves: http-01 cannot work, so no renewal
    install_with_portmap("MDPortMap 80:99")
    assert not TestEnv.is_renewing(domain)

    # 80 mapped to the real HTTP port: drive goes through
    install_with_portmap("MDPortMap 80:%s" % TestEnv.HTTP_PORT)
    assert TestEnv.await_completion([domain])
def test_310_302(self):
    """Changed CA settings (authority, agreement) are synced into an existing MD.

    The MD is first stored with the acme.test.org CA, then the config switches
    to a different directory and terms URL; after the restart the stored MD
    must carry the new values.
    """
    name = "testdomain.org"
    members = [name, "www.testdomain.org", "mail.testdomain.org"]

    # initial CA settings
    HttpdConf(text="""
        MDCertificateAuthority http://acme.test.org:4000/directory
        MDCertificateProtocol ACME
        MDCertificateAgreement http://acme.test.org:4000/terms/v1
        MDomain testdomain.org www.testdomain.org mail.testdomain.org
        """).install()
    assert TestEnv.apache_restart() == 0

    # same MD, different CA directory and agreement
    HttpdConf(text="""
        ServerAdmin mailto:[email protected]
        MDCertificateAuthority http://somewhere.com:6666/directory
        MDCertificateProtocol ACME
        MDCertificateAgreement http://somewhere.com:6666/terms/v1
        MDomain testdomain.org www.testdomain.org mail.testdomain.org
        """).install()
    assert TestEnv.apache_restart() == 0

    # the store must now reflect the changed CA info
    TestEnv.check_md(members, state=1,
                     ca="http://somewhere.com:6666/directory",
                     protocol="ACME",
                     agreement="http://somewhere.com:6666/terms/v1")
def test_702_011(self):
    """MDPortMap controls whether a tls-alpn-01 drive is attempted.

    With ``https`` mapped to an unused port no renewal must start; mapped to
    the real HTTPS port the MD must complete. ``acme-tls/1`` is enabled via
    Protocols so the challenge can be answered.
    """
    domain = self.test_domain
    domains = [domain, "www." + domain]

    def install_with_portmap(portmap_line):
        cfg = HttpdConf()
        cfg.add_admin("admin@" + domain)
        cfg.add_line("Protocols http/1.1 acme-tls/1")
        cfg.add_drive_mode("auto")
        cfg.add_ca_challenges(["tls-alpn-01"])
        cfg._add_line(portmap_line)
        cfg.add_md(domains)
        cfg.add_vhost(domains)
        cfg.install()
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(domains)

    # https mapped to a port nobody serves: no renewal must be attempted
    install_with_portmap("MDPortMap https:99")
    assert not TestEnv.is_renewing(domain)

    # https mapped to the real port: drive goes through
    install_with_portmap("MDPortMap https:%s" % TestEnv.HTTPS_PORT)
    assert TestEnv.await_completion([domain])
def test_600_000(self):
    """Manual drive round trip ending in a TLS vhost served from the MD certificate.

    config MD -> restart -> a2md drive -> add vhost -> restart -> served cert
    covers the domain -> store file permissions are correct.
    """
    domain = self.test_domain
    names = [domain, "www." + domain]

    cfg = HttpdConf()
    cfg.add_admin("admin@" + domain)
    cfg.add_drive_mode("manual")
    cfg.add_md(names)
    cfg.install()

    # restart only stores the MD
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md(domain, names)

    # explicit, very verbose drive
    assert TestEnv.a2md(["-vvvv", "drive", domain])['rv'] == 0
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md_complete(domain)

    # vhost picks up the certificate
    cfg.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[names[1]])
    cfg.install()
    assert TestEnv.apache_restart() == 0
    served = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, domain)
    assert domain in served.get_san_list()

    TestEnv.check_file_permissions(domain)
def test_500_203(self):
    """A wrong terms-of-service URL fails the drive; correcting it lets the drive succeed.

    Reproduces the case where the account was registered with an invalid
    agreement URL: the first drive must fail (rv 1), the MD stays incomplete,
    and after the config is fixed the same MD drives to completion.
    """
    domain = "test500-203-" + TestDrive.dns_uniq
    name = "www." + domain

    def md_state():
        return TestEnv.a2md(["list", name])['jout']['output'][0]['state']

    def install_md(cfg):
        cfg.add_admin("admin@" + domain)
        cfg.add_drive_mode("manual")
        cfg.add_md([name])
        cfg.install()

    # invalid TOS url -> drive fails after account registration
    install_md(HttpdConf(TestDrive.TMP_CONF, acmeTos=TestEnv.ACME_TOS2))
    assert TestEnv.apache_restart() == 0
    assert md_state() == TestEnv.MD_S_INCOMPLETE
    assert TestEnv.a2md(["-vv", "drive", name])['rv'] == 1

    # default (correct) TOS url -> drive completes
    install_md(HttpdConf(TestDrive.TMP_CONF))
    time.sleep(1)
    assert TestEnv.apache_restart() == 0
    assert md_state() == TestEnv.MD_S_INCOMPLETE
    assert TestEnv.a2md(["-vv", "drive", name])['rv'] == 0
    assert md_state() == TestEnv.MD_S_COMPLETE
def test_600_000(self):
    """Manual drive round trip (roundtrip suite variant using TMP_CONF).

    config MD -> restart -> a2md drive -> add SSL vhost -> restart -> served
    cert covers the domain -> store file permissions are correct.
    """
    domain = "r000-" + TestRoundtrip.dns_uniq
    names = [domain, "www." + domain]

    cfg = HttpdConf(TestRoundtrip.TMP_CONF, True)
    cfg.add_admin("admin@" + domain)
    cfg.add_drive_mode("manual")
    cfg.add_md(names)
    cfg.install()

    # restart stores the MD
    assert TestEnv.apache_restart() == 0
    self._check_md_names(domain, names)

    # explicit drive, then verify the stored cert
    assert TestEnv.a2md(["-v", "drive", domain])['rv'] == 0
    self._check_md_cert(names)

    # SSL vhost served from the new certificate
    cfg.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[names[1]], withSSL=True)
    cfg.install()
    assert TestEnv.apache_restart() == 0
    served = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, domain)
    assert domain in served.get_san_list()

    TestEnv.check_file_permissions(domain)
def test_310_210(self, confFile, expMode):
    """MDRequireHttps from ``confFile`` is stored as ``expMode`` and removed with the directive.

    Parametrized: ``confFile`` names the test config to install, ``expMode`` the
    ``require-https`` value expected in the store.
    """
    def first_md():
        return TestEnv.a2md(["list"])['jout']['output'][0]

    TestEnv.install_test_conf(confFile)
    assert TestEnv.apache_restart() == 0
    assert first_md()['require-https'] == expMode, \
        "Unexpected HTTPS require mode in store. confFile: {}".format(confFile)

    # config without the directive: the value must not linger in the store
    TestEnv.install_test_conf("one_md")
    assert TestEnv.apache_restart() == 0
    assert "require-https" not in first_md(), \
        "HTTPS require still persisted in store. confFile: {}".format(confFile)
def test_310_101(self):
    """Adding a second MD in a later config leaves the first one intact."""
    def members_of(base):
        return [base, "www." + base, "mail." + base]

    TestEnv.install_test_conf("one_md")
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md("testdomain.org", members_of("testdomain.org"), 1)

    TestEnv.install_test_conf("two_mds")
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md("testdomain.org", members_of("testdomain.org"), 1)
    TestEnv.check_md("testdomain2.org", members_of("testdomain2.org"), 1)
def test_310_211(self):
    """MDMustStaple is stored as True and falls back to False when the directive is removed."""
    def must_staple():
        return TestEnv.a2md(["list"])['jout']['output'][0]['must-staple']

    TestEnv.install_test_conf("staple_on")
    assert TestEnv.apache_restart() == 0
    assert must_staple() == True

    TestEnv.install_test_conf("one_md")
    assert TestEnv.apache_restart() == 0
    assert must_staple() == False
def test_310_209(self, confFile):
    """An RSA MDPrivateKeys setting from ``confFile`` is stored and removed with the directive."""
    def first_md():
        return TestEnv.a2md(["list"])['jout']['output'][0]

    TestEnv.install_test_conf(confFile)
    assert TestEnv.apache_restart() == 0
    assert first_md()['privkey']['type'] == "RSA"

    # without the directive no private key spec must be persisted
    TestEnv.install_test_conf("one_md")
    assert TestEnv.apache_restart() == 0
    assert "privkey" not in first_md()
def test_310_208(self):
    """Removing MDCAChallenges from the config drops the stored challenge list."""
    def ca_section():
        return TestEnv.a2md(["list"])['jout']['output'][0]['ca']

    TestEnv.install_test_conf("challenge_http")
    assert TestEnv.apache_restart() == 0
    assert ca_section()['challenges'] == ['http-01']

    TestEnv.install_test_conf("one_md")
    assert TestEnv.apache_restart() == 0
    assert 'challenges' not in ca_section()
def test_310_207(self, confFile, expCode):
    """MDDriveMode from ``confFile`` is stored as ``expCode``; without it the default (1 == auto) applies."""
    def drive_mode():
        return TestEnv.a2md(["list"])['jout']['output'][0]['drive-mode']

    TestEnv.install_test_conf(confFile)
    assert TestEnv.apache_restart() == 0
    assert drive_mode() == expCode

    TestEnv.install_test_conf("one_md")
    assert TestEnv.apache_restart() == 0
    assert drive_mode() == 1
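def test_500_109(self):
    """HTTP -> HTTPS redirect behaviour of MDRequireHttps on an SSL-only domain.

    Without the directive plain HTTP serves content and sets no Location;
    ``temporary`` yields 302 without Strict-Transport-Security; ``permanent``
    yields 301 and the HTTPS response carries HSTS (max-age=15768000). The
    default HTTP vhost must never be redirected, and HSTS is never sent on a
    plain-HTTP response.
    """
    domain = "test500-109-" + TestDrive.dns_uniq
    name = "www." + domain

    # one MD, manual drive, an HTTP and an HTTPS vhost for the same name
    conf = HttpdConf(TestDrive.TMP_CONF)
    conf.add_admin("admin@" + domain)
    conf.add_drive_mode("manual")
    conf.add_md([name])
    conf.add_vhost(TestEnv.HTTP_PORT, name, aliasList=[], docRoot="htdocs/test", withSSL=False)
    conf.add_vhost(TestEnv.HTTPS_PORT, name, aliasList=[], docRoot="htdocs/test", withSSL=True)
    conf.install()

    # resources: one for the MD vhost, one for the default vhost
    self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR, "test"), "name.txt", name)
    self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR), "name.txt", "not-forbidden.org")
    assert TestEnv.apache_restart() == 0

    assert TestEnv.a2md(["drive", name])['rv'] == 0
    assert TestEnv.apache_restart() == 0

    # no MDRequireHttps: plain HTTP serves content, no redirect
    assert TestEnv.get_content("not-forbidden.org", "/name.txt", useHTTPS=False) == "not-forbidden.org"
    assert TestEnv.get_content(name, "/name.txt", useHTTPS=False) == name
    r = TestEnv.get_meta(name, "/name.txt", useHTTPS=False)
    assert int(r['http_headers']['Content-Length']) == len(name)
    assert "Location" not in r['http_headers']
    assert TestEnv.get_content(name, "/name.txt", useHTTPS=True) == name

    # temporary: 302 to the default HTTPS port, no HSTS anywhere
    conf.add_require_ssl("temporary")
    conf.install()
    assert TestEnv.apache_restart() == 0
    r = TestEnv.get_meta(name, "/name.txt", useHTTPS=False)
    assert r['http_status'] == 302
    expLocation = "https://%s/name.txt" % name
    assert r['http_headers']['Location'] == expLocation
    assert 'Strict-Transport-Security' not in r['http_headers']
    # the default HTTP vhost is not affected by the MD's redirect
    assert TestEnv.get_content("not-forbidden.org", "/name.txt", useHTTPS=False) == "not-forbidden.org"
    r = TestEnv.get_meta(name, "/name.txt", useHTTPS=True)
    assert 'Strict-Transport-Security' not in r['http_headers']

    # permanent: 301, HSTS only on the HTTPS response
    conf.add_require_ssl("permanent")
    conf.install()
    assert TestEnv.apache_restart() == 0
    r = TestEnv.get_meta(name, "/name.txt", useHTTPS=False)
    assert r['http_status'] == 301
    expLocation = "https://%s/name.txt" % name
    assert r['http_headers']['Location'] == expLocation
    assert 'Strict-Transport-Security' not in r['http_headers']
    r = TestEnv.get_meta(name, "/name.txt", useHTTPS=True)
    assert r['http_headers']['Strict-Transport-Security'] == 'max-age=15768000'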
def test_600_002(self):
    """One MD covering two SSL vhosts that share its certificate and key files.

    After a manual drive, both vhosts are configured with the MD's pubcert/privkey
    paths; each must present the same certificate (same serial) and serve its
    own document root.
    """
    domain = "r002-" + TestRoundtrip.dns_uniq
    name_a = "test-a." + domain
    name_b = "test-b." + domain
    names = [domain, name_a, name_b]

    cfg = HttpdConf(TestRoundtrip.TMP_CONF, True)
    cfg.add_admin("admin@" + domain)
    cfg.add_drive_mode("manual")
    cfg.add_md(names)
    cfg.install()

    # store the MD, then drive it explicitly
    assert TestEnv.apache_restart() == 0
    self._check_md_names(domain, names)
    assert TestEnv.a2md(["drive", domain])['rv'] == 0
    self._check_md_cert(names)

    # two vhosts pointing at the MD's cert/key files
    cert_path = TestEnv.path_domain_pubcert(domain)
    key_path = TestEnv.path_domain_privkey(domain)
    for host, doc_root in ((name_a, "htdocs/a"), (name_b, "htdocs/b")):
        cfg.add_vhost(TestEnv.HTTPS_PORT, host, aliasList=[], docRoot=doc_root,
                      withSSL=True, certPath=cert_path, keyPath=key_path)
    cfg.install()

    # document roots with a name marker each
    self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR, "a"), "name.txt", name_a)
    self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR, "b"), "name.txt", name_b)

    # both hosts must present the same certificate and serve their own content
    assert TestEnv.apache_restart() == 0
    cert_a = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, name_a)
    assert name_a in cert_a.get_san_list()
    cert_b = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, name_b)
    assert name_b in cert_b.get_san_list()
    assert cert_a.get_serial() == cert_b.get_serial()
    assert TestEnv.get_content(name_a, "/name.txt") == name_a
    assert TestEnv.get_content(name_b, "/name.txt") == name_b
def test_702_032(self):
    """Two MDs with ``MDMembers auto`` merge when one vhost takes over the other's name.

    Initially each vhost has its own MD and certificate; after the second MD and
    vhost are removed and name2 becomes an alias of vhost1, the first MD must
    pick up name2 and be re-issued a certificate covering both.
    """
    domain = self.test_domain
    name1 = "server1." + domain
    # separate TLD so the test CA's rate limits are not hit
    name2 = "server2.b" + domain

    def served_cert(host):
        cert = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, host)
        assert host in cert.get_san_list()
        return cert

    # two MDs, two vhosts
    cfg = HttpdConf()
    cfg.add_admin("admin@" + domain)
    cfg._add_line("MDMembers auto")
    cfg.add_md([name1])
    cfg.add_md([name2])
    cfg.add_vhost(TestEnv.HTTPS_PORT, name1, aliasList=[], docRoot="htdocs/a")
    cfg.add_vhost(TestEnv.HTTPS_PORT, name2, aliasList=[], docRoot="htdocs/b")
    cfg.install()

    assert TestEnv.apache_restart() == 0
    TestEnv.check_md(name1, [name1])
    TestEnv.check_md(name2, [name2])
    assert TestEnv.await_completion([name1, name2])
    TestEnv.check_md_complete(name2)
    cert1 = served_cert(name1)
    served_cert(name2)

    # drop the second MD/vhost, make name2 an alias of vhost1
    cfg = HttpdConf()
    cfg.add_admin("admin@" + domain)
    cfg._add_line("MDMembers auto")
    cfg.add_md([name1])
    cfg.add_vhost(TestEnv.HTTPS_PORT, name1, aliasList=[name2], docRoot="htdocs/a")
    cfg.install()

    assert TestEnv.apache_restart() == 0
    TestEnv.check_md(name1, [name1, name2])
    assert TestEnv.await_completion([name1])
    cert1b = served_cert(name1)
    assert name2 in cert1b.get_san_list()
    assert cert1.get_serial() != cert1b.get_serial()
def test_310_206(self):
    """Removing MDRenewWindow from the config falls back to the stored default ('33%')."""
    def renew_window():
        return TestEnv.a2md(["list"])['jout']['output'][0]['renew-window']

    TestEnv.install_test_conf("renew_14d")
    assert TestEnv.apache_restart() == 0
    assert renew_window() == '14d'

    TestEnv.install_test_conf("one_md")
    assert TestEnv.apache_restart() == 0
    assert renew_window() == '33%'
def test_310_104(self):
    """Adding CA url, protocol and agreement to an existing MD is synced on restart."""
    name = "testdomain.org"
    members = [name, "www.testdomain.org", "mail.testdomain.org"]

    # default CA settings
    TestEnv.install_test_conf("one_md")
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md(name, members, 1, ca=TestEnv.ACME_URL_DEFAULT, protocol="ACME")

    # explicit CA settings added
    TestEnv.install_test_conf("one_md_ca")
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md(name, members, 1,
                     ca="http://acme.test.org:4000/directory",
                     protocol="ACME",
                     agreement="http://acme.test.org:4000/terms/v1")
def test_700_031(self):
    """One MD covering two SSL vhosts; changing the member list yields a new certificate.

    Both vhosts use the MD's cert/key files and must first share one certificate.
    After the MD drops its first name and gains a new one, vhost A must still
    be served, now from a certificate with a different serial.
    """
    domain = "test700-031-" + TestAuto.dns_uniq
    name_x = "test-x." + domain
    name_a = "test-a." + domain
    name_b = "test-b." + domain
    name_c = "test-c." + domain

    def install_md(members):
        # one MD plus two vhosts wired to the MD's cert/key paths
        cfg = HttpdConf(TestAuto.TMP_CONF)
        cfg.add_admin("admin@" + domain)
        cfg.add_md(members)
        for host, doc_root in ((name_a, "htdocs/a"), (name_b, "htdocs/b")):
            cfg.add_vhost(TestEnv.HTTPS_PORT, host, aliasList=[], docRoot=doc_root,
                          withSSL=True,
                          certPath=TestEnv.path_domain_pubcert(domain),
                          keyPath=TestEnv.path_domain_privkey(domain))
        cfg.install()
        assert TestEnv.apache_restart() == 0

    def served_cert(host):
        cert = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, host)
        assert host in cert.get_san_list()
        return cert

    # initial MD: x, a, b -> both vhosts share one certificate
    members = [name_x, name_a, name_b]
    install_md(members)
    self._check_md_names(name_x, members)
    assert TestEnv.await_completion([name_x])
    self._check_md_cert(members)
    cert_a = served_cert(name_a)
    cert_b = served_cert(name_b)
    assert cert_a.get_serial() == cert_b.get_serial()

    # drop x, add c -> vhost A keeps working but gets a new certificate
    new_members = [name_a, name_b, name_c]
    install_md(new_members)
    self._check_md_names(name_x, new_members)
    assert TestEnv.await_completion([name_x])
    cert_a2 = served_cert(name_a)
    assert cert_a.get_serial() != cert_a2.get_serial()