def test_502_201(self, renewWindow, testDataList):
    """Trigger a certificate renewal when the renew window is entered.

    The md is configured with ``MDRenewWindow renewWindow`` in manual drive
    mode and driven to COMPLETE. Then, for each entry of ``testDataList``,
    the stored certificate is replaced by a self-signed one with the entry's
    validity period and the ``renew`` flag reported by ``a2md list`` is
    compared against the entry's expected value.
    """
    domain = self.test_domain
    md_name = "www." + domain

    # setup: an md in manual drive mode, so nothing renews behind our back
    conf = HttpdConf()
    conf.add_admin("admin@" + domain)
    conf.add_drive_mode("manual")
    conf.add_renew_window(renewWindow)
    conf.add_md([md_name])
    conf.install()
    assert TestEnv.apache_restart() == 0

    def md_status():
        # the first (and only) entry a2md reports for this md
        return TestEnv.a2md(["list", md_name])['jout']['output'][0]

    assert md_status()['state'] == TestEnv.MD_S_INCOMPLETE

    # setup: drive it so a real certificate ends up in the store
    assert TestEnv.a2md(["drive", md_name])['rv'] == 0
    driven_cert = CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))
    assert md_status()['state'] == TestEnv.MD_S_COMPLETE

    # replace the cert by self-signed ones of varying validity and check the
    # renew indicator the md reports for each of them
    print("TRACE: start testing renew window: %s" % renewWindow)
    for tc in testDataList:
        print("TRACE: create self-signed cert: %s" % tc["valid"])
        CertUtil.create_self_signed_cert([md_name], tc["valid"])
        replaced_cert = CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))
        # sanity: the self-signed cert really replaced the driven one
        assert replaced_cert.get_serial() != driven_cert.get_serial()
        md = md_status()
        assert md["renew"] == tc["renew"], \
            "Expected renew == {} indicator in {}, test case {}".format(tc["renew"], md, tc)
def test_502_107(self):
    """Drive a COMPLETE md again, then with ``--force``.

    A plain re-drive must keep the existing certificate; ``--force`` must
    issue a new one and move the previous one into the archive.
    """
    domain = self.test_domain
    md_name = "www." + domain
    self._prepare_md([md_name])
    assert TestEnv.apache_start() == 0

    def drive(*extra_args):
        # run `a2md -vv drive [extra_args] md_name`, verify the stored
        # credentials and return the certificate now in the store
        assert TestEnv.a2md(["-vv", "drive"] + list(extra_args) + [md_name])['rv'] == 0
        TestEnv.check_md_credentials(md_name, [md_name])
        return CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))

    first_cert = drive()

    # driving again on a COMPLETE md must not touch the certificate
    assert drive().get_serial() == first_cert.get_serial()

    # --force must issue a new certificate ...
    forced_cert = drive("--force")
    assert forced_cert.get_serial() != first_cert.get_serial()

    # ... and the previous one must have been archived
    archived_cert = CertUtil(TestEnv.store_archived_file(md_name, 2, 'pubcert.pem'))
    assert archived_cert.get_serial() == first_cert.get_serial()
def test_120_002(self):
    """Reported md state as the stored key/cert pair changes.

    No key/cert -> INCOMPLETE; a valid pair -> COMPLETE; an expired pair ->
    INCOMPLETE with the ``renew`` flag set.
    """
    domain = "not-forbidden.org"
    assert TestEnv.a2md(["add", domain])['rv'] == 0
    assert TestEnv.a2md(["update", domain, "contacts", "admin@" + domain])['rv'] == 0
    assert TestEnv.a2md(["update", domain, "agreement", TestEnv.ACME_TOS])['rv'] == 0

    def md_info():
        return TestEnv.a2md(["list", domain])['jout']['output'][0]

    def install_credentials(pkey_fixture, cert_fixture):
        # copy a fixture key/cert pair from the ssl conf dir into the md store
        copyfile(self._path_conf_ssl(pkey_fixture), TestEnv.store_domain_file(domain, 'privkey.pem'))
        copyfile(self._path_conf_ssl(cert_fixture), TestEnv.store_domain_file(domain, 'pubcert.pem'))

    # check: no pkey/cert in the store yet -> INCOMPLETE
    assert md_info()['state'] == TestEnv.MD_S_INCOMPLETE

    # check: valid pkey/cert -> COMPLETE
    install_credentials("valid_pkey.pem", "valid_cert.pem")
    assert md_info()['state'] == TestEnv.MD_S_COMPLETE

    # check: expired cert -> INCOMPLETE and flagged for renewal
    install_credentials("expired_pkey.pem", "expired_cert.pem")
    info = md_info()
    assert info['state'] == TestEnv.MD_S_INCOMPLETE
    assert info['renew'] == True
def test_700_009(self):
    """Auto drive mode renews a stored cert that is about to expire.

    After the initial drive the stored certificate is swapped for a
    self-signed one with almost no remaining validity; the next restart must
    pick that up and renew it.
    """
    domain = self.test_domain
    dns_list = [domain]

    # prepare md: auto drive, 10d renew window
    conf = HttpdConf()
    conf.add_admin("admin@" + domain)
    conf.add_drive_mode("auto")
    conf.add_renew_window("10d")
    conf.add_md(dns_list)
    conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[])
    conf.install()

    def reported_serial():
        # serial of the cert the server itself reports for the domain
        return TestEnv.get_certificate_status(domain)['serial']

    # restart (-> drive); md and cert must be in the store, TLS up
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([domain])
    TestEnv.check_md_complete(domain)
    initial_cert = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
    assert reported_serial() == initial_cert.get_serial()

    # self-signed cert with notBefore -120 / notAfter 2 (presumably seconds
    # relative to now): far inside the 10d renew window, so a restart has to
    # drive again
    CertUtil.create_self_signed_cert([domain], {"notBefore": -120, "notAfter": 2}, serial=7009)
    short_lived_cert = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
    assert short_lived_cert.get_serial() == '1B61'  # 7009 in hex
    assert TestEnv.apache_restart() == 0
    assert reported_serial() == short_lived_cert.get_serial()

    # the cert must get renewed and differ afterwards
    assert TestEnv.await_completion([domain], must_renew=True)
    assert reported_serial() != short_lived_cert.get_serial()
def test_801_008(self):
    """Turn stapling on and check that an OCSP response is served and stored.

    The vhost uses the md's stored key/cert directly via mod_ssl directives;
    after a restart the connection must carry a successful OCSP status and a
    response file must exist in the store's ``ocsp/other`` directory.
    """
    assert TestEnv.apache_stop() == 0

    md = TestStapling.mdA
    conf = TestStapling.configure_httpd()
    conf.add_line("MDStapling on")
    conf.start_vhost(md)
    # NOTE(review): the whitespace inside this literal was reflowed from a
    # collapsed source; the directives themselves are unchanged
    conf.add_line("""
    SSLCertificateKeyFile %s
    SSLCertificateFile %s
    """ % (TestEnv.store_domain_file(md, 'privkey.pem'), TestEnv.store_domain_file(md, 'pubcert.pem')))
    conf.end_vhost()
    conf.install()
    assert TestEnv.apache_restart() == 0

    # wait for the stapled status to show up in connections
    status = TestEnv.await_ocsp_status(md)
    assert status['ocsp'] == "successful (0x0)"
    assert status['verify'] == "0 (ok)"

    # find the file where the OCSP response is stored; when several match,
    # the last one in listdir order is taken
    ocsp_dir = os.path.join(TestEnv.STORE_DIR, 'ocsp', 'other')
    matches = [os.path.join(ocsp_dir, fname)
               for fname in os.listdir(ocsp_dir) if fname.startswith("ocsp-")]
    ocsp_file = matches[-1] if matches else None
    assert ocsp_file
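def test_800_003(self):
    """Toggling MDMustStaple on/off is reflected in the issued certificate.

    With the directive on, the cert in the store must carry the must-staple
    flag; after switching it off and driving again, the new cert must not.
    """
    domain = TestMustStaple.domain

    def drive_with(must_staple_line):
        # reconfigure, restart (-> drive), wait for completion and return the
        # certificate that ended up in the store
        TestMustStaple.configure_httpd(domain, must_staple_line)
        assert TestEnv.apache_restart() == 0
        assert TestEnv.await_completion([domain])
        TestEnv.check_md_complete(domain)
        return CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))

    assert drive_with("MDMustStaple on").get_must_staple()
    # the return value of configure_httpd is deliberately not bound to
    # `domain`: await_completion/check_md_complete need the md name, and the
    # sibling tests ignore that return value as well
    assert not drive_with("MDMustStaple off").get_must_staple()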
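def test_8003(self):
    """Toggling MDMustStaple on -> off -> on re-issues the certificate each
    time, and its must-staple flag follows the directive."""
    domain = self.test_domain
    dns_list = [domain]

    def drive_with_must_staple(setting):
        # install a fresh config with `MDMustStaple setting`, let the md
        # drive and return the certificate that ends up in the store
        conf = HttpdConf()
        conf.add_admin("admin@" + domain)
        conf.add_must_staple(setting)
        conf.add_md(dns_list)
        conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[])
        conf.install()
        assert TestEnv.apache_restart() == 0
        assert TestEnv.await_completion([domain])
        # second restart, presumably so the freshly driven credentials are
        # loaded before they are checked
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md_complete(domain)
        return CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))

    assert drive_with_must_staple("on").get_must_staple()
    # toggle MDMustStaple off, expect a cert that has it disabled
    assert not drive_with_must_staple("off").get_must_staple()
    # toggle MDMustStaple on again, expect a cert that has it enabled
    assert drive_with_must_staple("on").get_must_staple()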
def test_502_301(self):
    """Changing the contact info of a valid md must not re-issue its cert."""
    domain = self.test_domain
    md_name = "www." + domain

    # setup: md in store, driven once
    self._prepare_md([md_name])
    assert TestEnv.apache_start() == 0
    assert TestEnv.a2md(["drive", md_name])['rv'] == 0
    cert_before = CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))

    # setup: change the contact address (the domain set stays the same)
    assert TestEnv.a2md(["update", md_name, "contacts", "test@" + domain])['rv'] == 0

    # drive again and compare the cert serials: a contact change alone is
    # not a reason for a new certificate
    assert TestEnv.a2md(["drive", md_name])['rv'] == 0
    cert_after = CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))
    assert cert_before.get_serial() == cert_after.get_serial()
def test_502_300(self):
    """Removing a dns name from a valid md must not re-issue its cert."""
    domain = self.test_domain
    md_name = "www." + domain
    initial_names = [md_name, "test." + domain, "xxx." + domain]

    # setup: md with three names in store, driven once
    self._prepare_md(initial_names)
    assert TestEnv.apache_start() == 0
    assert TestEnv.a2md(["drive", md_name])['rv'] == 0
    cert_before = CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))

    # setup: drop the xxx name, keeping the other two
    remaining_names = [md_name, "test." + domain]
    assert TestEnv.a2md(["update", md_name, "domains"] + remaining_names)['rv'] == 0

    # drive again and compare the cert serials: the existing cert still
    # covers every remaining name, so it is kept
    assert TestEnv.a2md(["-vv", "drive", md_name])['rv'] == 0
    cert_after = CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))
    assert cert_before.get_serial() == cert_after.get_serial()
def test_502_200(self):
    """Adding a dns name to a valid md must re-issue its cert."""
    domain = self.test_domain
    md_name = "www." + domain
    added_name = "test." + domain

    # setup: single-name md in store, driven once
    self._prepare_md([md_name])
    assert TestEnv.apache_start() == 0
    assert TestEnv.a2md(["drive", md_name])['rv'] == 0
    cert_before = CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))

    # setup: add a second name to the md
    assert TestEnv.a2md(["update", md_name, "domains", md_name, added_name])['rv'] == 0

    # drive again: the new cert must cover both names and differ from the
    # previous one
    assert TestEnv.a2md(["-vv", "drive", md_name])['rv'] == 0
    TestEnv.check_md_credentials(md_name, [md_name, added_name])
    cert_after = CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))
    assert cert_before.get_serial() != cert_after.get_serial()
def test_800_002(self):
    """With MDMustStaple off the cert has no must-staple flag and the server
    staples no OCSP response."""
    domain = TestMustStaple.domain
    TestMustStaple.configure_httpd(domain, "MDMustStaple off")
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md_complete(domain)

    stored_cert = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
    assert not stored_cert.get_must_staple()

    ocsp_status = TestEnv.get_ocsp_status(domain)
    assert ocsp_status['ocsp'] == "no response sent"
def test_120_003(self):
    """A valid key/cert pair makes the md COMPLETE; replacing the cert file
    with something that is not a certificate makes it ERROR."""
    domain = "not-forbidden.org"
    assert TestEnv.a2md(["add", domain])['rv'] == 0
    assert TestEnv.a2md(["update", domain, "contacts", "admin@" + domain])['rv'] == 0
    assert TestEnv.a2md(["update", domain, "agreement", TestEnv.ACME_TOS])['rv'] == 0

    def md_state():
        return TestEnv.a2md(["list", domain])['jout']['output'][0]['state']

    def install_fixture(fixture_name, store_file):
        # copy a fixture from the ssl conf dir over the md's store file
        copyfile(self._path_conf_ssl(fixture_name), TestEnv.store_domain_file(domain, store_file))

    # check: valid pkey/cert -> COMPLETE
    install_fixture("valid_pkey.pem", 'privkey.pem')
    install_fixture("valid_cert.pem", 'pubcert.pem')
    assert md_state() == TestEnv.MD_S_COMPLETE

    # check: a CSR in place of the cert is a broken file -> ERROR
    install_fixture("valid_cert.req", 'pubcert.pem')
    assert md_state() == TestEnv.MD_S_ERROR
def test_8001(self):
    """Without an MDMustStaple directive the issued cert has no must-staple
    flag."""
    domain = self.test_domain

    conf = HttpdConf()
    conf.add_admin("admin@" + domain)
    conf.add_md([domain])
    conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[])
    conf.install()

    # restart (-> drive), wait for the md, restart again and check the store
    assert TestEnv.apache_restart() == 0
    assert TestEnv.await_completion([domain])
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md_complete(domain)

    issued_cert = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
    assert not issued_cert.get_must_staple()
def test_502_202(self, keyType, keyParams, expKeyLength):
    """Configure ``MDPrivateKeys keyType keyParams`` and verify that the
    driven certificate's key has length ``expKeyLength``."""
    domain = self.test_domain
    md_name = "www." + domain

    # setup: manual-drive md with the requested private key spec
    conf = HttpdConf()
    conf.add_admin("admin@" + domain)
    conf.add_drive_mode("manual")
    conf.add_private_key(keyType, keyParams)
    conf.add_md([md_name])
    conf.install()
    assert TestEnv.apache_restart() == 0

    def md_state():
        return TestEnv.a2md(["list", md_name])['jout']['output'][0]['state']

    assert md_state() == TestEnv.MD_S_INCOMPLETE

    # setup: drive it; the message names the key spec so a failing
    # parametrization is easy to spot
    drive_rv = TestEnv.a2md(["-vv", "drive", md_name])['rv']
    assert drive_rv == 0, \
        "Expected drive to succeed for MDPrivateKeys {} {}".format(keyType, keyParams)
    assert md_state() == TestEnv.MD_S_COMPLETE

    # check: the key of the issued cert has the expected length
    issued_cert = CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))
    assert issued_cert.get_key_length() == expKeyLength
def test_800_001(self):
    """The default must-staple setting yields a cert without the flag."""
    domain = TestMustStaple.domain
    TestEnv.check_md_complete(domain)
    stored_cert = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
    assert not stored_cert.get_must_staple()