コード例 #1
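def test_caa():
    """Exercise CAA enforcement for permitted, forbidden and parameterised names.

    CAA ``issue`` records are published on the challenge test server for a set
    of reserved names. The test then checks that issuance succeeds where the
    record carries ``goodCAA`` and is refused with ``urn:acme:error:caa`` where
    it carries ``badCAA``. When ``CONFIG_NEXT`` is set it additionally checks
    the ``validationmethods`` and ``accounturi`` record parameters.

    Raises:
        Exception: if ``caa_authzs`` is empty or one of its authorizations
            does not answer with HTTP 200.
    """
    if len(caa_authzs) == 0:
        raise Exception("CAA authzs not prepared for test_caa")
    for a in caa_authzs:
        response = requests.get(a.uri)
        if response.status_code != 200:
            raise Exception("Unexpected response for CAA authz: ",
                response.status_code)

    goodCAA = "happy-hacker-ca.invalid"
    badCAA = "sad-hacker-ca.invalid"

    # Held in one variable so the CAA record and the issuance requests cannot
    # drift apart in spelling. The record used to be published under
    # "dns-01-or-http01..." (no second hyphen) while issuance asked for
    # "dns-01-or-http-01...", so the combined validationmethods policy was
    # never attached to the name actually being tested.
    eitherMethodDomain = "dns-01-or-http-01.good-caa-reserved.com"

    # With no caa_client the accounturi parameter is rendered as "None".
    caa_account_uri = caa_client.account.uri if caa_client is not None else None
    caa_records = [
        {"domain": "bad-caa-reserved.com", "value": badCAA},
        {"domain": "good-caa-reserved.com", "value": goodCAA},
        {"domain": "accounturi.good-caa-reserved.com", "value":"{0}; accounturi={1}".format(goodCAA, caa_account_uri)},
        {"domain": "recheck.good-caa-reserved.com", "value":badCAA},
        {"domain": "dns-01-only.good-caa-reserved.com", "value": "{0}; validationmethods=dns-01".format(goodCAA)},
        {"domain": "http-01-only.good-caa-reserved.com", "value": "{0}; validationmethods=http-01".format(goodCAA)},
        {"domain": eitherMethodDomain, "value": "{0}; validationmethods=dns-01,http-01".format(goodCAA)},
    ]
    for policy in caa_records:
        challSrv.add_caa_issue(policy["domain"], policy["value"])

    # The record for this name carries goodCAA, so issuance must succeed.
    auth_and_issue(["good-caa-reserved.com"])

    # Re-use the previously prepared authorizations: the CAA record now in
    # place for recheck.good-caa-reserved.com carries badCAA, so finalizing
    # with them should be denied.
    chisel.expect_problem("urn:acme:error:caa", lambda: chisel.issue(caa_client, caa_authzs))

    # Already published by the loop above; kept as in the original test.
    challSrv.add_caa_issue("bad-caa-reserved.com", badCAA)
    chisel.expect_problem("urn:acme:error:caa",
        lambda: auth_and_issue(["bad-caa-reserved.com"]))

    # TODO(@4a6f656c): Once the `CAAValidationMethods` feature flag is enabled by
    # default, remove this early return.
    if not CONFIG_NEXT:
        return

    # A challenge type the record does not list must be refused.
    chisel.expect_problem("urn:acme:error:caa",
        lambda: auth_and_issue(["dns-01-only.good-caa-reserved.com"], chall_type="http-01"))

    chisel.expect_problem("urn:acme:error:caa",
        lambda: auth_and_issue(["http-01-only.good-caa-reserved.com"], chall_type="dns-01"))

    # Note: the additional names are to avoid rate limiting...
    auth_and_issue(["dns-01-only.good-caa-reserved.com", "www.dns-01-only.good-caa-reserved.com"], chall_type="dns-01")
    auth_and_issue(["http-01-only.good-caa-reserved.com", "www.http-01-only.good-caa-reserved.com"], chall_type="http-01")
    auth_and_issue([eitherMethodDomain, "dns-01-only.good-caa-reserved.com"], chall_type="dns-01")
    auth_and_issue([eitherMethodDomain, "http-01-only.good-caa-reserved.com"], chall_type="http-01")

    # CAA should fail with an arbitrary account, but succeed with the caa_client.
    chisel.expect_problem("urn:acme:error:caa", lambda: auth_and_issue(["accounturi.good-caa-reserved.com"]))
    auth_and_issue(["accounturi.good-caa-reserved.com"], client=caa_client)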
コード例 #2
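def test_recheck_caa():
    """Check that CAA is rechecked when an old cached authorization is reused.

    The authorizations in ``caa_recheck_setup_data`` were created while CAA
    permitted issuance. A forbidding CAA record is then set on one of the
    names; the CA should recheck CAA and reject the request.

    Raises:
        Exception: if the setup data holds no authorizations, or one of them
            does not answer with HTTP 200.
    """
    if 'authzs' not in caa_recheck_setup_data:
        # Name this test in the message (it previously pointed at test_caa).
        raise (Exception("CAA authzs not prepared for test_recheck_caa"))
    domains = []
    for a in caa_recheck_setup_data['authzs']:
        response = requests.get(a.uri)
        if response.status_code != 200:
            raise (Exception("Unexpected response for CAA authz: ",
                             response.status_code))
        domain = a.body.identifier.value
        domains.append(domain)

    # Set a forbidding CAA record on just one domain. Index 3 requires the
    # setup step to have prepared at least four authorizations.
    challSrv.add_caa_issue(domains[3], ";")

    # Request issuance for the previously-issued domain names, which should
    # now be denied due to CAA.
    chisel.expect_problem(
        "urn:acme:error:caa",
        lambda: chisel.auth_and_issue(domains,
                                      client=caa_recheck_setup_data['client']))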
コード例 #3
def test_renewal_exemption():
    """
    Check that renewals do not count against the certificatesPerName limit.

    Under one random base domain the test issues a certificate, renews it
    twice, and then issues a certificate for a different subdomain. With the
    testing limit of 2 certificates per name per 90 days and renewals exempt,
    all four issuances should succeed. A fifth issuance for yet another
    subdomain is expected to be rate limited, which confirms the limit really
    is 2. See https://letsencrypt.org/docs/rate-limits/ for more details.
    """

    # TODO(@cpu): Once the `AllowRenewalFirstRL` feature flag is enabled by
    # default, delete this early return.
    running_config_next = default_config_dir.startswith("test/config-next")
    if not running_config_next:
        return

    base_domain = random_domain()

    # One initial issuance followed by two renewals of the same name.
    for _ in range(3):
        auth_and_issue(["www." + base_domain])

    # A different certificate under the same base domain.
    auth_and_issue(["blog." + base_domain])

    # One more different certificate: this one should hit the rate limit.
    def issue_over_limit():
        return auth_and_issue(["mail." + base_domain])

    chisel.expect_problem("urn:acme:error:rateLimited", issue_over_limit)
コード例 #4
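def test_recheck_caa():
    """Check that CAA is rechecked when an old cached authorization is reused.

    The authorizations in ``caa_recheck_authzs`` were created while CAA
    permitted issuance. A forbidding CAA record is then set on every one of
    their names; the CA should recheck CAA and reject the request.

    Raises:
        Exception: if no authorizations were prepared, or one of them does
            not answer with HTTP 200.
    """
    # TODO(jsha): We can't do this test in non-CONFIG_NEXT mode
    # because of authzv2. We do the twenty_days setup in CONFIG_NEXT
    # mode (creating an authzv2), then restart Boulder with the authzv2
    # flag disabled, which causes the authz to 404. Remove this check once
    # authzv2 is live.
    if not CONFIG_NEXT:
        return
    if len(caa_recheck_authzs) == 0:
        # Name this test in the message (it previously pointed at test_caa).
        raise Exception("CAA authzs not prepared for test_recheck_caa")
    domains = []
    for a in caa_recheck_authzs:
        response = requests.get(a.uri)
        if response.status_code != 200:
            raise Exception("Unexpected response for CAA authz: ",
                            response.status_code)
        domain = a.body.identifier.value
        domains.append(domain)
        # ";" is the forbidding record value used by this test.
        challSrv.add_caa_issue(domain, ";")

    # Request issuance for the previously-issued domain names, which should
    # now be denied due to CAA.
    chisel.expect_problem(
        "urn:acme:error:caa",
        lambda: chisel.auth_and_issue(domains, client=caa_recheck_client))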
コード例 #5
ファイル: integration-test.py プロジェクト: afxcn/boulder
def test_oversized_csr():
    """Expect a malformed problem when a request names too many domains."""
    # 101 names: per the original author, one more than the configured
    # RA/CA maxNames.
    name_count = 101

    # Build numbered subdomains ("0.<base>", "1.<base>", ...) of one random
    # base domain.
    parent = random_domain()
    domains = []
    for index in range(name_count):
        domains.append("{0}.{1}".format(index, parent))

    def issue_too_many_names():
        return auth_and_issue(domains)

    # Too many names in the request should be reported as malformed.
    chisel.expect_problem("urn:acme:error:malformed", issue_too_many_names)
コード例 #6
def test_oversized_csr():
    """Expect a malformed problem when a request names too many domains."""
    # Per the original author, 101 is one greater than the configured RA/CA
    # maxNames.
    too_many = 101
    suffix = random_domain()

    # Numbered subdomains of the random domain: "0.<suffix>" up to
    # "100.<suffix>".
    domains = list(
        "{0}.{1}".format(str(i), suffix) for i in range(too_many))

    def oversized_request():
        return auth_and_issue(domains)

    # The request should be rejected as malformed because it carries too
    # many names.
    chisel.expect_problem("urn:acme:error:malformed", oversized_request)
コード例 #7
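def test_gsb_lookups():
    """Attempt issuance for a GSB-blocked domain, and expect it to fail. Also
       check the gsb-test-srv's count of received queries to ensure it got a
       request.

    Raises:
        Exception: if the test server did not record exactly one lookup for
            the hostname.
    """
    hostname = "honest.achmeds.discount.hosting.com"
    chisel.expect_problem("urn:acme:error:unauthorized",
        lambda: auth_and_issue([hostname]))

    # Close the HTTP response explicitly instead of leaving it to the
    # garbage collector.
    hits_response = urllib2.urlopen("http://localhost:6000/hits")
    try:
        hits_map = json.loads(hits_response.read())
    finally:
        hits_response.close()

    # The GSB test server tracks hits with a trailing / on the URL
    hits = hits_map.get(hostname + "/", 0)
    if hits != 1:
        # Report the values this function actually has; the message used to
        # reference undefined names and failed with NameError instead.
        raise Exception("Expected %d Google Safe Browsing lookups for %s, found %d" % (1, hostname, hits))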
コード例 #8
ファイル: integration-test.py プロジェクト: afxcn/boulder
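def test_gsb_lookups():
    """Attempt issuance for a GSB-blocked domain, and expect it to fail. Also
       check the gsb-test-srv's count of received queries to ensure it got a
       request.

    Raises:
        Exception: if the test server did not record exactly one lookup for
            the hostname.
    """
    hostname = "honest.achmeds.discount.hosting.com"
    chisel.expect_problem("urn:acme:error:unauthorized",
        lambda: auth_and_issue([hostname]))

    # Close the HTTP response explicitly instead of leaving it to the
    # garbage collector.
    hits_response = urllib2.urlopen("http://localhost:6000/hits")
    try:
        hits_map = json.loads(hits_response.read())
    finally:
        hits_response.close()

    # The GSB test server tracks hits with a trailing / on the URL
    hits = hits_map.get(hostname + "/", 0)
    if hits != 1:
        # Report the values this function actually has; the message used to
        # reference undefined names and failed with NameError instead.
        raise Exception("Expected %d Google Safe Browsing lookups for %s, found %d" % (1, hostname, hits))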
コード例 #9
ファイル: integration-test.py プロジェクト: jithinraj/boulder
def test_caa():
    """Check CAA enforcement for a permitted name, a forbidden name, and names
       whose CAA policy restricts the validation method.

    Raises an Exception when ``caa_authzs`` is empty or when one of its
    authorizations does not answer with HTTP 200.
    """
    global caa_client

    if len(caa_authzs) < 1:
        raise Exception("CAA authzs not prepared for test_caa")
    for authz in caa_authzs:
        status = requests.get(authz.uri).status_code
        if status != 200:
            raise Exception("Unexpected response for CAA authz: ", status)

    # Issuance for the permitted name should go through.
    auth_and_issue(["good-caa-reserved.com"])

    # Finalizing with the previously prepared authorizations (per the original
    # comment, for recheck.good-caa-reserved.com) should now be denied by CAA.
    chisel.expect_problem("urn:acme:error:caa",
                          lambda: chisel.issue(caa_client, caa_authzs))

    # So should a fresh request for the forbidden name.
    chisel.expect_problem("urn:acme:error:caa",
                          lambda: auth_and_issue(["bad-caa-reserved.com"]))

    # TODO(@4a6f656c): Once the `CAAValidationMethods` feature flag is enabled by
    # default, remove this early return.
    if not default_config_dir.startswith("test/config-next"):
        return

    # Validating with a challenge type other than the one in the name's label
    # must be refused.
    refused = (
        ("dns-01-only.good-caa-reserved.com", "http-01"),
        ("http-01-only.good-caa-reserved.com", "dns-01"),
    )
    for name, wrong_type in refused:
        chisel.expect_problem(
            "urn:acme:error:caa",
            lambda name=name, wrong_type=wrong_type: auth_and_issue(
                [name], chall_type=wrong_type))

    # Note: the additional names are to avoid rate limiting...
    allowed = (
        (["dns-01-only.good-caa-reserved.com",
          "www.dns-01-only.good-caa-reserved.com"], "dns-01"),
        (["http-01-only.good-caa-reserved.com",
          "www.http-01-only.good-caa-reserved.com"], "http-01"),
        (["dns-01-or-http-01.good-caa-reserved.com",
          "dns-01-only.good-caa-reserved.com"], "dns-01"),
        (["dns-01-or-http-01.good-caa-reserved.com",
          "http-01-only.good-caa-reserved.com"], "http-01"),
    )
    for names, matching_type in allowed:
        auth_and_issue(names, chall_type=matching_type)
コード例 #10
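def test_http_challenge_loop_redirect():
    """Expect HTTP-01 validation to fail when the challenge URL redirects to
    itself.

    The redirect is removed again even when the expectation fails, so a
    failing run does not leave the redirect in place for later tests.
    """
    client = chisel.make_client()

    # Create an authz for a random domain and get its HTTP-01 challenge token
    d, chall = rand_http_chall(client)
    token = chall.encode("token")

    # Create a HTTP redirect from the challenge's validation path to itself
    challengePath = "/.well-known/acme-challenge/{0}".format(token)
    add_http_redirect(challengePath, "http://{0}{1}".format(d, challengePath))

    try:
        # Issuing for the name should fail because of the challenge domain's
        # redirect loop.
        chisel.expect_problem(
            "urn:acme:error:connection",
            lambda: auth_and_issue([d], client=client, chall_type="http-01"))
    finally:
        remove_http_redirect(challengePath)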
コード例 #11
def test_http_challenge_timeout():
    """
    Check that the VA gives up on challenge requests to a slow HTTP server
    within the expected time.
    """
    # NOTE(@cpu): The pebble-challtestsrv binds 10.77.77.77:5002 for HTTP-01
    # challenges, so the throw-away server for this test listens on
    # 10.88.88.88 instead and a mock DNS entry directs the VA to it.
    slow_address = '10.88.88.88'

    # Run a simple Python HTTP server on port 5002 in its own thread.
    httpd = SlowHTTPServer((slow_address, 5002), SlowHTTPRequestHandler)
    server_thread = threading.Thread(target=httpd.serve_forever)
    server_thread.daemon = False
    server_thread.start()

    # Random domain with an A record pointing at the interface the server
    # above is bound to.
    hostname = random_domain()
    challSrv.add_a_record(hostname, [slow_address])

    def validate_against_slow_server():
        return auth_and_issue([hostname], chall_type="http-01")

    started = datetime.datetime.utcnow()
    finished = 0

    try:
        # A connection (timeout) problem is the expected outcome.
        chisel.expect_problem("urn:acme:error:connection",
                              validate_against_slow_server)
        finished = datetime.datetime.utcnow()
    finally:
        # Stop the HTTP server gracefully and wait for its thread.
        httpd.shutdown()
        httpd.server_close()
        server_thread.join()

    elapsed = (finished - started).total_seconds()
    # RA->VA timeout plus some padding (per the original comment the timeout
    # is 20s, and 2s of padding gives 22s).
    expectedDuration = 22
    if elapsed == 0 or elapsed > expectedDuration:
        raise Exception(
            "expected timeout to occur in under {0} seconds. Took {1}".format(
                expectedDuration, elapsed))
コード例 #12
ファイル: integration-test.py プロジェクト: rabdill/boulder
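def test_gsb_lookups():
    """Attempt issuance for a GSB-blocked domain, and expect it to fail. Also
       check the gsb-test-srv's count of received queries to ensure it got a
       request.

    Raises:
        Exception: if the test server did not record exactly one lookup for
            the hostname.
    """
    # TODO(jsha): Once gsbv4 is enabled in both config and config-next, remove
    # this early return.
    if not default_config_dir.startswith("test/config-next"):
        return

    hostname = "honest.achmeds.discount.hosting.com"
    chisel.expect_problem("urn:acme:error:unauthorized",
        lambda: auth_and_issue([hostname]))

    # Close the HTTP response explicitly instead of leaving it to the
    # garbage collector.
    hits_response = urllib2.urlopen("http://localhost:6000/hits")
    try:
        hits_map = json.loads(hits_response.read())
    finally:
        hits_response.close()

    # The GSB test server tracks hits with a trailing / on the URL
    hits = hits_map.get(hostname + "/", 0)
    if hits != 1:
        # Raise a real exception (a bare string cannot be raised) and report
        # the values this function actually has; the message used to
        # reference undefined names.
        raise Exception("Expected %d Google Safe Browsing lookups for %s, found %d" % (1, hostname, hits))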
コード例 #13
ファイル: v1_integration.py プロジェクト: letsencrypt/boulder
def test_caa():
    """Check CAA enforcement for a permitted name, a forbidden name, and names
       whose CAA policy restricts the validation method or the account.

    Raises an Exception when ``caa_authzs`` is empty or when one of its
    authorizations does not answer with HTTP 200.
    """
    if len(caa_authzs) < 1:
        raise Exception("CAA authzs not prepared for test_caa")
    for authz in caa_authzs:
        status = requests.get(authz.uri).status_code
        if status != 200:
            raise Exception("Unexpected response for CAA authz: ", status)

    # Issuance for the permitted name should go through.
    auth_and_issue(["good-caa-reserved.com"])

    # Finalizing with the previously prepared authorizations (per the original
    # comment, for recheck.good-caa-reserved.com) should now be denied by CAA.
    def reuse_prepared_authzs():
        return chisel.issue(caa_client, caa_authzs)

    chisel.expect_problem("urn:acme:error:caa", reuse_prepared_authzs)

    # So should a fresh request for the forbidden name.
    def issue_forbidden_name():
        return auth_and_issue(["bad-caa-reserved.com"])

    chisel.expect_problem("urn:acme:error:caa", issue_forbidden_name)

    # TODO(@4a6f656c): Once the `CAAValidationMethods` feature flag is enabled by
    # default, remove this early return.
    if not CONFIG_NEXT:
        return

    # Validating with a challenge type other than the one in the name's label
    # must be refused.
    refused = (
        ("dns-01-only.good-caa-reserved.com", "http-01"),
        ("http-01-only.good-caa-reserved.com", "dns-01"),
    )
    for name, wrong_type in refused:
        chisel.expect_problem(
            "urn:acme:error:caa",
            lambda name=name, wrong_type=wrong_type: auth_and_issue(
                [name], chall_type=wrong_type))

    # Note: the additional names are to avoid rate limiting...
    allowed = (
        (["dns-01-only.good-caa-reserved.com",
          "www.dns-01-only.good-caa-reserved.com"], "dns-01"),
        (["http-01-only.good-caa-reserved.com",
          "www.http-01-only.good-caa-reserved.com"], "http-01"),
        (["dns-01-or-http-01.good-caa-reserved.com",
          "dns-01-only.good-caa-reserved.com"], "dns-01"),
        (["dns-01-or-http-01.good-caa-reserved.com",
          "http-01-only.good-caa-reserved.com"], "http-01"),
    )
    for names, matching_type in allowed:
        auth_and_issue(names, chall_type=matching_type)

    # CAA should fail with an arbitrary account, but succeed with the caa_client.
    account_bound_names = ["accounturi.good-caa-reserved.com"]
    chisel.expect_problem(
        "urn:acme:error:caa",
        lambda: auth_and_issue(["accounturi.good-caa-reserved.com"]))
    auth_and_issue(account_bound_names, client=caa_client)
コード例 #14
ファイル: integration-test.py プロジェクト: andygabby/boulder
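def test_http_challenge_loop_redirect():
    """Expect HTTP-01 validation to fail when the challenge URL redirects to
    itself.

    The redirect is removed from the challenge test server even when the
    expectation fails, so a failing run does not leave it in place for later
    tests.
    """
    client = chisel.make_client()

    # Create an authz for a random domain and get its HTTP-01 challenge token
    d, chall = rand_http_chall(client)
    token = chall.encode("token")

    # Create a HTTP redirect from the challenge's validation path to itself
    challengePath = "/.well-known/acme-challenge/{0}".format(token)
    challSrv.add_http_redirect(
        challengePath,
        "http://{0}{1}".format(d, challengePath))

    try:
        # Issuing for the name should fail because of the challenge domain's
        # redirect loop.
        chisel.expect_problem("urn:acme:error:connection",
            lambda: auth_and_issue([d], client=client, chall_type="http-01"))
    finally:
        challSrv.remove_http_redirect(challengePath)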
コード例 #15
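def test_http_challenge_badhost_redirect():
    """Expect HTTP-01 validation to fail when the challenge URL redirects to a
    bare IP address.

    This pins the validator's refusal to follow a redirect whose host is an
    IP literal (here the loopback address). The redirect is removed again
    even when the expectation fails, so it cannot leak into later tests.
    """
    client = chisel.make_client()

    # Create an authz for a random domain and get its HTTP-01 challenge token
    d, chall = rand_http_chall(client)
    token = chall.encode("token")

    # Create a HTTP redirect from the challenge's validation path to a bare IP
    # hostname.
    challengePath = "/.well-known/acme-challenge/{0}".format(token)
    add_http_redirect(challengePath,
                      "https://127.0.0.1{0}".format(challengePath))

    try:
        # Issuing for the name should cause a connection error because the
        # redirect domain name is an IP address.
        chisel.expect_problem(
            "urn:acme:error:connection",
            lambda: auth_and_issue([d], client=client, chall_type="http-01"))
    finally:
        remove_http_redirect(challengePath)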
コード例 #16
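def test_http_challenge_badhost_redirect():
    """Expect HTTP-01 validation to fail when the challenge URL redirects to a
    non-public hostname.

    This pins the validator's refusal to follow a redirect to a host outside
    the public DNS namespace (``example.lan``). The redirect is removed again
    even when the expectation fails, so it cannot leak into later tests.
    """
    client = chisel.make_client()

    # Create an authz for a random domain and get its HTTP-01 challenge token
    d, chall = rand_http_chall(client)
    token = chall.encode("token")

    # Create a HTTP redirect from the challenge's validation path to a
    # non public hostname.
    challengePath = "/.well-known/acme-challenge/{0}".format(token)
    challSrv.add_http_redirect(challengePath,
                               "https://example.lan{0}".format(challengePath))

    try:
        # Issuing for the name should cause a connection error because the
        # redirect domain name does not end in an IANA registered TLD.
        chisel.expect_problem(
            "urn:acme:error:connection",
            lambda: auth_and_issue([d], client=client, chall_type="http-01"))
    finally:
        challSrv.remove_http_redirect(challengePath)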
コード例 #17
ファイル: integration-test.py プロジェクト: andygabby/boulder
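def test_http_challenge_badhost_redirect():
    """Expect HTTP-01 validation to fail when the challenge URL redirects to a
    bare IP address.

    This pins the validator's refusal to follow a redirect whose host is an
    IP literal (here the loopback address). The redirect is removed from the
    challenge test server even when the expectation fails, so it cannot leak
    into later tests.
    """
    client = chisel.make_client()

    # Create an authz for a random domain and get its HTTP-01 challenge token
    d, chall = rand_http_chall(client)
    token = chall.encode("token")

    # Create a HTTP redirect from the challenge's validation path to a bare IP
    # hostname.
    challengePath = "/.well-known/acme-challenge/{0}".format(token)
    challSrv.add_http_redirect(
        challengePath,
        "https://127.0.0.1{0}".format(challengePath))

    try:
        # Issuing for the name should cause a connection error because the
        # redirect domain name is an IP address.
        chisel.expect_problem("urn:acme:error:connection",
            lambda: auth_and_issue([d], client=client, chall_type="http-01"))
    finally:
        challSrv.remove_http_redirect(challengePath)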
コード例 #18
ファイル: integration-test.py プロジェクト: andygabby/boulder
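def test_http_challenge_badproto_redirect():
    """Expect HTTP-01 validation to fail when the challenge URL redirects to a
    URL whose scheme is neither http nor https.

    The redirect is removed from the challenge test server even when the
    expectation fails, so it cannot leak into later tests.
    """
    client = chisel.make_client()

    # Create an authz for a random domain and get its HTTP-01 challenge token
    d, chall = rand_http_chall(client)
    token = chall.encode("token")

    # Create a HTTP redirect from the challenge's validation path to a
    # non-http/https protocol URL.
    challengePath = "/.well-known/acme-challenge/{0}".format(token)
    challSrv.add_http_redirect(
        challengePath,
        "gopher://{0}{1}".format(d, challengePath))

    try:
        # Issuing for the name should cause a connection error because the
        # redirect URL has an invalid protocol scheme.
        chisel.expect_problem("urn:acme:error:connection",
            lambda: auth_and_issue([d], client=client, chall_type="http-01"))
    finally:
        challSrv.remove_http_redirect(challengePath)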
コード例 #19
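def test_http_challenge_badproto_redirect():
    """Expect HTTP-01 validation to fail when the challenge URL redirects to a
    URL whose scheme is neither http nor https.

    The redirect is removed again even when the expectation fails, so it
    cannot leak into later tests.
    """
    client = chisel.make_client()

    # Create an authz for a random domain and get its HTTP-01 challenge token
    d, chall = rand_http_chall(client)
    token = chall.encode("token")

    # Create a HTTP redirect from the challenge's validation path to a
    # non-http/https protocol URL.
    challengePath = "/.well-known/acme-challenge/{0}".format(token)
    add_http_redirect(challengePath,
                      "gopher://{0}{1}".format(d, challengePath))

    try:
        # Issuing for the name should cause a connection error because the
        # redirect URL has an invalid protocol scheme.
        chisel.expect_problem(
            "urn:acme:error:connection",
            lambda: auth_and_issue([d], client=client, chall_type="http-01"))
    finally:
        remove_http_redirect(challengePath)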
コード例 #20
ファイル: v1_integration.py プロジェクト: letsencrypt/boulder
def test_http_challenge_timeout():
    """
    Check that the VA gives up on challenge requests to a slow HTTP server
    within the expected time.
    """
    # NOTE(@cpu): The pebble-challtestsrv binds 10.77.77.77:5002 for HTTP-01
    # challenges, so the throw-away server for this test listens on
    # 10.88.88.88 instead and a mock DNS entry directs the VA to it.
    slow_address = '10.88.88.88'

    # Run a simple Python HTTP server on port 5002 in its own thread.
    httpd = HTTPServer((slow_address, 5002), SlowHTTPRequestHandler)
    server_thread = threading.Thread(target=httpd.serve_forever)
    server_thread.daemon = False
    server_thread.start()

    # Random domain with an A record pointing at the interface the server
    # above is bound to.
    hostname = random_domain()
    challSrv.add_a_record(hostname, [slow_address])

    def validate_against_slow_server():
        return auth_and_issue([hostname], chall_type="http-01")

    started = datetime.datetime.utcnow()
    finished = 0

    try:
        # A connection (timeout) problem is the expected outcome.
        chisel.expect_problem("urn:acme:error:connection",
                              validate_against_slow_server)
        finished = datetime.datetime.utcnow()
    finally:
        # Stop the HTTP server gracefully and wait for its thread.
        httpd.shutdown()
        httpd.server_close()
        server_thread.join()

    elapsed = (finished - started).total_seconds()
    # RA->VA timeout plus some padding (per the original comment the timeout
    # is 20s, and 2s of padding gives 22s).
    expectedDuration = 22
    if elapsed == 0 or elapsed > expectedDuration:
        raise Exception(
            "expected timeout to occur in under {0} seconds. Took {1}".format(
                expectedDuration, elapsed))
コード例 #21
ファイル: v1_integration.py プロジェクト: yuriks/boulder
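def test_caa_extensions():
    """Check the ``accounturi`` and ``validationmethods`` CAA parameters.

    CAA ``issue`` records naming ``goodCAA`` are published with an
    ``accounturi`` bound to a freshly made client and with
    ``validationmethods`` restrictions. When ``CONFIG_NEXT`` is set, issuance
    must be refused with ``urn:acme:error:caa`` for a challenge type or
    account the record does not allow, and succeed otherwise.
    """
    goodCAA = "happy-hacker-ca.invalid"

    # Held in one variable so the CAA record and the issuance requests cannot
    # drift apart in spelling. The record used to be published under
    # "dns-01-or-http01..." (no second hyphen) while issuance asked for
    # "dns-01-or-http-01...", so the combined validationmethods policy was
    # never attached to the name actually being tested.
    eitherMethodDomain = "dns-01-or-http-01.good-caa-reserved.com"

    client = chisel.make_client()
    caa_account_uri = client.account.uri
    caa_records = [
        {"domain": "accounturi.good-caa-reserved.com", "value":"{0}; accounturi={1}".format(goodCAA, caa_account_uri)},
        {"domain": "dns-01-only.good-caa-reserved.com", "value": "{0}; validationmethods=dns-01".format(goodCAA)},
        {"domain": "http-01-only.good-caa-reserved.com", "value": "{0}; validationmethods=http-01".format(goodCAA)},
        {"domain": eitherMethodDomain, "value": "{0}; validationmethods=dns-01,http-01".format(goodCAA)},
    ]
    for policy in caa_records:
        challSrv.add_caa_issue(policy["domain"], policy["value"])

    # TODO(@4a6f656c): Once the `CAAValidationMethods` feature flag is enabled by
    # default, remove this early return.
    if not CONFIG_NEXT:
        return

    # A challenge type the record does not list must be refused.
    chisel.expect_problem("urn:acme:error:caa",
        lambda: auth_and_issue(["dns-01-only.good-caa-reserved.com"], chall_type="http-01"))

    chisel.expect_problem("urn:acme:error:caa",
        lambda: auth_and_issue(["http-01-only.good-caa-reserved.com"], chall_type="dns-01"))

    # Note: the additional names are to avoid rate limiting...
    auth_and_issue(["dns-01-only.good-caa-reserved.com", "www.dns-01-only.good-caa-reserved.com"], chall_type="dns-01")
    auth_and_issue(["http-01-only.good-caa-reserved.com", "www.http-01-only.good-caa-reserved.com"], chall_type="http-01")
    auth_and_issue([eitherMethodDomain, "dns-01-only.good-caa-reserved.com"], chall_type="dns-01")
    auth_and_issue([eitherMethodDomain, "http-01-only.good-caa-reserved.com"], chall_type="http-01")

    # CAA should fail with an arbitrary account, but succeed with the CAA client.
    chisel.expect_problem("urn:acme:error:caa", lambda: auth_and_issue(["accounturi.good-caa-reserved.com"]))
    auth_and_issue(["accounturi.good-caa-reserved.com"], client=client)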
コード例 #22
def test_certificates_per_name():
    """Expect issuance for "lim.it" to be refused with a rateLimited problem."""
    def issue_limited_name():
        return auth_and_issue(["lim.it"])

    chisel.expect_problem("urn:acme:error:rateLimited", issue_limited_name)
コード例 #23
def test_caa():
    """Issue for one CAA domain where we are permitted, then expect a CAA
    problem for one where we are not."""
    permitted_names = ["good-caa-reserved.com"]
    auth_and_issue(permitted_names)

    def issue_forbidden_name():
        return auth_and_issue(["bad-caa-reserved.com"])

    chisel.expect_problem("urn:acme:error:caa", issue_forbidden_name)
コード例 #24
def test_caa_reject():
    """Expect a CAA problem for a random domain whose CAA issue record is set
    to "sad-hacker-ca.invalid"."""
    name = random_domain()
    challSrv.add_caa_issue(name, "sad-hacker-ca.invalid")

    def issue_for_name():
        return auth_and_issue([name])

    chisel.expect_problem("urn:acme:error:caa", issue_for_name)