def test_801_009(self): assert TestEnv.apache_stop() == 0 md = TestStapling.mdA domains = [md] testpath = os.path.join(TestEnv.GEN_DIR, 'test_801_009') # cert that is 30 more days valid CertUtil.create_self_signed_cert(domains, { "notBefore": -60, "notAfter": 30 }, serial=801009, path=testpath) cert_file = os.path.join(testpath, 'pubcert.pem') pkey_file = os.path.join(testpath, 'privkey.pem') assert os.path.exists(cert_file) assert os.path.exists(pkey_file) conf = HttpdConf() conf.add_admin("*****@*****.**") conf.start_md(domains) conf.add_line("MDCertificateFile %s" % (cert_file)) conf.add_line("MDCertificateKeyFile %s" % (pkey_file)) conf.add_line("MDStapling on") conf.end_md() conf.add_vhost(md) conf.install() assert TestEnv.apache_restart() == 0 time.sleep(1) stat = TestEnv.get_ocsp_status(md) assert stat['ocsp'] == "no response sent"
def test_920_002(self): # simple MD, drive it, manipulate staged credentials and check status domain = self.test_domain dnsList = [ domain ] conf = HttpdConf() conf.add_admin( "*****@*****.**" ) conf.add_md( dnsList ) conf.add_vhost( TestEnv.HTTPS_PORT, domain, aliasList=[]) conf.install() assert TestEnv.apache_restart() == 0 assert TestEnv.await_completion( [ domain ], restart=False ) # copy a real certificate from LE over to staging staged_cert = os.path.join(TestEnv.STORE_DIR, 'staging', domain, 'pubcert.pem') real_cert = os.path.join('data', 'test_920', '002.pubcert') assert copyfile(real_cert, staged_cert) == None status = TestEnv.get_certificate_status( domain ) # status shows the copied cert's properties as staged assert 'renewal' in status assert 'Thu, 29 Aug 2019 16:06:35 GMT' == status['renewal']['valid-until'] assert 'Fri, 31 May 2019 16:06:35 GMT' == status['renewal']['valid-from'] assert '03039C464D454EDE79FCD2CAE859F668F269' == status['renewal']['serial'] assert 'sha256-fingerprint' in status['renewal'] assert len(status['renewal']['scts']) == 2 assert status['renewal']['scts'][0]['logid'] == '747eda8331ad331091219cce254f4270c2bffd5e422008c6373579e6107bcc56' assert status['renewal']['scts'][0]['signed'] == 'Fri, 31 May 2019 17:06:35 GMT' assert status['renewal']['scts'][1]['logid'] == '293c519654c83965baaa50fc5807d4b76fbf587a2972dca4c30cf4e54547f478' assert status['renewal']['scts'][1]['signed'] == 'Fri, 31 May 2019 17:06:35 GMT'
def test_310_112(self): HttpdConf(text=""" MDRenewMode always MDomain testdomain.org www.testdomain.org mail.testdomain.org """).install() assert TestEnv.apache_restart() == 0 assert TestEnv.a2md(["list"])['jout']['output'][0]['renew-mode'] == 2
def test_720_005(self): dns01cmd = ("%s/dns01.py" % TestEnv.TESTROOT) domain = self.test_domain domain2 = "www.x" + domain dnsList = [domain, "*." + domain, domain2] conf = HttpdConf() conf.add_admin("*****@*****.**") conf.add_ca_challenges(["dns-01"]) conf.add_dns01_cmd(dns01cmd) conf.add_md(dnsList) conf.add_vhost(TestEnv.HTTPS_PORT, domain2, aliasList=[]) conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[dnsList[1]]) conf.install() # restart, check that md is in store assert TestEnv.apache_restart() == 0 TestEnv.check_md(domain, dnsList) # await drive completion assert TestEnv.await_completion([domain]) TestEnv.check_md_complete(domain) # check: SSL is running OK certA = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, domain) altnames = certA.get_san_list() for domain in dnsList: assert domain in altnames
def test_500_201(self, renewWindow, testDataList): # test case: trigger cert renew when entering renew window # setup: prepare COMPLETE md domain = "test500-201-" + TestDrive.dns_uniq name = "www." + domain conf = HttpdConf(TestDrive.TMP_CONF) conf.add_admin("admin@" + domain) conf.add_drive_mode("manual") conf.add_renew_window(renewWindow) conf.add_md([name]) conf.install() assert TestEnv.apache_restart() == 0 assert TestEnv.a2md( ["list", name])['jout']['output'][0]['state'] == TestEnv.MD_S_INCOMPLETE # setup: drive it assert TestEnv.a2md(["drive", name])['rv'] == 0 cert1 = CertUtil(TestEnv.path_domain_pubcert(name)) assert TestEnv.a2md( ["list", name])['jout']['output'][0]['state'] == TestEnv.MD_S_COMPLETE # replace cert by self-signed one -> check md status print "TRACE: start testing renew window: %s" % renewWindow for tc in testDataList: print "TRACE: create self-signed cert: %s" % tc["valid"] CertUtil.create_self_signed_cert([name], tc["valid"]) cert2 = CertUtil(TestEnv.path_domain_pubcert(name)) assert cert2.get_serial() != cert1.get_serial() md = TestEnv.a2md(["list", name])['jout']['output'][0] assert md["renew"] == tc["renew"], \ "Expected renew == {} indicator in {}, test case {}".format(tc["renew"], md, tc)
def test_920_001(self): # simple MD, drive it, check status before activation domain = self.test_domain dnsList = [ domain ] conf = HttpdConf() conf.add_admin( "*****@*****.**" ) conf.add_md( dnsList ) conf.add_vhost( TestEnv.HTTPS_PORT, domain, aliasList=[]) conf.install() assert TestEnv.apache_restart() == 0 assert TestEnv.await_completion( [ domain ], restart=False ) # we started without a valid certificate, so we expect /.httpd/certificate-status # to not give information about one and - since we waited for the ACME signup # to complete - to give information in 'renewal' about the new cert. status = TestEnv.get_certificate_status( domain ) assert not 'sha256-fingerprint' in status assert not 'valid-until' in status assert not 'valid-from' in status assert 'renewal' in status assert 'valid-until' in status['renewal'] assert 'valid-from' in status['renewal'] assert 'sha256-fingerprint' in status['renewal'] # restart and activate # once activated, the staging must be gone and attributes exist for the active cert assert TestEnv.apache_restart() == 0 status = TestEnv.get_certificate_status( domain ) assert not 'renewal' in status assert 'sha256-fingerprint' in status assert 'valid-until' in status assert 'valid-from' in status
def test_310_205(self): name = "testdomain.org" HttpdConf(text=""" ServerAdmin mailto:[email protected] MDomain testdomain.org www.testdomain.org mail.testdomain.org """).install() assert TestEnv.apache_restart() == 0 # setup: sync with admin info removed HttpdConf(text=""" MDomain testdomain.org www.testdomain.org mail.testdomain.org """).install() assert TestEnv.apache_restart() == 0 # check: md stays the same with previous admin info TestEnv.check_md([name, "www.testdomain.org", "mail.testdomain.org"], state=1, contacts=["mailto:[email protected]"])
def test_720_006(self): dns01cmd = ("%s/dns01.py" % TestEnv.TESTROOT) domain = self.test_domain dwild = "*." + domain domain2 = "www." + domain domains = [domain, dwild, domain2] conf = HttpdConf() conf.add_admin("*****@*****.**") conf.add_ca_challenges(["dns-01"]) conf.add_dns01_cmd(dns01cmd) conf.add_md(domains) conf.add_vhost(domain2) conf.add_vhost([domain, dwild]) conf.install() # restart, check that md is in store assert TestEnv.apache_restart() == 0 TestEnv.check_md(domains) # await drive completion assert TestEnv.await_completion([domain]) TestEnv.check_md_complete(domain) # check: SSL is running OK certA = TestEnv.get_cert(domain) altnames = certA.get_san_list() for domain in [domain, dwild]: assert domain in altnames
def test_700_003(self): # generate 1 MD and 2 vhosts domain = self.test_domain nameA = "a." + domain nameB = "b." + domain dns_list = [ domain, nameA, nameB ] conf = HttpdConf() conf.add_admin( "admin@" + domain ) conf.add_md( dns_list ) conf.add_vhost( TestEnv.HTTPS_PORT, nameA, aliasList=[], docRoot="htdocs/a") conf.add_vhost( TestEnv.HTTPS_PORT, nameB, aliasList=[], docRoot="htdocs/b") conf.install() # create docRoot folder self._write_res_file( os.path.join(TestEnv.APACHE_HTDOCS_DIR, "a"), "name.txt", nameA ) self._write_res_file( os.path.join(TestEnv.APACHE_HTDOCS_DIR, "b"), "name.txt", nameB ) # restart (-> drive), check that MD was synched and completes assert TestEnv.apache_restart() == 0 TestEnv.check_md( domain, dns_list ) assert TestEnv.await_completion( [ domain, nameA, nameB ] ) TestEnv.check_md_complete(domain) # check: SSL is running OK certA = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameA) assert nameA in certA.get_san_list() certB = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameB) assert nameB in certB.get_san_list() assert certA.get_serial() == certB.get_serial() assert TestEnv.get_content( nameA, "/name.txt" ) == nameA assert TestEnv.get_content( nameB, "/name.txt" ) == nameB
def test_310_107(self): HttpdConf(text=""" MDomain testdomain.org www.testdomain.org mail.testdomain.org MDomain testdomain2.org www.testdomain2.org mail.testdomain2.org <VirtualHost *:12346> ServerName testdomain.org ServerAlias www.testdomain.org ServerAdmin mailto:[email protected] </VirtualHost> <VirtualHost *:12346> ServerName testdomain2.org ServerAlias www.testdomain2.org ServerAdmin mailto:[email protected] </VirtualHost> """).install() assert TestEnv.apache_restart() == 0 name1 = "testdomain.org" name2 = "testdomain2.org" TestEnv.check_md([name1, "www." + name1, "mail." + name1], state=1, contacts=["mailto:admin@" + name1]) TestEnv.check_md([name2, "www." + name2, "mail." + name2], state=1, contacts=["mailto:admin@" + name2])
def test_700_005(self): # generate 1 MD and 1 vhost domain = self.test_domain nameA = "a." + domain dns_list = [ domain, nameA ] conf = HttpdConf() conf.add_admin( "admin@" + domain ) conf.add_drive_mode( "manual" ) conf.add_md( dns_list ) conf.add_vhost( TestEnv.HTTPS_PORT, nameA, aliasList=[], docRoot="htdocs/a") conf.install() # create docRoot folder self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR, "a"), "name.txt", nameA) # restart, check that md is in store assert TestEnv.apache_restart() == 0 TestEnv.check_md(domain, dns_list) assert TestEnv.await_renew_state( [ domain ] ) # check: that request to domains give 503 Service Unavailable cert1 = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameA) assert nameA in cert1.get_san_list() assert TestEnv.getStatus(nameA, "/name.txt") == 503 # check temporary cert from server cert2 = CertUtil( TestEnv.path_fallback_cert( domain ) ) assert cert1.get_serial() == cert2.get_serial(), \ "Unexpected temporary certificate on vhost %s. Expected cn: %s , but found cn: %s" % ( nameA, cert2.get_cn(), cert1.get_cn() )
def test_700_006(self): # generate 1 MD, 1 vhost domain = self.test_domain nameA = "a." + domain dns_list = [ domain, nameA ] conf = HttpdConf() conf.add_admin( "admin@" + domain ) conf.add_ca_challenges([ "invalid-01", "invalid-02" ]) conf.add_md( dns_list ) conf.add_vhost( TestEnv.HTTPS_PORT, nameA, aliasList=[], docRoot="htdocs/a") conf.install() # create docRoot folder self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR, "a"), "name.txt", nameA) # restart, check that md is in store assert TestEnv.apache_restart() == 0 # await drive completion md = TestEnv.await_error(domain) assert md assert md['renewal']['errors'] > 0 assert md['renewal']['last']['problem'] == 'challenge-mismatch' assert 'account' not in md['ca'] # check: that request to domains give 503 Service Unavailable cert = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameA) assert nameA in cert.get_san_list() assert TestEnv.getStatus(nameA, "/name.txt") == 503
def test_901_010(self): # MD with static cert files, lifetime in renewal window, no message about renewal domain = self.test_domain domains = [domain, 'www.%s' % domain] testpath = os.path.join(TestEnv.GEN_DIR, 'test_901_010') # cert that is only 10 more days valid CertUtil.create_self_signed_cert(domains, { "notBefore": -70, "notAfter": 20 }, serial=901010, path=testpath) cert_file = os.path.join(testpath, 'pubcert.pem') pkey_file = os.path.join(testpath, 'privkey.pem') assert os.path.exists(cert_file) assert os.path.exists(pkey_file) conf = HttpdConf() conf.add_admin("*****@*****.**") conf.add_message_cmd("%s %s" % (self.mcmd, self.mlog)) conf.start_md(domains) conf.add_line("MDCertificateFile %s" % (cert_file)) conf.add_line("MDCertificateKeyFile %s" % (pkey_file)) conf.end_md() conf.add_vhost(domain) conf.install() assert TestEnv.apache_restart() == 0 assert not os.path.isfile(self.mlog)
def test_7002(self): domainA = ("%sa-" % self.test_n) + TestAuto.dns_uniq domainB = ("%sb-" % self.test_n) + TestAuto.dns_uniq # generate config with two MDs dnsListA = [ domainA, "www." + domainA ] dnsListB = [ domainB, "www." + domainB ] conf = HttpdConf( TestAuto.TMP_CONF ) conf.add_admin( "*****@*****.**" ) conf.add_drive_mode( "auto" ) conf.add_md( dnsListA ) conf.add_md( dnsListB ) conf.add_vhost( TestEnv.HTTPS_PORT, domainA, aliasList=[ dnsListA[1] ], withSSL=True ) conf.add_vhost( TestEnv.HTTPS_PORT, domainB, aliasList=[ dnsListB[1] ], withSSL=True ) conf.install() # restart, check that md is in store assert TestEnv.apache_restart() == 0 self._check_md_names( domainA, dnsListA ) self._check_md_names( domainB, dnsListB ) # await drive completion assert TestEnv.await_completion( [ domainA, domainB ], 30 ) self._check_md_cert(dnsListA) self._check_md_cert(dnsListB) # check: SSL is running OK certA = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, domainA) assert dnsListA == certA.get_san_list() certB = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, domainB) assert dnsListB == certB.get_san_list()
def test_7006(self): domain = self.test_domain nameA = "test-a." + domain dns_list = [ domain, nameA ] # generate 1 MD, 1 vhost conf = HttpdConf( TestAuto.TMP_CONF ) conf.add_admin( "admin@" + domain ) conf.add_ca_challenges([ "invalid-01", "invalid-02" ]) conf.add_md( dns_list ) conf.add_vhost( TestEnv.HTTPS_PORT, nameA, aliasList=[], docRoot="htdocs/a", withSSL=True, certPath=TestEnv.path_domain_pubcert( domain ), keyPath=TestEnv.path_domain_privkey( domain ) ) conf.install() # create docRoot folder self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR, "a"), "name.txt", nameA) # restart, check that md is in store assert TestEnv.apache_restart() == 0 self._check_md_names(domain, dns_list) time.sleep( 2 ) # assert drive did not start md = TestEnv.a2md([ "-j", "list", domain ])['jout']['output'][0] assert md['state'] == TestEnv.MD_S_INCOMPLETE assert 'account' not in md['ca'] assert TestEnv.apache_err_scan( re.compile('.*\[md:warn\].*the server offers no ACME challenge that is configured for this MD') ) # check: that request to domains give 503 Service Unavailable cert = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameA) assert nameA in cert.get_san_list() assert TestEnv.getStatus(nameA, "/name.txt") == 503
def test_600_000(self): # test case: generate config with md -> restart -> drive -> generate config # with vhost and ssl -> restart -> check HTTPS access domain = "r000-" + TestRoundtrip.dns_uniq dnsList = [domain, "www." + domain] # - generate config with one md conf = HttpdConf(TestRoundtrip.TMP_CONF, True) conf.add_admin("admin@" + domain) conf.add_drive_mode("manual") conf.add_md(dnsList) conf.install() # - restart, check that md is in store assert TestEnv.apache_restart() == 0 self._check_md_names(domain, dnsList) # - drive assert TestEnv.a2md(["-v", "drive", domain])['rv'] == 0 self._check_md_cert(dnsList) # - append vhost to config conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[dnsList[1]], withSSL=True) conf.install() assert TestEnv.apache_restart() == 0 # check: SSL is running OK cert = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, domain) assert domain in cert.get_san_list() # check file system permissions: TestEnv.check_file_permissions(domain)
def test_710_001(self): domain = self.test_domain # use ACMEv1 initially TestEnv.set_acme('acmev1') # generate config with one MD, restart, gets cert domains = [ domain, "www." + domain ] conf = HttpdConf() conf.add_admin( "admin@" + domain ) conf.add_md( domains ) conf.add_vhost(domains) conf.install() assert TestEnv.apache_restart() == 0 assert TestEnv.await_completion([ domain ] ) TestEnv.check_md_complete(domain) cert1 = TestEnv.get_cert(domain) assert domain in cert1.get_san_list() # use ACMEv2 now for everything TestEnv.set_acme('acmev2') conf = HttpdConf() conf.add_admin( "admin@" + domain ) conf.add_md( domains ) conf.add_vhost(domains) conf.install() # restart, gets cert, should still be the same cert as it remains valid assert TestEnv.apache_restart() == 0 status = TestEnv.get_certificate_status( domain ) assert status['serial'] == cert1.get_serial() # change the MD so that we need a new cert domains = [ domain, "www." + domain, "another." + domain ] conf = HttpdConf() conf.add_admin( "admin@" + domain ) conf.add_md( domains ) conf.add_vhost(domains) conf.install() assert TestEnv.apache_restart() == 0 assert TestEnv.await_completion([ domain ] ) # should no longer the same cert status = TestEnv.get_certificate_status( domain ) assert status['serial'] != cert1.get_serial() TestEnv.check_md_complete(domain) # should have a 2 accounts now assert 2 == len(TestEnv.list_accounts())
def test_8003(self): domain = self.test_domain dns_list = [domain] conf = HttpdConf(TestAuto.TMP_CONF) conf.add_admin("admin@" + domain) conf.add_must_staple("on") conf.add_md(dns_list) conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[], withSSL=True) conf.install() assert TestEnv.apache_restart() == 0 assert TestEnv.await_completion([domain]) assert TestEnv.apache_restart() == 0 self._check_md_cert(dns_list) cert1 = CertUtil(TestEnv.path_domain_pubcert(domain)) assert cert1.get_must_staple() # toggle MDMustStaple off, expect a cert that has it disabled conf = HttpdConf(TestAuto.TMP_CONF) conf.add_admin("admin@" + domain) conf.add_must_staple("off") conf.add_md(dns_list) conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[], withSSL=True) conf.install() assert TestEnv.apache_restart() == 0 assert TestEnv.await_completion([domain]) assert TestEnv.apache_restart() == 0 self._check_md_cert(dns_list) cert1 = CertUtil(TestEnv.path_domain_pubcert(domain)) assert not cert1.get_must_staple() # toggle MDMustStaple on again, expect a cert that has it enabled conf = HttpdConf(TestAuto.TMP_CONF) conf.add_admin("admin@" + domain) conf.add_must_staple("on") conf.add_md(dns_list) conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[], withSSL=True) conf.install() assert TestEnv.apache_restart() == 0 assert TestEnv.await_completion([domain]) assert TestEnv.apache_restart() == 0 self._check_md_cert(dns_list) cert1 = CertUtil(TestEnv.path_domain_pubcert(domain)) assert cert1.get_must_staple()
def test_8003(self): domain = self.test_domain dns_list = [domain] conf = HttpdConf() conf.add_admin("admin@" + domain) conf.add_must_staple("on") conf.add_md(dns_list) conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[]) conf.install() assert TestEnv.apache_restart() == 0 assert TestEnv.await_completion([domain]) assert TestEnv.apache_restart() == 0 TestEnv.check_md_complete(domain) cert1 = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem')) assert cert1.get_must_staple() # toggle MDMustStaple off, expect a cert that has it disabled conf = HttpdConf() conf.add_admin("admin@" + domain) conf.add_must_staple("off") conf.add_md(dns_list) conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[]) conf.install() assert TestEnv.apache_restart() == 0 assert TestEnv.await_completion([domain]) assert TestEnv.apache_restart() == 0 TestEnv.check_md_complete(domain) cert1 = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem')) assert not cert1.get_must_staple() # toggle MDMustStaple on again, expect a cert that has it enabled conf = HttpdConf() conf.add_admin("admin@" + domain) conf.add_must_staple("on") conf.add_md(dns_list) conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[]) conf.install() assert TestEnv.apache_restart() == 0 assert TestEnv.await_completion([domain]) assert TestEnv.apache_restart() == 0 TestEnv.check_md_complete(domain) cert1 = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem')) assert cert1.get_must_staple()
def test_310_114(self): HttpdConf(text=""" MDCAChallenges http-01 MDomain testdomain.org www.testdomain.org mail.testdomain.org """).install() assert TestEnv.apache_restart() == 0 assert TestEnv.a2md( ["list"])['jout']['output'][0]['ca']['challenges'] == ['http-01']
def test_310_113b(self): HttpdConf(text=""" MDRenewWindow 10% MDomain testdomain.org www.testdomain.org mail.testdomain.org """).install() assert TestEnv.apache_restart() == 0 assert TestEnv.a2md(["list" ])['jout']['output'][0]['renew-window'] == '10%'
def test_310_108(self): HttpdConf(text=""" MDomain testdomain.org WWW.testdomain.org MAIL.testdomain.org """).install() assert TestEnv.apache_restart() == 0 TestEnv.check_md( ["testdomain.org", "www.testdomain.org", "mail.testdomain.org"], state=1)
def test_310_121(self): HttpdConf(text=""" MDomain testdomain.org www.testdomain.org mail.testdomain.org MDRequireHttps temporary """).install() assert TestEnv.apache_restart() == 0 assert TestEnv.a2md( ["list"])['jout']['output'][0]['require-https'] == "temporary"
def test_300_005(self): HttpdConf(text=""" MDomain not-forbidden.org www.not-forbidden.org mail.not-forbidden.org test3.not-forbidden.org <VirtualHost *:12346> MDomain example2.org www.example2.org www.example3.org </VirtualHost> """).install() assert TestEnv.apache_restart() == 0
def test_310_122(self): HttpdConf(text=""" MDomain testdomain.org www.testdomain.org mail.testdomain.org MDMustStaple on """).install() assert TestEnv.apache_restart() == 0 assert TestEnv.a2md(["list" ])['jout']['output'][0]['must-staple'] == True
def test_702_031(self): domain = self.test_domain nameX = "test-x." + domain nameA = "test-a." + domain nameB = "test-b." + domain nameC = "test-c." + domain domains = [nameX, nameA, nameB] # # generate 1 MD and 2 vhosts conf = HttpdConf() conf.add_admin("admin@" + domain) conf.add_md(domains) conf.add_vhost(nameA) conf.add_vhost(nameB) conf.install() # # restart (-> drive), check that MD was synched and completes assert TestEnv.apache_restart() == 0 TestEnv.check_md(domains) assert TestEnv.await_completion([nameX]) TestEnv.check_md_complete(nameX) # # check: SSL is running OK certA = TestEnv.get_cert(nameA) assert nameA in certA.get_san_list() certB = TestEnv.get_cert(nameB) assert nameB in certB.get_san_list() assert certA.get_serial() == certB.get_serial() # # change MD by removing 1st name and adding another new_list = [nameA, nameB, nameC] conf = HttpdConf() conf.add_admin("admin@" + domain) conf.add_md(new_list) conf.add_vhost(nameA) conf.add_vhost(nameB) conf.install() # restart, check that host still works and have new cert assert TestEnv.apache_restart() == 0 TestEnv.check_md(new_list, md=nameX) assert TestEnv.await_completion([nameA]) # certA2 = TestEnv.get_cert(nameA) assert nameA in certA2.get_san_list() assert certA.get_serial() != certA2.get_serial()
def test_500_109(self): # test case: redirect on SSL-only domain # setup: prepare config domain = "test500-109-" + TestDrive.dns_uniq name = "www." + domain conf = HttpdConf( TestDrive.TMP_CONF ) conf.add_admin( "admin@" + domain ) conf.add_drive_mode( "manual" ) conf.add_md( [name] ) conf.add_vhost(TestEnv.HTTP_PORT, name, aliasList=[], docRoot="htdocs/test", withSSL=False) conf.add_vhost(TestEnv.HTTPS_PORT, name, aliasList=[], docRoot="htdocs/test", withSSL=True) conf.install() # setup: create resource files self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR, "test"), "name.txt", name) self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR), "name.txt", "not-forbidden.org") assert TestEnv.apache_restart() == 0 # drive it assert TestEnv.a2md( [ "drive", name ] )['rv'] == 0 assert TestEnv.apache_restart() == 0 # test HTTP access - no redirect assert TestEnv.get_content("not-forbidden.org", "/name.txt", useHTTPS=False) == "not-forbidden.org" assert TestEnv.get_content(name, "/name.txt", useHTTPS=False) == name r = TestEnv.get_meta(name, "/name.txt", useHTTPS=False) assert int(r['http_headers']['Content-Length']) == len(name) assert "Location" not in r['http_headers'] # test HTTPS access assert TestEnv.get_content(name, "/name.txt", useHTTPS=True) == name # test HTTP access again -> redirect to default HTTPS port conf.add_require_ssl("temporary") conf.install() assert TestEnv.apache_restart() == 0 r = TestEnv.get_meta(name, "/name.txt", useHTTPS=False) assert r['http_status'] == 302 expLocation = "https://%s/name.txt" % name assert r['http_headers']['Location'] == expLocation # should not see this assert not 'Strict-Transport-Security' in r['http_headers'] # test default HTTP vhost -> still no redirect assert TestEnv.get_content("not-forbidden.org", "/name.txt", useHTTPS=False) == "not-forbidden.org" r = TestEnv.get_meta(name, "/name.txt", useHTTPS=True) # also not for this assert not 'Strict-Transport-Security' in r['http_headers'] # test HTTP access again -> redirect permanent conf.add_require_ssl("permanent") conf.install() assert TestEnv.apache_restart() == 0 r = TestEnv.get_meta(name, "/name.txt", useHTTPS=False) assert r['http_status'] == 301 expLocation = "https://%s/name.txt" % name assert r['http_headers']['Location'] == expLocation assert not 'Strict-Transport-Security' in r['http_headers'] # should see this r = TestEnv.get_meta(name, "/name.txt", useHTTPS=True) assert r['http_headers']['Strict-Transport-Security'] == 'max-age=15768000'
def configure_httpd(cls, domain, add_lines=""): cls.domain = domain conf = HttpdConf() conf.add_admin("admin@" + domain) conf.add_line(add_lines) conf.add_md([domain]) conf.add_vhost(domain) conf.install() return domain
def test_600_002(self): # test case: one md, that covers two vhosts domain = "r002-" + TestRoundtrip.dns_uniq nameA = "test-a." + domain nameB = "test-b." + domain dnsList = [domain, nameA, nameB] # - generate config with one md conf = HttpdConf(TestRoundtrip.TMP_CONF, True) conf.add_admin("admin@" + domain) conf.add_drive_mode("manual") conf.add_md(dnsList) conf.install() # - restart, check that md is in store assert TestEnv.apache_restart() == 0 self._check_md_names(domain, dnsList) # - drive assert TestEnv.a2md(["drive", domain])['rv'] == 0 self._check_md_cert(dnsList) # - append vhost to config conf.add_vhost(TestEnv.HTTPS_PORT, nameA, aliasList=[], docRoot="htdocs/a", withSSL=True, certPath=TestEnv.path_domain_pubcert(domain), keyPath=TestEnv.path_domain_privkey(domain)) conf.add_vhost(TestEnv.HTTPS_PORT, nameB, aliasList=[], docRoot="htdocs/b", withSSL=True, certPath=TestEnv.path_domain_pubcert(domain), keyPath=TestEnv.path_domain_privkey(domain)) conf.install() # - create docRoot folder self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR, "a"), "name.txt", nameA) self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR, "b"), "name.txt", nameB) # check: SSL is running OK assert TestEnv.apache_restart() == 0 certA = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameA) assert nameA in certA.get_san_list() certB = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameB) assert nameB in certB.get_san_list() assert certA.get_serial() == certB.get_serial() assert TestEnv.get_content(nameA, "/name.txt") == nameA assert TestEnv.get_content(nameB, "/name.txt") == nameB
def test_300_015(self): HttpdConf(text=""" MDPrivateKeys Default MDPrivateKeys RSA MDPrivateKeys RSA 2048 MDPrivateKeys RSA 3072 MDPrivateKeys RSA 4096 """).install() assert TestEnv.apache_restart() == 0 assert (0, 0) == TestEnv.httpd_error_log_count()