예제 #1
 def test_801_009(self):
     """Static self-signed cert with MDStapling on: status reports no OCSP response.

     A self-signed certificate (valid for another 30 days) is configured via
     MDCertificateFile/MDCertificateKeyFile with stapling enabled; after the
     restart the OCSP status for the MD must read "no response sent".
     """
     assert TestEnv.apache_stop() == 0
     md = TestStapling.mdA
     domains = [md]
     testpath = os.path.join(TestEnv.GEN_DIR, 'test_801_009')
     # cert that is valid for another 30 days (notBefore/notAfter as in the sibling tests)
     validity = {"notBefore": -60, "notAfter": 30}
     CertUtil.create_self_signed_cert(domains, validity, serial=801009, path=testpath)
     cert_file = os.path.join(testpath, 'pubcert.pem')
     pkey_file = os.path.join(testpath, 'privkey.pem')
     for generated in (cert_file, pkey_file):
         assert os.path.exists(generated)
     conf = HttpdConf()
     conf.add_admin("*****@*****.**")
     conf.start_md(domains)
     conf.add_line("MDCertificateFile %s" % cert_file)
     conf.add_line("MDCertificateKeyFile %s" % pkey_file)
     conf.add_line("MDStapling on")
     conf.end_md()
     conf.add_vhost(md)
     conf.install()
     assert TestEnv.apache_restart() == 0
     # give the server a moment before querying the stapling status
     time.sleep(1)
     stat = TestEnv.get_ocsp_status(md)
     assert stat['ocsp'] == "no response sent"
예제 #2
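 def test_920_002(self):
     """Stage a real certificate by hand and check it is reported under 'renewal'.

     After the MD has been driven, the certificate at data/test_920/002.pubcert is
     copied into the staging area; the certificate-status output must then describe
     that certificate (validity, serial, fingerprint and both SCTs) in 'renewal'.
     """
     # simple MD, drive it, manipulate staged credentials and check status
     domain = self.test_domain
     dnsList = [domain]
     conf = HttpdConf()
     conf.add_admin("*****@*****.**")
     conf.add_md(dnsList)
     conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[])
     conf.install()
     assert TestEnv.apache_restart() == 0
     assert TestEnv.await_completion([domain], restart=False)
     # copy a real certificate from LE over to staging
     staged_cert = os.path.join(TestEnv.STORE_DIR, 'staging', domain, 'pubcert.pem')
     real_cert = os.path.join('data', 'test_920', '002.pubcert')
     # shutil.copyfile returns None on Python 2 but the destination path on
     # Python 3, so success is checked on disk rather than via the return value
     copyfile(real_cert, staged_cert)
     assert os.path.isfile(staged_cert)
     status = TestEnv.get_certificate_status(domain)
     # status shows the copied cert's properties as staged
     assert 'renewal' in status
     renewal = status['renewal']
     assert renewal['valid-until'] == 'Thu, 29 Aug 2019 16:06:35 GMT'
     assert renewal['valid-from'] == 'Fri, 31 May 2019 16:06:35 GMT'
     assert renewal['serial'] == '03039C464D454EDE79FCD2CAE859F668F269'
     assert 'sha256-fingerprint' in renewal
     scts = renewal['scts']
     assert len(scts) == 2
     # (log id, signing time) expected for each SCT embedded in the copied cert
     expected_scts = [
         ('747eda8331ad331091219cce254f4270c2bffd5e422008c6373579e6107bcc56',
          'Fri, 31 May 2019 17:06:35 GMT'),
         ('293c519654c83965baaa50fc5807d4b76fbf587a2972dca4c30cf4e54547f478',
          'Fri, 31 May 2019 17:06:35 GMT'),
     ]
     for sct, (logid, signed) in zip(scts, expected_scts):
         assert sct['logid'] == logid
         assert sct['signed'] == signed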
예제 #3
 def test_310_112(self):
     """MDRenewMode always must be listed by a2md as renew-mode 2."""
     HttpdConf(text="""
         MDRenewMode always
         MDomain testdomain.org www.testdomain.org mail.testdomain.org
         """).install()
     assert TestEnv.apache_restart() == 0
     listed = TestEnv.a2md(["list"])['jout']['output']
     assert listed[0]['renew-mode'] == 2
예제 #4
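    def test_720_005(self):
        """Wildcard MD over dns-01 spread over two vhosts: all names land in the SAN list.

        The MD lists the base domain, its wildcard and a third name served by its
        own vhost; after the drive completes, the certificate served for the base
        domain must carry all three names.
        """
        dns01cmd = ("%s/dns01.py" % TestEnv.TESTROOT)

        domain = self.test_domain
        domain2 = "www.x" + domain
        dnsList = [domain, "*." + domain, domain2]

        conf = HttpdConf()
        conf.add_admin("*****@*****.**")
        conf.add_ca_challenges(["dns-01"])
        conf.add_dns01_cmd(dns01cmd)
        conf.add_md(dnsList)
        conf.add_vhost(TestEnv.HTTPS_PORT, domain2, aliasList=[])
        conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[dnsList[1]])
        conf.install()

        # restart, check that md is in store
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(domain, dnsList)
        # await drive completion
        assert TestEnv.await_completion([domain])
        TestEnv.check_md_complete(domain)
        # check: SSL is running OK
        certA = CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
                                          TestEnv.HTTPS_PORT, domain)
        altnames = certA.get_san_list()
        # loop variable kept distinct from `domain` so the MD's base name is not rebound
        for name in dnsList:
            assert name in altnames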
예제 #5
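    def test_500_201(self, renewWindow, testDataList):
        """Replace the driven cert with self-signed ones and check the 'renew' flag.

        Parameterized over a renew window and a list of test cases; each case
        gives the validity to generate the replacement cert with ("valid") and
        whether the MD is then expected to be flagged for renewal ("renew").
        """
        # test case: trigger cert renew when entering renew window
        # setup: prepare COMPLETE md
        domain = "test500-201-" + TestDrive.dns_uniq
        name = "www." + domain
        conf = HttpdConf(TestDrive.TMP_CONF)
        conf.add_admin("admin@" + domain)
        conf.add_drive_mode("manual")
        conf.add_renew_window(renewWindow)
        conf.add_md([name])
        conf.install()
        assert TestEnv.apache_restart() == 0

        def md_state():
            # state field of the MD as reported by `a2md list <name>`
            return TestEnv.a2md(["list", name])['jout']['output'][0]['state']

        assert md_state() == TestEnv.MD_S_INCOMPLETE
        # setup: drive it
        assert TestEnv.a2md(["drive", name])['rv'] == 0
        cert1 = CertUtil(TestEnv.path_domain_pubcert(name))
        assert md_state() == TestEnv.MD_S_COMPLETE

        # replace cert by self-signed one -> check md status
        # print() with a single argument is valid on both Python 2 and 3
        print("TRACE: start testing renew window: %s" % renewWindow)
        for tc in testDataList:
            print("TRACE: create self-signed cert: %s" % tc["valid"])
            CertUtil.create_self_signed_cert([name], tc["valid"])
            cert2 = CertUtil(TestEnv.path_domain_pubcert(name))
            # the replacement must really be a different certificate
            assert cert2.get_serial() != cert1.get_serial()
            md = TestEnv.a2md(["list", name])['jout']['output'][0]
            assert md["renew"] == tc["renew"], \
                "Expected renew == {} indicator in {}, test case {}".format(tc["renew"], md, tc)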
예제 #6
 def test_920_001(self):
     """Certificate status before and after the first ACME cert is activated.

     Right after signup the server still runs without a valid cert: the status
     must carry no cert attributes at top level but a 'renewal' section for the
     staged one. After a restart 'renewal' is gone and the attributes appear at
     top level.
     """
     # simple MD, drive it, check status before activation
     domain = self.test_domain
     dnsList = [domain]
     conf = HttpdConf()
     conf.add_admin("*****@*****.**")
     conf.add_md(dnsList)
     conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[])
     conf.install()
     assert TestEnv.apache_restart() == 0
     assert TestEnv.await_completion([domain], restart=False)
     cert_keys = ('sha256-fingerprint', 'valid-until', 'valid-from')
     # we started without a valid certificate, so we expect /.httpd/certificate-status
     # to not give information about one and - since we waited for the ACME signup
     # to complete - to give information in 'renewal' about the new cert.
     status = TestEnv.get_certificate_status(domain)
     for key in cert_keys:
         assert key not in status
     assert 'renewal' in status
     for key in cert_keys:
         assert key in status['renewal']
     # restart and activate
     # once activated, the staging must be gone and attributes exist for the active cert
     assert TestEnv.apache_restart() == 0
     status = TestEnv.get_certificate_status(domain)
     assert 'renewal' not in status
     for key in cert_keys:
         assert key in status
예제 #7
 def test_310_205(self):
     """Dropping ServerAdmin from the config keeps the MD's stored contact."""
     name = "testdomain.org"
     all_names = [name, "www.testdomain.org", "mail.testdomain.org"]
     HttpdConf(text="""
         ServerAdmin mailto:[email protected]
         MDomain testdomain.org www.testdomain.org mail.testdomain.org
         """).install()
     assert TestEnv.apache_restart() == 0
     # setup: sync with admin info removed
     HttpdConf(text="""
         MDomain testdomain.org www.testdomain.org mail.testdomain.org
         """).install()
     assert TestEnv.apache_restart() == 0
     # check: md stays the same with previous admin info
     TestEnv.check_md(all_names, state=1, contacts=["mailto:[email protected]"])
예제 #8
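    def test_720_006(self):
        """Wildcard MD over dns-01 with the wildcard listed as a vhost name.

        The certificate served for the base domain must carry both the base
        name and the wildcard entry.
        """
        dns01cmd = ("%s/dns01.py" % TestEnv.TESTROOT)

        domain = self.test_domain
        dwild = "*." + domain
        domain2 = "www." + domain
        domains = [domain, dwild, domain2]

        conf = HttpdConf()
        conf.add_admin("*****@*****.**")
        conf.add_ca_challenges(["dns-01"])
        conf.add_dns01_cmd(dns01cmd)
        conf.add_md(domains)
        conf.add_vhost(domain2)
        conf.add_vhost([domain, dwild])
        conf.install()

        # restart, check that md is in store
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(domains)
        # await drive completion
        assert TestEnv.await_completion([domain])
        TestEnv.check_md_complete(domain)
        # check: SSL is running OK
        certA = TestEnv.get_cert(domain)
        altnames = certA.get_san_list()
        # loop variable kept distinct from `domain` so the MD's base name is not rebound
        for name in (domain, dwild):
            assert name in altnames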
예제 #9
    def test_700_003(self):
        """One MD covering two vhosts: both serve the same cert and their own docroot."""
        # generate 1 MD and 2 vhosts
        domain = self.test_domain
        nameA = "a." + domain
        nameB = "b." + domain
        dns_list = [domain, nameA, nameB]
        conf = HttpdConf()
        conf.add_admin("admin@" + domain)
        conf.add_md(dns_list)
        conf.add_vhost(TestEnv.HTTPS_PORT, nameA, aliasList=[], docRoot="htdocs/a")
        conf.add_vhost(TestEnv.HTTPS_PORT, nameB, aliasList=[], docRoot="htdocs/b")
        conf.install()

        # create docRoot folder
        for subdir, vhost in (("a", nameA), ("b", nameB)):
            self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR, subdir), "name.txt", vhost)

        # restart (-> drive), check that MD was synched and completes
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(domain, dns_list)
        assert TestEnv.await_completion([domain, nameA, nameB])
        TestEnv.check_md_complete(domain)

        # check: SSL is running OK
        certA = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameA)
        certB = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameB)
        assert nameA in certA.get_san_list()
        assert nameB in certB.get_san_list()
        # both vhosts belong to the one MD, so the same certificate is served on each
        assert certA.get_serial() == certB.get_serial()

        for vhost in (nameA, nameB):
            assert TestEnv.get_content(vhost, "/name.txt") == vhost
예제 #10
    def test_310_107(self):
        """Each MD takes its contact from the vhost carrying its names."""
        HttpdConf(text="""
            MDomain testdomain.org www.testdomain.org mail.testdomain.org
            MDomain testdomain2.org www.testdomain2.org mail.testdomain2.org

            <VirtualHost *:12346>
                ServerName testdomain.org
                ServerAlias www.testdomain.org
                ServerAdmin mailto:[email protected]
            </VirtualHost>

            <VirtualHost *:12346>
                ServerName testdomain2.org
                ServerAlias www.testdomain2.org
                ServerAdmin mailto:[email protected]
            </VirtualHost>
            """).install()
        assert TestEnv.apache_restart() == 0
        for base in ("testdomain.org", "testdomain2.org"):
            TestEnv.check_md([base, "www." + base, "mail." + base],
                             state=1,
                             contacts=["mailto:admin@" + base])
예제 #11
    def test_700_005(self):
        """Manual drive mode: an undriven MD serves the fallback cert and answers 503."""
        # generate 1 MD and 1 vhost
        domain = self.test_domain
        nameA = "a." + domain
        dns_list = [domain, nameA]
        conf = HttpdConf()
        conf.add_admin("admin@" + domain)
        conf.add_drive_mode("manual")
        conf.add_md(dns_list)
        conf.add_vhost(TestEnv.HTTPS_PORT, nameA, aliasList=[], docRoot="htdocs/a")
        conf.install()

        # create docRoot folder
        htdocs_a = os.path.join(TestEnv.APACHE_HTDOCS_DIR, "a")
        self._write_res_file(htdocs_a, "name.txt", nameA)

        # restart, check that md is in store
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(domain, dns_list)
        assert TestEnv.await_renew_state([domain])

        # check: that request to domains give 503 Service Unavailable
        served = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameA)
        assert nameA in served.get_san_list()
        assert TestEnv.getStatus(nameA, "/name.txt") == 503

        # check temporary cert from server
        fallback = CertUtil(TestEnv.path_fallback_cert(domain))
        assert served.get_serial() == fallback.get_serial(), \
            "Unexpected temporary certificate on vhost %s. Expected cn: %s , but found cn: %s" % (nameA, fallback.get_cn(), served.get_cn())
예제 #12
    def test_700_006(self):
        """Unknown challenge types: the drive fails with 'challenge-mismatch' and no account."""
        # generate 1 MD, 1 vhost
        domain = self.test_domain
        nameA = "a." + domain
        dns_list = [domain, nameA]
        conf = HttpdConf()
        conf.add_admin("admin@" + domain)
        conf.add_ca_challenges(["invalid-01", "invalid-02"])
        conf.add_md(dns_list)
        conf.add_vhost(TestEnv.HTTPS_PORT, nameA, aliasList=[], docRoot="htdocs/a")
        conf.install()

        # create docRoot folder
        self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR, "a"), "name.txt", nameA)

        # restart, check that md is in store
        assert TestEnv.apache_restart() == 0
        # await drive completion
        md = TestEnv.await_error(domain)
        assert md
        renewal = md['renewal']
        assert renewal['errors'] > 0
        assert renewal['last']['problem'] == 'challenge-mismatch'
        assert 'account' not in md['ca']

        # check: that request to domains give 503 Service Unavailable
        served = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameA)
        assert nameA in served.get_san_list()
        assert TestEnv.getStatus(nameA, "/name.txt") == 503
예제 #13
 def test_901_010(self):
     """Static cert files with a lifetime inside the renewal window: no message is sent."""
     # MD with static cert files, lifetime in renewal window, no message about renewal
     domain = self.test_domain
     domains = [domain, 'www.%s' % domain]
     testpath = os.path.join(TestEnv.GEN_DIR, 'test_901_010')
     # self-signed cert with notBefore -70 / notAfter 20, i.e. valid for another 20 days
     validity = {"notBefore": -70, "notAfter": 20}
     CertUtil.create_self_signed_cert(domains, validity, serial=901010, path=testpath)
     cert_file = os.path.join(testpath, 'pubcert.pem')
     pkey_file = os.path.join(testpath, 'privkey.pem')
     for generated in (cert_file, pkey_file):
         assert os.path.exists(generated)
     conf = HttpdConf()
     conf.add_admin("*****@*****.**")
     conf.add_message_cmd("%s %s" % (self.mcmd, self.mlog))
     conf.start_md(domains)
     conf.add_line("MDCertificateFile %s" % cert_file)
     conf.add_line("MDCertificateKeyFile %s" % pkey_file)
     conf.end_md()
     conf.add_vhost(domain)
     conf.install()
     assert TestEnv.apache_restart() == 0
     # self.mlog is handed to the message command; it must not have been created
     assert not os.path.isfile(self.mlog)
예제 #14
    def test_7002(self):
        """Two MDs in auto drive mode, one vhost each: both obtain a matching cert."""
        domainA = ("%sa-" % self.test_n) + TestAuto.dns_uniq
        domainB = ("%sb-" % self.test_n) + TestAuto.dns_uniq

        # generate config with two MDs
        dnsListA = [domainA, "www." + domainA]
        dnsListB = [domainB, "www." + domainB]
        conf = HttpdConf(TestAuto.TMP_CONF)
        conf.add_admin("*****@*****.**")
        conf.add_drive_mode("auto")
        for names in (dnsListA, dnsListB):
            conf.add_md(names)
        for names in (dnsListA, dnsListB):
            conf.add_vhost(TestEnv.HTTPS_PORT, names[0], aliasList=[names[1]], withSSL=True)
        conf.install()

        # restart, check that md is in store
        assert TestEnv.apache_restart() == 0
        self._check_md_names(domainA, dnsListA)
        self._check_md_names(domainB, dnsListB)
        # await drive completion
        assert TestEnv.await_completion([domainA, domainB], 30)
        self._check_md_cert(dnsListA)
        self._check_md_cert(dnsListB)

        # check: SSL is running OK - the SAN list must equal the MD's name list
        for base, names in ((domainA, dnsListA), (domainB, dnsListB)):
            served = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, base)
            assert names == served.get_san_list()
예제 #15
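    def test_7006(self):
        """With only unknown ACME challenge types configured the MD must not be driven.

        The MD stays incomplete, no CA account is created, the error log carries
        the md:warn about no usable challenge, the served certificate still names
        the vhost and requests to it get a 503.
        """
        domain = self.test_domain
        nameA = "test-a." + domain
        dns_list = [domain, nameA]

        # generate 1 MD, 1 vhost
        conf = HttpdConf(TestAuto.TMP_CONF)
        conf.add_admin("admin@" + domain)
        conf.add_ca_challenges(["invalid-01", "invalid-02"])
        conf.add_md(dns_list)
        conf.add_vhost(TestEnv.HTTPS_PORT, nameA, aliasList=[], docRoot="htdocs/a",
                       withSSL=True, certPath=TestEnv.path_domain_pubcert(domain),
                       keyPath=TestEnv.path_domain_privkey(domain))
        conf.install()

        # create docRoot folder
        self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR, "a"), "name.txt", nameA)

        # restart, check that md is in store
        assert TestEnv.apache_restart() == 0
        self._check_md_names(domain, dns_list)
        time.sleep(2)
        # assert drive did not start
        md = TestEnv.a2md(["-j", "list", domain])['jout']['output'][0]
        assert md['state'] == TestEnv.MD_S_INCOMPLETE
        assert 'account' not in md['ca']
        # raw string: '\[' in a plain literal is an invalid escape sequence
        # (DeprecationWarning since Python 3.6, SyntaxWarning since 3.12)
        warn_pattern = re.compile(r'.*\[md:warn\].*the server offers no ACME challenge that is configured for this MD')
        assert TestEnv.apache_err_scan(warn_pattern)

        # check: that request to domains give 503 Service Unavailable
        cert = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameA)
        assert nameA in cert.get_san_list()
        assert TestEnv.getStatus(nameA, "/name.txt") == 503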
예제 #16
    def test_600_000(self):
        """Roundtrip: md-only config, manual drive, then add an SSL vhost and use it."""
        # test case: generate config with md -> restart -> drive -> generate config
        # with vhost and ssl -> restart -> check HTTPS access
        domain = "r000-" + TestRoundtrip.dns_uniq
        dnsList = [domain, "www." + domain]

        # - generate config with one md
        conf = HttpdConf(TestRoundtrip.TMP_CONF, True)
        conf.add_admin("admin@" + domain)
        conf.add_drive_mode("manual")
        conf.add_md(dnsList)
        conf.install()
        # - restart, check that md is in store
        assert TestEnv.apache_restart() == 0
        self._check_md_names(domain, dnsList)
        # - drive
        assert TestEnv.a2md(["-v", "drive", domain])['rv'] == 0
        self._check_md_cert(dnsList)
        # - append vhost to config
        conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[dnsList[1]], withSSL=True)
        conf.install()
        assert TestEnv.apache_restart() == 0
        # check: SSL is running OK
        served = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, domain)
        assert domain in served.get_san_list()

        # check file system permissions of the stored credentials
        TestEnv.check_file_permissions(domain)
예제 #17
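    def test_710_001(self):
        """Switch the ACME endpoint from v1 to v2 underneath an existing MD.

        A cert obtained via ACMEv1 is kept when the server is reconfigured for
        ACMEv2 with the MD unchanged; once the MD gains a new name, a new cert
        is obtained and two accounts are listed.
        """
        domain = self.test_domain

        def install_md(domains):
            # one MD over `domains` plus a vhost for the same names; the three
            # configurations below differ only in the name list
            conf = HttpdConf()
            conf.add_admin("admin@" + domain)
            conf.add_md(domains)
            conf.add_vhost(domains)
            conf.install()

        # use ACMEv1 initially
        TestEnv.set_acme('acmev1')

        # generate config with one MD, restart, gets cert
        domains = [domain, "www." + domain]
        install_md(domains)
        assert TestEnv.apache_restart() == 0
        assert TestEnv.await_completion([domain])
        TestEnv.check_md_complete(domain)
        cert1 = TestEnv.get_cert(domain)
        assert domain in cert1.get_san_list()

        # use ACMEv2 now for everything
        TestEnv.set_acme('acmev2')
        install_md(domains)
        # restart, gets cert, should still be the same cert as it remains valid
        assert TestEnv.apache_restart() == 0
        status = TestEnv.get_certificate_status(domain)
        assert status['serial'] == cert1.get_serial()

        # change the MD so that we need a new cert
        domains = [domain, "www." + domain, "another." + domain]
        install_md(domains)
        assert TestEnv.apache_restart() == 0
        assert TestEnv.await_completion([domain])
        # should no longer be the same cert
        status = TestEnv.get_certificate_status(domain)
        assert status['serial'] != cert1.get_serial()
        TestEnv.check_md_complete(domain)
        # should have 2 accounts now
        assert 2 == len(TestEnv.list_accounts())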
예제 #18
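    def test_8003(self):
        """Toggle MDMustStaple on/off/on and check the stored cert follows each setting."""
        domain = self.test_domain
        dns_list = [domain]

        def renew_with_must_staple(setting):
            # reconfigure the MD with the given MDMustStaple value, wait for the
            # drive to complete, restart again and return the stored certificate
            conf = HttpdConf(TestAuto.TMP_CONF)
            conf.add_admin("admin@" + domain)
            conf.add_must_staple(setting)
            conf.add_md(dns_list)
            conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[], withSSL=True)
            conf.install()
            assert TestEnv.apache_restart() == 0
            assert TestEnv.await_completion([domain])
            assert TestEnv.apache_restart() == 0
            self._check_md_cert(dns_list)
            return CertUtil(TestEnv.path_domain_pubcert(domain))

        assert renew_with_must_staple("on").get_must_staple()
        # toggle MDMustStaple off, expect a cert that has it disabled
        assert not renew_with_must_staple("off").get_must_staple()
        # toggle MDMustStaple on again, expect a cert that has it enabled
        assert renew_with_must_staple("on").get_must_staple()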
예제 #19
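    def test_8003(self):
        """Toggle MDMustStaple on/off/on and check the stored cert follows each setting."""
        domain = self.test_domain
        dns_list = [domain]

        def renew_with_must_staple(setting):
            # reconfigure the MD with the given MDMustStaple value, wait for the
            # drive to complete, restart again and return the stored certificate
            conf = HttpdConf()
            conf.add_admin("admin@" + domain)
            conf.add_must_staple(setting)
            conf.add_md(dns_list)
            conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[])
            conf.install()
            assert TestEnv.apache_restart() == 0
            assert TestEnv.await_completion([domain])
            assert TestEnv.apache_restart() == 0
            TestEnv.check_md_complete(domain)
            return CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))

        assert renew_with_must_staple("on").get_must_staple()
        # toggle MDMustStaple off, expect a cert that has it disabled
        assert not renew_with_must_staple("off").get_must_staple()
        # toggle MDMustStaple on again, expect a cert that has it enabled
        assert renew_with_must_staple("on").get_must_staple()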
예제 #20
 def test_310_114(self):
     """MDCAChallenges http-01 is listed as the MD's sole challenge type."""
     HttpdConf(text="""
         MDCAChallenges http-01
         MDomain testdomain.org www.testdomain.org mail.testdomain.org
         """).install()
     assert TestEnv.apache_restart() == 0
     first_md = TestEnv.a2md(["list"])['jout']['output'][0]
     assert first_md['ca']['challenges'] == ['http-01']
예제 #21
 def test_310_113b(self):
     """A percentage MDRenewWindow is echoed back verbatim as '10%'."""
     HttpdConf(text="""
         MDRenewWindow 10%
         MDomain testdomain.org www.testdomain.org mail.testdomain.org
         """).install()
     assert TestEnv.apache_restart() == 0
     first_md = TestEnv.a2md(["list"])['jout']['output'][0]
     assert first_md['renew-window'] == '10%'
예제 #22
 def test_310_108(self):
     """Upper-case names in MDomain are stored lower-cased."""
     HttpdConf(text="""
         MDomain testdomain.org WWW.testdomain.org MAIL.testdomain.org
         """).install()
     assert TestEnv.apache_restart() == 0
     expected = ["testdomain.org", "www.testdomain.org", "mail.testdomain.org"]
     TestEnv.check_md(expected, state=1)
예제 #23
 def test_310_121(self):
     """MDRequireHttps temporary is listed as require-https "temporary"."""
     HttpdConf(text="""
         MDomain testdomain.org www.testdomain.org mail.testdomain.org
         MDRequireHttps temporary
         """).install()
     assert TestEnv.apache_restart() == 0
     first_md = TestEnv.a2md(["list"])['jout']['output'][0]
     assert first_md['require-https'] == "temporary"
예제 #24
 def test_300_005(self):
     """MDomain is accepted both at server level and inside a VirtualHost."""
     HttpdConf(text="""
         MDomain not-forbidden.org www.not-forbidden.org mail.not-forbidden.org test3.not-forbidden.org
         <VirtualHost *:12346>
             MDomain example2.org www.example2.org www.example3.org
         </VirtualHost>
         """).install()
     # the only check is that the server comes up with this config
     assert TestEnv.apache_restart() == 0
예제 #25
 def test_310_122(self):
     """MDMustStaple on is listed as must-staple True."""
     HttpdConf(text="""
         MDomain testdomain.org www.testdomain.org mail.testdomain.org
         MDMustStaple on
         """).install()
     assert TestEnv.apache_restart() == 0
     first_md = TestEnv.a2md(["list"])['jout']['output'][0]
     assert first_md['must-staple'] == True
예제 #26
 def test_702_031(self):
     """Replace an MD's first name: the MD (still kept under nameX) gets a new cert."""
     domain = self.test_domain
     nameX = "test-x." + domain
     nameA = "test-a." + domain
     nameB = "test-b." + domain
     nameC = "test-c." + domain
     domains = [nameX, nameA, nameB]

     def install_md(names):
         # one MD over `names` with vhosts for nameA and nameB
         conf = HttpdConf()
         conf.add_admin("admin@" + domain)
         conf.add_md(names)
         conf.add_vhost(nameA)
         conf.add_vhost(nameB)
         conf.install()

     # generate 1 MD and 2 vhosts
     install_md(domains)
     # restart (-> drive), check that MD was synched and completes
     assert TestEnv.apache_restart() == 0
     TestEnv.check_md(domains)
     assert TestEnv.await_completion([nameX])
     TestEnv.check_md_complete(nameX)
     # check: SSL is running OK
     certA = TestEnv.get_cert(nameA)
     certB = TestEnv.get_cert(nameB)
     assert nameA in certA.get_san_list()
     assert nameB in certB.get_san_list()
     assert certA.get_serial() == certB.get_serial()
     # change MD by removing 1st name and adding another
     new_list = [nameA, nameB, nameC]
     install_md(new_list)
     # restart, check that host still works and have new cert
     assert TestEnv.apache_restart() == 0
     TestEnv.check_md(new_list, md=nameX)
     assert TestEnv.await_completion([nameA])
     certA2 = TestEnv.get_cert(nameA)
     assert nameA in certA2.get_san_list()
     assert certA.get_serial() != certA2.get_serial()
예제 #27
    def test_500_109(self):
        """MDRequireHttps on an SSL-only domain: redirect codes and HSTS header.

        Without MDRequireHttps plain HTTP is served as-is. 'temporary' must answer
        a 302 to the https:// URL and send no HSTS header; 'permanent' a 301, and
        the HTTPS response then carries Strict-Transport-Security max-age=15768000.
        The default HTTP vhost (not-forbidden.org) is never redirected.
        """
        # test case: redirect on SSL-only domain
        # setup: prepare config
        domain = "test500-109-" + TestDrive.dns_uniq
        name = "www." + domain
        conf = HttpdConf(TestDrive.TMP_CONF)
        conf.add_admin("admin@" + domain)
        conf.add_drive_mode("manual")
        conf.add_md([name])
        conf.add_vhost(TestEnv.HTTP_PORT, name, aliasList=[], docRoot="htdocs/test", withSSL=False)
        conf.add_vhost(TestEnv.HTTPS_PORT, name, aliasList=[], docRoot="htdocs/test", withSSL=True)
        conf.install()
        # setup: create resource files
        self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR, "test"), "name.txt", name)
        self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR), "name.txt", "not-forbidden.org")
        assert TestEnv.apache_restart() == 0

        # drive it
        assert TestEnv.a2md(["drive", name])['rv'] == 0
        assert TestEnv.apache_restart() == 0
        expLocation = "https://%s/name.txt" % name
        hsts = 'Strict-Transport-Security'

        # test HTTP access - no redirect
        assert TestEnv.get_content("not-forbidden.org", "/name.txt", useHTTPS=False) == "not-forbidden.org"
        assert TestEnv.get_content(name, "/name.txt", useHTTPS=False) == name
        r = TestEnv.get_meta(name, "/name.txt", useHTTPS=False)
        assert int(r['http_headers']['Content-Length']) == len(name)
        assert "Location" not in r['http_headers']
        # test HTTPS access
        assert TestEnv.get_content(name, "/name.txt", useHTTPS=True) == name

        # test HTTP access again -> redirect to default HTTPS port
        conf.add_require_ssl("temporary")
        conf.install()
        assert TestEnv.apache_restart() == 0
        r = TestEnv.get_meta(name, "/name.txt", useHTTPS=False)
        assert r['http_status'] == 302
        assert r['http_headers']['Location'] == expLocation
        # should not see this
        assert hsts not in r['http_headers']
        # test default HTTP vhost -> still no redirect
        assert TestEnv.get_content("not-forbidden.org", "/name.txt", useHTTPS=False) == "not-forbidden.org"
        r = TestEnv.get_meta(name, "/name.txt", useHTTPS=True)
        # also not for this
        assert hsts not in r['http_headers']

        # test HTTP access again -> redirect permanent
        conf.add_require_ssl("permanent")
        conf.install()
        assert TestEnv.apache_restart() == 0
        r = TestEnv.get_meta(name, "/name.txt", useHTTPS=False)
        assert r['http_status'] == 301
        assert r['http_headers']['Location'] == expLocation
        assert hsts not in r['http_headers']
        # should see this
        r = TestEnv.get_meta(name, "/name.txt", useHTTPS=True)
        assert r['http_headers'][hsts] == 'max-age=15768000'
예제 #28
 def configure_httpd(cls, domain, add_lines=""):
     """Install a minimal config with one MD and one vhost for `domain`.

     Records `domain` on the class, passes `add_lines` to the config as-is
     (add_line is called even for the empty default) and returns `domain`.
     """
     cls.domain = domain
     conf = HttpdConf()
     conf.add_admin("admin@" + domain)
     conf.add_line(add_lines)
     conf.add_md([domain])
     conf.add_vhost(domain)
     conf.install()
     return domain
예제 #29
    def test_600_002(self):
        """Roundtrip: one manually driven MD whose cert is then used by two vhosts."""
        # test case: one md, that covers two vhosts
        domain = "r002-" + TestRoundtrip.dns_uniq
        nameA = "test-a." + domain
        nameB = "test-b." + domain
        dnsList = [domain, nameA, nameB]
        vhosts = ((nameA, "a"), (nameB, "b"))

        # - generate config with one md
        conf = HttpdConf(TestRoundtrip.TMP_CONF, True)
        conf.add_admin("admin@" + domain)
        conf.add_drive_mode("manual")
        conf.add_md(dnsList)
        conf.install()

        # - restart, check that md is in store
        assert TestEnv.apache_restart() == 0
        self._check_md_names(domain, dnsList)

        # - drive
        assert TestEnv.a2md(["drive", domain])['rv'] == 0
        self._check_md_cert(dnsList)

        # - append one SSL vhost per name, both using the MD's stored credentials
        for vhost, subdir in vhosts:
            conf.add_vhost(TestEnv.HTTPS_PORT, vhost, aliasList=[],
                           docRoot="htdocs/" + subdir, withSSL=True,
                           certPath=TestEnv.path_domain_pubcert(domain),
                           keyPath=TestEnv.path_domain_privkey(domain))
        conf.install()

        # - create docRoot folder
        for vhost, subdir in vhosts:
            self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR, subdir),
                                 "name.txt", vhost)

        # check: SSL is running OK
        assert TestEnv.apache_restart() == 0
        certA = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameA)
        certB = CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, nameB)
        assert nameA in certA.get_san_list()
        assert nameB in certB.get_san_list()
        assert certA.get_serial() == certB.get_serial()
        for vhost, _subdir in vhosts:
            assert TestEnv.get_content(vhost, "/name.txt") == vhost
예제 #30
 def test_300_015(self):
     """Every MDPrivateKeys spelling is accepted without an error log entry."""
     HttpdConf(text="""
         MDPrivateKeys Default
         MDPrivateKeys RSA
         MDPrivateKeys RSA 2048
         MDPrivateKeys RSA 3072
         MDPrivateKeys RSA 4096
         """).install()
     assert TestEnv.apache_restart() == 0
     log_counts = TestEnv.httpd_error_log_count()
     assert log_counts == (0, 0)