def test_500_201(self, renewWindow, testDataList):
# test case: trigger cert renew when entering renew window
# setup: prepare COMPLETE md
domain = self.test_domain
name = "www." + domain
conf = HttpdConf()
conf.add_admin("admin@" + domain)
conf.add_drive_mode("manual")
conf.add_renew_window(renewWindow)
conf.add_md([name])
conf.install()
assert TestEnv.apache_restart() == 0
md = TestEnv.a2md(["list", name])['jout']['output'][0]
assert md['state'] == TestEnv.MD_S_INCOMPLETE
assert md['renew-window'] == renewWindow
# setup: drive it
assert TestEnv.a2md(["drive", name])['rv'] == 0
cert1 = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
md = TestEnv.a2md(["list", name])['jout']['output'][0]
assert md['state'] == TestEnv.MD_S_COMPLETE
assert md['renew-window'] == renewWindow
# replace cert by self-signed one -> check md status
print("TRACE: start testing renew window: %s" % renewWindow)
for tc in testDataList:
print("TRACE: create self-signed cert: %s" % tc["valid"])
CertUtil.create_self_signed_cert([name], tc["valid"])
cert2 = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
assert cert2.get_serial() != cert1.get_serial()
r = TestEnv.a2md(["-vvvv", "list", name])
md = r['jout']['output'][0]
assert md["renew"] == tc["renew"], \
"Expected renew == {} indicator in {}, test case {}, stderr {}".format(tc["renew"], md, tc, r['stderr'])
def test_500_201(self, renewWindow, testDataList):
# test case: trigger cert renew when entering renew window
# setup: prepare COMPLETE md
domain = "test500-201-" + TestDrive.dns_uniq
name = "www." + domain
conf = HttpdConf( TestDrive.TMP_CONF )
conf.add_admin( "admin@" + domain )
conf.add_drive_mode( "manual" )
conf.add_renew_window( renewWindow )
conf.add_md( [name] )
conf.install()
assert TestEnv.apache_restart() == 0
assert TestEnv.a2md([ "list", name])['jout']['output'][0]['state'] == TestEnv.MD_S_INCOMPLETE
# setup: drive it
assert TestEnv.a2md( [ "drive", name ] )['rv'] == 0
cert1 = CertUtil(TestEnv.path_domain_pubcert(name))
assert TestEnv.a2md([ "list", name ])['jout']['output'][0]['state'] == TestEnv.MD_S_COMPLETE
# replace cert by self-signed one -> check md status
print "TRACE: start testing renew window: %s" % renewWindow
for tc in testDataList:
print "TRACE: create self-signed cert: %s" % tc["valid"]
CertUtil.create_self_signed_cert( [name], tc["valid"])
cert2 = CertUtil(TestEnv.path_domain_pubcert(name))
assert cert2.get_serial() != cert1.get_serial()
md = TestEnv.a2md([ "list", name ])['jout']['output'][0]
assert md["renew"] == tc["renew"], \
"Expected renew == {} indicator in {}, test case {}".format(tc["renew"], md, tc)
def test_730_003(self):
# just configuring one file will not work
domain = self.test_domain
domains = [domain, 'www.%s' % domain]
testpath = os.path.join(TestEnv.GEN_DIR, 'test_920_001')
# cert that is only 10 more days valid
CertUtil.create_self_signed_cert(domains, {
"notBefore": -80,
"notAfter": 10
},
serial=730001,
path=testpath)
cert_file = os.path.join(testpath, 'pubcert.pem')
pkey_file = os.path.join(testpath, 'privkey.pem')
assert os.path.exists(cert_file)
assert os.path.exists(pkey_file)
conf = HttpdConf()
conf.add_admin("*****@*****.**")
conf.start_md(domains)
conf.add_line("MDCertificateFile %s" % (cert_file))
conf.end_md()
conf.add_vhost(domain)
conf.install()
assert TestEnv.apache_fail() == 0
conf = HttpdConf()
conf.add_admin("*****@*****.**")
conf.start_md(domains)
conf.add_line("MDCertificateKeyFile %s" % (pkey_file))
conf.end_md()
conf.add_vhost(domain)
conf.install()
assert TestEnv.apache_fail() == 0
def test_730_002(self):
# MD with static cert files, force driving
domain = self.test_domain
domains = [domain, 'www.%s' % domain]
testpath = os.path.join(TestEnv.GEN_DIR, 'test_920_001')
# cert that is only 10 more days valid
CertUtil.create_self_signed_cert(domains, {
"notBefore": -80,
"notAfter": 10
},
serial=730001,
path=testpath)
cert_file = os.path.join(testpath, 'pubcert.pem')
pkey_file = os.path.join(testpath, 'privkey.pem')
assert os.path.exists(cert_file)
assert os.path.exists(pkey_file)
conf = HttpdConf()
conf.add_admin("*****@*****.**")
conf.start_md(domains)
conf.add_line("MDCertificateFile %s" % (cert_file))
conf.add_line("MDCertificateKeyFile %s" % (pkey_file))
conf.add_line("MDRenewMode always")
conf.end_md()
conf.add_vhost(domain)
conf.install()
assert TestEnv.apache_restart() == 0
# check if the domain uses it, it appears in our stats and renewal is off
cert = TestEnv.get_cert(domain)
assert ('%X' % 730001) == cert.get_serial()
stat = TestEnv.get_md_status(domain)
assert stat
assert 'cert' in stat
assert stat['renew'] == True
assert TestEnv.await_renewal(domains)
def test_700_009(self):
domain = self.test_domain
dns_list = [ domain ]
# prepare md
conf = HttpdConf()
conf.add_admin( "admin@" + domain )
conf.add_drive_mode( "auto" )
conf.add_renew_window( "10d" )
conf.add_md( dns_list )
conf.add_vhost( TestEnv.HTTPS_PORT, domain, aliasList=[])
conf.install()
# restart (-> drive), check that md+cert is in store, TLS is up
assert TestEnv.apache_restart() == 0
assert TestEnv.await_completion( [ domain ] )
TestEnv.check_md_complete(domain)
cert1 = CertUtil( TestEnv.store_domain_file(domain, 'pubcert.pem') )
# compare with what md reports as status
stat = TestEnv.get_certificate_status(domain);
assert stat['serial'] == cert1.get_serial()
# create self-signed cert, with critical remaining valid duration -> drive again
CertUtil.create_self_signed_cert( [domain], { "notBefore": -120, "notAfter": 2 }, serial=7009)
cert3 = CertUtil( TestEnv.store_domain_file(domain, 'pubcert.pem') )
assert cert3.get_serial() == '1B61'
assert TestEnv.apache_restart() == 0
stat = TestEnv.get_certificate_status(domain);
assert stat['serial'] == cert3.get_serial()
# cert should renew and be different afterwards
assert TestEnv.await_completion( [ domain ], must_renew=True )
stat = TestEnv.get_certificate_status(domain);
assert stat['serial'] != cert3.get_serial()
def test_901_010(self):
# MD with static cert files, lifetime in renewal window, no message about renewal
domain = self.test_domain
domains = [domain, 'www.%s' % domain]
testpath = os.path.join(TestEnv.GEN_DIR, 'test_901_010')
# cert that is only 10 more days valid
CertUtil.create_self_signed_cert(domains, {
"notBefore": -70,
"notAfter": 20
},
serial=901010,
path=testpath)
cert_file = os.path.join(testpath, 'pubcert.pem')
pkey_file = os.path.join(testpath, 'privkey.pem')
assert os.path.exists(cert_file)
assert os.path.exists(pkey_file)
conf = HttpdConf()
conf.add_admin("*****@*****.**")
conf.add_message_cmd("%s %s" % (self.mcmd, self.mlog))
conf.start_md(domains)
conf.add_line("MDCertificateFile %s" % (cert_file))
conf.add_line("MDCertificateKeyFile %s" % (pkey_file))
conf.end_md()
conf.add_vhost(domain)
conf.install()
assert TestEnv.apache_restart() == 0
assert not os.path.isfile(self.mlog)
def test_801_009(self):
assert TestEnv.apache_stop() == 0
md = TestStapling.mdA
domains = [md]
testpath = os.path.join(TestEnv.GEN_DIR, 'test_801_009')
# cert that is 30 more days valid
CertUtil.create_self_signed_cert(domains, {
"notBefore": -60,
"notAfter": 30
},
serial=801009,
path=testpath)
cert_file = os.path.join(testpath, 'pubcert.pem')
pkey_file = os.path.join(testpath, 'privkey.pem')
assert os.path.exists(cert_file)
assert os.path.exists(pkey_file)
conf = HttpdConf()
conf.add_admin("*****@*****.**")
conf.start_md(domains)
conf.add_line("MDCertificateFile %s" % (cert_file))
conf.add_line("MDCertificateKeyFile %s" % (pkey_file))
conf.add_line("MDStapling on")
conf.end_md()
conf.add_vhost(md)
conf.install()
assert TestEnv.apache_restart() == 0
time.sleep(1)
stat = TestEnv.get_ocsp_status(md)
assert stat['ocsp'] == "no response sent"
def test_7009(self):
domain = self.test_domain
dns_list = [domain]
# prepare md
conf = HttpdConf(TestAuto.TMP_CONF)
conf.add_admin("admin@" + domain)
conf.add_drive_mode("auto")
conf.add_renew_window("10d")
conf.add_md(dns_list)
conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[], withSSL=True)
conf.install()
# restart (-> drive), check that md+cert is in store, TLS is up
assert TestEnv.apache_restart() == 0
assert TestEnv.await_completion([domain], 30)
self._check_md_cert(dns_list)
cert1 = CertUtil(TestEnv.path_domain_pubcert(domain))
# fetch cert from server
cert2 = CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
TestEnv.HTTPS_PORT, domain)
assert cert1.get_serial() == cert2.get_serial()
# create self-signed cert, with critical remaining valid duration -> drive again
CertUtil.create_self_signed_cert([domain], {
"notBefore": -120,
"notAfter": 9
})
cert3 = CertUtil(TestEnv.path_domain_pubcert(domain))
assert cert3.get_serial() == 1000
time.sleep(1)
assert TestEnv.a2md(["list",
domain])['jout']['output'][0]['renew'] == True
assert TestEnv.apache_restart() == 0
assert TestEnv.await_completion([domain], 30)
# fetch cert from server -> self-signed still active, activation of new ACME is delayed
cert4 = CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
TestEnv.HTTPS_PORT, domain)
assert cert4.get_serial() == cert3.get_serial()
time.sleep(1)
# restart -> new ACME cert becomes active
assert TestEnv.apache_stop() == 0
assert TestEnv.apache_start() == 0
time.sleep(1)
cert5 = CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
TestEnv.HTTPS_PORT, domain)
assert cert5.get_serial() != cert3.get_serial()
def test_901_011(self):
# MD with static cert files, lifetime in warn window, check message
domain = self.test_domain
domains = [domain, 'www.%s' % domain]
testpath = os.path.join(TestEnv.GEN_DIR, 'test_901_011')
# cert that is only 10 more days valid
CertUtil.create_self_signed_cert(domains, {
"notBefore": -85,
"notAfter": 5
},
serial=901011,
path=testpath)
cert_file = os.path.join(testpath, 'pubcert.pem')
pkey_file = os.path.join(testpath, 'privkey.pem')
assert os.path.exists(cert_file)
assert os.path.exists(pkey_file)
conf = HttpdConf()
conf.add_admin("*****@*****.**")
conf.add_message_cmd("%s %s" % (self.mcmd, self.mlog))
conf.start_md(domains)
conf.add_line("MDCertificateFile %s" % (cert_file))
conf.add_line("MDCertificateKeyFile %s" % (pkey_file))
conf.end_md()
conf.add_vhost(domain)
conf.install()
assert TestEnv.apache_restart() == 0
time.sleep(1)
nlines = open(self.mlog).readlines()
assert 1 == len(nlines)
assert ("['%s', '%s', 'expiring', '%s']" %
(self.mcmd, self.mlog, domain)) == nlines[0].strip()
# check that we do not get it resend right away again
assert TestEnv.apache_restart() == 0
time.sleep(1)
nlines = open(self.mlog).readlines()
assert 1 == len(nlines)
assert ("['%s', '%s', 'expiring', '%s']" %
(self.mcmd, self.mlog, domain)) == nlines[0].strip()
