Exemplo n.º 1
    def test_7021(self):
        """Auto-drive one MD with an MDNotifyCmd configured and check the error totals."""
        prefix = "%s-" % self.test_n
        domain = prefix + TestAuto.dns_uniq
        www_name = "www." + domain
        md_names = [domain, www_name]

        # A single managed domain (apex + www) behind one TLS vhost.
        # MDNotifyCmd points at the suite's own notify.py below TESTROOT.
        # NOTE(review): a notify hook is run by the server, so in a real
        # deployment its path must not be writable by less-privileged users.
        httpd_conf = HttpdConf(TestAuto.TMP_CONF)
        httpd_conf.add_admin("*****@*****.**")
        httpd_conf._add_line("MDNotifyCmd %s/notify.py" % TestEnv.TESTROOT)
        httpd_conf.add_drive_mode("auto")
        httpd_conf.add_md(md_names)
        httpd_conf.add_vhost(TestEnv.HTTPS_PORT,
                             domain,
                             aliasList=[www_name],
                             withSSL=True)
        httpd_conf.install()

        # After the restart the MD must be known under exactly these names.
        assert TestEnv.apache_restart() == 0
        self._check_md_names(domain, md_names)
        # Give the automatic drive up to 30 (presumably seconds) to finish.
        assert TestEnv.await_completion([domain], 30)
        self._check_md_cert(md_names)
        # NOTE(review): the original remark here said the command "should have
        # failed and logged an error", yet the assertion expects (0, 0) from
        # apache_err_total() - confirm which outcome is intended.
        TestEnv.apachectl_stderr = None
        assert (0, 0) == TestEnv.apache_err_total()
Exemplo n.º 2
 def test_702_005(self):
     """Manual drive mode: the vhost answers 503 and presents the fallback certificate."""
     domain = self.test_domain
     vhost_name = "test-a." + domain
     md_names = [domain, vhost_name]
     #
     # one MD plus one vhost with its own document root
     httpd_conf = HttpdConf()
     httpd_conf.add_admin("admin@" + domain)
     httpd_conf.add_drive_mode("manual")
     httpd_conf.add_md(md_names)
     httpd_conf.add_vhost(vhost_name, docRoot="htdocs/a")
     httpd_conf.install()
     #
     # publish a resource inside that document root
     doc_root = os.path.join(TestEnv.APACHE_HTDOCS_DIR, "a")
     self._write_res_file(doc_root, "name.txt", vhost_name)
     #
     # after the restart the MD is registered in the store
     assert TestEnv.apache_restart() == 0
     TestEnv.check_md(md_names)
     #
     # Drive mode is manual and nothing drives the MD in this test, so no real
     # certificate exists: content must be refused with 503 rather than served
     # under a certificate that was never issued for the domain.
     served = TestEnv.get_cert(vhost_name)
     assert vhost_name in served.get_san_list()
     assert TestEnv.getStatus(vhost_name, "/name.txt") == 503
     #
     # the certificate on the wire has to be the stored fallback one
     fallback = CertUtil(TestEnv.path_fallback_cert(domain))
     assert served.get_serial() == fallback.get_serial(), \
         "Unexpected temporary certificate on vhost %s. Expected cn: %s , but found cn: %s" % (
             vhost_name, fallback.get_cn(), served.get_cn())
Exemplo n.º 3
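    def test_702_001(self):
        """An MD without a vhost is not driven; adding the vhost triggers the drive.

        Also verifies the post-issuance hygiene of the store: the challenge
        directory is empty again and the domain's files pass the suite's
        permission check.
        """
        domain = self.test_domain
        # generate config with one MD
        dns_list = [domain, "www." + domain]
        conf = HttpdConf()
        conf.add_admin("admin@" + domain)
        conf.add_drive_mode("auto")
        conf.add_md(dns_list)
        conf.install()

        # restart, check that MD is synched to store
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(domain, dns_list)
        time.sleep(2)
        # assert drive did not start: the MD stays incomplete and the log says so
        TestEnv.check_md(domain, dns_list, TestEnv.MD_S_INCOMPLETE)
        # Raw string: "\[" in a plain literal is an invalid escape sequence that
        # newer Python versions warn about; the compiled pattern is unchanged.
        assert TestEnv.apache_err_scan(
            re.compile(r'.*\[md:debug\].*no mds to drive'))

        # add vhost for MD, restart should drive it
        conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[dns_list[1]])
        conf.install()
        assert TestEnv.apache_restart() == 0
        assert TestEnv.await_completion([domain])
        TestEnv.check_md_complete(domain)
        cert = CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
                                         TestEnv.HTTPS_PORT, domain)
        assert domain in cert.get_san_list()

        # challenges should have been removed once validation is over, so no
        # stale challenge material is left behind in the store
        TestEnv.check_dir_empty(TestEnv.store_challenges())

        # file system needs to have correct permissions (the store holds the
        # private key material for the domain)
        TestEnv.check_file_permissions(domain)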
Exemplo n.º 4
    def test_700_002(self):
        """Two auto-driven MDs get their own certificates but share one ACME account."""
        domain = "test700-002-" + TestAuto.dns_uniq
        domain_a = "a-" + domain
        domain_b = "b-" + domain
        names_a = [domain_a, "www." + domain_a]
        names_b = [domain_b, "www." + domain_b]

        # two managed domains, each with a TLS vhost (apex as server name,
        # www as alias)
        httpd_conf = HttpdConf(TestAuto.TMP_CONF)
        httpd_conf.add_admin("*****@*****.**")
        httpd_conf.add_drive_mode("auto")
        httpd_conf.add_md(names_a)
        httpd_conf.add_md(names_b)
        httpd_conf.add_vhost(TestEnv.HTTPS_PORT, domain_a,
                             aliasList=[names_a[1]], withSSL=True)
        httpd_conf.add_vhost(TestEnv.HTTPS_PORT, domain_b,
                             aliasList=[names_b[1]], withSSL=True)
        httpd_conf.install()

        # both MDs must be in the store after the restart
        assert TestEnv.apache_restart() == 0
        self._check_md_names(domain_a, names_a)
        self._check_md_names(domain_b, names_b)
        # wait until both drives have finished
        assert TestEnv.await_completion([domain_a, domain_b])
        self._check_md_cert(names_a)
        self._check_md_cert(names_b)

        # Each vhost must serve a certificate whose SAN list is exactly its
        # own MD's names - no name of the other MD may leak into it.
        served_a = CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
                                             TestEnv.HTTPS_PORT, domain_a)
        assert names_a == served_a.get_san_list()
        served_b = CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
                                             TestEnv.HTTPS_PORT, domain_b)
        assert names_b == served_b.get_san_list()

        # one account only: the second MD reused the first one's registration
        assert len(TestEnv.list_accounts()) == 1
Exemplo n.º 5
    def test_702_041(self):
        """tls-alpn-01 is requested but the acme-tls/1 protocol is not enabled: drive must fail."""
        domain = "test702-041-" + TestAuto.dns_uniq
        www_name = "www." + domain
        md_names = [domain, www_name]

        # One MD and one TLS vhost, restricted to the tls-alpn-01 challenge.
        # No "Protocols" line enabling acme-tls/1 is written here, which is
        # the misconfiguration this test wants the server to detect.
        httpd_conf = HttpdConf(TestAuto.TMP_CONF)
        httpd_conf.add_admin("admin@" + domain)
        httpd_conf.add_line("LogLevel core:debug")
        httpd_conf.add_line("LogLevel ssl:debug")
        httpd_conf.add_drive_mode("auto")
        httpd_conf.add_ca_challenges(["tls-alpn-01"])
        httpd_conf.add_md(md_names)
        httpd_conf.add_vhost(TestEnv.HTTPS_PORT,
                             domain,
                             aliasList=[www_name],
                             withSSL=True)
        httpd_conf.install()

        # The restart starts the drive; the MD job has to end in an error
        # and the MD must report the missing protocol.
        assert TestEnv.apache_restart() == 0
        self._check_md_names(domain, md_names)
        assert TestEnv.await_error([domain]) == True
        md_info = self._get_md(domain)
        assert False == md_info["proto"]["acme-tls/1"]
Exemplo n.º 6
    def test_700_009(self):
        """A certificate that is about to expire must be renewed and replaced."""
        domain = self.test_domain
        md_names = [domain]
        # managed domain with a 10 day renew window, driven automatically
        httpd_conf = HttpdConf()
        httpd_conf.add_admin("admin@" + domain)
        httpd_conf.add_drive_mode("auto")
        httpd_conf.add_renew_window("10d")
        httpd_conf.add_md(md_names)
        httpd_conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[])
        httpd_conf.install()

        # the restart drives the MD; afterwards md and certificate are stored
        assert TestEnv.apache_restart() == 0
        assert TestEnv.await_completion([domain])
        TestEnv.check_md_complete(domain)
        issued = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
        # the status reported by the server must describe the stored cert
        status = TestEnv.get_certificate_status(domain)
        assert status['serial'] == issued.get_serial()

        # Plant a self-signed certificate with very little validity left
        # (notAfter 2, presumably days - inside the 10d window above).
        # Serial 7009 is 0x1B61, which is what get_serial() reports.
        validity = {"notBefore": -120, "notAfter": 2}
        CertUtil.create_self_signed_cert([domain], validity, serial=7009)
        planted = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
        assert planted.get_serial() == '1B61'
        assert TestEnv.apache_restart() == 0
        status = TestEnv.get_certificate_status(domain)
        assert status['serial'] == planted.get_serial()

        # the renewal has to produce a different certificate
        assert TestEnv.await_completion([domain], must_renew=True)
        status = TestEnv.get_certificate_status(domain)
        assert status['serial'] != planted.get_serial()
Exemplo n.º 7
    def test_702_040(self):
        """tls-alpn-01 completes when the acme-tls/1 protocol is enabled on the server."""
        domain = "test702-040-" + TestAuto.dns_uniq
        www_name = "www." + domain
        md_names = [domain, www_name]

        # One MD and one TLS vhost. The "Protocols" line enables acme-tls/1,
        # the ALPN protocol that the tls-alpn-01 challenge is answered on.
        httpd_conf = HttpdConf(TestAuto.TMP_CONF)
        httpd_conf.add_admin("admin@" + domain)
        httpd_conf.add_line("LogLevel core:debug")
        httpd_conf.add_line("LogLevel ssl:debug")
        httpd_conf.add_line("Protocols http/1.1 acme-tls/1")
        httpd_conf.add_drive_mode("auto")
        httpd_conf.add_ca_challenges(["tls-alpn-01"])
        httpd_conf.add_md(md_names)
        httpd_conf.add_vhost(TestEnv.HTTPS_PORT,
                             domain,
                             aliasList=[www_name],
                             withSSL=True)
        httpd_conf.install()

        # the restart starts the drive; the MD must sync and then complete
        assert TestEnv.apache_restart() == 0
        self._check_md_names(domain, md_names)
        assert TestEnv.await_completion([domain])
        self._check_md_cert(md_names)

        # the certificate served over TLS has to cover the domain
        served = CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
                                           TestEnv.HTTPS_PORT, domain)
        assert domain in served.get_san_list()
Exemplo n.º 8
    def test_600_000(self):
        """Round trip: MD only -> manual drive -> add TLS vhost -> check HTTPS and permissions."""
        domain = "r000-" + TestRoundtrip.dns_uniq
        www_name = "www." + domain
        md_names = [domain, www_name]

        # step 1: configuration that holds nothing but the managed domain
        httpd_conf = HttpdConf(TestRoundtrip.TMP_CONF, True)
        httpd_conf.add_admin("admin@" + domain)
        httpd_conf.add_drive_mode("manual")
        httpd_conf.add_md(md_names)
        httpd_conf.install()
        # step 2: restart and find the MD in the store
        assert TestEnv.apache_restart() == 0
        self._check_md_names(domain, md_names)
        # step 3: drive it by hand with the a2md command line tool
        assert TestEnv.a2md(["-v", "drive", domain])['rv'] == 0
        self._check_md_cert(md_names)
        # step 4: add the TLS vhost and restart once more
        httpd_conf.add_vhost(TestEnv.HTTPS_PORT,
                             domain,
                             aliasList=[www_name],
                             withSSL=True)
        httpd_conf.install()
        assert TestEnv.apache_restart() == 0
        # step 5: the served certificate must cover the domain
        served = CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
                                           TestEnv.HTTPS_PORT, domain)
        assert domain in served.get_san_list()

        # step 6: the domain's files in the store (certificate and key
        # material) must pass the suite's permission check
        TestEnv.check_file_permissions(domain)
Exemplo n.º 9
    def test_602_000(self):
        """Round trip: MD only -> manual drive -> add vhost -> check HTTPS and permissions."""
        domain = self.test_domain
        md_names = [domain, "www." + domain]

        # step 1: configuration that holds nothing but the managed domain
        httpd_conf = HttpdConf()
        httpd_conf.add_admin("admin@" + domain)
        httpd_conf.add_drive_mode("manual")
        httpd_conf.add_md(md_names)
        httpd_conf.install()
        # step 2: restart and find the MD in the store
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(md_names)
        # step 3: drive by hand, then restart so the result is picked up
        assert TestEnv.a2md(["-v", "drive", domain])['rv'] == 0
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md_complete(domain)
        # step 4: add the vhost for the same names and restart again
        httpd_conf.add_vhost(md_names)
        httpd_conf.install()
        assert TestEnv.apache_restart() == 0
        # step 5: the served certificate must cover the domain
        served = TestEnv.get_cert(domain)
        assert domain in served.get_san_list()

        # step 6: the domain's files in the store (certificate and key
        # material) must pass the suite's permission check
        TestEnv.check_file_permissions(domain)
Exemplo n.º 10
    def test_700_011(self):
        """MDPortMap for 443: a dead local port makes the drive fail, the real one lets it finish."""
        domain = "test700-011-" + TestAuto.dns_uniq
        md_names = [domain, "www." + domain]

        def install_with_port_map(port_map_line):
            # One MD and one TLS vhost, tls-sni-01 as the only challenge type,
            # plus the MDPortMap directive under test.
            # NOTE(review): tls-sni-01 has been retired by public ACME CAs in
            # favour of tls-alpn-01, so this case only fits old server/CA pairs.
            httpd_conf = HttpdConf(TestAuto.TMP_CONF)
            httpd_conf.add_admin("admin@" + domain)
            httpd_conf.add_drive_mode("auto")
            httpd_conf.add_ca_challenges(["tls-sni-01"])
            httpd_conf._add_line(port_map_line)
            httpd_conf.add_md(md_names)
            httpd_conf.add_vhost(TestEnv.HTTPS_PORT, domain,
                                 aliasList=[md_names[1]], withSSL=True)
            httpd_conf.install()

        # external port 443 mapped to local port 99, where the server does
        # not listen: the challenge cannot be answered and the drive errors
        install_with_port_map("MDPortMap 443:99")
        assert TestEnv.apache_restart() == 0
        self._check_md_names(domain, md_names)
        assert TestEnv.await_error([domain])

        # same setup with 443 mapped to the port the server really serves
        install_with_port_map("MDPortMap 443:%s" % TestEnv.HTTPS_PORT)
        assert TestEnv.apache_restart() == 0
        self._check_md_names(domain, md_names)
        assert TestEnv.await_completion([domain])
Exemplo n.º 11
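    def test_500_201(self, renewWindow, testDataList):
        """Check that the MD's "renew" flag follows the configured renew window.

        renewWindow is the window handed to add_renew_window(). Each entry of
        testDataList is a dict whose "valid" value is passed to
        create_self_signed_cert() and whose "renew" value is the flag the MD
        is expected to report afterwards.
        """
        # setup: prepare COMPLETE md
        domain = "test500-201-" + TestDrive.dns_uniq
        name = "www." + domain
        conf = HttpdConf(TestDrive.TMP_CONF)
        conf.add_admin("admin@" + domain)
        conf.add_drive_mode("manual")
        conf.add_renew_window(renewWindow)
        conf.add_md([name])
        conf.install()
        assert TestEnv.apache_restart() == 0
        assert TestEnv.a2md(["list", name])['jout']['output'][0]['state'] == TestEnv.MD_S_INCOMPLETE
        # setup: drive it
        assert TestEnv.a2md(["drive", name])['rv'] == 0
        cert1 = CertUtil(TestEnv.path_domain_pubcert(name))
        assert TestEnv.a2md(["list", name])['jout']['output'][0]['state'] == TestEnv.MD_S_COMPLETE

        # replace cert by self-signed one -> check md status
        # print(...) with a single pre-formatted argument emits the same text
        # under Python 2 and is valid syntax under Python 3, unlike the
        # print statement used before.
        print("TRACE: start testing renew window: %s" % renewWindow)
        for tc in testDataList:
            print("TRACE: create self-signed cert: %s" % tc["valid"])
            CertUtil.create_self_signed_cert([name], tc["valid"])
            cert2 = CertUtil(TestEnv.path_domain_pubcert(name))
            # the stored certificate really was swapped
            assert cert2.get_serial() != cert1.get_serial()
            md = TestEnv.a2md(["list", name])['jout']['output'][0]
            assert md["renew"] == tc["renew"], \
                "Expected renew == {} indicator in {}, test case {}".format(tc["renew"], md, tc)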
Exemplo n.º 12
 def test_700_002(self):
     """Two auto-driven MDs get their own certificates but share one ACME account."""
     base = self.test_domain
     domain_a = "a-" + base
     domain_b = "b-" + base
     names_a = [domain_a, "www." + domain_a]
     names_b = [domain_b, "www." + domain_b]
     # two managed domains, one vhost per MD
     httpd_conf = HttpdConf()
     httpd_conf.add_admin("*****@*****.**")
     httpd_conf.add_drive_mode("auto")
     httpd_conf.add_md(names_a)
     httpd_conf.add_md(names_b)
     httpd_conf.add_vhost(names_a)
     httpd_conf.add_vhost(names_b)
     httpd_conf.install()
     #
     # both MDs must be in the store after the restart
     assert TestEnv.apache_restart() == 0
     TestEnv.check_md(names_a)
     TestEnv.check_md(names_b)
     # wait until both drives have finished
     assert TestEnv.await_completion([domain_a, domain_b])
     TestEnv.check_md_complete(domain_a)
     TestEnv.check_md_complete(domain_b)
     #
     # Each vhost must serve a certificate whose SAN list is exactly its own
     # MD's names - no name of the other MD may appear in it.
     served_a = TestEnv.get_cert(domain_a)
     assert names_a == served_a.get_san_list()
     served_b = TestEnv.get_cert(domain_b)
     assert names_b == served_b.get_san_list()
     #
     # one account only: the second MD reused the first one's registration
     assert len(TestEnv.list_accounts()) == 1
Exemplo n.º 13
    def test_702_011(self):
        """MDPortMap for 443 with tls-alpn-01: no renewal on a dead port, completion on the real one."""
        domain = self.test_domain
        www_name = "www." + domain
        md_names = [domain, www_name]

        # One MD and one vhost; external port 443 is mapped to local port 99,
        # where the server does not listen, so tls-alpn-01 cannot be answered.
        dead_port_conf = HttpdConf()
        dead_port_conf.add_admin("admin@" + domain)
        dead_port_conf.add_line("Protocols http/1.1 acme-tls/1")
        dead_port_conf.add_drive_mode("auto")
        dead_port_conf.add_ca_challenges(["tls-alpn-01"])
        dead_port_conf._add_line("MDPortMap 443:99")
        dead_port_conf.add_md(md_names)
        dead_port_conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[www_name])
        dead_port_conf.install()
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(domain, md_names)
        # with no usable challenge type the MD must not even start renewing
        assert not TestEnv.is_renewing(domain)

        # Same setup, but 443 now maps to the port the server really serves.
        live_port_conf = HttpdConf()
        live_port_conf.add_admin("admin@" + domain)
        live_port_conf.add_line("Protocols http/1.1 acme-tls/1")
        live_port_conf.add_drive_mode("auto")
        live_port_conf.add_ca_challenges(["tls-alpn-01"])
        live_port_conf._add_line("MDPortMap 443:%s" % TestEnv.HTTPS_PORT)
        live_port_conf.add_md(md_names)
        live_port_conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[www_name])
        live_port_conf.install()
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(domain, md_names)
        assert TestEnv.await_completion([domain])
Exemplo n.º 14
 def test_700_001(self):
     """An MD without a vhost is not watched; adding the vhost gets it driven."""
     domain = self.test_domain
     md_names = [domain, "www." + domain]
     # configuration with the managed domain only
     httpd_conf = HttpdConf()
     httpd_conf.add_admin("admin@" + domain)
     httpd_conf.add_drive_mode("auto")
     httpd_conf.add_md(md_names)
     httpd_conf.install()
     #
     # after the restart the MD is in the store but reported as not watched
     assert TestEnv.apache_restart() == 0
     TestEnv.check_md(md_names)
     status = TestEnv.get_md_status(domain)
     assert status["watched"] == 0
     #
     # once a vhost uses the MD, the restart must drive it to completion
     httpd_conf.add_vhost(md_names)
     httpd_conf.install()
     assert TestEnv.apache_restart() == 0
     assert TestEnv.await_completion([domain])
     TestEnv.check_md_complete(domain)
     status = TestEnv.get_md_status(domain)
     assert status["watched"] == 1
     #
     served = TestEnv.get_cert(domain)
     assert domain in served.get_san_list()
     #
     # Store hygiene after issuance: no challenge material may be left
     # behind, and the domain's files (certificate and key material) must
     # pass the suite's permission check.
     TestEnv.check_dir_empty(TestEnv.store_challenges())
     TestEnv.check_file_permissions(domain)
Exemplo n.º 15
 def test_700_010(self):
     """MDPortMap for http with http-01: no renewal on a dead port, completion on the real one."""
     domain = self.test_domain
     md_names = [domain, "www." + domain]

     def install_with_port_map(port_map_line):
         # one MD and one vhost, http-01 as the only challenge type, plus
         # the MDPortMap directive under test
         httpd_conf = HttpdConf()
         httpd_conf.add_admin("admin@" + domain)
         httpd_conf.add_drive_mode("auto")
         httpd_conf.add_ca_challenges(["http-01"])
         httpd_conf._add_line(port_map_line)
         httpd_conf.add_md(md_names)
         httpd_conf.add_vhost(md_names)
         httpd_conf.install()

     # the http port is mapped to local port 99, where the server does not
     # listen, so the http-01 challenge cannot be answered
     install_with_port_map("MDPortMap http:99")
     assert TestEnv.apache_restart() == 0
     TestEnv.check_md(md_names)
     # with no usable challenge type the MD must not even start renewing
     assert not TestEnv.is_renewing(domain)
     #
     # same setup with http mapped to the port the server really serves
     install_with_port_map("MDPortMap http:%s" % TestEnv.HTTP_PORT)
     assert TestEnv.apache_restart() == 0
     TestEnv.check_md(md_names)
     assert TestEnv.await_completion([domain])
Exemplo n.º 16
    def test_500_203(self):
        """Regression: a drive that failed on a wrong agreement URL succeeds after the URL is fixed."""
        domain = "test500-203-" + TestDrive.dns_uniq
        name = "www." + domain

        def install_md_conf(**conf_options):
            # manual-drive MD for the single name; conf_options reach HttpdConf
            httpd_conf = HttpdConf(TestDrive.TMP_CONF, **conf_options)
            httpd_conf.add_admin("admin@" + domain)
            httpd_conf.add_drive_mode("manual")
            httpd_conf.add_md([name])
            httpd_conf.install()

        def md_state():
            # state of the MD as listed by the a2md command line tool
            return TestEnv.a2md(["list", name])['jout']['output'][0]['state']

        # first round: terms-of-service URL that the CA does not accept
        install_md_conf(acmeTos=TestEnv.ACME_TOS2)
        assert TestEnv.apache_restart() == 0
        assert md_state() == TestEnv.MD_S_INCOMPLETE
        # the drive gets as far as account registration and then fails
        assert TestEnv.a2md(["-vv", "drive", name])['rv'] == 1

        # second round: default configuration, i.e. the correct TOS URL
        install_md_conf()
        time.sleep(1)
        assert TestEnv.apache_restart() == 0
        assert md_state() == TestEnv.MD_S_INCOMPLETE
        # this time the drive runs through and the MD becomes complete
        assert TestEnv.a2md(["-vv", "drive", name])['rv'] == 0
        assert md_state() == TestEnv.MD_S_COMPLETE
Exemplo n.º 17
    def test_700_004(self, challengeType):
        """Auto-drive completes when the CA challenges are limited to challengeType."""
        domain = "test700-004-" + TestAuto.dns_uniq
        www_name = "www." + domain
        md_names = [domain, www_name]

        # one MD and one TLS vhost; only the given challenge type is allowed
        httpd_conf = HttpdConf(TestAuto.TMP_CONF)
        httpd_conf.add_admin("admin@" + domain)
        httpd_conf.add_drive_mode("auto")
        httpd_conf.add_ca_challenges([challengeType])
        httpd_conf.add_md(md_names)
        httpd_conf.add_vhost(TestEnv.HTTPS_PORT,
                             domain,
                             aliasList=[www_name],
                             withSSL=True)
        httpd_conf.install()

        # the restart starts the drive; the MD must sync and then complete
        assert TestEnv.apache_restart() == 0
        self._check_md_names(domain, md_names)
        assert TestEnv.await_completion([domain])
        self._check_md_cert(md_names)

        # the certificate served over TLS has to cover the domain
        served = CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
                                           TestEnv.HTTPS_PORT, domain)
        assert domain in served.get_san_list()
Exemplo n.º 18
    def test_500_201(self, renewWindow, testDataList):
        """Check that the MD's "renew" flag follows the configured renew window.

        Each entry of testDataList is a dict: "valid" goes to
        create_self_signed_cert(), "renew" is the flag expected afterwards.
        """
        # setup: an MD for a single name, driven manually
        domain = self.test_domain
        name = "www." + domain
        httpd_conf = HttpdConf()
        httpd_conf.add_admin("admin@" + domain)
        httpd_conf.add_drive_mode("manual")
        httpd_conf.add_renew_window(renewWindow)
        httpd_conf.add_md([name])
        httpd_conf.install()
        assert TestEnv.apache_restart() == 0
        md_info = TestEnv.a2md(["list", name])['jout']['output'][0]
        assert md_info['state'] == TestEnv.MD_S_INCOMPLETE
        assert md_info['renew-window'] == renewWindow
        # setup: drive it to the COMPLETE state, remember the issued cert
        assert TestEnv.a2md(["drive", name])['rv'] == 0
        issued = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
        md_info = TestEnv.a2md(["list", name])['jout']['output'][0]
        assert md_info['state'] == TestEnv.MD_S_COMPLETE
        assert md_info['renew-window'] == renewWindow

        # swap in self-signed certificates and watch the renew indicator
        print("TRACE: start testing renew window: %s" % renewWindow)
        for case in testDataList:
            print("TRACE: create self-signed cert: %s" % case["valid"])
            CertUtil.create_self_signed_cert([name], case["valid"])
            planted = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
            # the stored certificate really was replaced
            assert planted.get_serial() != issued.get_serial()
            listing = TestEnv.a2md(["-vvvv", "list", name])
            md_info = listing['jout']['output'][0]
            assert md_info["renew"] == case["renew"], \
                "Expected renew == {} indicator in {}, test case {}, stderr {}".format(
                    case["renew"], md_info, case, listing['stderr'])
Exemplo n.º 19
    def test_7002(self):
        """Two auto-driven MDs each end up with a certificate for exactly their own names."""
        domain_a = ("%sa-" % self.test_n) + TestAuto.dns_uniq
        domain_b = ("%sb-" % self.test_n) + TestAuto.dns_uniq
        names_a = [domain_a, "www." + domain_a]
        names_b = [domain_b, "www." + domain_b]

        # two managed domains, each with a TLS vhost (apex as server name,
        # www as alias)
        httpd_conf = HttpdConf(TestAuto.TMP_CONF)
        httpd_conf.add_admin("*****@*****.**")
        httpd_conf.add_drive_mode("auto")
        httpd_conf.add_md(names_a)
        httpd_conf.add_md(names_b)
        httpd_conf.add_vhost(TestEnv.HTTPS_PORT, domain_a,
                             aliasList=[names_a[1]], withSSL=True)
        httpd_conf.add_vhost(TestEnv.HTTPS_PORT, domain_b,
                             aliasList=[names_b[1]], withSSL=True)
        httpd_conf.install()

        # both MDs must be in the store after the restart
        assert TestEnv.apache_restart() == 0
        self._check_md_names(domain_a, names_a)
        self._check_md_names(domain_b, names_b)
        # wait (second argument 30, presumably seconds) for both drives
        assert TestEnv.await_completion([domain_a, domain_b], 30)
        self._check_md_cert(names_a)
        self._check_md_cert(names_b)

        # Each vhost must serve a certificate whose SAN list is exactly its
        # own MD's names - no name of the other MD may leak into it.
        served_a = CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
                                             TestEnv.HTTPS_PORT, domain_a)
        assert names_a == served_a.get_san_list()
        served_b = CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
                                             TestEnv.HTTPS_PORT, domain_b)
        assert names_b == served_b.get_san_list()
Exemplo n.º 20
    def test_600_000(self):
        """Round trip: MD only -> manual drive -> add vhost -> check HTTPS and permissions."""
        domain = self.test_domain
        www_name = "www." + domain
        md_names = [domain, www_name]
        # step 1: configuration that holds nothing but the managed domain
        httpd_conf = HttpdConf()
        httpd_conf.add_admin("admin@" + domain)
        httpd_conf.add_drive_mode("manual")
        httpd_conf.add_md(md_names)
        httpd_conf.install()
        # step 2: restart and find the MD in the store
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(domain, md_names)
        # step 3: drive by hand, then restart so the result is picked up
        assert TestEnv.a2md(["-vvvv", "drive", domain])['rv'] == 0
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md_complete(domain)
        # step 4: add the vhost and restart again
        httpd_conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[www_name])
        httpd_conf.install()
        assert TestEnv.apache_restart() == 0
        # step 5: the served certificate must cover the domain
        served = CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
                                           TestEnv.HTTPS_PORT, domain)
        assert domain in served.get_san_list()

        # step 6: the domain's files in the store (certificate and key
        # material) must pass the suite's permission check
        TestEnv.check_file_permissions(domain)
Exemplo n.º 21
    def test_700_005(self):
        """Manual drive mode: the vhost answers 503 and presents the fallback certificate."""
        domain = "test700-005-" + TestAuto.dns_uniq
        vhost_name = "test-a." + domain
        md_names = [domain, vhost_name]

        # One MD and one TLS vhost that points at the MD's certificate and
        # key paths in the store.
        httpd_conf = HttpdConf(TestAuto.TMP_CONF)
        httpd_conf.add_admin("admin@" + domain)
        httpd_conf.add_drive_mode("manual")
        httpd_conf.add_md(md_names)
        httpd_conf.add_vhost(TestEnv.HTTPS_PORT, vhost_name, aliasList=[],
                             docRoot="htdocs/a", withSSL=True,
                             certPath=TestEnv.path_domain_pubcert(domain),
                             keyPath=TestEnv.path_domain_privkey(domain))
        httpd_conf.install()

        # publish a resource inside the vhost's document root
        doc_root = os.path.join(TestEnv.APACHE_HTDOCS_DIR, "a")
        self._write_res_file(doc_root, "name.txt", vhost_name)

        # after the restart the MD is in the store and in renew state
        assert TestEnv.apache_restart() == 0
        self._check_md_names(domain, md_names)
        assert TestEnv.await_renew_state([domain])

        # Nothing drives the MD here (mode is manual), so content must be
        # refused with 503 instead of being served without a real certificate.
        served = CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
                                           TestEnv.HTTPS_PORT, vhost_name)
        assert vhost_name in served.get_san_list()
        assert TestEnv.getStatus(vhost_name, "/name.txt") == 503

        # the certificate on the wire has to be the stored fallback one
        fallback = CertUtil(TestEnv.path_fallback_cert(domain))
        assert served.get_serial() == fallback.get_serial(), \
            "Unexpected temporary certificate on vhost %s. Expected cn: %s , but found cn: %s" % (
                vhost_name, fallback.get_cn(), served.get_cn())
Exemplo n.º 22
    def test_500_109(self):
        """HTTP->HTTPS redirects: none by default, 302 for "temporary", 301 plus HSTS for "permanent"."""
        # setup: one name, served by a plain HTTP vhost and a TLS vhost
        domain = "test500-109-" + TestDrive.dns_uniq
        name = "www." + domain
        hsts = 'Strict-Transport-Security'
        httpd_conf = HttpdConf(TestDrive.TMP_CONF)
        httpd_conf.add_admin("admin@" + domain)
        httpd_conf.add_drive_mode("manual")
        httpd_conf.add_md([name])
        httpd_conf.add_vhost(TestEnv.HTTP_PORT, name, aliasList=[],
                             docRoot="htdocs/test", withSSL=False)
        httpd_conf.add_vhost(TestEnv.HTTPS_PORT, name, aliasList=[],
                             docRoot="htdocs/test", withSSL=True)
        httpd_conf.install()
        # setup: one resource for the MD's vhosts, one for the default host
        self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR, "test"),
                             "name.txt", name)
        self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR),
                             "name.txt", "not-forbidden.org")
        assert TestEnv.apache_restart() == 0

        # obtain the certificate, restart to activate it
        assert TestEnv.a2md(["drive", name])['rv'] == 0
        assert TestEnv.apache_restart() == 0
        # phase 1, nothing required: plain HTTP is served without redirect
        assert TestEnv.get_content("not-forbidden.org", "/name.txt",
                                   useHTTPS=False) == "not-forbidden.org"
        assert TestEnv.get_content(name, "/name.txt", useHTTPS=False) == name
        meta = TestEnv.get_meta(name, "/name.txt", useHTTPS=False)
        assert int(meta['http_headers']['Content-Length']) == len(name)
        assert "Location" not in meta['http_headers']
        # ... and HTTPS works as well
        assert TestEnv.get_content(name, "/name.txt", useHTTPS=True) == name

        # phase 2, "temporary": HTTP answers 302 to the default HTTPS port
        httpd_conf.add_require_ssl("temporary")
        httpd_conf.install()
        assert TestEnv.apache_restart() == 0
        meta = TestEnv.get_meta(name, "/name.txt", useHTTPS=False)
        assert meta['http_status'] == 302
        expected_location = "https://%s/name.txt" % name
        assert meta['http_headers']['Location'] == expected_location
        # a temporary requirement must not pin clients, so no HSTS on HTTP
        assert hsts not in meta['http_headers']
        # hosts outside the MD are still served over plain HTTP
        assert TestEnv.get_content("not-forbidden.org", "/name.txt",
                                   useHTTPS=False) == "not-forbidden.org"
        meta = TestEnv.get_meta(name, "/name.txt", useHTTPS=True)
        # ... and no HSTS on the HTTPS response either
        assert hsts not in meta['http_headers']

        # phase 3, "permanent": HTTP answers 301
        httpd_conf.add_require_ssl("permanent")
        httpd_conf.install()
        assert TestEnv.apache_restart() == 0
        meta = TestEnv.get_meta(name, "/name.txt", useHTTPS=False)
        assert meta['http_status'] == 301
        expected_location = "https://%s/name.txt" % name
        assert meta['http_headers']['Location'] == expected_location
        # HSTS has no place on a plain HTTP response (RFC 6797 forbids it)
        assert hsts not in meta['http_headers']
        # only the HTTPS response carries it; 15768000 s is half a year
        meta = TestEnv.get_meta(name, "/name.txt", useHTTPS=True)
        assert meta['http_headers']['Strict-Transport-Security'] == 'max-age=15768000'
Exemplo n.º 23
    def test_600_002(self):
        """One MD covering two vhosts: both serve the same certificate, each its own content."""
        domain = "r002-" + TestRoundtrip.dns_uniq
        name_a = "test-a." + domain
        name_b = "test-b." + domain
        md_names = [domain, name_a, name_b]

        # step 1: configuration that holds nothing but the managed domain
        httpd_conf = HttpdConf(TestRoundtrip.TMP_CONF, True)
        httpd_conf.add_admin("admin@" + domain)
        httpd_conf.add_drive_mode("manual")
        httpd_conf.add_md(md_names)
        httpd_conf.install()

        # step 2: restart and find the MD in the store
        assert TestEnv.apache_restart() == 0
        self._check_md_names(domain, md_names)

        # step 3: drive it by hand
        assert TestEnv.a2md(["drive", domain])['rv'] == 0
        self._check_md_cert(md_names)

        # step 4: two TLS vhosts, both pointing at the MD's certificate and
        # key in the store, each with a document root of its own
        for vhost_name, doc_root in ((name_a, "htdocs/a"), (name_b, "htdocs/b")):
            httpd_conf.add_vhost(TestEnv.HTTPS_PORT,
                                 vhost_name,
                                 aliasList=[],
                                 docRoot=doc_root,
                                 withSSL=True,
                                 certPath=TestEnv.path_domain_pubcert(domain),
                                 keyPath=TestEnv.path_domain_privkey(domain))
        httpd_conf.install()

        # step 5: a distinguishable resource per document root
        for vhost_name, sub_dir in ((name_a, "a"), (name_b, "b")):
            self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR, sub_dir),
                                 "name.txt", vhost_name)

        # step 6: both names are covered by one and the same certificate ...
        assert TestEnv.apache_restart() == 0
        served_a = CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
                                             TestEnv.HTTPS_PORT, name_a)
        assert name_a in served_a.get_san_list()
        served_b = CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
                                             TestEnv.HTTPS_PORT, name_b)
        assert name_b in served_b.get_san_list()
        assert served_a.get_serial() == served_b.get_serial()
        # ... while requests are still routed to the matching vhost
        assert TestEnv.get_content(name_a, "/name.txt") == name_a
        assert TestEnv.get_content(name_b, "/name.txt") == name_b
Exemplo n.º 24
 def test_702_042(self):
     """Check that httpd restarts cleanly with a chain file next to an auto-driven MD.

     The config carries an ``SSLCertificateChainFile`` line pointing at
     ``valid_cert.pem`` plus debug logging for core and ssl. The only
     assertion is the restart's return code; no certificate is inspected.
     """
     md_name = self.test_domain
     names = [md_name]
     httpd_conf = HttpdConf()
     httpd_conf.add_admin("admin@" + md_name)
     # debug logging for the core and ssl modules
     for directive in ("LogLevel core:debug", "LogLevel ssl:debug"):
         httpd_conf.add_line(directive)
     chain_file = self._path_conf_ssl("valid_cert.pem")
     httpd_conf.add_line("SSLCertificateChainFile %s" % chain_file)
     httpd_conf.add_drive_mode("auto")
     httpd_conf.add_md(names)
     # the vhost is given the name list itself, not a single host name
     httpd_conf.add_vhost(TestEnv.HTTPS_PORT, names)
     httpd_conf.install()
     restart_rc = TestEnv.apache_restart()
     assert restart_rc == 0
Exemplo n.º 25
 def test_310_310(self, window):
     """Check that a non-default renew window is reported in the MD status.

     ``window`` is passed in by the caller (presumably a parametrized
     value; no decorator is visible here). After a successful restart the
     status entry ``renew-window`` must equal the configured value.
     """
     md_name = self.test_domain
     httpd_conf = HttpdConf()
     httpd_conf.add_admin("admin@" + md_name)
     # drive mode and renew window are set between start_md() and end_md()
     # (presumably that scopes them to this MD; confirm against HttpdConf)
     httpd_conf.start_md([md_name])
     httpd_conf.add_drive_mode("manual")
     httpd_conf.add_renew_window(window)
     httpd_conf.end_md()
     httpd_conf.add_vhost(TestEnv.HTTPS_PORT, md_name, aliasList=[md_name])
     httpd_conf.install()
     restart_rc = TestEnv.apache_restart()
     assert restart_rc == 0
     md_status = TestEnv.get_md_status(md_name)
     assert md_status["renew-window"] == window
Exemplo n.º 26
    def test_7009(self):
        """Check renewal of a nearly expired certificate in "auto" drive mode.

        Phases:
          1. Configure an MD with a "10d" renew window, restart, wait for the
             drive to finish, and check that the served certificate is the
             stored one.
          2. Create a self-signed certificate with little validity left; the
             test expects the MD's stored certificate to carry serial 1000
             afterwards and ``a2md list`` to flag the MD for renewal.
          3. Restart and wait: the self-signed certificate is still the one
             served, i.e. activation of the renewed certificate is delayed.
          4. Stop and start httpd: a certificate with a different serial is
             served.
        """
        md_name = self.test_domain
        names = [md_name]

        # phase 1: MD plus TLS vhost, driven automatically on restart
        httpd_conf = HttpdConf(TestAuto.TMP_CONF)
        httpd_conf.add_admin("admin@" + md_name)
        httpd_conf.add_drive_mode("auto")
        httpd_conf.add_renew_window("10d")
        httpd_conf.add_md(names)
        httpd_conf.add_vhost(TestEnv.HTTPS_PORT, md_name, aliasList=[], withSSL=True)
        httpd_conf.install()

        restart_rc = TestEnv.apache_restart()
        assert restart_rc == 0
        assert TestEnv.await_completion([md_name], 30)
        self._check_md_cert(names)
        stored_cert = CertUtil(TestEnv.path_domain_pubcert(md_name))
        # the certificate presented on the wire must be the one in the store
        served_cert = CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
                                                TestEnv.HTTPS_PORT, md_name)
        assert stored_cert.get_serial() == served_cert.get_serial()

        # phase 2: swap in a self-signed certificate close to expiry
        # (presumably offsets in days, so notAfter=9 falls inside the "10d"
        # renew window; confirm against CertUtil.create_self_signed_cert)
        validity = {"notBefore": -120, "notAfter": 9}
        CertUtil.create_self_signed_cert([md_name], validity)
        expiring_cert = CertUtil(TestEnv.path_domain_pubcert(md_name))
        assert expiring_cert.get_serial() == 1000
        time.sleep(1)
        listing = TestEnv.a2md(["list", md_name])
        assert listing['jout']['output'][0]['renew'] == True

        # phase 3: restart triggers the renewal, but the old cert stays active
        restart_rc = TestEnv.apache_restart()
        assert restart_rc == 0
        assert TestEnv.await_completion([md_name], 30)
        served_after_renewal = CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
                                                         TestEnv.HTTPS_PORT,
                                                         md_name)
        assert served_after_renewal.get_serial() == expiring_cert.get_serial()
        time.sleep(1)

        # phase 4: a full stop/start activates the renewed certificate
        stop_rc = TestEnv.apache_stop()
        assert stop_rc == 0
        start_rc = TestEnv.apache_start()
        assert start_rc == 0
        time.sleep(1)
        served_after_restart = CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
                                                         TestEnv.HTTPS_PORT,
                                                         md_name)
        assert served_after_restart.get_serial() != expiring_cert.get_serial()
Exemplo n.º 27
    def test_500_110(self):
        """Check that explicit config can override headers generated by mod_md.

        Covers an SSL-only domain with ``add_require_ssl("permanent")``:
          * an explicit ``Header set Strict-Transport-Security`` line must be
            the value served over HTTPS;
          * plain-HTTP requests must still get a 301 to the https URL, both
            for a path without a ``Redirect`` rule and for ``/a``, which has
            one. The original author marked the ``/a`` status check as a
            known failure.
        """
        # NOTE(review): the bare return makes this test count as passed, not
        # skipped, when httpd is older than 2.5.0.
        if not TestEnv.httpd_is_at_least("2.5.0"):
            return

        # setup: one MD, one vhost listening on both the HTTPS and HTTP port
        md_domain = "test500-110-" + TestDrive.dns_uniq
        host = "www." + md_domain
        httpd_conf = HttpdConf(TestDrive.TMP_CONF)
        httpd_conf.add_admin("admin@" + md_domain)
        httpd_conf.add_drive_mode("manual")
        httpd_conf.add_require_ssl("permanent")
        httpd_conf.add_md([host])
        httpd_conf._add_line("  SSLEngine *:" + TestEnv.HTTPS_PORT)
        listen_spec = TestEnv.HTTPS_PORT + " *:" + TestEnv.HTTP_PORT
        httpd_conf.add_vhost(listen_spec, host, aliasList=[], withSSL=False)
        httpd_conf.install()
        assert TestEnv.apache_restart() == 0

        # obtain the certificate, then restart again
        drive_result = TestEnv.a2md(["drive", host])
        assert drive_result['rv'] == 0
        assert TestEnv.apache_restart() == 0

        # HSTS: the explicitly configured policy must be what clients receive
        hsts_value = 'max-age=10886400; includeSubDomains; preload'
        httpd_conf._add_line(
            '  Header set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload"'
        )
        httpd_conf.install()
        assert TestEnv.apache_restart() == 0
        resp = TestEnv.get_meta(host, "/name.txt", useHTTPS=True)
        served_hsts = resp['http_headers']['Strict-Transport-Security']
        assert served_hsts == hsts_value

        # Location: add two Redirect rules, then probe over plain HTTP
        for rule in ('  Redirect /a /name.txt',
                     '  Redirect seeother /b /name.txt'):
            httpd_conf._add_line(rule)
        httpd_conf.install()
        assert TestEnv.apache_restart() == 0

        # a path without a Redirect rule still gets the mod_md redirect
        expected = "https://%s/name.txt" % host
        resp = TestEnv.get_meta(host, "/name.txt", useHTTPS=False)
        assert resp['http_status'] == 301
        assert resp['http_headers']['Location'] == expected

        # a path with a Redirect rule is expected to go to https first
        expected = "https://%s/a" % host
        resp = TestEnv.get_meta(host, "/a", useHTTPS=False)
        # FAIL: mod_alias generates Location header instead of mod_md
        assert resp['http_status'] == 301
        assert resp['http_headers']['Location'] == expected
Exemplo n.º 28
    def test_600_002(self):
        """Check that one MD covering two vhosts serves one shared certificate.

        The MD is driven before any vhost exists. Two vhosts are then
        appended, and each must present a certificate whose SAN list holds
        its own name. Both certificates must have the same serial, and each
        vhost must serve its own ``name.txt``.
        """
        md_name = self.test_domain
        host_a = "a-" + md_name
        host_b = "b-" + md_name
        all_names = [md_name, host_a, host_b]
        # (host name, docRoot in the config, folder below APACHE_HTDOCS_DIR)
        vhosts = (
            (host_a, "htdocs/a", "a"),
            (host_b, "htdocs/b", "b"),
        )

        httpd_conf = HttpdConf()
        httpd_conf.add_admin("admin@" + md_name)
        httpd_conf.add_drive_mode("manual")
        httpd_conf.add_md(all_names)
        httpd_conf.install()

        # restart and confirm the MD is in the store
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(md_name, all_names)

        # drive manually, restart, and confirm the MD is complete
        drive_result = TestEnv.a2md(["drive", md_name])
        assert drive_result['rv'] == 0
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md_complete(md_name)

        # only now add the two vhosts to the config
        for host, doc_root, _ in vhosts:
            httpd_conf.add_vhost(TestEnv.HTTPS_PORT,
                                 host,
                                 aliasList=[],
                                 docRoot=doc_root)
        httpd_conf.install()

        # give each vhost a name.txt holding its own host name
        for host, _, folder in vhosts:
            self._write_res_file(
                os.path.join(TestEnv.APACHE_HTDOCS_DIR, folder),
                "name.txt", host)

        # each vhost must present a certificate listing its name as a SAN
        assert TestEnv.apache_restart() == 0
        served = []
        for host, _, _ in vhosts:
            cert = CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
                                             TestEnv.HTTPS_PORT, host)
            assert host in cert.get_san_list()
            served.append(cert)
        # same serial on both vhosts: one certificate covers the whole MD
        assert served[0].get_serial() == served[1].get_serial()
        for host, _, _ in vhosts:
            assert TestEnv.get_content(host, "/name.txt") == host
Exemplo n.º 29
 def test_700_008a(self):
     """Check that an MD in "always" drive mode completes through an HTTP proxy.

     The proxy is ``http://localhost:<TestEnv.HTTP_PROXY_PORT>``. No vhost
     is configured for the domain.
     """
     md_name = self.test_domain
     names = [md_name]
     proxy_url = "http://localhost:%s" % TestEnv.HTTP_PROXY_PORT
     httpd_conf = HttpdConf()
     httpd_conf.add_admin("admin@" + md_name)
     httpd_conf.add_drive_mode("always")
     httpd_conf.add_http_proxy(proxy_url)
     httpd_conf.add_md(names)
     httpd_conf.install()

     # the first restart starts the drive; wait until it has finished
     first_rc = TestEnv.apache_restart()
     assert first_rc == 0
     assert TestEnv.await_completion([md_name])
     # restart once more before checking that the MD is complete
     second_rc = TestEnv.apache_restart()
     assert second_rc == 0
     TestEnv.check_md_complete(md_name)
Exemplo n.º 30
    def test_700_008a(self):
        """Drive an MD in "always" mode through an HTTP proxy and check its certificate."""
        # domain name made unique per run via TestAuto.dns_uniq
        domain = "test700-008a-" + TestAuto.dns_uniq
        dns_list = [ domain ]

        # config: one MD, no vhost, with an HTTP proxy on localhost
        conf = HttpdConf( TestAuto.TMP_CONF )
        conf.add_admin( "admin@" + domain )
        conf.add_drive_mode( "always" )
        conf.add_http_proxy( "http://localhost:%s"  % TestEnv.HTTP_PROXY_PORT)
        conf.add_md( dns_list )
        conf.install()

        # - restart (-> drive), check that md is in store
        assert TestEnv.apache_restart() == 0
        # wait for the drive to finish, then restart once more before checking
        assert TestEnv.await_completion( [ domain ] )
        assert TestEnv.apache_restart() == 0
        self._check_md_cert( dns_list )