Пример #1
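def test_http_challenge_https_redirect():
    """Check that HTTP-01 validation follows an HTTP -> HTTPS redirect.

    The challenge path of a random domain is redirected to the same path on
    the same domain under ``https://``; issuance is expected to succeed.
    """
    client = chisel.make_client()

    # Create an authz for a random domain and get its HTTP-01 challenge token
    d, chall = rand_http_chall(client)
    token = chall.encode("token")

    # Create an HTTP redirect from the challenge's validation path to an HTTPS
    # address with the same path.
    challengePath = "/.well-known/acme-challenge/{0}".format(token)
    add_http_redirect(challengePath, "https://{0}{1}".format(d, challengePath))

    try:
        auth_and_issue([d], client=client, chall_type="http-01")
    finally:
        # Remove the redirect even when issuance raises, so a failing run
        # does not leave it registered for whatever runs next.
        remove_http_redirect(challengePath)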
Пример #2
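def test_http_challenge_loop_redirect():
    """Check that a self-referencing redirect fails HTTP-01 validation.

    The challenge path is redirected to itself, and the test expects the
    ``urn:acme:error:connection`` problem instead of an issued certificate.
    This pins down that the validator gives up on a redirect loop and
    reports it as a connection problem rather than following it forever.
    """
    client = chisel.make_client()

    # Create an authz for a random domain and get its HTTP-01 challenge token
    d, chall = rand_http_chall(client)
    token = chall.encode("token")

    # Create an HTTP redirect from the challenge's validation path to itself
    challengePath = "/.well-known/acme-challenge/{0}".format(token)
    add_http_redirect(challengePath, "http://{0}{1}".format(d, challengePath))

    try:
        # Issuing for the name should fail because of the challenge domain's
        # redirect loop.
        chisel.expect_problem(
            "urn:acme:error:connection",
            lambda: auth_and_issue([d], client=client, chall_type="http-01"))
    finally:
        # Remove the redirect even when the expectation fails, so the loop
        # does not stay registered for whatever runs next.
        remove_http_redirect(challengePath)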
Пример #3
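def test_http_challenge_badproto_redirect():
    """Check that a redirect to a non-HTTP(S) scheme fails validation.

    The challenge path is redirected to a ``gopher://`` URL on the same
    domain, and the test expects the ``urn:acme:error:connection`` problem.
    A validator that followed arbitrary schemes could be pointed at
    protocols it was never meant to speak, so the refusal is what is being
    pinned down here.
    """
    client = chisel.make_client()

    # Create an authz for a random domain and get its HTTP-01 challenge token
    d, chall = rand_http_chall(client)
    token = chall.encode("token")

    # Create an HTTP redirect from the challenge's validation path to a URL
    # whose scheme is neither http nor https.
    challengePath = "/.well-known/acme-challenge/{0}".format(token)
    add_http_redirect(challengePath,
                      "gopher://{0}{1}".format(d, challengePath))

    try:
        # Issuing for the name should cause a connection error because the
        # redirect URL has an invalid protocol scheme.
        chisel.expect_problem(
            "urn:acme:error:connection",
            lambda: auth_and_issue([d], client=client, chall_type="http-01"))
    finally:
        # Remove the redirect even when the expectation fails, so the bad
        # redirect does not stay registered for whatever runs next.
        remove_http_redirect(challengePath)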
Пример #4
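def test_http_challenge_badhost_redirect():
    """Check that a redirect to a bare IP address fails validation.

    The challenge path is redirected to ``https://127.0.0.1`` and the test
    expects the ``urn:acme:error:connection`` problem. Refusing IP-literal
    redirect targets keeps a domain owner's redirect from steering the
    validator at loopback or other addresses instead of a DNS name.
    """
    client = chisel.make_client()

    # Create an authz for a random domain and get its HTTP-01 challenge token
    d, chall = rand_http_chall(client)
    token = chall.encode("token")

    # Create an HTTP redirect from the challenge's validation path to a URL
    # whose host is a bare IP address.
    challengePath = "/.well-known/acme-challenge/{0}".format(token)
    add_http_redirect(challengePath,
                      "https://127.0.0.1{0}".format(challengePath))

    try:
        # Issuing for the name should cause a connection error because the
        # redirect host is an IP address rather than a domain name.
        chisel.expect_problem(
            "urn:acme:error:connection",
            lambda: auth_and_issue([d], client=client, chall_type="http-01"))
    finally:
        # Remove the redirect even when the expectation fails, so the bad
        # redirect does not stay registered for whatever runs next.
        remove_http_redirect(challengePath)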
Пример #5
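def test_http_challenge_http_redirect():
    """Check that HTTP-01 validation follows a plain HTTP redirect.

    The key authorization is served from a non-standard token path
    (``http-redirect``) and the real challenge path redirects there, so
    issuance can only succeed if the validator follows the redirect.
    """
    client = chisel.make_client()

    # Create an authz for a random domain and get its HTTP-01 challenge token
    d, chall = rand_http_chall(client)
    token = chall.encode("token")
    # Calculate its keyauth so we can add it in a special non-standard location
    # for the redirect result
    resp = chall.response(client.key)
    keyauth = resp.key_authorization
    add_http01_response("http-redirect", keyauth)

    try:
        # Create an HTTP redirect from the challenge's validation path to some
        # other token path where we have registered the key authorization.
        challengePath = "/.well-known/acme-challenge/{0}".format(token)
        add_http_redirect(
            challengePath,
            "http://{0}/.well-known/acme-challenge/http-redirect".format(d))

        try:
            auth_and_issue([d], client=client, chall_type="http-01")
        finally:
            # Remove the redirect even when issuance raises.
            remove_http_redirect(challengePath)
    finally:
        # The registered response is removed last, matching the original
        # teardown order, and also when registering the redirect fails.
        remove_http01_response("http-redirect")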
Пример #6
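def test_http_challenge_https_redirect():
    """Check that HTTP-01 validation follows an HTTP -> HTTPS redirect.

    The challenge path of a random domain is redirected to the same path on
    the same domain under ``https://``, and an A record for the domain is
    registered with the challenge test server so the HTTPS request has an
    address to reach. Issuance is expected to succeed.
    """
    client = chisel.make_client()

    # Create an authz for a random domain and get its HTTP-01 challenge token
    d, chall = rand_http_chall(client)
    token = chall.encode("token")

    # Create an HTTP redirect from the challenge's validation path to an HTTPS
    # address with the same path.
    challengePath = "/.well-known/acme-challenge/{0}".format(token)
    add_http_redirect(challengePath, "https://{0}{1}".format(d, challengePath))

    try:
        # Also add an A record for the domain pointing to the interface that
        # the HTTPS HTTP-01 challtestsrv is bound to.
        # NOTE(review): this record is not removed anywhere in this test;
        # confirm whether the suite clears it elsewhere.
        urllib2.urlopen("{0}/add-a".format(challsrv_url_base),
                        data=json.dumps({
                            "host": d,
                            "addresses": ["10.77.77.77"],
                        })).read()

        auth_and_issue([d], client=client, chall_type="http-01")
    finally:
        # Remove the redirect even when the A-record request or issuance
        # raises, so it does not stay registered for whatever runs next.
        remove_http_redirect(challengePath)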