def test_702_011(self):
    """Drive a tls-alpn-01 managed domain with two different ``MDPortMap https:`` targets.

    Phase 1 maps https to port 99 and asserts that no renewal is running.
    Phase 2 maps https to ``TestEnv.HTTPS_PORT`` and asserts that the
    renewal completes. Apart from the MDPortMap line, both phases install
    the same configuration.
    """
    md_domain = self.test_domain
    names = [md_domain, "www." + md_domain]

    def install_and_restart(port_map_directive):
        # One MD and one vhost over the same names, restricted to the
        # tls-alpn-01 challenge with the acme-tls/1 protocol enabled.
        cfg = HttpdConf()
        cfg.add_admin("admin@" + md_domain)
        cfg.add_line("Protocols http/1.1 acme-tls/1")
        cfg.add_drive_mode("auto")
        cfg.add_ca_challenges(["tls-alpn-01"])
        cfg._add_line(port_map_directive)
        cfg.add_md(names)
        cfg.add_vhost(names)
        cfg.install()
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(names)

    # Phase 1: the original comment states the server does not listen on
    # port 99, so the only permitted challenge cannot be answered there.
    # The security-relevant expectation is that no renewal is started.
    install_and_restart("MDPortMap https:99")
    assert not TestEnv.is_renewing(md_domain)

    # Phase 2: https is mapped to the port the test server serves TLS on.
    install_and_restart("MDPortMap https:%s" % TestEnv.HTTPS_PORT)
    assert TestEnv.await_completion([md_domain])
def test_700_011(self):
    """Drive a tls-sni-01 managed domain with two different ``MDPortMap 443:`` targets.

    Phase 1 maps 443 to port 99 and expects the drive to end in an error.
    Phase 2 maps 443 to ``TestEnv.HTTPS_PORT`` and expects completion.

    NOTE(review): tls-sni-01 has been withdrawn by public ACME CAs in favour
    of tls-alpn-01 -- confirm the CA used by this test setup still offers it.
    """
    md_domain = "test700-011-" + TestAuto.dns_uniq
    names = [md_domain, "www." + md_domain]

    def install_and_restart(port_map_directive):
        # One MD and one SSL vhost; only the MDPortMap line varies.
        cfg = HttpdConf(TestAuto.TMP_CONF)
        cfg.add_admin("admin@" + md_domain)
        cfg.add_drive_mode("auto")
        cfg.add_ca_challenges(["tls-sni-01"])
        cfg._add_line(port_map_directive)
        cfg.add_md(names)
        cfg.add_vhost(TestEnv.HTTPS_PORT, md_domain, aliasList=[names[1]], withSSL=True)
        cfg.install()
        assert TestEnv.apache_restart() == 0
        self._check_md_names(md_domain, names)

    # Phase 1: per the original comment nothing listens on port 99, so the
    # challenge cannot be served and the drive must report an error.
    install_and_restart("MDPortMap 443:99")
    assert TestEnv.await_error([md_domain])

    # Phase 2: 443 is mapped to the port the test server serves TLS on.
    install_and_restart("MDPortMap 443:%s" % TestEnv.HTTPS_PORT)
    assert TestEnv.await_completion([md_domain])
def test_702_010(self):
    """Drive an http-01 managed domain with two different ``MDPortMap 80:`` targets.

    Phase 1 maps port 80 to port 99 and asserts that no renewal is running.
    Phase 2 maps port 80 to ``TestEnv.HTTP_PORT`` and asserts completion.
    """
    md_domain = self.test_domain
    names = [md_domain, "www." + md_domain]

    def install_and_restart(port_map_directive):
        # One MD and one vhost, restricted to the http-01 challenge.
        cfg = HttpdConf()
        cfg.add_admin("admin@" + md_domain)
        cfg.add_drive_mode("auto")
        cfg.add_ca_challenges(["http-01"])
        cfg._add_line(port_map_directive)
        cfg.add_md(names)
        cfg.add_vhost(TestEnv.HTTPS_PORT, md_domain, aliasList=[names[1]])
        cfg.install()
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md(md_domain, names)

    # Phase 1: per the original comment the server does not listen on the
    # mapped port 99; the expectation is that no renewal is attempted.
    install_and_restart("MDPortMap 80:99")
    assert not TestEnv.is_renewing(md_domain)

    # Phase 2: port 80 is mapped to the port the test server serves HTTP on.
    install_and_restart("MDPortMap 80:%s" % TestEnv.HTTP_PORT)
    assert TestEnv.await_completion([md_domain])
def test_7021(self):
    """Drive a managed domain with ``MDNotifyCmd`` set and check the error totals.

    The configuration makes httpd run ``notify.py`` from ``TestEnv.TESTROOT``
    as the notify command. After the drive completes and the certificate is
    checked, the test asserts that ``TestEnv.apache_err_total()`` is (0, 0).
    """
    md_domain = ("%s-" % self.test_n) + TestAuto.dns_uniq
    names = [md_domain, "www." + md_domain]

    cfg = HttpdConf(TestAuto.TMP_CONF)
    cfg.add_admin("*****@*****.**")
    # MDNotifyCmd points httpd at an external program; the path is built
    # from the test root, not from any request data.
    cfg._add_line("MDNotifyCmd %s/notify.py" % TestEnv.TESTROOT)
    cfg.add_drive_mode("auto")
    cfg.add_md(names)
    cfg.add_vhost(TestEnv.HTTPS_PORT, md_domain, aliasList=[names[1]], withSSL=True)
    cfg.install()

    # After the restart the MD has to be present in the store.
    assert TestEnv.apache_restart() == 0
    self._check_md_names(md_domain, names)

    # Wait for the drive to finish, then verify the certificate.
    assert TestEnv.await_completion([md_domain], 30)
    self._check_md_cert(names)

    # NOTE(review): the original comment here read "this command should have
    # failed and logged an error", yet the assertion expects totals of
    # (0, 0) -- confirm which of the two reflects the intended behaviour.
    TestEnv.apachectl_stderr = None
    assert TestEnv.apache_err_total() == (0, 0)
def test_702_032(self):
    """Merge a second name into an existing MD and expect a newly issued certificate.

    Phase 1 sets up two MDs with one vhost each and checks that each vhost
    serves a certificate whose SAN list contains its name. Phase 2 removes
    the second MD and adds its name as an alias of the first vhost; with
    ``MDMembers auto`` the first MD must then cover both names and serve a
    certificate with a different serial number.
    """
    md_domain = self.test_domain
    name1 = "server1." + md_domain
    # Different parent domain for the second name; the original comment gives
    # avoiding CA rate limits as the reason.
    name2 = "server2.b" + md_domain

    def served_cert(host):
        return CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, host)

    # Phase 1: two MDs, two vhosts.
    cfg = HttpdConf()
    cfg.add_admin("admin@" + md_domain)
    cfg._add_line("MDMembers auto")
    for host in (name1, name2):
        cfg.add_md([host])
    for host, doc_root in ((name1, "htdocs/a"), (name2, "htdocs/b")):
        cfg.add_vhost(TestEnv.HTTPS_PORT, host, aliasList=[], docRoot=doc_root)
    cfg.install()

    # The restart triggers the drive; both MDs must be synched and complete.
    assert TestEnv.apache_restart() == 0
    for host in (name1, name2):
        TestEnv.check_md(host, [host])
    assert TestEnv.await_completion([name1, name2])
    TestEnv.check_md_complete(name2)

    # Each vhost must present a certificate naming it in the SAN list.
    first_cert = served_cert(name1)
    assert name1 in first_cert.get_san_list()
    second_cert = served_cert(name2)
    assert name2 in second_cert.get_san_list()

    # Phase 2: drop the second MD and vhost, alias name2 onto the first vhost.
    cfg = HttpdConf()
    cfg.add_admin("admin@" + md_domain)
    cfg._add_line("MDMembers auto")
    cfg.add_md([name1])
    cfg.add_vhost(TestEnv.HTTPS_PORT, name1, aliasList=[name2], docRoot="htdocs/a")
    cfg.install()
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md(name1, [name1, name2])
    assert TestEnv.await_completion([name1])

    # The certificate now served must cover both names and must not be the
    # old one: a changed SAN set requires a fresh issuance.
    merged_cert = served_cert(name1)
    for expected in (name1, name2):
        assert expected in merged_cert.get_san_list()
    assert first_cert.get_serial() != merged_cert.get_serial()
def test_700_032(self):
    """Merge a second name into an existing MD and expect a newly issued certificate.

    Phase 1 sets up two MDs with one SSL vhost each. Phase 2 removes the
    second MD and adds its name as an alias of the first vhost; with
    ``MDMembers auto`` the first MD must then cover both names and the
    served certificate must carry a different serial number.
    """
    md_domain = "test700-032-" + TestAuto.dns_uniq
    name1 = "server1." + md_domain
    # Different parent domain for the second name; the original comment gives
    # avoiding CA rate limits as the reason.
    name2 = "server2." + TestAuto.dns_uniq

    def served_cert(host):
        return CertUtil.load_server_cert(TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT, host)

    def add_ssl_vhost(cfg, host, aliases, doc_root):
        # Certificate and key paths are derived from md_domain for every vhost.
        cfg.add_vhost(
            TestEnv.HTTPS_PORT,
            host,
            aliasList=aliases,
            docRoot=doc_root,
            withSSL=True,
            certPath=TestEnv.path_domain_pubcert(md_domain),
            keyPath=TestEnv.path_domain_privkey(md_domain),
        )

    # Phase 1: two MDs, two vhosts.
    cfg = HttpdConf(TestAuto.TMP_CONF)
    cfg.add_admin("admin@" + md_domain)
    cfg._add_line("MDMembers auto")
    for host in (name1, name2):
        cfg.add_md([host])
    add_ssl_vhost(cfg, name1, [], "htdocs/a")
    add_ssl_vhost(cfg, name2, [], "htdocs/b")
    cfg.install()

    # The restart triggers the drive; check MD names, then wait for completion.
    assert TestEnv.apache_restart() == 0
    for host in (name1, name2):
        self._check_md_names(host, [host])
    # NOTE(review): only name1 is awaited here although name2's certificate
    # is checked right after -- confirm that this is intentional.
    assert TestEnv.await_completion([name1])
    self._check_md_cert([name2])

    # Each vhost must present a certificate naming it in the SAN list.
    first_cert = served_cert(name1)
    assert name1 in first_cert.get_san_list()
    second_cert = served_cert(name2)
    assert name2 in second_cert.get_san_list()

    # Phase 2: drop the second MD and vhost, alias name2 onto the first vhost.
    cfg = HttpdConf(TestAuto.TMP_CONF)
    cfg.add_admin("admin@" + md_domain)
    cfg._add_line("MDMembers auto")
    cfg.add_md([name1])
    add_ssl_vhost(cfg, name1, [name2], "htdocs/a")
    cfg.install()

    # After the restart the MD must list both names. The served certificate
    # must cover both and must have a new serial (the original comment said
    # "same cert", but the assertion below requires the serials to differ).
    assert TestEnv.apache_restart() == 0
    self._check_md_names(name1, [name1, name2])
    assert TestEnv.await_completion([name1])
    merged_cert = served_cert(name1)
    for expected in (name1, name2):
        assert expected in merged_cert.get_san_list()
    assert first_cert.get_serial() != merged_cert.get_serial()
def test_702_032(self):
    """Merge a second name into an existing MD and expect a newly issued certificate.

    Phase 1 sets up two MDs with one vhost each and checks the SAN list of
    each served certificate. Phase 2 removes the second MD and serves both
    names from one vhost; with ``MDMembers auto`` the first MD must then
    cover both names and present a certificate with a different serial.
    """
    md_domain = self.test_domain
    name1 = "server1." + md_domain
    # Different parent domain for the second name; the original comment gives
    # avoiding CA rate limits as the reason.
    name2 = "server2.b" + md_domain

    # Phase 1: two MDs, two vhosts.
    cfg = HttpdConf()
    cfg.add_admin("admin@" + md_domain)
    cfg._add_line("MDMembers auto")
    for host in (name1, name2):
        cfg.add_md([host])
    for host in (name1, name2):
        cfg.add_vhost(host)
    cfg.install()

    # The restart triggers the drive; both MDs must be synched and complete.
    assert TestEnv.apache_restart() == 0
    for host in (name1, name2):
        TestEnv.check_md([host])
    assert TestEnv.await_completion([name1, name2])
    TestEnv.check_md_complete(name2)

    # Each vhost must present a certificate naming it in the SAN list.
    first_cert = TestEnv.get_cert(name1)
    assert name1 in first_cert.get_san_list()
    second_cert = TestEnv.get_cert(name2)
    assert name2 in second_cert.get_san_list()

    # Phase 2: drop the second MD and vhost, serve both names from one vhost.
    cfg = HttpdConf()
    cfg.add_admin("admin@" + md_domain)
    cfg._add_line("MDMembers auto")
    cfg.add_md([name1])
    cfg.add_vhost([name1, name2])
    cfg.install()
    assert TestEnv.apache_restart() == 0
    TestEnv.check_md([name1, name2])
    assert TestEnv.await_completion([name1])

    # The certificate now served must cover both names and must not be the
    # old one: a changed SAN set requires a fresh issuance.
    merged_cert = TestEnv.get_cert(name1)
    for expected in (name1, name2):
        assert expected in merged_cert.get_san_list()
    assert first_cert.get_serial() != merged_cert.get_serial()
def test_500_110(self):
    """SSL-only domain: override the headers that mod_md generates.

    With ``permanent`` required SSL, the test first overrides the
    Strict-Transport-Security header via ``Header set`` and checks the value
    seen over HTTPS. It then adds mod_alias ``Redirect`` rules and checks the
    status and Location header of plain-HTTP requests.
    """
    # On httpd older than 2.5.0 the test returns early; it is then reported
    # as passed, not skipped.
    version_ok = TestEnv.httpd_is_at_least("2.5.0")
    if not version_ok:
        return

    md_domain = "test500-110-" + TestDrive.dns_uniq
    host = "www." + md_domain

    # Setup: one manually driven MD, one vhost bound to both ports.
    cfg = HttpdConf(TestDrive.TMP_CONF)
    cfg.add_admin("admin@" + md_domain)
    cfg.add_drive_mode("manual")
    cfg.add_require_ssl("permanent")
    cfg.add_md([host])
    cfg._add_line(" SSLEngine *:" + TestEnv.HTTPS_PORT)
    cfg.add_vhost(TestEnv.HTTPS_PORT + " *:" + TestEnv.HTTP_PORT, host, aliasList=[], withSSL=False)
    cfg.install()
    assert TestEnv.apache_restart() == 0

    # Drive the MD, then restart to pick up the result.
    drive_result = TestEnv.a2md(["drive", host])
    assert drive_result['rv'] == 0
    assert TestEnv.apache_restart() == 0

    # Override the HSTS header; the configured value must be what a client
    # receives over HTTPS.
    cfg._add_line(
        ' Header set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload"'
    )
    cfg.install()
    assert TestEnv.apache_restart() == 0
    meta = TestEnv.get_meta(host, "/name.txt", useHTTPS=True)
    sts_header = meta['http_headers']['Strict-Transport-Security']
    assert sts_header == 'max-age=10886400; includeSubDomains; preload'

    # Add mod_alias redirect rules.
    cfg._add_line(' Redirect /a /name.txt')
    cfg._add_line(' Redirect seeother /b /name.txt')
    cfg.install()
    assert TestEnv.apache_restart() == 0

    # A plain-HTTP request must still get mod_md's permanent redirect to HTTPS.
    expected_location = "https://%s/name.txt" % host
    meta = TestEnv.get_meta(host, "/name.txt", useHTTPS=False)
    assert meta['http_status'] == 301
    assert meta['http_headers']['Location'] == expected_location

    # A path covered by a mod_alias rule is expected to get the HTTPS
    # redirect for the same path as well.
    expected_location = "https://%s/a" % host
    meta = TestEnv.get_meta(host, "/a", useHTTPS=False)
    assert meta['http_status'] == 301
    # Original author's note: FAIL -- mod_alias generates the Location header
    # instead of mod_md.
    assert meta['http_headers']['Location'] == expected_location
def test_500_111(self):
    """Vhost serving HTTP and HTTPS in parallel: check mod_alias redirects.

    After driving the MD, two ``Redirect`` rules are added. The test checks
    that the Location header keeps the scheme and port of the request:
    ``http://`` with HTTP_PORT for plain requests, ``https://`` with
    HTTPS_PORT for TLS requests.
    """
    # On httpd older than 2.5.0 the test returns early; it is then reported
    # as passed, not skipped.
    version_ok = TestEnv.httpd_is_at_least("2.5.0")
    if not version_ok:
        return

    md_domain = "test500-111-" + TestDrive.dns_uniq
    host = "www." + md_domain

    # Setup: one manually driven MD, one vhost bound to both ports.
    cfg = HttpdConf(TestDrive.TMP_CONF)
    cfg.add_admin("admin@" + md_domain)
    cfg.add_drive_mode("manual")
    cfg.add_md([host])
    cfg._add_line(" LogLevel alias:debug")
    cfg._add_line(" SSLEngine *:" + TestEnv.HTTPS_PORT)
    cfg.start_vhost(TestEnv.HTTPS_PORT + " *:" + TestEnv.HTTP_PORT, host, aliasList=[], withSSL=False)
    cfg.end_vhost()
    cfg.install()
    assert TestEnv.apache_restart() == 0

    # Drive the MD, then restart to pick up the result.
    drive_result = TestEnv.a2md(["drive", host])
    assert drive_result['rv'] == 0
    assert TestEnv.apache_restart() == 0

    # Place the redirect rules: /a uses the default status, /b uses seeother.
    cfg._add_line(' Redirect /a /name.txt')
    cfg._add_line(' Redirect seeother /b /name.txt')
    cfg.install()
    assert TestEnv.apache_restart() == 0

    rules = (("/a", 302), ("/b", 303))

    # Redirects requested over plain HTTP.
    expected_location = "http://%s:%s/name.txt" % (host, TestEnv.HTTP_PORT)
    for path, status in rules:
        meta = TestEnv.get_meta(host, path, useHTTPS=False)
        assert meta['http_status'] == status
        assert meta['http_headers']['Location'] == expected_location

    # Redirects requested over HTTPS. A Location that falls back to http://
    # would send the client off TLS. Original author's note on the /a check:
    # FAIL -- expected 'https://...' but found 'http://...'.
    expected_location = "https://%s:%s/name.txt" % (host, TestEnv.HTTPS_PORT)
    for path, status in rules:
        meta = TestEnv.get_meta(host, path, useHTTPS=True)
        assert meta['http_status'] == status
        assert meta['http_headers']['Location'] == expected_location
def test_500_111(self):
    """Vhosts serving HTTP and HTTPS in parallel: check mod_alias redirects.

    After driving the MD, two ``Redirect`` rules are added. The test checks
    that the Location header keeps the scheme and port of the request:
    ``http://`` with HTTP_PORT for plain requests, ``https://`` with
    HTTPS_PORT for TLS requests.
    """
    md_domain = self.test_domain
    host = "www." + md_domain

    # Setup: one manually driven MD and two vhosts for the same name, one
    # with an explicit HTTP port and one with the default arguments.
    cfg = HttpdConf()
    cfg.add_admin("admin@" + md_domain)
    cfg.add_drive_mode("manual")
    cfg.add_md([host])
    cfg._add_line(" LogLevel alias:debug")
    cfg.add_vhost(host, port=TestEnv.HTTP_PORT)
    cfg.add_vhost(host)
    cfg.install()
    assert TestEnv.apache_restart() == 0

    # Drive the MD, then restart to pick up the result.
    drive_result = TestEnv.a2md(["drive", host])
    assert drive_result['rv'] == 0
    assert TestEnv.apache_restart() == 0

    # Place the redirect rules: /a uses the default status, /b uses seeother.
    cfg._add_line(' Redirect /a /name.txt')
    cfg._add_line(' Redirect seeother /b /name.txt')
    cfg.install()
    assert TestEnv.apache_restart() == 0

    rules = (("/a", 302), ("/b", 303))

    # Redirects requested over plain HTTP.
    expected_location = "http://%s:%s/name.txt" % (host, TestEnv.HTTP_PORT)
    for path, status in rules:
        meta = TestEnv.get_meta(host, path, useHTTPS=False)
        assert meta['http_status'] == status
        assert meta['http_headers']['Location'] == expected_location

    # Redirects requested over HTTPS. A Location that falls back to http://
    # would send the client off TLS. Original author's note on the /a check:
    # FAIL -- expected 'https://...' but found 'http://...'.
    expected_location = "https://%s:%s/name.txt" % (host, TestEnv.HTTPS_PORT)
    for path, status in rules:
        meta = TestEnv.get_meta(host, path, useHTTPS=True)
        assert meta['http_status'] == status
        assert meta['http_headers']['Location'] == expected_location
def test_500_109(self):
    """Redirect behaviour of an SSL-only domain for each require-SSL setting.

    Three stages are checked on the same vhost:
      * no SSL requirement: plain HTTP is served without any redirect;
      * ``temporary``: plain HTTP gets a 302 to HTTPS, and no
        Strict-Transport-Security header appears on HTTP or HTTPS;
      * ``permanent``: plain HTTP gets a 301 to HTTPS without the header,
        and the HTTPS response carries ``max-age=15768000``.
    The default vhost (example.org) must stay free of redirects.
    """
    # On httpd older than 2.5.0 the test returns early; it is then reported
    # as passed, not skipped.
    version_ok = TestEnv.httpd_is_at_least("2.5.0")
    if not version_ok:
        return

    md_domain = "test500-109-" + TestDrive.dns_uniq
    host = "www." + md_domain
    hsts = 'Strict-Transport-Security'

    # Setup: one manually driven MD, one vhost bound to both ports.
    cfg = HttpdConf(TestDrive.TMP_CONF)
    cfg.add_admin("admin@" + md_domain)
    cfg.add_drive_mode("manual")
    cfg.add_md([host])
    cfg._add_line(" SSLEngine *:" + TestEnv.HTTPS_PORT)
    cfg.add_vhost(TestEnv.HTTPS_PORT + " *:" + TestEnv.HTTP_PORT, host, aliasList=[],
                  docRoot="htdocs/test", withSSL=False)
    cfg.install()

    # Resource files: each document root gets a name.txt identifying the
    # vhost that serves it.
    self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR, "test"), "name.txt", host)
    self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR), "name.txt", "example.org")
    assert TestEnv.apache_restart() == 0

    # Drive the MD, then restart to pick up the result.
    drive_result = TestEnv.a2md(["drive", host])
    assert drive_result['rv'] == 0
    assert TestEnv.apache_restart() == 0

    # Stage 1: no SSL requirement -- plain HTTP is answered directly.
    assert TestEnv.get_content("example.org", "/name.txt", useHTTPS=False) == "example.org"
    assert TestEnv.get_content(host, "/name.txt", useHTTPS=False) == host
    meta = TestEnv.get_meta(host, "/name.txt", useHTTPS=False)
    assert int(meta['http_headers']['Content-Length']) == len(host)
    assert "Location" not in meta['http_headers']
    # HTTPS access works as well.
    assert TestEnv.get_content(host, "/name.txt", useHTTPS=True) == host

    # Stage 2: temporary requirement -- 302 to the default HTTPS port.
    cfg.add_require_ssl("temporary")
    cfg.install()
    assert TestEnv.apache_restart() == 0
    meta = TestEnv.get_meta(host, "/name.txt", useHTTPS=False)
    assert meta['http_status'] == 302
    expected_location = "https://%s/name.txt" % host
    assert meta['http_headers']['Location'] == expected_location
    # No HSTS header on the plain-HTTP redirect.
    assert hsts not in meta['http_headers']
    # The default HTTP vhost is still served without a redirect.
    assert TestEnv.get_content("example.org", "/name.txt", useHTTPS=False) == "example.org"
    # No HSTS header over HTTPS either while the requirement is temporary.
    meta = TestEnv.get_meta(host, "/name.txt", useHTTPS=True)
    assert hsts not in meta['http_headers']

    # Stage 3: permanent requirement -- 301 to HTTPS.
    cfg.add_require_ssl("permanent")
    cfg.install()
    assert TestEnv.apache_restart() == 0
    meta = TestEnv.get_meta(host, "/name.txt", useHTTPS=False)
    assert meta['http_status'] == 301
    expected_location = "https://%s/name.txt" % host
    assert meta['http_headers']['Location'] == expected_location
    # Still no HSTS header on the plain-HTTP response.
    assert hsts not in meta['http_headers']
    # Over HTTPS the header must now be present with the asserted max-age.
    meta = TestEnv.get_meta(host, "/name.txt", useHTTPS=True)
    assert meta['http_headers'][hsts] == 'max-age=15768000'