1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
|
# test mod_md status resources
import os
import re
from datetime import timedelta
import pytest
from pyhttpd.certs import CertificateSpec
from .md_conf import MDConf
from shutil import copyfile
from .md_env import MDTestEnv
@pytest.mark.skipif(condition=not MDTestEnv.has_acme_server(),
reason="no ACME test server configured")
class TestStatus:
@pytest.fixture(autouse=True, scope='class')
def _class_scope(self, env, acme):
acme.start(config='default')
env.check_acme()
env.clear_store()
@pytest.fixture(autouse=True, scope='function')
def _method_scope(self, env, request):
env.clear_store()
self.test_domain = env.get_request_domain(request)
# simple MD, drive it, check status before activation
def test_md_920_001(self, env):
domain = self.test_domain
domains = [domain]
conf = MDConf(env)
conf.add_md(domains)
conf.add_vhost(domain)
conf.install()
assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
assert env.await_completion([domain], restart=False)
# we started without a valid certificate, so we expect /.httpd/certificate-status
# to not give information about one and - since we waited for the ACME signup
# to complete - to give information in 'renewal' about the new cert.
status = env.get_certificate_status(domain)
assert 'sha256-fingerprint' not in status
assert 'valid' not in status
assert 'renewal' in status
assert 'valid' in status['renewal']['cert']
assert 'sha256-fingerprint' in status['renewal']['cert']['rsa']
# restart and activate
# once activated, the staging must be gone and attributes exist for the active cert
assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
status = env.get_certificate_status(domain)
assert 'renewal' not in status
assert 'sha256-fingerprint' in status['rsa']
assert 'valid' in status['rsa']
assert 'from' in status['rsa']['valid']
# simple MD, drive it, manipulate staged credentials and check status
def test_md_920_002(self, env):
domain = self.test_domain
domains = [domain]
conf = MDConf(env)
conf.add_md(domains)
conf.add_vhost(domain)
conf.install()
assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
assert env.await_completion([domain], restart=False)
# copy a real certificate from LE over to staging
staged_cert = os.path.join(env.store_dir, 'staging', domain, 'pubcert.pem')
real_cert = os.path.join(env.test_dir, '../modules/md/data', 'test_920', '002.pubcert')
assert copyfile(real_cert, staged_cert)
status = env.get_certificate_status(domain)
# status shows the copied cert's properties as staged
assert 'renewal' in status
assert 'Thu, 29 Aug 2019 16:06:35 GMT' == status['renewal']['cert']['rsa']['valid']['until']
assert 'Fri, 31 May 2019 16:06:35 GMT' == status['renewal']['cert']['rsa']['valid']['from']
assert '03039C464D454EDE79FCD2CAE859F668F269' == status['renewal']['cert']['rsa']['serial']
assert 'sha256-fingerprint' in status['renewal']['cert']['rsa']
# test if switching status off has effect
def test_md_920_003(self, env):
domain = self.test_domain
domains = [domain]
conf = MDConf(env)
conf.add_md(domains)
conf.add("MDCertificateStatus off")
conf.add_vhost(domain)
conf.install()
assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
assert env.await_completion([domain], restart=False)
status = env.get_certificate_status(domain)
assert not status
def test_md_920_004(self, env):
domain = self.test_domain
domains = [domain]
conf = MDConf(env)
conf.add_md(domains)
conf.add("MDCertificateStatus off")
conf.add_vhost(domain)
conf.install()
assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
assert env.await_completion([domain])
status = env.get_md_status("")
assert "version" in status
assert "managed-domains" in status
assert 1 == len(status["managed-domains"])
# get the status of a domain on base server
def test_md_920_010(self, env):
domain = self.test_domain
domains = [domain]
conf = MDConf(env, std_vhosts=False, std_ports=False, text=f"""
MDBaseServer on
MDPortMap http:- https:{env.https_port}
MDStapling on
ServerName {domain}
<IfModule ssl_module>
SSLEngine on
</IfModule>
<IfModule tls_module>
TLSListen {env.https_port}
TLSStrictSNI off
</IfModule>
Protocols h2 http/1.1 acme-tls/1
<Location "/server-status">
SetHandler server-status
</Location>
<Location "/md-status">
SetHandler md-status
</Location>
<VirtualHost *:{env.http_port}>
SSLEngine off
</VirtualHost>
""")
conf.add_md(domains)
conf.install()
assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
assert env.await_completion([domain], restart=False,
via_domain=env.http_addr, use_https=False)
status = env.get_md_status("", via_domain=env.http_addr, use_https=False)
assert "version" in status
assert "managed-domains" in status
assert 1 == len(status["managed-domains"])
# get the html page
status = env.get_server_status(via_domain=env.http_addr, use_https=False)
assert re.search(r'<h3>Managed Certificates</h3>', status, re.MULTILINE)
# get the ascii summary
status = env.get_server_status(query="?auto", via_domain=env.http_addr, use_https=False)
m = re.search(r'ManagedCertificatesTotal: (\d+)', status, re.MULTILINE)
assert m, status
assert int(m.group(1)) == 1
m = re.search(r'ManagedCertificatesOK: (\d+)', status, re.MULTILINE)
assert int(m.group(1)) == 0
m = re.search(r'ManagedCertificatesRenew: (\d+)', status, re.MULTILINE)
assert int(m.group(1)) == 1
m = re.search(r'ManagedCertificatesErrored: (\d+)', status, re.MULTILINE)
assert int(m.group(1)) == 0
m = re.search(r'ManagedCertificatesReady: (\d+)', status, re.MULTILINE)
assert int(m.group(1)) == 1
m = re.search(r'ManagedDomain\[0]Stapling: (on)', status, re.MULTILINE)
assert m, f'{status}'
def test_md_920_011(self, env):
# MD with static cert files in base server, see issue #161
domain = self.test_domain
domains = [domain, 'www.%s' % domain]
testpath = os.path.join(env.gen_dir, 'test_920_011')
env.mkpath(testpath)
# cert that is only 20 more days valid
creds = env.create_self_signed_cert(CertificateSpec(domains=domains),
valid_from=timedelta(days=-70),
valid_to=timedelta(days=20),
serial=920011)
cert_file = os.path.join(testpath, 'pubcert.pem')
pkey_file = os.path.join(testpath, 'privkey.pem')
creds.save_cert_pem(cert_file)
creds.save_pkey_pem(pkey_file)
conf = MDConf(env, std_vhosts=False, std_ports=False, text=f"""
MDBaseServer on
MDPortMap http:- https:{env.https_port}
ServerName {domain}
<IfModule ssl_module>
SSLEngine on
</IfModule>
<IfModule tls_module>
TLSListen {env.https_port}
TLSStrictSNI off
</IfModule>
Protocols h2 http/1.1 acme-tls/1
<Location "/server-status">
SetHandler server-status
</Location>
<Location "/md-status">
SetHandler md-status
</Location>
""")
conf.start_md(domains)
conf.add(f"MDCertificateFile {cert_file}")
conf.add(f"MDCertificateKeyFile {pkey_file}")
conf.end_md()
conf.start_vhost([env.http_addr], port=env.http_port)
conf.add("SSLEngine off")
conf.end_vhost()
conf.install()
assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
status = env.get_md_status(domain, via_domain=env.http_addr, use_https=False)
assert status
assert 'renewal' not in status
print(status)
assert status['state'] == env.MD_S_COMPLETE
assert status['renew-mode'] == 0 # manual
env.httpd_error_log.ignore_recent(
matches = [
r'.*cert has no authority key id extension.*'
]
)
# MD with 2 certificates
def test_md_920_020(self, env):
domain = self.test_domain
domains = [domain]
conf = MDConf(env)
conf.add("MDStapling on")
conf.add("MDPrivateKeys secp256r1 RSA")
conf.add_md(domains)
conf.add_vhost(domain)
conf.install()
assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
assert env.await_completion([domain], restart=False)
# In the stats JSON, we expect 2 certificates under 'renewal'
stat = env.get_md_status(domain)
assert 'renewal' in stat
assert 'cert' in stat['renewal']
assert 'rsa' in stat['renewal']['cert']
assert 'secp256r1' in stat['renewal']['cert']
# In /.httpd/certificate-status 'renewal' we expect 2 certificates
status = env.get_certificate_status(domain)
assert 'renewal' in status
assert 'cert' in status['renewal']
assert 'secp256r1' in status['renewal']['cert']
assert 'rsa' in status['renewal']['cert']
# restart and activate
# once activated, certs are listed in status
assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
stat = env.get_md_status(domain)
assert 'cert' in stat
assert 'valid' in stat['cert']
for ktype in ['rsa', 'secp256r1']:
assert ktype in stat['cert']
if env.acme_server == 'boulder':
assert 'ocsp' in stat['cert'][ktype]
#
env.httpd_error_log.ignore_recent(
matches = [
r'.*certificate with serial \w+ has no OCSP responder URL.*'
]
)
|
