test/modules/md/test_720_wildcard.py - httpd - Git at Google

 # test wildcard certifcates
 import os

 import pytest

 from .md_conf import MDConf, MDConf
 from .md_env import MDTestEnv


 @pytest.mark.skipif(condition=not MDTestEnv.has_acme_server(),
                     reason="no ACME test server configured")
 class TestWildcard:

     @pytest.fixture(autouse=True, scope='class')
     def _class_scope(self, env, acme):
         env.APACHE_CONF_SRC = "data/test_auto"
         acme.start(config='default')
         env.check_acme()
         env.clear_store()
         MDConf(env).install()
         assert env.apache_restart() == 0, f'{env.apachectl_stderr}'

     @pytest.fixture(autouse=True, scope='function')
     def _method_scope(self, env, request):
         env.clear_store()
         self.test_domain = env.get_request_domain(request)

     # test case: a wildcard certificate with ACMEv2, no dns-01 supported
     def test_md_720_001(self, env):
         domain = self.test_domain

         # generate config with DNS wildcard
         domains = [domain, "*." + domain]
         conf = MDConf(env)
         conf.add_md(domains)
         conf.add_vhost(domains)
         conf.install()

         # restart, check that md is in store
         assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
         env.check_md(domains)
         # await drive completion
         md = env.await_error(domain)
         assert md
         assert md['renewal']['errors'] > 0
         assert md['renewal']['last']['problem'] == 'challenge-mismatch'
         #
         env.httpd_error_log.ignore_recent(
             lognos = [
                 "AH10056"   # None of offered challenge types
             ],
             matches = [
                 r'.*problem\[challenge-mismatch\].*'
             ]
         )

     # test case: a wildcard certificate with ACMEv2, only dns-01 configured, invalid command path
     def test_md_720_002(self, env):
         dns01cmd = os.path.join(env.test_dir, "../modules/md/dns01-not-found.py")

         domain = self.test_domain
         domains = [domain, "*." + domain]

         conf = MDConf(env)
         conf.add("MDCAChallenges dns-01")
         conf.add(f"MDChallengeDns01 {dns01cmd}")
         conf.add_md(domains)
         conf.add_vhost(domains)
         conf.install()

         # restart, check that md is in store
         assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
         env.check_md(domains)
         # await drive completion
         md = env.await_error(domain)
         assert md
         assert md['renewal']['errors'] > 0
         assert md['renewal']['last']['problem'] == 'challenge-setup-failure'
         #
         env.httpd_error_log.ignore_recent(
             lognos = [
                 "AH10056"   # None of offered challenge types
             ],
             matches = [
                 r'.*problem\[challenge-setup-failure\].*',
                 r'.*setup command failed to execute.*'
             ]
         )

     # variation, invalid cmd path, other challenges still get certificate for non-wildcard
     def test_md_720_002b(self, env):
         dns01cmd = os.path.join(env.test_dir, "../modules/md/dns01-not-found.py")
         domain = self.test_domain
         domains = [domain, "xxx." + domain]

         conf = MDConf(env)
         conf.add(f"MDChallengeDns01 {dns01cmd}")
         conf.add_md(domains)
         conf.add_vhost(domains)
         conf.install()

         # restart, check that md is in store
         assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
         env.check_md(domains)
         # await drive completion
         assert env.await_completion([domain])
         env.check_md_complete(domain)
         # check: SSL is running OK
         cert_a = env.get_cert(domain)
         altnames = cert_a.get_san_list()
         for domain in domains:
             assert domain in altnames

     # test case: a wildcard certificate with ACMEv2, only dns-01 configured, invalid command option
     def test_md_720_003(self, env):
         dns01cmd = os.path.join(env.test_dir, "../modules/md/dns01.py fail")
         domain = self.test_domain
         domains = [domain, "*." + domain]

         conf = MDConf(env)
         conf.add("MDCAChallenges dns-01")
         conf.add(f"MDChallengeDns01 {dns01cmd}")
         conf.add_md(domains)
         conf.add_vhost(domains)
         conf.install()

         # restart, check that md is in store
         assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
         env.check_md(domains)
         # await drive completion
         md = env.await_error(domain)
         assert md
         assert md['renewal']['errors'] > 0
         assert md['renewal']['last']['problem'] == 'challenge-setup-failure'
         #
         env.httpd_error_log.ignore_recent(
             lognos = [
                 "AH10056"   # None of offered challenge types
             ],
             matches = [
                 r'.*problem\[challenge-setup-failure\].*'
             ]
         )

     # test case: a wildcard name certificate with ACMEv2, only dns-01 configured
     def test_md_720_004(self, env):
         dns01cmd = os.path.join(env.test_dir, "../modules/md/dns01.py")
         domain = self.test_domain
         domains = [domain, "*." + domain]

         conf = MDConf(env)
         conf.add("MDCAChallenges dns-01")
         conf.add(f"MDChallengeDns01 {dns01cmd}")
         conf.add_md(domains)
         conf.add_vhost(domains)
         conf.install()

         # restart, check that md is in store
         assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
         env.check_md(domains)
         # await drive completion
         assert env.await_completion([domain])
         env.check_md_complete(domain)
         # check: SSL is running OK
         cert_a = env.get_cert(domain)
         altnames = cert_a.get_san_list()
         for domain in domains:
             assert domain in altnames

     # test case: a wildcard name and 2nd normal vhost, not overlapping
     def test_md_720_005(self, env):
         dns01cmd = os.path.join(env.test_dir, "../modules/md/dns01.py")
         domain = self.test_domain
         domain2 = "www.x" + domain
         domains = [domain, "*." + domain, domain2]

         conf = MDConf(env)
         conf.add("MDCAChallenges dns-01")
         conf.add(f"MDChallengeDns01 {dns01cmd}")
         conf.add_md(domains)
         conf.add_vhost(domain2)
         conf.add_vhost(domains)
         conf.install()

         # restart, check that md is in store
         assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
         env.check_md(domains)
         # await drive completion
         assert env.await_completion([domain])
         env.check_md_complete(domain)
         # check: SSL is running OK
         cert_a = env.get_cert(domain)
         altnames = cert_a.get_san_list()
         for domain in domains:
             assert domain in altnames

     # test case: a wildcard name and 2nd normal vhost, overlapping
     def test_md_720_006(self, env):
         dns01cmd = os.path.join(env.test_dir, "../modules/md/dns01.py")
         domain = self.test_domain
         dwild = "*." + domain
         domain2 = "www." + domain
         domains = [domain, dwild, domain2]

         conf = MDConf(env)
         conf.add("MDCAChallenges dns-01")
         conf.add(f"MDChallengeDns01 {dns01cmd}")
         conf.add_md(domains)
         conf.add_vhost(domain2)
         conf.add_vhost([domain, dwild])
         conf.install()

         # restart, check that md is in store
         assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
         env.check_md(domains)
         # await drive completion
         assert env.await_completion([domain])
         env.check_md_complete(domain)
         # check: SSL is running OK
         cert_a = env.get_cert(domain)
         altnames = cert_a.get_san_list()
         for domain in [domain, dwild]:
             assert domain in altnames

     # test case: a MDomain with just a wildcard, see #239
     def test_md_720_007(self, env):
         dns01cmd = os.path.join(env.test_dir, "../modules/md/dns01.py")
         domain = self.test_domain
         dwild = "*." + domain
         wwwdomain = "www." + domain
         domains = [dwild]

         conf = MDConf(env)
         conf.add("MDCAChallenges dns-01")
         conf.add(f"MDChallengeDns01 {dns01cmd}")
         conf.add_md(domains)
         conf.add_vhost(wwwdomain)
         conf.install()

         # restart, check that md is in store
         assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
         env.check_md(domains)
         # await drive completion
         assert env.await_completion([wwwdomain])
         env.check_md_complete(dwild)
         # check: SSL is running OK
         cert_a = env.get_cert(wwwdomain)
         altnames = cert_a.get_san_list()
         assert domains == altnames

     # test case: a plain name, only dns-01 configured,
     # http-01 should not be intercepted. See #279
     def test_md_720_008(self, env):
         dns01cmd = os.path.join(env.test_dir, "../modules/md/dns01.py")
         domain = self.test_domain
         domains = [domain]

         conf = MDConf(env)
         conf.add("MDCAChallenges dns-01")
         conf.add(f"MDChallengeDns01 {dns01cmd}")
         conf.add_md(domains)
         conf.add_vhost(domains)
         conf.add("LogLevel http:trace4")
         conf.install()

         challengedir = os.path.join(env.server_dir, "htdocs/test1/.well-known/acme-challenge")
         env.mkpath(challengedir)
         content = b'not a challenge'
         with open(os.path.join(challengedir, "123456"), "wb") as fd:
             fd.write(content)

         # restart, check that md is in store
         assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
         env.check_md(domains)
         # await drive completion
         assert env.await_completion([domain], restart=False)
         # access a fake http-01 challenge on the domain
         r = env.curl_get(f"http://{domain}:{env.http_port}/.well-known/acme-challenge/123456")
         assert r.response['status'] == 200
         assert r.response['body'] == content
         assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
         env.check_md_complete(domain)
	# test wildcard certifcates
	import os

	import pytest

	from .md_conf import MDConf, MDConf
	from .md_env import MDTestEnv


	@pytest.mark.skipif(condition=not MDTestEnv.has_acme_server(),
	reason="no ACME test server configured")
	class TestWildcard:

	@pytest.fixture(autouse=True, scope='class')
	def _class_scope(self, env, acme):
	env.APACHE_CONF_SRC = "data/test_auto"
	acme.start(config='default')
	env.check_acme()
	env.clear_store()
	MDConf(env).install()
	assert env.apache_restart() == 0, f'{env.apachectl_stderr}'

	@pytest.fixture(autouse=True, scope='function')
	def _method_scope(self, env, request):
	env.clear_store()
	self.test_domain = env.get_request_domain(request)

	# test case: a wildcard certificate with ACMEv2, no dns-01 supported
	def test_md_720_001(self, env):
	domain = self.test_domain

	# generate config with DNS wildcard
	domains = [domain, "*." + domain]
	conf = MDConf(env)
	conf.add_md(domains)
	conf.add_vhost(domains)
	conf.install()

	# restart, check that md is in store
	assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
	env.check_md(domains)
	# await drive completion
	md = env.await_error(domain)
	assert md
	assert md['renewal']['errors'] > 0
	assert md['renewal']['last']['problem'] == 'challenge-mismatch'
	#
	env.httpd_error_log.ignore_recent(
	lognos = [
	"AH10056" # None of offered challenge types
	],
	matches = [
	r'.problem\[challenge-mismatch\].'
	]
	)

	# test case: a wildcard certificate with ACMEv2, only dns-01 configured, invalid command path
	def test_md_720_002(self, env):
	dns01cmd = os.path.join(env.test_dir, "../modules/md/dns01-not-found.py")

	domain = self.test_domain
	domains = [domain, "*." + domain]

	conf = MDConf(env)
	conf.add("MDCAChallenges dns-01")
	conf.add(f"MDChallengeDns01 {dns01cmd}")
	conf.add_md(domains)
	conf.add_vhost(domains)
	conf.install()

	# restart, check that md is in store
	assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
	env.check_md(domains)
	# await drive completion
	md = env.await_error(domain)
	assert md
	assert md['renewal']['errors'] > 0
	assert md['renewal']['last']['problem'] == 'challenge-setup-failure'
	#
	env.httpd_error_log.ignore_recent(
	lognos = [
	"AH10056" # None of offered challenge types
	],
	matches = [
	r'.problem\[challenge-setup-failure\].',
	r'.setup command failed to execute.'
	]
	)

	# variation, invalid cmd path, other challenges still get certificate for non-wildcard
	def test_md_720_002b(self, env):
	dns01cmd = os.path.join(env.test_dir, "../modules/md/dns01-not-found.py")
	domain = self.test_domain
	domains = [domain, "xxx." + domain]

	conf = MDConf(env)
	conf.add(f"MDChallengeDns01 {dns01cmd}")
	conf.add_md(domains)
	conf.add_vhost(domains)
	conf.install()

	# restart, check that md is in store
	assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
	env.check_md(domains)
	# await drive completion
	assert env.await_completion([domain])
	env.check_md_complete(domain)
	# check: SSL is running OK
	cert_a = env.get_cert(domain)
	altnames = cert_a.get_san_list()
	for domain in domains:
	assert domain in altnames

	# test case: a wildcard certificate with ACMEv2, only dns-01 configured, invalid command option
	def test_md_720_003(self, env):
	dns01cmd = os.path.join(env.test_dir, "../modules/md/dns01.py fail")
	domain = self.test_domain
	domains = [domain, "*." + domain]

	conf = MDConf(env)
	conf.add("MDCAChallenges dns-01")
	conf.add(f"MDChallengeDns01 {dns01cmd}")
	conf.add_md(domains)
	conf.add_vhost(domains)
	conf.install()

	# restart, check that md is in store
	assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
	env.check_md(domains)
	# await drive completion
	md = env.await_error(domain)
	assert md
	assert md['renewal']['errors'] > 0
	assert md['renewal']['last']['problem'] == 'challenge-setup-failure'
	#
	env.httpd_error_log.ignore_recent(
	lognos = [
	"AH10056" # None of offered challenge types
	],
	matches = [
	r'.problem\[challenge-setup-failure\].'
	]
	)

	# test case: a wildcard name certificate with ACMEv2, only dns-01 configured
	def test_md_720_004(self, env):
	dns01cmd = os.path.join(env.test_dir, "../modules/md/dns01.py")
	domain = self.test_domain
	domains = [domain, "*." + domain]

	conf = MDConf(env)
	conf.add("MDCAChallenges dns-01")
	conf.add(f"MDChallengeDns01 {dns01cmd}")
	conf.add_md(domains)
	conf.add_vhost(domains)
	conf.install()

	# restart, check that md is in store
	assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
	env.check_md(domains)
	# await drive completion
	assert env.await_completion([domain])
	env.check_md_complete(domain)
	# check: SSL is running OK
	cert_a = env.get_cert(domain)
	altnames = cert_a.get_san_list()
	for domain in domains:
	assert domain in altnames

	# test case: a wildcard name and 2nd normal vhost, not overlapping
	def test_md_720_005(self, env):
	dns01cmd = os.path.join(env.test_dir, "../modules/md/dns01.py")
	domain = self.test_domain
	domain2 = "www.x" + domain
	domains = [domain, "*." + domain, domain2]

	conf = MDConf(env)
	conf.add("MDCAChallenges dns-01")
	conf.add(f"MDChallengeDns01 {dns01cmd}")
	conf.add_md(domains)
	conf.add_vhost(domain2)
	conf.add_vhost(domains)
	conf.install()

	# restart, check that md is in store
	assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
	env.check_md(domains)
	# await drive completion
	assert env.await_completion([domain])
	env.check_md_complete(domain)
	# check: SSL is running OK
	cert_a = env.get_cert(domain)
	altnames = cert_a.get_san_list()
	for domain in domains:
	assert domain in altnames

	# test case: a wildcard name and 2nd normal vhost, overlapping
	def test_md_720_006(self, env):
	dns01cmd = os.path.join(env.test_dir, "../modules/md/dns01.py")
	domain = self.test_domain
	dwild = "*." + domain
	domain2 = "www." + domain
	domains = [domain, dwild, domain2]

	conf = MDConf(env)
	conf.add("MDCAChallenges dns-01")
	conf.add(f"MDChallengeDns01 {dns01cmd}")
	conf.add_md(domains)
	conf.add_vhost(domain2)
	conf.add_vhost([domain, dwild])
	conf.install()

	# restart, check that md is in store
	assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
	env.check_md(domains)
	# await drive completion
	assert env.await_completion([domain])
	env.check_md_complete(domain)
	# check: SSL is running OK
	cert_a = env.get_cert(domain)
	altnames = cert_a.get_san_list()
	for domain in [domain, dwild]:
	assert domain in altnames

	# test case: a MDomain with just a wildcard, see #239
	def test_md_720_007(self, env):
	dns01cmd = os.path.join(env.test_dir, "../modules/md/dns01.py")
	domain = self.test_domain
	dwild = "*." + domain
	wwwdomain = "www." + domain
	domains = [dwild]

	conf = MDConf(env)
	conf.add("MDCAChallenges dns-01")
	conf.add(f"MDChallengeDns01 {dns01cmd}")
	conf.add_md(domains)
	conf.add_vhost(wwwdomain)
	conf.install()

	# restart, check that md is in store
	assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
	env.check_md(domains)
	# await drive completion
	assert env.await_completion([wwwdomain])
	env.check_md_complete(dwild)
	# check: SSL is running OK
	cert_a = env.get_cert(wwwdomain)
	altnames = cert_a.get_san_list()
	assert domains == altnames

	# test case: a plain name, only dns-01 configured,
	# http-01 should not be intercepted. See #279
	def test_md_720_008(self, env):
	dns01cmd = os.path.join(env.test_dir, "../modules/md/dns01.py")
	domain = self.test_domain
	domains = [domain]

	conf = MDConf(env)
	conf.add("MDCAChallenges dns-01")
	conf.add(f"MDChallengeDns01 {dns01cmd}")
	conf.add_md(domains)
	conf.add_vhost(domains)
	conf.add("LogLevel http:trace4")
	conf.install()

	challengedir = os.path.join(env.server_dir, "htdocs/test1/.well-known/acme-challenge")
	env.mkpath(challengedir)
	content = b'not a challenge'
	with open(os.path.join(challengedir, "123456"), "wb") as fd:
	fd.write(content)

	# restart, check that md is in store
	assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
	env.check_md(domains)
	# await drive completion
	assert env.await_completion([domain], restart=False)
	# access a fake http-01 challenge on the domain
	r = env.curl_get(f"http://{domain}:{env.http_port}/.well-known/acme-challenge/123456")
	assert r.response['status'] == 200
	assert r.response['body'] == content
	assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
	env.check_md_complete(domain)