@ -164,6 +164,9 @@ in import ./make-test-python.nix ({ lib, ... }: {
# reaches the active state. Targets do not have this issue.
''
import time
has_switched = False
@ -175,69 +178,67 @@ in import ./make-test-python.nix ({ lib, ... }: {
)
has_switched = True
node . succeed (
" / r u n / c u r r e n t - s y s t e m / s p e c i a l i s a t i o n / { } / b i n / s w i t c h - t o - c o n f i g u r a t i o n t e s t " . format (
name
)
f " / r u n / c u r r e n t - s y s t e m / s p e c i a l i s a t i o n / { n a m e } / b i n / s w i t c h - t o - c o n f i g u r a t i o n t e s t "
)
# In order to determine if a config reload has finished, we need to watch
# the log files for the relevant lines
def wait_httpd_reload ( node ) :
# Check for SIGUSER received
node . succeed ( " ( t a i l - n 3 - f / v a r / l o g / h t t p d / e r r o r . l o g & ) | g r e p - q A H 0 0 4 9 3 " )
# Check for service restart. This line also occurs when the service is started,
# hence the above check is necessary too.
node . succeed ( " ( t a i l - n 1 - f / v a r / l o g / h t t p d / e r r o r . l o g & ) | g r e p - q A H 0 0 0 9 4 " )
def wait_nginx_reload ( node ) :
# Check for SIGHUP received
node . succeed ( " ( j o u r n a l c t l - f u n g i n x - n 1 8 & ) | g r e p - q S I G H U P " )
# Check for SIGCHLD from killed worker processes
node . succeed ( " ( j o u r n a l c t l - f u n g i n x - n 1 0 & ) | g r e p - q S I G C H L D " )
# Ensures the issuer of our cert matches the chain
# and matches the issuer we expect it to be.
# It's a good validation to ensure the cert.pem and fullchain.pem
# are not still selfsigned afer verification
def check_issuer ( node , cert_name , issuer ) :
for fname in ( " c e r t . p e m " , " f u l l c h a i n . p e m " ) :
node . succeed (
(
" " " o p e n s s l x 5 0 9 - n o o u t - i s s u e r - i n / v a r / l i b / a c m e / { c e r t _ n a m e } / { f n a m e } \
| tee /proc/self/fd/2 \
| cut - d' = ' - f2- \
| grep " $ ( o p e n s s l x 5 0 9 - n o o u t - s u b j e c t - i n / v a r / l i b / a c m e / { c e r t _ n a m e } / c h a i n . p e m \
| cut - d' = ' - f2- ) \ " \
| grep - i ' { issuer } '
" " "
) . format ( cert_name = cert_name , issuer = issuer , fname = fname )
)
actual_issuer = node . succeed (
f " o p e n s s l x 5 0 9 - n o o u t - i s s u e r - i n / v a r / l i b / a c m e / { c e r t _ n a m e } / { f n a m e } "
) . partition ( " = " ) [ 2 ]
print ( f " { f n a m e } i s s u e r : { a c t u a l _ i s s u e r } " )
assert issuer . lower ( ) in actual_issuer . lower ( )
# Ensure cert comes before chain in fullchain.pem
def check_fullchain ( node , cert_name ) :
node . succeed (
(
" " " o p e n s s l c r l 2 p k c s 7 - n o c r l - c e r t f i l e / v a r / l i b / a c m e / { c e r t _ n a m e } / f u l l c h a i n . p e m \
| tee /proc/self/fd/2 \
| openssl pkcs7 - print_certs - noout | head -1 | grep { cert_name }
" " "
) . format ( cert_name = cert_name )
subject_data = node . succeed (
f " o p e n s s l c r l 2 p k c s 7 - n o c r l - c e r t f i l e / v a r / l i b / a c m e / { c e r t _ n a m e } / f u l l c h a i n . p e m "
" | o p e n s s l p k c s 7 - p r i n t _ c e r t s - n o o u t "
)
for line in subject_data . lower ( ) . split ( " \n " ) :
if " s u b j e c t " in line :
print ( f " F i r s t s u b j e c t i n f u l l c h a i n . p e m : " , line )
assert cert_name . lower ( ) in line
return
assert False
def check_connection ( node , domain ) :
node . succeed (
(
" " " o p e n s s l s _ c l i e n t - b r i e f - v e r i f y 2 - v e r i f y _ r e t u r n _ e r r o r - C A f i l e / t m p / c a . c r t \
- servername { domain } - connect { domain }: 443 < /dev/null 2 > & 1 \
| tee /proc/self/fd/2
" " "
) . format ( domain = domain )
def check_connection ( node , domain , retries = 3 ) :
if retries == 0 :
assert False
result = node . succeed (
" o p e n s s l s _ c l i e n t - b r i e f - v e r i f y 2 - C A f i l e / t m p / c a . c r t "
f " - s e r v e r n a m e { d o m a i n } - c o n n e c t { d o m a i n } : 4 4 3 < / d e v / n u l l 2 > & 1 "
)
for line in result . lower ( ) . split ( " \n " ) :
if " v e r i f i c a t i o n " in line and " e r r o r " in line :
time . sleep ( 1 )
return check_connection ( node , domain , retries - 1 )
def check_connection_key_bits ( node , domain , bits , retries = 3 ) :
if retries == 0 :
assert False
result = node . succeed (
" o p e n s s l s _ c l i e n t - C A f i l e / t m p / c a . c r t "
f " - s e r v e r n a m e { d o m a i n } - c o n n e c t { d o m a i n } : 4 4 3 < / d e v / n u l l "
" | o p e n s s l x 5 0 9 - n o o u t - t e x t | g r e p - i P u b l i c - K e y "
)
print ( " K e y t y p e : " , result )
if bits not in result :
time . sleep ( 1 )
return check_connection_key_bits ( node , domain , bits , retries - 1 )
client . start ( )
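Review bot: check_issuer no longer checks that the certificate's issuer equals the subject of chain.pem — the new body only asserts that the expected issuer substring appears in the `openssl x509 -issuer` output, yet the comment above it still promises both checks, so a cert.pem signed by some unrelated CA whose name happens to contain "pebble" would now pass. Either restore the cross-check, e.g. `chain_subject = node.succeed(f"openssl x509 -noout -subject -in /var/lib/acme/{cert_name}/chain.pem").partition("=")[2]` followed by `assert actual_issuer.strip() == chain_subject.strip()`, or reword the comment to "Ensures the issuer of our cert matches the issuer we expect it to be." Relatedly, check_connection dropped `-verify_return_error` and returns success whenever no line contains both "verification" and "error", so output with no verification line at all is treated as a pass; a positive `assert any("verification: ok" in line for line in result.lower().split("\n"))` before returning would keep the check strict (that is the `-brief` output format as I recall it — worth confirming). The `assert False` exhaustion paths in both retry helpers also give no diagnostic; carrying the last openssl output into the assertion message would make a flaky failure debuggable.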
@ -261,7 +262,6 @@ in import ./make-test-python.nix ({ lib, ... }: {
with subtest ( " C a n r e q u e s t c e r t i f i c a t e w i t h H T T P S - 0 1 c h a l l e n g e " ) :
webserver . wait_for_unit ( " a c m e - f i n i s h e d - a . e x a m p l e . t e s t . t a r g e t " )
wait_nginx_reload ( webserver )
check_fullchain ( webserver , " a . e x a m p l e . t e s t " )
check_issuer ( webserver , " a . e x a m p l e . t e s t " , " p e b b l e " )
check_connection ( client , " a . e x a m p l e . t e s t " )
@ -273,35 +273,26 @@ in import ./make-test-python.nix ({ lib, ... }: {
check_issuer ( webserver , " a . e x a m p l e . t e s t " , " m i n i c a " )
# Will succeed if nginx can load the certs
webserver . succeed ( " s y s t e m c t l s t a r t n g i n x - c o n f i g - r e l o a d . s e r v i c e " )
wait_nginx_reload ( webserver )
with subtest ( " C a n r e l o a d n g i n x w h e n t i m e r t r i g g e r s r e n e w a l " ) :
webserver . succeed ( " s y s t e m c t l s t a r t t e s t - r e n e w - n g i n x . t a r g e t " )
wait_nginx_reload ( webserver )
check_issuer ( webserver , " a . e x a m p l e . t e s t " , " p e b b l e " )
check_connection ( client , " a . e x a m p l e . t e s t " )
with subtest ( " C a n r e l o a d w e b s e r v e r w h e n c e r t c o n f i g u r a t i o n c h a n g e s " ) :
switch_to ( webserver , " c e r t - c h a n g e " )
webserver . wait_for_unit ( " a c m e - f i n i s h e d - a . e x a m p l e . t e s t . t a r g e t " )
wait_nginx_reload ( webserver )
client . succeed (
" " " o p e n s s l s _ c l i e n t - C A f i l e / t m p / c a . c r t - c o n n e c t a . e x a m p l e . t e s t : 4 4 3 < / d e v / n u l l \
| openssl x509 - noout - text | grep - i Public-Key | grep 384
" " "
)
check_connection_key_bits ( client , " a . e x a m p l e . t e s t " , " 3 8 4 " )
with subtest ( " C a n r e q u e s t c e r t i f i c a t e w i t h H T T P S - 0 1 w h e n n g i n x s t a r t u p i s d e l a y e d " ) :
switch_to ( webserver , " s l o w - s t a r t u p " )
webserver . wait_for_unit ( " a c m e - f i n i s h e d - s l o w . e x a m p l e . c o m . t a r g e t " )
wait_nginx_reload ( webserver )
check_issuer ( webserver , " s l o w . e x a m p l e . c o m " , " p e b b l e " )
check_connection ( client , " s l o w . e x a m p l e . c o m " )
with subtest ( " C a n r e q u e s t c e r t i f i c a t e f o r v h o s t + a l i a s e s ( n g i n x ) " ) :
switch_to ( webserver , " n g i n x - a l i a s e s " )
webserver . wait_for_unit ( " a c m e - f i n i s h e d - a . e x a m p l e . t e s t . t a r g e t " )
wait_nginx_reload ( webserver )
check_issuer ( webserver , " a . e x a m p l e . t e s t " , " p e b b l e " )
check_connection ( client , " a . e x a m p l e . t e s t " )
check_connection ( client , " b . e x a m p l e . t e s t " )
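Review bot: The synchronization this subtest relied on appears to be removed here (wait_nginx_reload goes away in the earlier hunk), leaving `check_connection_key_bits(client, "a.example.test", "384")` with three attempts one second apart as the only wait for the reload. That retry only fires when the command succeeds and the key size is absent; if the openssl pipeline exits non-zero while nginx is restarting, `node.succeed` raises on the first attempt with no retry, so this may be flakier than the explicit log watch it replaces — I would confirm the reload cannot drop connections before relying on it. The bare `"384"` substring test against the whole grep output is also looser than the old `grep 384`-equivalent it replaces suggests; passing `"(384 bit)"` pins the match to the key-size field without changing the helper.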
@ -309,7 +300,6 @@ in import ./make-test-python.nix ({ lib, ... }: {
with subtest ( " C a n r e q u e s t c e r t i f i c a t e s f o r v h o s t + a l i a s e s ( a p a c h e - h t t p d ) " ) :
switch_to ( webserver , " h t t p d - a l i a s e s " )
webserver . wait_for_unit ( " a c m e - f i n i s h e d - c . e x a m p l e . t e s t . t a r g e t " )
wait_httpd_reload ( webserver )
check_issuer ( webserver , " c . e x a m p l e . t e s t " , " p e b b l e " )
check_connection ( client , " c . e x a m p l e . t e s t " )
check_connection ( client , " d . e x a m p l e . t e s t " )
@ -318,18 +308,15 @@ in import ./make-test-python.nix ({ lib, ... }: {
# Switch to selfsigned first
webserver . succeed ( " s y s t e m c t l c l e a n a c m e - c . e x a m p l e . t e s t . s e r v i c e - - w h a t = s t a t e " )
webserver . succeed ( " s y s t e m c t l s t a r t a c m e - s e l f s i g n e d - c . e x a m p l e . t e s t . s e r v i c e " )
wait_httpd_reload ( webserver )
check_issuer ( webserver , " c . e x a m p l e . t e s t " , " m i n i c a " )
webserver . succeed ( " s y s t e m c t l s t a r t h t t p d - c o n f i g - r e l o a d . s e r v i c e " )
webserver . succeed ( " s y s t e m c t l s t a r t t e s t - r e n e w - h t t p d . t a r g e t " )
wait_httpd_reload ( webserver )
check_issuer ( webserver , " c . e x a m p l e . t e s t " , " p e b b l e " )
check_connection ( client , " c . e x a m p l e . t e s t " )
with subtest ( " C a n r e q u e s t w i l d c a r d c e r t i f i c a t e s u s i n g D N S - 0 1 c h a l l e n g e " ) :
switch_to ( webserver , " d n s - 0 1 " )
webserver . wait_for_unit ( " a c m e - f i n i s h e d - e x a m p l e . t e s t . t a r g e t " )
wait_nginx_reload ( webserver )
check_issuer ( webserver , " e x a m p l e . t e s t " , " p e b b l e " )
check_connection ( client , " d n s . e x a m p l e . t e s t " )
'' ;