diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 15:01:30 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 15:01:30 +0000 |
commit | 6beeb1b708550be0d4a53b272283e17e5e35fe17 (patch) | |
tree | 1ce8673d4aaa948e5554000101f46536a1e4cc29 /test/modules/md/test_702_auto.py | |
parent | Initial commit. (diff) | |
download | apache2-3d46059c28a1d66e6e1aeb209491f1324c913a25.tar.xz apache2-3d46059c28a1d66e6e1aeb209491f1324c913a25.zip |
Adding upstream version 2.4.57.upstream/2.4.57
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'test/modules/md/test_702_auto.py')
-rw-r--r-- | test/modules/md/test_702_auto.py | 756 |
1 files changed, 756 insertions, 0 deletions
diff --git a/test/modules/md/test_702_auto.py b/test/modules/md/test_702_auto.py new file mode 100644 index 0000000..8e8f5f1 --- /dev/null +++ b/test/modules/md/test_702_auto.py @@ -0,0 +1,756 @@ +import os +import time + +import pytest + +from pyhttpd.conf import HttpdConf +from pyhttpd.env import HttpdTestEnv +from .md_cert_util import MDCertUtil +from .md_env import MDTestEnv +from .md_conf import MDConf + + +@pytest.mark.skipif(condition=not MDTestEnv.has_acme_server(), + reason="no ACME test server configured") +class TestAutov2: + + @pytest.fixture(autouse=True, scope='class') + def _class_scope(self, env, acme): + env.APACHE_CONF_SRC = "data/test_auto" + acme.start(config='default') + env.check_acme() + env.clear_store() + MDConf(env).install() + assert env.apache_restart() == 0 + + @pytest.fixture(autouse=True, scope='function') + def _method_scope(self, env, request): + env.clear_store() + self.test_domain = env.get_request_domain(request) + + def _write_res_file(self, doc_root, name, content): + if not os.path.exists(doc_root): + os.makedirs(doc_root) + open(os.path.join(doc_root, name), "w").write(content) + + # create a MD not used in any virtual host, auto drive should NOT pick it up + def test_md_702_001(self, env): + domain = self.test_domain + # generate config with one MD + domains = [domain, "www." + domain] + conf = MDConf(env, admin="admin@" + domain) + conf.add_drive_mode("auto") + conf.add_md(domains) + conf.install() + # + # restart, check that MD is synched to store + assert env.apache_restart() == 0 + env.check_md(domains) + stat = env.get_md_status(domain) + assert stat["watched"] == 0 + # + # add vhost for MD, restart should drive it + conf.add_vhost(domains) + conf.install() + assert env.apache_restart() == 0 + assert env.await_completion([domain]) + env.check_md_complete(domain) + stat = env.get_md_status(domain) + assert stat["watched"] == 1 + cert = env.get_cert(domain) + assert domain in cert.get_san_list() + # + # challenges should have been removed + # file system needs to have correct permissions + env.check_dir_empty(env.store_challenges()) + env.check_file_permissions(domain) + + # test case: same as test_702_001, but with two parallel managed domains + def test_md_702_002(self, env): + domain = self.test_domain + domain_a = "a-" + domain + domain_b = "b-" + domain + # + # generate config with two MDs + domains_a = [domain_a, "www." + domain_a] + domains_b = [domain_b, "www." + domain_b] + conf = MDConf(env) + conf.add_drive_mode("auto") + conf.add_md(domains_a) + conf.add_md(domains_b) + conf.add_vhost(domains_a) + conf.add_vhost(domains_b) + conf.install() + # + # restart, check that md is in store + assert env.apache_restart() == 0 + env.check_md(domains_a) + env.check_md(domains_b) + # + # await drive completion, do not restart + assert env.await_completion([domain_a, domain_b], restart=False) + # staged certificates are now visible on the status resources + status = env.get_md_status(domain_a) + assert 'renewal' in status + assert 'cert' in status['renewal'] + assert 'rsa' in status['renewal']['cert'] + assert 'sha256-fingerprint' in status['renewal']['cert']['rsa'] + # check the non-staged status + assert status['state'] == 1 + assert status['state-descr'] == "certificate(rsa) is missing" + + # restart and activate + assert env.apache_restart() == 0 + # check: SSL is running OK + cert_a = env.get_cert(domain_a) + assert domains_a == cert_a.get_san_list() + cert_b = env.get_cert(domain_b) + assert domains_b == cert_b.get_san_list() + # check that we created only one account + md_a = env.get_md_status(domain_a) + md_b = env.get_md_status(domain_b) + assert md_a['ca'] == md_b['ca'] + + # test case: one MD, that covers two vhosts + def test_md_702_003(self, env): + domain = self.test_domain + name_a = "test-a." + domain + name_b = "test-b." + domain + domains = [domain, name_a, name_b] + # + # generate 1 MD and 2 vhosts + conf = MDConf(env, admin="admin@" + domain) + conf.add_md(domains) + conf.add_vhost(name_a, doc_root="htdocs/a") + conf.add_vhost(name_b, doc_root="htdocs/b") + conf.install() + # + # create docRoot folder + self._write_res_file(os.path.join(env.server_docs_dir, "a"), "name.txt", name_a) + self._write_res_file(os.path.join(env.server_docs_dir, "b"), "name.txt", name_b) + # + # restart (-> drive), check that MD was synched and completes + assert env.apache_restart() == 0 + env.check_md(domains) + assert env.await_completion([domain]) + md = env.check_md_complete(domain) + assert md['ca']['url'], f"URL of CA used not set in md: {md}" + # + # check: SSL is running OK + cert_a = env.get_cert(name_a) + assert name_a in cert_a.get_san_list() + cert_b = env.get_cert(name_b) + assert name_b in cert_b.get_san_list() + assert cert_a.same_serial_as(cert_b) + # + assert env.get_content(name_a, "/name.txt") == name_a + assert env.get_content(name_b, "/name.txt") == name_b + + # test case: drive with using single challenge type explicitly + @pytest.mark.parametrize("challenge_type", [ + "tls-alpn-01", "http-01", + ]) + def test_md_702_004(self, env, challenge_type): + domain = self.test_domain + domains = [domain, "www." + domain] + # + # generate 1 MD and 1 vhost + conf = MDConf(env, admin="admin@" + domain) + conf.add("Protocols http/1.1 acme-tls/1") + conf.add_drive_mode("auto") + conf.add(f"MDCAChallenges {challenge_type}") + conf.add_md(domains) + conf.add_vhost(domains) + conf.install() + # + # restart (-> drive), check that MD was synched and completes + assert env.apache_restart() == 0 + env.check_md(domains) + assert env.await_completion([domain]) + env.check_md_complete(domain) + # + # check SSL running OK + cert = env.get_cert(domain) + assert domain in cert.get_san_list() + + # test case: drive_mode manual, check that server starts, but requests to domain are 503'd + def test_md_702_005(self, env): + domain = self.test_domain + name_a = "test-a." + domain + domains = [domain, name_a] + # + # generate 1 MD and 1 vhost + conf = MDConf(env, admin="admin@" + domain) + conf.add_drive_mode("manual") + conf.add_md(domains) + conf.add_vhost(name_a, doc_root="htdocs/a") + conf.install() + # + # create docRoot folder + self._write_res_file(os.path.join(env.server_docs_dir, "a"), "name.txt", name_a) + # + # restart, check that md is in store + assert env.apache_restart() == 0 + env.check_md(domains) + # + # check: that request to domains give 503 Service Unavailable + cert1 = env.get_cert(name_a) + assert name_a in cert1.get_san_list() + assert env.get_http_status(name_a, "/name.txt") == 503 + # + # check temporary cert from server + cert2 = MDCertUtil(env.path_fallback_cert(domain)) + assert cert1.same_serial_as(cert2), \ + "Unexpected temporary certificate on vhost %s. Expected cn: %s , "\ + "but found cn: %s" % (name_a, cert2.get_cn(), cert1.get_cn()) + + # test case: drive MD with only invalid challenges, domains should stay 503'd + def test_md_702_006(self, env): + domain = self.test_domain + name_a = "test-a." + domain + domains = [domain, name_a] + # + # generate 1 MD, 1 vhost + conf = MDConf(env, admin="admin@" + domain) + conf.add("MDCAChallenges invalid-01 invalid-02") + conf.add_md(domains) + conf.add_vhost(name_a, doc_root="htdocs/a") + conf.install() + # + # create docRoot folder + self._write_res_file(os.path.join(env.server_docs_dir, "a"), "name.txt", name_a) + # + # restart, check that md is in store + assert env.apache_restart() == 0 + env.check_md(domains) + # await drive completion + md = env.await_error(domain) + assert md + assert md['renewal']['errors'] > 0 + assert md['renewal']['last']['problem'] == 'challenge-mismatch' + assert 'account' not in md['ca'] + # + # check: that request to domains give 503 Service Unavailable + cert = env.get_cert(name_a) + assert name_a in cert.get_san_list() + assert env.get_http_status(name_a, "/name.txt") == 503 + + # Specify a non-working http proxy + def test_md_702_008(self, env): + domain = self.test_domain + domains = [domain] + # + conf = MDConf(env, admin="admin@" + domain) + conf.add_drive_mode("always") + conf.add("MDHttpProxy http://localhost:1") + conf.add_md(domains) + conf.install() + # + # - restart (-> drive) + assert env.apache_restart() == 0 + # await drive completion + md = env.await_error(domain) + assert md + assert md['renewal']['errors'] > 0 + assert md['renewal']['last']['status-description'] == 'Connection refused' + assert 'account' not in md['ca'] + + # Specify a valid http proxy + def test_md_702_008a(self, env): + domain = self.test_domain + domains = [domain] + # + conf = MDConf(env, admin=f"admin@{domain}", proxy=True) + conf.add_drive_mode("always") + conf.add(f"MDHttpProxy http://localhost:{env.proxy_port}") + conf.add_md(domains) + conf.install() + # + # - restart (-> drive), check that md is in store + assert env.apache_restart() == 0 + assert env.await_completion([domain]) + assert env.apache_restart() == 0 + env.check_md_complete(domain) + + # Force cert renewal due to critical remaining valid duration + # Assert that new cert activation is delayed + def test_md_702_009(self, env): + domain = self.test_domain + domains = [domain] + # + # prepare md + conf = MDConf(env, admin="admin@" + domain) + conf.add_drive_mode("auto") + conf.add_renew_window("10d") + conf.add_md(domains) + conf.add_vhost(domain) + conf.install() + # + # restart (-> drive), check that md+cert is in store, TLS is up + assert env.apache_restart() == 0 + assert env.await_completion([domain]) + env.check_md_complete(domain) + cert1 = MDCertUtil(env.store_domain_file(domain, 'pubcert.pem')) + # compare with what md reports as status + stat = env.get_certificate_status(domain) + assert cert1.same_serial_as(stat['rsa']['serial']) + # + # create self-signed cert, with critical remaining valid duration -> drive again + env.create_self_signed_cert([domain], {"notBefore": -120, "notAfter": 2}, serial=7029) + cert3 = MDCertUtil(env.store_domain_file(domain, 'pubcert.pem')) + assert cert3.same_serial_as('1B75') + assert env.apache_restart() == 0 + stat = env.get_certificate_status(domain) + assert cert3.same_serial_as(stat['rsa']['serial']) + # + # cert should renew and be different afterwards + assert env.await_completion([domain], must_renew=True) + stat = env.get_certificate_status(domain) + assert not cert3.same_serial_as(stat['rsa']['serial']) + + # test case: drive with an unsupported challenge due to port availability + def test_md_702_010(self, env): + domain = self.test_domain + domains = [domain, "www." + domain] + # + # generate 1 MD and 1 vhost, map port 80 to where the server does not listen + conf = MDConf(env, admin="admin@" + domain) + conf.add_drive_mode("auto") + conf.add("MDPortMap 80:99") + conf.add_md(domains) + conf.add_vhost(domains) + conf.install() + assert env.apache_restart() == 0 + md = env.await_error(domain) + assert md["renewal"]["errors"] > 0 + # + # now the same with a 80 mapped to a supported port + conf = MDConf(env, admin="admin@" + domain) + conf.add_drive_mode("auto") + conf.add("MDCAChallenges http-01") + conf.add("MDPortMap 80:%s" % env.http_port) + conf.add_md(domains) + conf.add_vhost(domains) + conf.install() + assert env.apache_restart() == 0 + env.check_md(domains) + assert env.await_completion([domain]) + + def test_md_702_011(self, env): + domain = self.test_domain + domains = [domain, "www." + domain] + # + # generate 1 MD and 1 vhost, map port 443 to where the server does not listen + conf = MDConf(env, admin="admin@" + domain) + conf.add("Protocols http/1.1 acme-tls/1") + conf.add_drive_mode("auto") + conf.add("MDPortMap https:99 http:99") + conf.add_md(domains) + conf.add_vhost(domains) + conf.install() + assert env.apache_restart() == 0 + md = env.await_error(domain) + assert md["renewal"]["errors"] > 0 + # + # now the same with a 443 mapped to a supported port + conf = MDConf(env, admin="admin@" + domain) + conf.add("Protocols http/1.1 acme-tls/1") + conf.add_drive_mode("auto") + conf.add("MDCAChallenges tls-alpn-01") + conf.add("MDPortMap https:%s" % env.https_port) + conf.add_md(domains) + conf.add_vhost(domains) + conf.install() + assert env.apache_restart() == 0 + env.check_md(domains) + assert env.await_completion([domain]) + + # test case: one MD with several dns names. sign up. remove the *first* name + # in the MD. restart. should find and keep the existing MD. + # See: https://github.com/icing/mod_md/issues/68 + def test_md_702_030(self, env): + domain = self.test_domain + name_x = "test-x." + domain + name_a = "test-a." + domain + name_b = "test-b." + domain + domains = [name_x, name_a, name_b] + # + # generate 1 MD and 2 vhosts + conf = MDConf(env, admin="admin@" + domain) + conf.add_md(domains) + conf.add_vhost(name_a) + conf.add_vhost(name_b) + conf.install() + # + # restart (-> drive), check that MD was synched and completes + assert env.apache_restart() == 0 + env.check_md(domains) + assert env.await_completion([name_x]) + env.check_md_complete(name_x) + # + # check: SSL is running OK + cert_a = env.get_cert(name_a) + assert name_a in cert_a.get_san_list() + cert_b = env.get_cert(name_b) + assert name_b in cert_b.get_san_list() + assert cert_a.same_serial_as(cert_b) + # + # change MD by removing 1st name + new_list = [name_a, name_b] + conf = MDConf(env, admin="admin@" + domain) + conf.add_md(new_list) + conf.add_vhost(name_a) + conf.add_vhost(name_b) + conf.install() + # restart, check that host still works and kept the cert + assert env.apache_restart() == 0 + env.check_md(new_list) + status = env.get_certificate_status(name_a) + assert cert_a.same_serial_as(status['rsa']['serial']) + + # test case: Same as 7030, but remove *and* add another at the same time. + # restart. should find and keep the existing MD and renew for additional name. + # See: https://github.com/icing/mod_md/issues/68 + def test_md_702_031(self, env): + domain = self.test_domain + name_x = "test-x." + domain + name_a = "test-a." + domain + name_b = "test-b." + domain + name_c = "test-c." + domain + domains = [name_x, name_a, name_b] + # + # generate 1 MD and 2 vhosts + conf = MDConf(env, admin="admin@" + domain) + conf.add_md(domains) + conf.add_vhost(name_a) + conf.add_vhost(name_b) + conf.install() + # + # restart (-> drive), check that MD was synched and completes + assert env.apache_restart() == 0 + env.check_md(domains) + assert env.await_completion([name_x]) + env.check_md_complete(name_x) + # + # check: SSL is running OK + cert_a = env.get_cert(name_a) + assert name_a in cert_a.get_san_list() + cert_b = env.get_cert(name_b) + assert name_b in cert_b.get_san_list() + assert cert_a.same_serial_as(cert_b) + # + # change MD by removing 1st name and adding another + new_list = [name_a, name_b, name_c] + conf = MDConf(env, admin="admin@" + domain) + conf.add_md(new_list) + conf.add_vhost(name_a) + conf.add_vhost(name_b) + conf.install() + # restart, check that host still works and have new cert + assert env.apache_restart() == 0 + env.check_md(new_list) + assert env.await_completion([name_a]) + # + cert_a2 = env.get_cert(name_a) + assert name_a in cert_a2.get_san_list() + assert not cert_a.same_serial_as(cert_a2) + + # test case: create two MDs, move them into one + # see: <https://bz.apache.org/bugzilla/show_bug.cgi?id=62572> + def test_md_702_032(self, env): + domain = self.test_domain + name1 = "server1." + domain + name2 = "server2.b" + domain # need a separate TLD to avoid rate limites + # + # generate 2 MDs and 2 vhosts + conf = MDConf(env, admin="admin@" + domain) + conf.add("MDMembers auto") + conf.add_md([name1]) + conf.add_md([name2]) + conf.add_vhost(name1) + conf.add_vhost(name2) + conf.install() + # + # restart (-> drive), check that MD was synched and completes + assert env.apache_restart() == 0 + env.check_md([name1]) + env.check_md([name2]) + assert env.await_completion([name1, name2]) + env.check_md_complete(name2) + # + # check: SSL is running OK + cert1 = env.get_cert(name1) + assert name1 in cert1.get_san_list() + cert2 = env.get_cert(name2) + assert name2 in cert2.get_san_list() + # + # remove second md and vhost, add name2 to vhost1 + conf = MDConf(env, admin="admin@" + domain) + conf.add("MDMembers auto") + conf.add_md([name1]) + conf.add_vhost([name1, name2]) + conf.install() + assert env.apache_restart() == 0 + env.check_md([name1, name2]) + assert env.await_completion([name1]) + # + cert1b = env.get_cert(name1) + assert name1 in cert1b.get_san_list() + assert name2 in cert1b.get_san_list() + assert not cert1.same_serial_as(cert1b) + + # test case: test "tls-alpn-01" challenge handling + def test_md_702_040(self, env): + domain = self.test_domain + domains = [domain, "www." + domain] + # + # generate 1 MD and 1 vhost + conf = MDConf(env, admin="admin@" + domain) + conf.add("LogLevel core:debug") + conf.add("Protocols http/1.1 acme-tls/1") + conf.add_drive_mode("auto") + conf.add("MDCAChallenges tls-alpn-01") + conf.add_md(domains) + conf.add_vhost(domains=domains) + conf.install() + # + # restart (-> drive), check that MD was synched and completes + assert env.apache_restart() == 0 + env.check_md(domains) + # check that acme-tls/1 is available for all domains + stat = env.get_md_status(domain) + assert stat["proto"]["acme-tls/1"] == domains + assert env.await_completion([domain]) + env.check_md_complete(domain) + # + # check SSL running OK + cert = env.get_cert(domain) + assert domain in cert.get_san_list() + + # test case: test "tls-alpn-01" without enabling 'acme-tls/1' challenge protocol + def test_md_702_041(self, env): + domain = self.test_domain + domains = [domain, "www." + domain] + # + # generate 1 MD and 1 vhost + conf = MDConf(env, admin="admin@" + domain) + conf.add("LogLevel core:debug") + conf.add_drive_mode("auto") + conf.add("MDCAChallenges tls-alpn-01") + conf.add_md(domains) + conf.add_vhost(domains) + conf.install() + # + # restart (-> drive), check that MD job shows errors + # and that missing proto is detected + assert env.apache_restart() == 0 + env.check_md(domains) + # check that acme-tls/1 is available for none of the domains + stat = env.get_md_status(domain) + assert stat["proto"]["acme-tls/1"] == [] + + # test case: 2.4.40 mod_ssl stumbles over a SSLCertificateChainFile when installing + # a fallback certificate + @pytest.mark.skipif(HttpdTestEnv.get_ssl_module() != "mod_ssl", reason="only for mod_ssl") + def test_md_702_042(self, env): + domain = self.test_domain + dns_list = [domain] + conf = MDConf(env, admin="admin@" + domain) + conf.add("LogLevel core:debug") + cred = env.get_credentials_for_name(f"test1.{env.http_tld}")[0] + conf.add(f"SSLCertificateChainFile {cred.cert_file}") + conf.add_drive_mode("auto") + conf.add_md(dns_list) + conf.add_vhost(dns_list) + conf.install() + assert env.apache_restart() == 0 + assert env.await_completion([domain]) + + # test case: test "tls-alpn-01" without enabling 'acme-tls/1' challenge protocol + # and fallback "http-01" configured, see https://github.com/icing/mod_md/issues/255 + def test_md_702_043(self, env): + domain = self.test_domain + domains = [domain, "www." + domain] + # + # generate 1 MD and 1 vhost + conf = MDConf(env, admin="admin@" + domain) + conf.add("LogLevel core:debug") + conf.add_drive_mode("auto") + conf.add("MDPortMap 80:%s" % env.http_port) + conf.add("MDCAChallenges tls-alpn-01 http-01") + conf.add_md(domains) + conf.add_vhost(domains) + conf.install() + # + # restart (-> drive), check that MD job shows errors + # and that missing proto is detected + assert env.apache_restart() == 0 + env.check_md(domains) + # check that acme-tls/1 is available for none of the domains + stat = env.get_md_status(domain) + assert stat["proto"]["acme-tls/1"] == [] + # but make sure it completes nevertheless + assert env.await_completion([domain]) + + # test case: drive with using single challenge type explicitly + # and make sure that dns names not mapped to a VirtualHost also work + @pytest.mark.parametrize("challenge_type", [ + "tls-alpn-01" # , "http-01", + ]) + def test_md_702_044(self, env, challenge_type): + domain = self.test_domain + md_domains = [domain, "mail." + domain] + domains = [domain] + # + # generate 1 MD and 1 vhost + conf = MDConf(env, admin="admin@" + domain) + conf.add("Protocols http/1.1 acme-tls/1") + conf.add_drive_mode("auto") + conf.add(f"MDCAChallenges {challenge_type}") + conf.add_md(md_domains) + conf.add_vhost(domains) + conf.install() + # + # restart (-> drive), check that MD was synched and completes + assert env.apache_restart() == 0 + env.check_md(md_domains) + assert env.await_completion([domain]) + env.check_md_complete(domain) + # + # check SSL running OK + cert = env.get_cert(domain) + assert md_domains[0] in cert.get_san_list() + assert md_domains[1] in cert.get_san_list() + + # Make a setup using the base server. It will use http-01 challenge. + def test_md_702_050(self, env): + domain = self.test_domain + conf = MDConf(env, admin=f"admin@{domain}") + conf.add(f""" + MDBaseServer on + ServerName {domain} + """) + conf.add_md([domain]) + conf.install() + assert env.apache_restart() == 0 + assert env.await_completion([domain]) + + # Make a setup using the base server without http:, will fail. + def test_md_702_051(self, env): + domain = self.test_domain + conf = MDConf(env, admin=f"admin@{domain}") + conf.add(f""" + MDBaseServer on + MDPortMap http:- + ServerName {domain} + """) + conf.add_md([domain]) + conf.install() + assert env.apache_restart() == 0 + assert env.await_error(domain) + + # Make a setup using the base server without http:, but with acme-tls/1, should work. + def test_md_702_052(self, env): + domain = self.test_domain + conf = MDConf(env, std_vhosts=False, admin=f"admin@{domain}") + conf.add([ + "MDBaseServer on", + "MDPortMap http:-", + "Protocols h2 http/1.1 acme-tls/1", + f"ServerName {domain}", + "<IfModule ssl_module>", + " SSLEngine on", + "</IfModule>", + "<IfModule tls_module>", + f" TLSEngine {env.https_port}", + "</IfModule>", + ]) + conf.add_md([domain]) + conf.install() + assert env.apache_restart() == 0 + stat = env.get_md_status(domain, via_domain=env.http_addr, use_https=False) + assert stat["proto"]["acme-tls/1"] == [domain] + assert env.await_completion([domain], via_domain=env.http_addr, use_https=False) + + # Test a domain name longer than 64 chars, but components < 64, see #227 + # Background: DNS has an official limit of 253 ASCII chars and components must be + # of length [1, 63]. + # However the CN in a certificate is restricted too, see + # <https://github.com/letsencrypt/boulder/issues/2093>. + @pytest.mark.skipif(MDTestEnv.is_pebble(), reason="pebble differs here from boulder") + @pytest.mark.parametrize("challenge_type", [ + "tls-alpn-01", "http-01" + ]) + def test_md_702_060(self, env, challenge_type): + domain = self.test_domain + # use only too long names, this is expected to fail: + # see <https://github.com/jetstack/cert-manager/issues/1462> + long_domain = ("x" * (65 - len(domain))) + domain + domains = [long_domain, "www." + long_domain] + conf = MDConf(env, admin="admin@" + domain) + conf.add("Protocols http/1.1 acme-tls/1") + conf.add_drive_mode("auto") + conf.add(f"MDCAChallenges {challenge_type}") + conf.add_md(domains) + conf.add_vhost(domains) + conf.install() + assert env.apache_restart() == 0 + env.check_md(domains) + assert env.await_error(long_domain) + # add a short domain to the SAN list, the CA should now use that one + # and issue a cert. + long_domain = ("y" * (65 - len(domain))) + domain + domains = [long_domain, "www." + long_domain, "xxx." + domain] + conf = MDConf(env, admin="admin@" + domain) + conf.add("Protocols http/1.1 acme-tls/1") + conf.add_drive_mode("auto") + conf.add(f"MDCAChallenges {challenge_type}") + conf.add_md(domains) + conf.add_vhost(domains) + conf.install() + assert env.apache_restart() == 0 + assert env.await_completion([long_domain]) + env.check_md_complete(long_domain) + # + # check SSL running OK + cert = env.get_cert(long_domain) + assert long_domain in cert.get_san_list() + + # test case: fourth level domain + def test_md_702_070(self, env): + domain = self.test_domain + name_a = "one.test." + domain + name_b = "two.test." + domain + domains = [name_a, name_b] + # + # generate 1 MD and 2 vhosts + conf = MDConf(env) + conf.add_admin("admin@" + domain) + conf.add_md(domains) + conf.add_vhost(name_a) + conf.install() + # + # restart (-> drive), check that MD was synched and completes + assert env.apache_restart() == 0 + assert env.await_completion(domains) + env.check_md_complete(domains[0]) + + # test case: fifth level domain + def test_md_702_071(self, env): + domain = self.test_domain + name_a = "one.more.test." + domain + name_b = "two.more.test." + domain + domains = [name_a, name_b] + # + # generate 1 MD and 2 vhosts + conf = MDConf(env) + conf.add_admin("admin@" + domain) + conf.add_md(domains) + conf.add_vhost(name_a) + conf.install() + # + # restart (-> drive), check that MD was synched and completes + assert env.apache_restart() == 0 + assert env.await_completion(domains) + env.check_md_complete(domains[0]) + |