import os import re import time import pytest from .md_conf import MDConf # set the environment variables # SECTIGO_EAB="$kid $hmac" for # SECTIGO_TLD="" # these tests to become active # DEMO_ACME = "https://acme.demo.sectigo.com/" DEMO_TLD = None EABS = [ {'kid': '0123', 'hmac': 'abcdef'}, ] def missing_eab(): global EABS if len(EABS) == 1 and 'SECTIGO_EAB' in os.environ: m = re.match(r'^\s*(\S+)\s+(\S+)\s*$', os.environ['SECTIGO_EAB']) if m: EABS.append({'kid': m.group(1), 'hmac': m.group(2)}) return len(EABS) == 1 def missing_tld(): global DEMO_TLD if 'SECTIGO_TLD' in os.environ: DEMO_TLD = os.environ['SECTIGO_TLD'] return DEMO_TLD is None @pytest.mark.skipif(condition=missing_tld(), reason="env var SECTIGO_TLD not set") @pytest.mark.skipif(condition=missing_eab(), reason="env var SECTIGO_EAB not set") class TestSectigo: @pytest.fixture(autouse=True, scope='class') def _class_scope(self, env, acme): acme.start(config='eab') env.check_acme() env.clear_store() MDConf(env).install() assert env.apache_restart() == 0 @pytest.fixture(autouse=True, scope='function') def _method_scope(self, env, request): env.clear_store() self.test_domain = env.get_request_domain(request) def test_md_751_001(self, env): # valid config, expect cert with correct chain domain = f"test1.{DEMO_TLD}" domains = [domain] conf = MDConf(env) conf.start_md(domains) conf.add(f"MDCertificateAuthority {DEMO_ACME}") conf.add("MDCACertificateFile none") conf.add(f"MDExternalAccountBinding {EABS[1]['kid']} {EABS[1]['hmac']}") conf.end_md() conf.add_vhost(domains=domains) conf.install() assert env.apache_restart() == 0 assert env.await_completion(domains) r = env.curl_get(f"https://{domain}:{env.https_port}", options=[ "--cacert", f"{env.test_dir}/data/sectigo-demo-root.pem" ]) assert r.response['status'] == 200 def test_md_751_002(self, env): # without EAB set domain = f"test1.{DEMO_TLD}" domains = [domain] conf = MDConf(env) conf.start_md(domains) conf.add(f"MDCertificateAuthority {DEMO_ACME}") conf.add("MDCACertificateFile none") conf.end_md() conf.add_vhost(domains=domains) conf.install() assert env.apache_restart() == 0 assert env.await_error(domain) md = env.get_md_status(domain) assert md['renewal']['errors'] > 0 assert md['renewal']['last']['problem'] == 'urn:ietf:params:acme:error:externalAccountRequired' def test_md_751_003(self, env): # with wrong EAB set domain = f"test1.{DEMO_TLD}" domains = [domain] conf = MDConf(env) conf.start_md(domains) conf.add(f"MDCertificateAuthority {DEMO_ACME}") conf.add("MDCACertificateFile none") conf.add(f"MDExternalAccountBinding xxxxxx aaaaaaaaaaaaasdddddsdasdsadsadsadasdsadsa") conf.end_md() conf.add_vhost(domains=domains) conf.install() assert env.apache_restart() == 0 assert env.await_error(domain) md = env.get_md_status(domain) assert md['renewal']['errors'] > 0 assert md['renewal']['last']['problem'] == 'urn:ietf:params:acme:error:unauthorized' def test_md_751_004(self, env): # valid config, get cert, add dns name, renew cert domain = f"test1.{DEMO_TLD}" domain2 = f"test2.{DEMO_TLD}" domains = [domain] conf = MDConf(env) conf.start_md(domains) conf.add(f"MDCertificateAuthority {DEMO_ACME}") conf.add("MDCACertificateFile none") conf.add(f"MDExternalAccountBinding {EABS[1]['kid']} {EABS[1]['hmac']}") conf.end_md() conf.add_vhost(domains=domains) conf.install() assert env.apache_restart() == 0 assert env.await_completion(domains) r = env.curl_get(f"https://{domain}:{env.https_port}", options=[ "--cacert", f"{env.test_dir}/data/sectigo-demo-root.pem" ]) assert r.response['status'] == 200 r = env.curl_get(f"https://{domain2}:{env.https_port}", options=[ "--cacert", f"{env.test_dir}/data/sectigo-demo-root.pem" ]) assert r.exit_code != 0 md1 = env.get_md_status(domain) acct1 = md1['ca']['account'] # add the domain2 to the dns names domains = [domain, domain2] conf = MDConf(env) conf.start_md(domains) conf.add(f"MDCertificateAuthority {DEMO_ACME}") conf.add("MDCACertificateFile none") conf.add(f"MDExternalAccountBinding {EABS[1]['kid']} {EABS[1]['hmac']}") conf.end_md() conf.add_vhost(domains=domains) conf.install() assert env.apache_restart() == 0 assert env.await_completion(domains) r = env.curl_get(f"https://{domain2}:{env.https_port}", options=[ "--cacert", f"{env.test_dir}/data/sectigo-demo-root.pem" ]) assert r.response['status'] == 200 md2 = env.get_md_status(domain) acct2 = md2['ca']['account'] assert acct2 == acct1, f"ACME account was not reused: {acct1} became {acct2}" def test_md_751_020(self, env): # valid config, get cert, check OCSP status domain = f"test1.{DEMO_TLD}" domains = [domain] conf = MDConf(env) conf.add("MDStapling on") conf.start_md(domains) conf.add(f""" MDCertificateAuthority {DEMO_ACME} MDCACertificateFile none MDExternalAccountBinding {EABS[1]['kid']} {EABS[1]['hmac']} """) conf.end_md() conf.add_vhost(domains=domains) conf.install() assert env.apache_restart() == 0 assert env.await_completion(domains) r = env.curl_get(f"https://{domain}:{env.https_port}", options=[ "--cacert", f"{env.test_dir}/data/sectigo-demo-root.pem" ]) assert r.response['status'] == 200 time.sleep(1) for domain in domains: stat = env.await_ocsp_status(domain, ca_file=f"{env.test_dir}/data/sectigo-demo-root.pem") assert stat['ocsp'] == "successful (0x0)" assert stat['verify'] == "0 (ok)"