basic integration testing
This commit is contained in:
parent
6fee39764a
commit
d96ac748f8
|
@ -0,0 +1,3 @@
|
|||
# generate-csr.sh:
|
||||
/key.pem
|
||||
/csr.der
|
|
@ -0,0 +1,25 @@
|
|||
# This is an example of the kind of things you can do in a configuration file.
|
||||
# All flags used by the client can be configured here. Run Certbot with
|
||||
# "--help" to learn more about the available options.
|
||||
|
||||
# Use a 4096 bit RSA key instead of 2048
|
||||
rsa-key-size = 4096
|
||||
|
||||
# Uncomment and update to register with the specified e-mail address
|
||||
# email = foo@example.com
|
||||
|
||||
# Uncomment and update to generate certificates for the specified
|
||||
# domains.
|
||||
# domains = example.com, www.example.com
|
||||
|
||||
# Uncomment to use a text interface instead of ncurses
|
||||
# text = True
|
||||
|
||||
# Uncomment to use the standalone authenticator on port 443
|
||||
# authenticator = standalone
|
||||
# standalone-supported-challenges = tls-sni-01
|
||||
|
||||
# Uncomment to use the webroot authenticator. Replace webroot-path with the
|
||||
# path to the public_html / webroot folder being served by your web server.
|
||||
# authenticator = webroot
|
||||
# webroot-path = /usr/share/nginx/html
|
|
@ -0,0 +1,20 @@
|
|||
# Always use the staging/testing server - avoids rate limiting
|
||||
server = https://acme-staging.api.letsencrypt.org/directory
|
||||
|
||||
# This is an example configuration file for developers
|
||||
config-dir = /tmp/le/conf
|
||||
work-dir = /tmp/le/conf
|
||||
logs-dir = /tmp/le/logs
|
||||
|
||||
# make sure to use a valid email and domains!
|
||||
email = foo@example.com
|
||||
domains = example.com
|
||||
|
||||
text = True
|
||||
agree-tos = True
|
||||
debug = True
|
||||
# Unfortunately, it's not possible to specify "verbose" multiple times
|
||||
# (correspondingly to -vvvvvv)
|
||||
verbose = True
|
||||
|
||||
authenticator = standalone
|
|
@ -0,0 +1,28 @@
|
|||
#!/bin/sh
|
||||
# This script generates a simple SAN CSR to be used with Let's Encrypt
|
||||
# CA. Mostly intended for "auth --csr" testing, but, since it's easily
|
||||
# auditable, feel free to adjust it and use it on your production web
|
||||
# server.
|
||||
|
||||
if [ "$#" -lt 1 ]
|
||||
then
|
||||
echo "Usage: $0 domain [domain...]" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
domains="DNS:$1"
|
||||
shift
|
||||
for x in "$@"
|
||||
do
|
||||
domains="$domains,DNS:$x"
|
||||
done
|
||||
|
||||
SAN="$domains" openssl req -config "${OPENSSL_CNF:-openssl.cnf}" \
|
||||
-new -nodes -subj '/' -reqexts san \
|
||||
-out "${CSR_PATH:-csr.der}" \
|
||||
-keyout "${KEY_PATH:-key.pem}" \
|
||||
-newkey rsa:2048 \
|
||||
-outform DER
|
||||
# 512 or 1024 too low for Boulder, 2048 is smallest for tests
|
||||
|
||||
echo "You can now run: certbot auth --csr ${CSR_PATH:-csr.der}"
|
|
@ -0,0 +1,5 @@
|
|||
[ req ]
|
||||
distinguished_name = req_distinguished_name
|
||||
[ req_distinguished_name ]
|
||||
[ san ]
|
||||
subjectAltName=${ENV::SAN}
|
|
@ -0,0 +1,31 @@
|
|||
"""Example Certbot plugins.
|
||||
|
||||
For full examples, see `certbot.plugins`.
|
||||
|
||||
"""
|
||||
import zope.interface
|
||||
|
||||
from certbot import interfaces
|
||||
from certbot.plugins import common
|
||||
|
||||
|
||||
@zope.interface.implementer(interfaces.IAuthenticator)
|
||||
@zope.interface.provider(interfaces.IPluginFactory)
|
||||
class Authenticator(common.Plugin):
|
||||
"""Example Authenticator."""
|
||||
|
||||
description = "Example Authenticator plugin"
|
||||
|
||||
# Implement all methods from IAuthenticator, remembering to add
|
||||
# "self" as first argument, e.g. def prepare(self)...
|
||||
|
||||
|
||||
@zope.interface.implementer(interfaces.IInstaller)
|
||||
@zope.interface.provider(interfaces.IPluginFactory)
|
||||
class Installer(common.Plugin):
|
||||
"""Example Installer."""
|
||||
|
||||
description = "Example Installer plugin"
|
||||
|
||||
# Implement all methods from IInstaller, remembering to add
|
||||
# "self" as first argument, e.g. def get_all_names(self)...
|
|
@ -0,0 +1,17 @@
|
|||
from setuptools import setup
|
||||
|
||||
|
||||
setup(
|
||||
name='certbot-example-plugins',
|
||||
package='certbot_example_plugins.py',
|
||||
install_requires=[
|
||||
'certbot',
|
||||
'zope.interface',
|
||||
],
|
||||
entry_points={
|
||||
'certbot.plugins': [
|
||||
'example_authenticator = certbot_example_plugins:Authenticator',
|
||||
'example_installer = certbot_example_plugins:Installer',
|
||||
],
|
||||
},
|
||||
)
|
|
@ -0,0 +1,116 @@
|
|||
#!/bin/sh -xe
|
||||
# Simple integration test. Make sure to activate virtualenv beforehand
|
||||
# (source venv/bin/activate) and that you are running Boulder test
|
||||
# instance (see ./boulder-start.sh).
|
||||
#
|
||||
# Environment variables:
|
||||
# SERVER: Passed as "certbot --server" argument.
|
||||
#
|
||||
# Note: this script is called by Boulder integration test suite!
|
||||
|
||||
set -v
|
||||
|
||||
. ./tests/integration/_common.sh
|
||||
export PATH="/usr/sbin:$PATH" # /usr/sbin/nginx
|
||||
|
||||
export GOPATH="${GOPATH:-/tmp/go}"
|
||||
export PATH="$GOPATH/bin:$PATH"
|
||||
|
||||
if [ `uname` = "Darwin" ];then
|
||||
readlink="greadlink"
|
||||
else
|
||||
readlink="readlink"
|
||||
fi
|
||||
|
||||
common_no_force_renew() {
|
||||
certbot_test_no_force_renew \
|
||||
--authenticator certbot-haproxy:haproxy-authenticator\
|
||||
--installer certbot-haproxy:haproxy-installer\
|
||||
"$@"
|
||||
}
|
||||
|
||||
common() {
|
||||
common_no_force_renew \
|
||||
--authenticator certbot-haproxy:haproxy-authenticator\
|
||||
--installer certbot-haproxy:haproxy-installer\
|
||||
--renew-by-default \
|
||||
"$@"
|
||||
}
|
||||
|
||||
# common --domains le1.wtf --standalone-supported-challenges tls-sni-01 auth
|
||||
common --domains le2.wtf --standalone-supported-challenges http-01 run
|
||||
common -a manual -d le.wtf auth --rsa-key-size 4096
|
||||
|
||||
export CSR_PATH="${root}/csr.der" KEY_PATH="${root}/key.pem" \
|
||||
OPENSSL_CNF=examples/openssl.cnf
|
||||
./examples/generate-csr.sh le3.wtf
|
||||
common auth --csr "$CSR_PATH" \
|
||||
--cert-path "${root}/csr/cert.pem" \
|
||||
--chain-path "${root}/csr/chain.pem"
|
||||
openssl x509 -in "${root}/csr/cert.pem" -text
|
||||
openssl x509 -in "${root}/csr/chain.pem" -text
|
||||
|
||||
# TODO: key-path was "${root}/csr/key.pem", so maybe make that work as well?
|
||||
common --domains le3.wtf install \
|
||||
--cert-path "${root}/csr/cert.pem" \
|
||||
--key-path "${root}/key.pem"
|
||||
|
||||
CheckCertCount() {
|
||||
CERTCOUNT=`ls "${root}/conf/archive/le.wtf/cert"* | wc -l`
|
||||
if [ "$CERTCOUNT" -ne "$1" ] ; then
|
||||
echo Wrong cert count, not "$1" `ls "${root}/conf/archive/le.wtf/"*`
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
CheckCertCount 1
|
||||
# This won't renew (because it's not time yet)
|
||||
common_no_force_renew renew
|
||||
CheckCertCount 1
|
||||
|
||||
# --renew-by-default is used, so renewal should occur
|
||||
common renew
|
||||
CheckCertCount 2
|
||||
|
||||
# This will renew because the expiry is less than 10 years from now
|
||||
sed -i "4arenew_before_expiry = 4 years" "$root/conf/renewal/le.wtf.conf"
|
||||
common_no_force_renew renew --rsa-key-size 2048
|
||||
CheckCertCount 3
|
||||
|
||||
# The 4096 bit setting should persist to the first renewal, but be overriden in the second
|
||||
|
||||
size1=`wc -c ${root}/conf/archive/le.wtf/privkey1.pem | cut -d" " -f1`
|
||||
size2=`wc -c ${root}/conf/archive/le.wtf/privkey2.pem | cut -d" " -f1`
|
||||
size3=`wc -c ${root}/conf/archive/le.wtf/privkey3.pem | cut -d" " -f1`
|
||||
# 4096 bit PEM keys are about ~3270 bytes, 2048 ones are about 1700 bytes
|
||||
if [ "$size1" -lt 3000 ] || [ "$size2" -lt 3000 ] || [ "$size3" -gt 1800 ] ; then
|
||||
echo key sizes violate assumptions:
|
||||
ls -l "${root}/conf/archive/le.wtf/privkey"*
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# ECDSA
|
||||
openssl ecparam -genkey -name secp384r1 -out "${root}/privkey-p384.pem"
|
||||
SAN="DNS:ecdsa.le.wtf" openssl req -new -sha256 \
|
||||
-config "${OPENSSL_CNF:-openssl.cnf}" \
|
||||
-key "${root}/privkey-p384.pem" \
|
||||
-subj "/" \
|
||||
-reqexts san \
|
||||
-outform der \
|
||||
-out "${root}/csr-p384.der"
|
||||
common auth --csr "${root}/csr-p384.der" \
|
||||
--cert-path "${root}/csr/cert-p384.pem" \
|
||||
--chain-path "${root}/csr/chain-p384.pem"
|
||||
openssl x509 -in "${root}/csr/cert-p384.pem" -text | grep 'ASN1 OID: secp384r1'
|
||||
|
||||
# OCSP Must Staple
|
||||
common auth --must-staple --domains "must-staple.le.wtf"
|
||||
openssl x509 -in "${root}/conf/live/must-staple.le.wtf/cert.pem" -text | grep '1.3.6.1.5.5.7.1.24'
|
||||
|
||||
# revoke by account key
|
||||
common revoke --cert-path "$root/conf/live/le.wtf/cert.pem"
|
||||
# revoke renewed
|
||||
# common revoke --cert-path "$root/conf/live/le1.wtf/cert.pem"
|
||||
# revoke by cert key
|
||||
common revoke --cert-path "$root/conf/live/le2.wtf/cert.pem" \
|
||||
--key-path "$root/conf/live/le2.wtf/privkey.pem"
|
|
@ -0,0 +1,35 @@
|
|||
#!/bin/sh
|
||||
|
||||
if [ "xxx$root" = "xxx" ];
|
||||
then
|
||||
# The -t is required on OS X. It provides a template file path for
|
||||
# the kernel to use.
|
||||
root="$(mktemp -d -t leitXXXX)"
|
||||
echo "Root integration tests directory: $root"
|
||||
fi
|
||||
store_flags="--config-dir $root/conf --work-dir $root/work"
|
||||
store_flags="$store_flags --logs-dir $root/logs"
|
||||
export root store_flags
|
||||
|
||||
certbot_test () {
|
||||
certbot_test_no_force_renew \
|
||||
--renew-by-default \
|
||||
"$@"
|
||||
}
|
||||
|
||||
certbot_test_no_force_renew () {
|
||||
certbot \
|
||||
--server "${SERVER:-http://localhost:4000/directory}" \
|
||||
--no-verify-ssl \
|
||||
--tls-sni-01-port 5001 \
|
||||
--http-01-port 8000 \
|
||||
--manual-test-mode \
|
||||
$store_flags \
|
||||
--non-interactive \
|
||||
--no-redirect \
|
||||
--agree-tos \
|
||||
--register-unsafely-without-email \
|
||||
--debug \
|
||||
-vvvvvvv \
|
||||
"$@"
|
||||
}
|
Reference in New Issue