package integration
import (
"crypto/tls"
"crypto/x509"
"fmt"
"net/http"
"os"
"time"
"github.com/containous/traefik/integration/try"
"github.com/containous/traefik/testhelpers"
"github.com/go-check/check"
checker "github.com/vdemeester/shakers"
)
// AcmeSuite is the ACME integration suite. It drives a Boulder test CA
// through libcompose (see SetUpSuite) and remembers the CA container's
// address so that each test can render its Traefik fixture against it.
type AcmeSuite struct {
	BaseSuite
	// boulderIP is the IP address of the "boulder" compose container on the
	// test network; it is filled in by SetUpSuite and read by every test.
	boulderIP string
}
// AcmeTestCase describes one run of retrieveAcmeCertificate: which Traefik
// fixture to start, whether certificates are requested on demand (otherwise
// on host rule), and what the served leaf certificate must look like.
type AcmeTestCase struct {
	// traefikConfFilePath is the TOML fixture rendered and passed to Traefik.
	traefikConfFilePath string
	// domainToCheck is the CommonName the presented certificate must carry.
	domainToCheck string
	// algorithm is the expected public-key algorithm of that certificate.
	algorithm x509.PublicKeyAlgorithm
	// onDemand selects the OnDemand ACME mode; when false the fixture is
	// rendered with OnHostRule enabled instead.
	onDemand bool
}
// CommonName values asserted against the certificate Traefik presents.
const (
	// acmeDomain is the host name the ACME-issued certificate is expected to carry.
	acmeDomain = "traefik.acme.wtf"

	// wildcardDomain is the CommonName of the provided wildcard certificate.
	wildcardDomain = "*.acme.wtf"

	// traefikDefaultDomain is the CommonName of Traefik's built-in default
	// certificate; the no-challenge test expects to see it instead of an
	// ACME certificate.
	traefikDefaultDomain = "TRAEFIK DEFAULT CERT"
)
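// SetUpSuite starts the Boulder (ACME test CA) compose project, records the
// container's IP and blocks until the ACME directory answers 200, so every
// test in the suite can rely on a reachable CA.
//
// The directory is fetched over plain HTTP on port 4001, which is how the
// Boulder test harness is addressed here; that is acceptable on an isolated
// compose network but must not be mirrored in a real ACME configuration.
func (s *AcmeSuite) SetUpSuite(c *check.C) {
	s.createComposeProject(c, "boulder")
	s.composeProject.Start(c)

	s.boulderIP = s.composeProject.Container(c, "boulder").NetworkSettings.IPAddress
	// Fail fast with a clear message instead of polling a malformed
	// "http://:4001/..." URL for the full 120s when the container has no IP.
	c.Assert(s.boulderIP != "", checker.True)

	// wait for boulder
	directoryURL := fmt.Sprintf("http://%s:4001/directory", s.boulderIP)
	err := try.GetRequest(directoryURL, 120*time.Second, try.StatusCodeIs(http.StatusOK))
	c.Assert(err, checker.IsNil)
}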
// TearDownSuite stops the Boulder compose project, if one was started, so the
// CA container does not outlive the suite.
func (s *AcmeSuite) TearDownSuite(c *check.C) {
	// shutdown and delete compose project
	if s.composeProject == nil {
		return
	}
	s.composeProject.Stop(c)
}
// TestACMEProviderAtStart starts Traefik from fixtures/provideracme/acme.toml
// (rendered with OnDemand=false, OnHostRule=true) and expects an RSA
// certificate for acmeDomain to be served.
func (s *AcmeSuite) TestACMEProviderAtStart(c *check.C) {
	s.retrieveAcmeCertificate(c, AcmeTestCase{
		onDemand:            false,
		traefikConfFilePath: "fixtures/provideracme/acme.toml",
		domainToCheck:       acmeDomain,
		algorithm:           x509.RSA,
	})
}
// TestACMEProviderAtStartInSAN uses fixtures/provideracme/acme_insan.toml
// (OnDemand=false, OnHostRule=true) and expects the served RSA certificate
// to carry "acme.wtf" as CommonName — the "InSAN" fixture presumably lists
// traefik.acme.wtf only as a SAN, which this CN check does not inspect.
func (s *AcmeSuite) TestACMEProviderAtStartInSAN(c *check.C) {
	s.retrieveAcmeCertificate(c, AcmeTestCase{
		onDemand:            false,
		traefikConfFilePath: "fixtures/provideracme/acme_insan.toml",
		domainToCheck:       "acme.wtf",
		algorithm:           x509.RSA,
	})
}
// TestACMEProviderOnHost uses fixtures/provideracme/acme_onhost.toml
// (OnDemand=false, OnHostRule=true) and expects an RSA certificate for
// acmeDomain.
func (s *AcmeSuite) TestACMEProviderOnHost(c *check.C) {
	s.retrieveAcmeCertificate(c, AcmeTestCase{
		onDemand:            false,
		traefikConfFilePath: "fixtures/provideracme/acme_onhost.toml",
		domainToCheck:       acmeDomain,
		algorithm:           x509.RSA,
	})
}
// TestACMEProviderOnHostECDSA uses fixtures/provideracme/acme_onhost_ecdsa.toml
// (OnDemand=false, OnHostRule=true) and expects the certificate for
// acmeDomain to be issued for an ECDSA key.
func (s *AcmeSuite) TestACMEProviderOnHostECDSA(c *check.C) {
	s.retrieveAcmeCertificate(c, AcmeTestCase{
		onDemand:            false,
		traefikConfFilePath: "fixtures/provideracme/acme_onhost_ecdsa.toml",
		domainToCheck:       acmeDomain,
		algorithm:           x509.ECDSA,
	})
}
// TestACMEProviderOnHostInvalidAlgo uses
// fixtures/provideracme/acme_onhost_invalid_algo.toml (OnDemand=false,
// OnHostRule=true). The fixture is expected to name an unsupported key type;
// the assertion pins the fallback: the certificate for acmeDomain must still
// be issued, with an RSA key.
func (s *AcmeSuite) TestACMEProviderOnHostInvalidAlgo(c *check.C) {
	s.retrieveAcmeCertificate(c, AcmeTestCase{
		onDemand:            false,
		traefikConfFilePath: "fixtures/provideracme/acme_onhost_invalid_algo.toml",
		domainToCheck:       acmeDomain,
		algorithm:           x509.RSA,
	})
}
// TestACMEProviderOnHostWithNoACMEChallenge uses
// fixtures/acme/no_challenge_acme.toml (OnDemand=false, OnHostRule=true).
// With no challenge configured, no ACME certificate can be obtained, so the
// connection must be served with Traefik's default certificate
// (CN "TRAEFIK DEFAULT CERT", RSA) rather than one for acmeDomain.
func (s *AcmeSuite) TestACMEProviderOnHostWithNoACMEChallenge(c *check.C) {
	s.retrieveAcmeCertificate(c, AcmeTestCase{
		onDemand:            false,
		traefikConfFilePath: "fixtures/acme/no_challenge_acme.toml",
		domainToCheck:       traefikDefaultDomain,
		algorithm:           x509.RSA,
	})
}
// TestOnDemandRetrieveAcmeCertificateHTTP01 uses fixtures/acme/acme_http01.toml
// with OnDemand=true (OnHostRule=false) and no pre-provided certificate; the
// HTTP-01 challenge must yield an RSA certificate for acmeDomain.
func (s *AcmeSuite) TestOnDemandRetrieveAcmeCertificateHTTP01(c *check.C) {
	s.retrieveAcmeCertificate(c, AcmeTestCase{
		onDemand:            true,
		traefikConfFilePath: "fixtures/acme/acme_http01.toml",
		domainToCheck:       acmeDomain,
		algorithm:           x509.RSA,
	})
}
// TestOnHostRuleRetrieveAcmeCertificateHTTP01 is the OnHostRule counterpart of
// TestOnDemandRetrieveAcmeCertificateHTTP01: same fixture
// (fixtures/acme/acme_http01.toml), rendered with OnDemand=false and
// OnHostRule=true, same expected RSA certificate for acmeDomain.
func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateHTTP01(c *check.C) {
	s.retrieveAcmeCertificate(c, AcmeTestCase{
		onDemand:            false,
		traefikConfFilePath: "fixtures/acme/acme_http01.toml",
		domainToCheck:       acmeDomain,
		algorithm:           x509.RSA,
	})
}
// TestOnHostRuleRetrieveAcmeCertificateHTTP01WithPath uses
// fixtures/acme/acme_http01_web.toml (OnDemand=false, OnHostRule=true), a
// variant of the HTTP-01 fixture that also exposes the web entrypoint on a
// path; an RSA certificate for acmeDomain is still expected.
func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateHTTP01WithPath(c *check.C) {
	s.retrieveAcmeCertificate(c, AcmeTestCase{
		onDemand:            false,
		traefikConfFilePath: "fixtures/acme/acme_http01_web.toml",
		domainToCheck:       acmeDomain,
		algorithm:           x509.RSA,
	})
}
// TestOnDemandRetrieveAcmeCertificateWithWildcard uses
// fixtures/acme/acme_provided.toml with OnDemand=true (OnHostRule=false). A
// wildcard certificate is provided statically, so Traefik must serve it
// (CN "*.acme.wtf", RSA) for acmeDomain instead of requesting a new one.
func (s *AcmeSuite) TestOnDemandRetrieveAcmeCertificateWithWildcard(c *check.C) {
	s.retrieveAcmeCertificate(c, AcmeTestCase{
		onDemand:            true,
		traefikConfFilePath: "fixtures/acme/acme_provided.toml",
		domainToCheck:       wildcardDomain,
		algorithm:           x509.RSA,
	})
}
// TestOnHostRuleRetrieveAcmeCertificateWithWildcard is the OnHostRule
// counterpart of TestOnDemandRetrieveAcmeCertificateWithWildcard: same
// fixture (fixtures/acme/acme_provided.toml), rendered with OnDemand=false
// and OnHostRule=true; the provided wildcard certificate must be served.
func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateWithWildcard(c *check.C) {
	s.retrieveAcmeCertificate(c, AcmeTestCase{
		onDemand:            false,
		traefikConfFilePath: "fixtures/acme/acme_provided.toml",
		domainToCheck:       wildcardDomain,
		algorithm:           x509.RSA,
	})
}
// TestOnDemandRetrieveAcmeCertificateWithDynamicWildcard uses
// fixtures/acme/acme_provided_dynamic.toml with OnDemand=true
// (OnHostRule=false); the wildcard certificate provided through dynamic
// configuration must be served (CN "*.acme.wtf", RSA) for acmeDomain.
func (s *AcmeSuite) TestOnDemandRetrieveAcmeCertificateWithDynamicWildcard(c *check.C) {
	s.retrieveAcmeCertificate(c, AcmeTestCase{
		onDemand:            true,
		traefikConfFilePath: "fixtures/acme/acme_provided_dynamic.toml",
		domainToCheck:       wildcardDomain,
		algorithm:           x509.RSA,
	})
}
// TestOnHostRuleRetrieveAcmeCertificateWithDynamicWildcard is the OnHostRule
// counterpart of TestOnDemandRetrieveAcmeCertificateWithDynamicWildcard:
// same fixture (fixtures/acme/acme_provided_dynamic.toml), rendered with
// OnDemand=false and OnHostRule=true; the dynamically provided wildcard
// certificate must be served.
func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateWithDynamicWildcard(c *check.C) {
	s.retrieveAcmeCertificate(c, AcmeTestCase{
		onDemand:            false,
		traefikConfFilePath: "fixtures/acme/acme_provided_dynamic.toml",
		domainToCheck:       wildcardDomain,
		algorithm:           x509.RSA,
	})
}
// TestNoValidLetsEncryptServer starts Traefik with fixtures/acme/wrong_acme.toml
// (presumably pointing at an ACME endpoint that cannot be reached) and only
// checks that Traefik still comes up: the API listener on 127.0.0.1:8080 must
// answer /api/providers with 200 within 10s. An unreachable CA must degrade
// certificate issuance, not take the proxy down.
func (s *AcmeSuite) TestNoValidLetsEncryptServer(c *check.C) {
	cmd, display := s.traefikCmd(withConfigFile("fixtures/acme/wrong_acme.toml"))
	defer display(c)

	c.Assert(cmd.Start(), checker.IsNil)
	defer cmd.Process.Kill()

	// Expected traefik works
	const providersAPI = "http://127.0.0.1:8080/api/providers"
	c.Assert(
		try.GetRequest(providersAPI, 10*time.Second, try.StatusCodeIs(http.StatusOK)),
		checker.IsNil,
	)
}
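// retrieveAcmeCertificate renders testCase.traefikConfFilePath with the
// Boulder address and the OnDemand/OnHostRule switches, starts Traefik from
// it together with a backend on :9010, and then repeatedly performs HTTPS
// requests against 127.0.0.1:5001 with SNI/Host set to acmeDomain until the
// presented leaf certificate carries testCase.domainToCheck as CommonName.
// Finally it asserts the HTTP status, the CommonName and the public-key
// algorithm of that certificate.
//
// Chain validation is deliberately disabled (InsecureSkipVerify): Boulder's
// test CA is not in any trust store. The test therefore proves that Traefik
// serves *a* certificate with the expected CN and key type, nothing about
// the chain — this TLS config must not be copied outside the test harness.
func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase AcmeTestCase) {
	file := s.adaptFile(c, testCase.traefikConfFilePath, struct {
		BoulderHost string
		OnDemand    bool
		OnHostRule  bool
	}{
		BoulderHost: s.boulderIP,
		OnDemand:    testCase.onDemand,
		OnHostRule:  !testCase.onDemand,
	})
	defer os.Remove(file)

	// Traefik persists its ACME state to /tmp/acme.json; a real file is needed
	// to check the mode it is created with. This cleanup is registered BEFORE
	// the process kill below so that, with LIFO defer order, the file is removed
	// only once Traefik has been stopped — otherwise Traefik could recreate it
	// between removal and kill and leak account/certificate state into the next
	// test. The fixed, predictable path in a shared directory is acceptable only
	// because this is a throwaway test harness.
	defer os.Remove("/tmp/acme.json")

	cmd, display := s.traefikCmd(withConfigFile(file))
	defer display(c)

	err := cmd.Start()
	c.Assert(err, checker.IsNil)
	defer cmd.Process.Kill()

	backend := startTestServer("9010", http.StatusOK)
	defer backend.Close()

	// Every attempt must perform a fresh TLS handshake: with keep-alive, a
	// later attempt could be sent over the connection of the first one and the
	// certificate inspected would be the one negotiated back then, not the one
	// Traefik currently serves. DisableKeepAlives guarantees this regardless of
	// whether a response body was drained.
	tr := &http.Transport{
		TLSClientConfig:   &tls.Config{InsecureSkipVerify: true},
		DisableKeepAlives: true,
	}
	client := &http.Client{Transport: tr}

	// wait for traefik (generating acme account take some seconds)
	err = try.Do(90*time.Second, func() error {
		resp, errGet := client.Get("https://127.0.0.1:5001")
		if errGet != nil {
			return errGet
		}
		// Only reachability matters here; release the body/connection.
		_ = resp.Body.Close()
		return nil
	})
	c.Assert(err, checker.IsNil)

	// ServerName drives SNI so Traefik selects the certificate for acmeDomain;
	// verification stays disabled for the reason given above.
	tr = &http.Transport{
		TLSClientConfig: &tls.Config{
			InsecureSkipVerify: true,
			ServerName:         acmeDomain,
		},
		DisableKeepAlives: true,
	}
	client = &http.Client{Transport: tr}

	req := testhelpers.MustNewRequest(http.MethodGet, "https://127.0.0.1:5001/", nil)
	req.Host = acmeDomain
	req.Header.Set("Host", acmeDomain)
	req.Header.Set("Accept", "*/*")
	// Belt and braces with DisableKeepAlives: also ask for the connection to be
	// closed after each request, from the very first attempt on.
	req.Close = true

	var resp *http.Response

	// Retry to send a Request which uses the LE generated certificate
	err = try.Do(60*time.Second, func() error {
		var errDo error
		resp, errDo = client.Do(req)
		if errDo != nil {
			return errDo
		}
		// The body is not needed; close it so nothing leaks across retries.
		// StatusCode and the TLS state stay readable after Close.
		_ = resp.Body.Close()

		// Guard the index: a missing connection state or empty chain would
		// otherwise panic inside the retry loop instead of producing an error.
		if resp.TLS == nil || len(resp.TLS.PeerCertificates) == 0 {
			return fmt.Errorf("no peer certificate presented by https://127.0.0.1:5001/")
		}

		// NOTE(review): only the CommonName is compared. For the wildcard and
		// default-certificate cases the CN is the distinguishing value; for the
		// ACME cases a SAN check would be stricter, as modern issuers match on
		// SANs rather than CN.
		cn := resp.TLS.PeerCertificates[0].Subject.CommonName
		if cn != testCase.domainToCheck {
			return fmt.Errorf("domain %s found instead of %s", cn, testCase.domainToCheck)
		}

		return nil
	})
	c.Assert(err, checker.IsNil)

	c.Assert(resp.StatusCode, checker.Equals, http.StatusOK)
	// Check Domain into response certificate (the retry loop above guarantees
	// a non-empty chain once err is nil).
	leaf := resp.TLS.PeerCertificates[0]
	c.Assert(leaf.Subject.CommonName, checker.Equals, testCase.domainToCheck)
	c.Assert(leaf.PublicKeyAlgorithm, checker.Equals, testCase.algorithm)
}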