2017-07-06 14:28:13 +00:00
|
|
|
package integration
|
2016-12-12 17:30:31 +00:00
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/tls"
|
2018-05-16 09:44:03 +00:00
|
|
|
"crypto/x509"
|
2017-06-27 12:42:12 +00:00
|
|
|
"fmt"
|
2021-11-25 10:10:06 +00:00
|
|
|
"net"
|
2016-12-12 17:30:31 +00:00
|
|
|
"net/http"
|
2017-09-13 08:34:04 +00:00
|
|
|
"os"
|
2018-07-03 10:44:04 +00:00
|
|
|
"path/filepath"
|
2016-12-12 17:30:31 +00:00
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/go-check/check"
|
2018-07-03 10:44:04 +00:00
|
|
|
"github.com/miekg/dns"
|
2023-02-03 14:24:05 +00:00
|
|
|
"github.com/traefik/traefik/v3/integration/try"
|
|
|
|
"github.com/traefik/traefik/v3/pkg/config/static"
|
|
|
|
"github.com/traefik/traefik/v3/pkg/provider/acme"
|
|
|
|
"github.com/traefik/traefik/v3/pkg/testhelpers"
|
|
|
|
"github.com/traefik/traefik/v3/pkg/types"
|
2016-12-12 17:30:31 +00:00
|
|
|
checker "github.com/vdemeester/shakers"
|
|
|
|
)
|
|
|
|
|
2021-11-25 10:10:06 +00:00
|
|
|
// ACME test suites.
|
2016-12-12 17:30:31 +00:00
|
|
|
type AcmeSuite struct {
|
|
|
|
BaseSuite
|
2018-07-03 10:44:04 +00:00
|
|
|
pebbleIP string
|
|
|
|
fakeDNSServer *dns.Server
|
2016-12-12 17:30:31 +00:00
|
|
|
}
|
|
|
|
|
2019-07-19 09:52:04 +00:00
|
|
|
type subCases struct {
|
|
|
|
host string
|
|
|
|
expectedCommonName string
|
|
|
|
expectedAlgorithm x509.PublicKeyAlgorithm
|
|
|
|
}
|
|
|
|
|
2018-07-03 10:44:04 +00:00
|
|
|
type acmeTestCase struct {
|
|
|
|
template templateModel
|
2017-06-19 11:22:41 +00:00
|
|
|
traefikConfFilePath string
|
2019-07-19 09:52:04 +00:00
|
|
|
subCases []subCases
|
2016-12-12 17:30:31 +00:00
|
|
|
}
|
|
|
|
|
2018-07-03 10:44:04 +00:00
|
|
|
type templateModel struct {
|
2022-09-13 18:34:08 +00:00
|
|
|
Domain types.Domain
|
2019-07-19 09:52:04 +00:00
|
|
|
Domains []types.Domain
|
2018-07-03 10:44:04 +00:00
|
|
|
PortHTTP string
|
|
|
|
PortHTTPS string
|
2019-07-19 09:52:04 +00:00
|
|
|
Acme map[string]static.CertificateResolver
|
2018-07-03 10:44:04 +00:00
|
|
|
}
|
|
|
|
|
2017-06-27 12:42:12 +00:00
|
|
|
const (
|
|
|
|
// Domain to check
|
|
|
|
acmeDomain = "traefik.acme.wtf"
|
2017-06-19 11:22:41 +00:00
|
|
|
|
2017-06-27 12:42:12 +00:00
|
|
|
// Wildcard domain to check
|
|
|
|
wildcardDomain = "*.acme.wtf"
|
|
|
|
)
|
2017-06-19 11:22:41 +00:00
|
|
|
|
2018-06-27 13:08:05 +00:00
|
|
|
func (s *AcmeSuite) getAcmeURL() string {
|
2021-11-25 10:10:06 +00:00
|
|
|
return fmt.Sprintf("https://%s/dir",
|
|
|
|
net.JoinHostPort(s.pebbleIP, "14000"))
|
2018-07-03 10:44:04 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func setupPebbleRootCA() (*http.Transport, error) {
|
|
|
|
path, err := filepath.Abs("fixtures/acme/ssl/pebble.minica.pem")
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
os.Setenv("LEGO_CA_CERTIFICATES", path)
|
|
|
|
os.Setenv("LEGO_CA_SERVER_NAME", "pebble")
|
|
|
|
|
2021-03-04 19:08:03 +00:00
|
|
|
customCAs, err := os.ReadFile(path)
|
2018-07-03 10:44:04 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
certPool := x509.NewCertPool()
|
|
|
|
if ok := certPool.AppendCertsFromPEM(customCAs); !ok {
|
2020-05-11 10:06:07 +00:00
|
|
|
return nil, fmt.Errorf("error creating x509 cert pool from %q: %w", path, err)
|
2018-07-03 10:44:04 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return &http.Transport{
|
|
|
|
TLSClientConfig: &tls.Config{
|
|
|
|
ServerName: "pebble",
|
|
|
|
RootCAs: certPool,
|
|
|
|
},
|
|
|
|
}, nil
|
2018-06-27 13:08:05 +00:00
|
|
|
}
|
|
|
|
|
2016-12-12 17:30:31 +00:00
|
|
|
func (s *AcmeSuite) SetUpSuite(c *check.C) {
|
2018-08-01 14:56:04 +00:00
|
|
|
s.createComposeProject(c, "pebble")
|
2021-11-25 10:10:06 +00:00
|
|
|
s.composeUp(c)
|
2016-12-12 17:30:31 +00:00
|
|
|
|
2021-11-25 10:10:06 +00:00
|
|
|
s.fakeDNSServer = startFakeDNSServer(s.getContainerIP(c, "traefik"))
|
|
|
|
s.pebbleIP = s.getComposeServiceIP(c, "pebble")
|
2018-07-03 10:44:04 +00:00
|
|
|
|
|
|
|
pebbleTransport, err := setupPebbleRootCA()
|
|
|
|
if err != nil {
|
|
|
|
c.Fatal(err)
|
|
|
|
}
|
|
|
|
|
2018-08-01 14:56:04 +00:00
|
|
|
// wait for pebble
|
2018-07-03 10:44:04 +00:00
|
|
|
req := testhelpers.MustNewRequest(http.MethodGet, s.getAcmeURL(), nil)
|
|
|
|
|
|
|
|
client := &http.Client{
|
|
|
|
Transport: pebbleTransport,
|
|
|
|
}
|
2016-12-12 17:30:31 +00:00
|
|
|
|
2018-07-03 10:44:04 +00:00
|
|
|
err = try.Do(5*time.Second, func() error {
|
|
|
|
resp, errGet := client.Do(req)
|
|
|
|
if errGet != nil {
|
|
|
|
return errGet
|
|
|
|
}
|
|
|
|
return try.StatusCodeIs(http.StatusOK)(resp)
|
|
|
|
})
|
2016-12-12 17:30:31 +00:00
|
|
|
c.Assert(err, checker.IsNil)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *AcmeSuite) TearDownSuite(c *check.C) {
|
2021-11-25 10:10:06 +00:00
|
|
|
if s.fakeDNSServer != nil {
|
|
|
|
err := s.fakeDNSServer.Shutdown()
|
|
|
|
if err != nil {
|
|
|
|
c.Log(err)
|
|
|
|
}
|
2018-07-03 10:44:04 +00:00
|
|
|
}
|
|
|
|
|
2021-11-25 10:10:06 +00:00
|
|
|
s.composeDown(c)
|
2016-12-12 17:30:31 +00:00
|
|
|
}
|
|
|
|
|
2019-07-19 09:52:04 +00:00
|
|
|
func (s *AcmeSuite) TestHTTP01Domains(c *check.C) {
|
2018-07-03 10:44:04 +00:00
|
|
|
testCase := acmeTestCase{
|
2019-07-19 09:52:04 +00:00
|
|
|
traefikConfFilePath: "fixtures/acme/acme_domains.toml",
|
|
|
|
subCases: []subCases{{
|
|
|
|
host: acmeDomain,
|
|
|
|
expectedCommonName: acmeDomain,
|
|
|
|
expectedAlgorithm: x509.RSA,
|
|
|
|
}},
|
2018-07-03 10:44:04 +00:00
|
|
|
template: templateModel{
|
2019-07-19 09:52:04 +00:00
|
|
|
Domains: []types.Domain{{
|
|
|
|
Main: "traefik.acme.wtf",
|
|
|
|
}},
|
|
|
|
Acme: map[string]static.CertificateResolver{
|
|
|
|
"default": {ACME: &acme.Configuration{
|
|
|
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
2018-07-03 10:44:04 +00:00
|
|
|
}},
|
|
|
|
},
|
2018-06-27 13:08:05 +00:00
|
|
|
},
|
|
|
|
}
|
2017-06-27 12:42:12 +00:00
|
|
|
|
|
|
|
s.retrieveAcmeCertificate(c, testCase)
|
2017-06-19 11:22:41 +00:00
|
|
|
}
|
|
|
|
|
2022-09-13 18:34:08 +00:00
|
|
|
func (s *AcmeSuite) TestHTTP01StoreDomains(c *check.C) {
|
|
|
|
testCase := acmeTestCase{
|
|
|
|
traefikConfFilePath: "fixtures/acme/acme_store_domains.toml",
|
|
|
|
subCases: []subCases{{
|
|
|
|
host: acmeDomain,
|
|
|
|
expectedCommonName: acmeDomain,
|
|
|
|
expectedAlgorithm: x509.RSA,
|
|
|
|
}},
|
|
|
|
template: templateModel{
|
|
|
|
Domain: types.Domain{
|
|
|
|
Main: "traefik.acme.wtf",
|
|
|
|
},
|
|
|
|
Acme: map[string]static.CertificateResolver{
|
|
|
|
"default": {ACME: &acme.Configuration{
|
|
|
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
|
|
|
}},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
s.retrieveAcmeCertificate(c, testCase)
|
|
|
|
}
|
|
|
|
|
2019-07-19 09:52:04 +00:00
|
|
|
func (s *AcmeSuite) TestHTTP01DomainsInSAN(c *check.C) {
|
2018-07-03 10:44:04 +00:00
|
|
|
testCase := acmeTestCase{
|
2019-07-19 09:52:04 +00:00
|
|
|
traefikConfFilePath: "fixtures/acme/acme_domains.toml",
|
|
|
|
subCases: []subCases{{
|
|
|
|
host: acmeDomain,
|
|
|
|
expectedCommonName: "acme.wtf",
|
|
|
|
expectedAlgorithm: x509.RSA,
|
|
|
|
}},
|
2018-07-03 10:44:04 +00:00
|
|
|
template: templateModel{
|
2019-07-19 09:52:04 +00:00
|
|
|
Domains: []types.Domain{{
|
|
|
|
Main: "acme.wtf",
|
|
|
|
SANs: []string{"traefik.acme.wtf"},
|
|
|
|
}},
|
|
|
|
Acme: map[string]static.CertificateResolver{
|
|
|
|
"default": {ACME: &acme.Configuration{
|
|
|
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
2018-07-03 10:44:04 +00:00
|
|
|
}},
|
|
|
|
},
|
2018-06-27 13:08:05 +00:00
|
|
|
},
|
|
|
|
}
|
2018-03-05 19:54:04 +00:00
|
|
|
|
|
|
|
s.retrieveAcmeCertificate(c, testCase)
|
|
|
|
}
|
|
|
|
|
2018-07-03 10:44:04 +00:00
|
|
|
func (s *AcmeSuite) TestHTTP01OnHostRule(c *check.C) {
|
|
|
|
testCase := acmeTestCase{
|
2018-07-12 17:10:03 +00:00
|
|
|
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
2019-07-19 09:52:04 +00:00
|
|
|
subCases: []subCases{{
|
|
|
|
host: acmeDomain,
|
|
|
|
expectedCommonName: acmeDomain,
|
|
|
|
expectedAlgorithm: x509.RSA,
|
|
|
|
}},
|
2018-07-03 10:44:04 +00:00
|
|
|
template: templateModel{
|
2019-07-19 09:52:04 +00:00
|
|
|
Acme: map[string]static.CertificateResolver{
|
|
|
|
"default": {ACME: &acme.Configuration{
|
|
|
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
|
|
|
}},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
s.retrieveAcmeCertificate(c, testCase)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *AcmeSuite) TestMultipleResolver(c *check.C) {
|
|
|
|
testCase := acmeTestCase{
|
|
|
|
traefikConfFilePath: "fixtures/acme/acme_multiple_resolvers.toml",
|
|
|
|
subCases: []subCases{
|
|
|
|
{
|
|
|
|
host: acmeDomain,
|
|
|
|
expectedCommonName: acmeDomain,
|
|
|
|
expectedAlgorithm: x509.RSA,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
host: "tchouk.acme.wtf",
|
|
|
|
expectedCommonName: "tchouk.acme.wtf",
|
|
|
|
expectedAlgorithm: x509.ECDSA,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
template: templateModel{
|
|
|
|
Acme: map[string]static.CertificateResolver{
|
|
|
|
"default": {ACME: &acme.Configuration{
|
|
|
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
|
|
|
}},
|
|
|
|
"tchouk": {ACME: &acme.Configuration{
|
|
|
|
TLSChallenge: &acme.TLSChallenge{},
|
|
|
|
KeyType: "EC256",
|
|
|
|
}},
|
2018-07-03 10:44:04 +00:00
|
|
|
},
|
2018-06-27 13:08:05 +00:00
|
|
|
},
|
|
|
|
}
|
2018-05-16 09:44:03 +00:00
|
|
|
|
|
|
|
s.retrieveAcmeCertificate(c, testCase)
|
|
|
|
}
|
|
|
|
|
2018-07-03 10:44:04 +00:00
|
|
|
func (s *AcmeSuite) TestHTTP01OnHostRuleECDSA(c *check.C) {
|
|
|
|
testCase := acmeTestCase{
|
2018-07-12 17:10:03 +00:00
|
|
|
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
2019-07-19 09:52:04 +00:00
|
|
|
subCases: []subCases{{
|
|
|
|
host: acmeDomain,
|
|
|
|
expectedCommonName: acmeDomain,
|
|
|
|
expectedAlgorithm: x509.ECDSA,
|
|
|
|
}},
|
2018-07-03 10:44:04 +00:00
|
|
|
template: templateModel{
|
2019-07-19 09:52:04 +00:00
|
|
|
Acme: map[string]static.CertificateResolver{
|
|
|
|
"default": {ACME: &acme.Configuration{
|
|
|
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
|
|
|
KeyType: "EC384",
|
|
|
|
}},
|
2018-07-03 10:44:04 +00:00
|
|
|
},
|
2018-06-27 13:08:05 +00:00
|
|
|
},
|
|
|
|
}
|
2018-05-16 09:44:03 +00:00
|
|
|
|
|
|
|
s.retrieveAcmeCertificate(c, testCase)
|
|
|
|
}
|
|
|
|
|
2018-07-03 10:44:04 +00:00
|
|
|
func (s *AcmeSuite) TestHTTP01OnHostRuleInvalidAlgo(c *check.C) {
|
|
|
|
testCase := acmeTestCase{
|
2018-07-12 17:10:03 +00:00
|
|
|
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
2019-07-19 09:52:04 +00:00
|
|
|
subCases: []subCases{{
|
|
|
|
host: acmeDomain,
|
|
|
|
expectedCommonName: acmeDomain,
|
|
|
|
expectedAlgorithm: x509.RSA,
|
|
|
|
}},
|
2018-07-03 10:44:04 +00:00
|
|
|
template: templateModel{
|
2019-07-19 09:52:04 +00:00
|
|
|
Acme: map[string]static.CertificateResolver{
|
|
|
|
"default": {ACME: &acme.Configuration{
|
|
|
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
|
|
|
KeyType: "INVALID",
|
|
|
|
}},
|
2018-07-03 10:44:04 +00:00
|
|
|
},
|
2018-06-27 13:08:05 +00:00
|
|
|
},
|
|
|
|
}
|
2017-06-27 12:42:12 +00:00
|
|
|
|
|
|
|
s.retrieveAcmeCertificate(c, testCase)
|
2017-06-19 11:22:41 +00:00
|
|
|
}
|
|
|
|
|
2019-07-19 09:52:04 +00:00
|
|
|
func (s *AcmeSuite) TestHTTP01OnHostRuleDefaultDynamicCertificatesWithWildcard(c *check.C) {
|
2018-07-03 10:44:04 +00:00
|
|
|
testCase := acmeTestCase{
|
|
|
|
traefikConfFilePath: "fixtures/acme/acme_tls.toml",
|
2019-07-19 09:52:04 +00:00
|
|
|
subCases: []subCases{{
|
|
|
|
host: acmeDomain,
|
|
|
|
expectedCommonName: wildcardDomain,
|
|
|
|
expectedAlgorithm: x509.RSA,
|
|
|
|
}},
|
2018-07-03 10:44:04 +00:00
|
|
|
template: templateModel{
|
2019-07-19 09:52:04 +00:00
|
|
|
Acme: map[string]static.CertificateResolver{
|
|
|
|
"default": {ACME: &acme.Configuration{
|
|
|
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
|
|
|
}},
|
2018-07-03 10:44:04 +00:00
|
|
|
},
|
2018-06-27 13:08:05 +00:00
|
|
|
},
|
|
|
|
}
|
2018-01-15 15:04:05 +00:00
|
|
|
|
|
|
|
s.retrieveAcmeCertificate(c, testCase)
|
|
|
|
}
|
|
|
|
|
2018-07-03 10:44:04 +00:00
|
|
|
func (s *AcmeSuite) TestHTTP01OnHostRuleDynamicCertificatesWithWildcard(c *check.C) {
|
|
|
|
testCase := acmeTestCase{
|
|
|
|
traefikConfFilePath: "fixtures/acme/acme_tls_dynamic.toml",
|
2019-07-19 09:52:04 +00:00
|
|
|
subCases: []subCases{{
|
|
|
|
host: acmeDomain,
|
|
|
|
expectedCommonName: wildcardDomain,
|
|
|
|
expectedAlgorithm: x509.RSA,
|
|
|
|
}},
|
2018-07-03 10:44:04 +00:00
|
|
|
template: templateModel{
|
2019-07-19 09:52:04 +00:00
|
|
|
Acme: map[string]static.CertificateResolver{
|
|
|
|
"default": {ACME: &acme.Configuration{
|
|
|
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
|
|
|
}},
|
2018-07-03 10:44:04 +00:00
|
|
|
},
|
2018-06-27 13:08:05 +00:00
|
|
|
},
|
|
|
|
}
|
2018-01-15 15:04:05 +00:00
|
|
|
|
|
|
|
s.retrieveAcmeCertificate(c, testCase)
|
|
|
|
}
|
|
|
|
|
2019-07-19 09:52:04 +00:00
|
|
|
func (s *AcmeSuite) TestTLSALPN01OnHostRuleTCP(c *check.C) {
|
2018-07-03 10:44:04 +00:00
|
|
|
testCase := acmeTestCase{
|
2019-07-19 09:52:04 +00:00
|
|
|
traefikConfFilePath: "fixtures/acme/acme_tcp.toml",
|
|
|
|
subCases: []subCases{{
|
|
|
|
host: acmeDomain,
|
|
|
|
expectedCommonName: acmeDomain,
|
|
|
|
expectedAlgorithm: x509.RSA,
|
|
|
|
}},
|
2018-07-03 10:44:04 +00:00
|
|
|
template: templateModel{
|
2019-07-19 09:52:04 +00:00
|
|
|
Acme: map[string]static.CertificateResolver{
|
|
|
|
"default": {ACME: &acme.Configuration{
|
|
|
|
TLSChallenge: &acme.TLSChallenge{},
|
|
|
|
}},
|
2018-07-03 10:44:04 +00:00
|
|
|
},
|
2018-06-27 13:08:05 +00:00
|
|
|
},
|
|
|
|
}
|
2017-11-09 11:16:03 +00:00
|
|
|
|
|
|
|
s.retrieveAcmeCertificate(c, testCase)
|
|
|
|
}
|
|
|
|
|
2019-07-19 09:52:04 +00:00
|
|
|
func (s *AcmeSuite) TestTLSALPN01OnHostRule(c *check.C) {
|
2018-07-03 10:44:04 +00:00
|
|
|
testCase := acmeTestCase{
|
2018-07-12 17:10:03 +00:00
|
|
|
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
2019-07-19 09:52:04 +00:00
|
|
|
subCases: []subCases{{
|
|
|
|
host: acmeDomain,
|
|
|
|
expectedCommonName: acmeDomain,
|
|
|
|
expectedAlgorithm: x509.RSA,
|
|
|
|
}},
|
2018-07-03 10:44:04 +00:00
|
|
|
template: templateModel{
|
2019-07-19 09:52:04 +00:00
|
|
|
Acme: map[string]static.CertificateResolver{
|
|
|
|
"default": {ACME: &acme.Configuration{
|
|
|
|
TLSChallenge: &acme.TLSChallenge{},
|
2018-07-03 10:44:04 +00:00
|
|
|
}},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
s.retrieveAcmeCertificate(c, testCase)
|
|
|
|
}
|
|
|
|
|
2019-07-19 09:52:04 +00:00
|
|
|
func (s *AcmeSuite) TestTLSALPN01Domains(c *check.C) {
|
2018-07-03 10:44:04 +00:00
|
|
|
testCase := acmeTestCase{
|
2019-07-19 09:52:04 +00:00
|
|
|
traefikConfFilePath: "fixtures/acme/acme_domains.toml",
|
|
|
|
subCases: []subCases{{
|
|
|
|
host: acmeDomain,
|
|
|
|
expectedCommonName: acmeDomain,
|
|
|
|
expectedAlgorithm: x509.RSA,
|
|
|
|
}},
|
2018-07-03 10:44:04 +00:00
|
|
|
template: templateModel{
|
2019-07-19 09:52:04 +00:00
|
|
|
Domains: []types.Domain{{
|
|
|
|
Main: "traefik.acme.wtf",
|
|
|
|
}},
|
|
|
|
Acme: map[string]static.CertificateResolver{
|
|
|
|
"default": {ACME: &acme.Configuration{
|
|
|
|
TLSChallenge: &acme.TLSChallenge{},
|
2018-07-03 10:44:04 +00:00
|
|
|
}},
|
|
|
|
},
|
2018-06-27 13:08:05 +00:00
|
|
|
},
|
|
|
|
}
|
2017-11-09 11:16:03 +00:00
|
|
|
|
|
|
|
s.retrieveAcmeCertificate(c, testCase)
|
2017-06-19 11:22:41 +00:00
|
|
|
}
|
|
|
|
|
2019-07-19 09:52:04 +00:00
|
|
|
func (s *AcmeSuite) TestTLSALPN01DomainsInSAN(c *check.C) {
|
2018-07-12 17:10:03 +00:00
|
|
|
testCase := acmeTestCase{
|
2019-07-19 09:52:04 +00:00
|
|
|
traefikConfFilePath: "fixtures/acme/acme_domains.toml",
|
|
|
|
subCases: []subCases{{
|
|
|
|
host: acmeDomain,
|
|
|
|
expectedCommonName: "acme.wtf",
|
|
|
|
expectedAlgorithm: x509.RSA,
|
|
|
|
}},
|
2018-07-12 17:10:03 +00:00
|
|
|
template: templateModel{
|
2019-07-19 09:52:04 +00:00
|
|
|
Domains: []types.Domain{{
|
|
|
|
Main: "acme.wtf",
|
|
|
|
SANs: []string{"traefik.acme.wtf"},
|
|
|
|
}},
|
|
|
|
Acme: map[string]static.CertificateResolver{
|
|
|
|
"default": {ACME: &acme.Configuration{
|
|
|
|
TLSChallenge: &acme.TLSChallenge{},
|
2018-07-12 17:10:03 +00:00
|
|
|
}},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
s.retrieveAcmeCertificate(c, testCase)
|
|
|
|
}
|
|
|
|
|
2020-05-11 10:06:07 +00:00
|
|
|
// Test Let's encrypt down.
|
2018-02-05 17:20:04 +00:00
|
|
|
func (s *AcmeSuite) TestNoValidLetsEncryptServer(c *check.C) {
|
2018-07-12 17:10:03 +00:00
|
|
|
file := s.adaptFile(c, "fixtures/acme/acme_base.toml", templateModel{
|
2019-07-19 09:52:04 +00:00
|
|
|
Acme: map[string]static.CertificateResolver{
|
|
|
|
"default": {ACME: &acme.Configuration{
|
|
|
|
CAServer: "http://wrongurl:4001/directory",
|
|
|
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
|
|
|
}},
|
2018-07-03 10:44:04 +00:00
|
|
|
},
|
2018-06-27 13:08:05 +00:00
|
|
|
})
|
|
|
|
defer os.Remove(file)
|
|
|
|
|
|
|
|
cmd, display := s.traefikCmd(withConfigFile(file))
|
2018-02-05 17:20:04 +00:00
|
|
|
defer display(c)
|
|
|
|
err := cmd.Start()
|
|
|
|
c.Assert(err, checker.IsNil)
|
2020-10-09 07:32:03 +00:00
|
|
|
defer s.killCmd(cmd)
|
2018-02-05 17:20:04 +00:00
|
|
|
|
|
|
|
// Expected traefik works
|
2019-05-16 08:58:06 +00:00
|
|
|
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 10*time.Second, try.StatusCodeIs(http.StatusOK))
|
2018-02-05 17:20:04 +00:00
|
|
|
c.Assert(err, checker.IsNil)
|
|
|
|
}
|
2017-06-19 11:22:41 +00:00
|
|
|
|
2020-05-11 10:06:07 +00:00
|
|
|
// Doing an HTTPS request and test the response certificate.
|
2018-07-03 10:44:04 +00:00
|
|
|
func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase acmeTestCase) {
|
|
|
|
if len(testCase.template.PortHTTP) == 0 {
|
|
|
|
testCase.template.PortHTTP = ":5002"
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(testCase.template.PortHTTPS) == 0 {
|
|
|
|
testCase.template.PortHTTPS = ":5001"
|
|
|
|
}
|
|
|
|
|
2019-07-19 09:52:04 +00:00
|
|
|
for _, value := range testCase.template.Acme {
|
|
|
|
if len(value.ACME.CAServer) == 0 {
|
|
|
|
value.ACME.CAServer = s.getAcmeURL()
|
|
|
|
}
|
2018-07-03 10:44:04 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
file := s.adaptFile(c, testCase.traefikConfFilePath, testCase.template)
|
2017-09-13 08:34:04 +00:00
|
|
|
defer os.Remove(file)
|
2017-06-27 12:42:12 +00:00
|
|
|
|
2017-09-13 08:34:04 +00:00
|
|
|
cmd, display := s.traefikCmd(withConfigFile(file))
|
|
|
|
defer display(c)
|
2016-12-12 17:30:31 +00:00
|
|
|
err := cmd.Start()
|
|
|
|
c.Assert(err, checker.IsNil)
|
2020-10-09 07:32:03 +00:00
|
|
|
defer s.killCmd(cmd)
|
2018-04-10 08:52:04 +00:00
|
|
|
// A real file is needed to have the right mode on acme.json file
|
|
|
|
defer os.Remove("/tmp/acme.json")
|
2016-12-12 17:30:31 +00:00
|
|
|
|
2020-07-17 13:38:04 +00:00
|
|
|
backend := startTestServer("9010", http.StatusOK, "")
|
2016-12-12 17:30:31 +00:00
|
|
|
defer backend.Close()
|
|
|
|
|
2022-02-07 10:58:04 +00:00
|
|
|
client := &http.Client{
|
|
|
|
Transport: &http.Transport{
|
|
|
|
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
|
|
|
},
|
|
|
|
}
|
2016-12-12 17:30:31 +00:00
|
|
|
|
2022-02-07 10:58:04 +00:00
|
|
|
// wait for traefik (generating acme account take some seconds)
|
|
|
|
err = try.Do(60*time.Second, func() error {
|
|
|
|
_, errGet := client.Get("https://127.0.0.1:5001")
|
|
|
|
return errGet
|
|
|
|
})
|
|
|
|
c.Assert(err, checker.IsNil)
|
2019-07-19 09:52:04 +00:00
|
|
|
|
2022-02-07 10:58:04 +00:00
|
|
|
for _, sub := range testCase.subCases {
|
2019-07-19 09:52:04 +00:00
|
|
|
client = &http.Client{
|
|
|
|
Transport: &http.Transport{
|
|
|
|
TLSClientConfig: &tls.Config{
|
|
|
|
InsecureSkipVerify: true,
|
|
|
|
ServerName: sub.host,
|
|
|
|
},
|
2022-02-07 10:58:04 +00:00
|
|
|
// Needed so that each subcase redoes the SSL handshake
|
|
|
|
DisableKeepAlives: true,
|
2018-06-27 13:08:05 +00:00
|
|
|
},
|
2019-07-19 09:52:04 +00:00
|
|
|
}
|
2017-06-27 12:42:12 +00:00
|
|
|
|
2019-07-19 09:52:04 +00:00
|
|
|
req := testhelpers.MustNewRequest(http.MethodGet, "https://127.0.0.1:5001/", nil)
|
|
|
|
req.Host = sub.host
|
|
|
|
req.Header.Set("Host", sub.host)
|
|
|
|
req.Header.Set("Accept", "*/*")
|
2017-06-19 11:22:41 +00:00
|
|
|
|
2019-07-19 09:52:04 +00:00
|
|
|
var resp *http.Response
|
2017-06-27 12:42:12 +00:00
|
|
|
|
2019-07-19 09:52:04 +00:00
|
|
|
// Retry to send a Request which uses the LE generated certificate
|
|
|
|
err = try.Do(60*time.Second, func() error {
|
|
|
|
resp, err = client.Do(req)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2017-06-27 12:42:12 +00:00
|
|
|
|
2019-07-19 09:52:04 +00:00
|
|
|
cn := resp.TLS.PeerCertificates[0].Subject.CommonName
|
|
|
|
if cn != sub.expectedCommonName {
|
|
|
|
return fmt.Errorf("domain %s found instead of %s", cn, sub.expectedCommonName)
|
|
|
|
}
|
2017-06-27 12:42:12 +00:00
|
|
|
|
2019-07-19 09:52:04 +00:00
|
|
|
return nil
|
|
|
|
})
|
2017-06-27 12:42:12 +00:00
|
|
|
|
2019-07-19 09:52:04 +00:00
|
|
|
c.Assert(err, checker.IsNil)
|
|
|
|
c.Assert(resp.StatusCode, checker.Equals, http.StatusOK)
|
|
|
|
// Check Domain into response certificate
|
|
|
|
c.Assert(resp.TLS.PeerCertificates[0].Subject.CommonName, checker.Equals, sub.expectedCommonName)
|
|
|
|
c.Assert(resp.TLS.PeerCertificates[0].PublicKeyAlgorithm, checker.Equals, sub.expectedAlgorithm)
|
|
|
|
}
|
2016-12-12 17:30:31 +00:00
|
|
|
}
|