From 1992a9c1ec829a5b84dae0bf42a23f86a9f2b5ec Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Tue, 14 May 2019 08:13:02 +1000
Subject: [PATCH] letsencrypt: use a fake CA for self-signed testing certs

Production letsencrypt certificate generation creates an intermediate chain file (ca.cer); to simulate this during the self-signed tests generate a fake CA certifcate, and use that to sign the generated server certificate.

Tests updated to look for all these files

Change-Id: I3990529bca7ff3c6413ed0066f9c4feaf5464b1c
---
 .../files/driver.sh | 11 ++++-
 testinfra/test_letsencrypt.py | 48 +++++++++++++++++++
 2 files changed, 57 insertions(+), 2 deletions(-)

diff --git a/playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh b/playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh
index e6b74f515d..99b0e15869 100644
--- a/playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh
+++ b/playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh
@@ -64,10 +64,17 @@ elif [[ ${1} == "selfsign" ]]; then
 mkdir -p ${CERT_HOME}/${domain}
 cd ${CERT_HOME}/${domain}
 echo "Creating certs in ${CERT_HOME}/${domain}"
+ # Generate a fake CA key
+ openssl genrsa -out ca.key 2048
+ # Create fake CA root certificate
+ openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -subj "/C=US/ST=CA/O=opendev" -out ca.cer
+ # Create key for localhost
 openssl genrsa -out ${domain}.key 2048
- openssl rsa -in ${domain}.key -out ${domain}.key
+ # Create localhost certificate signing request
 openssl req -sha256 -new -key ${domain}.key -out ${domain}.csr -subj '/CN=localhost'
- openssl x509 -req -sha256 -days 365 -in ${domain}.csr -signkey ${domain}.key -out ${domain}.cer
+ # Create localhost certificate signed by fake CA
+ openssl x509 -req -CA ca.cer -CAkey ca.key -CAcreateserial \ -sha256 -days 365 -in ${domain}.csr -out ${domain}.cer
 cp ${domain}.cer fullchain.cer
 } | tee -a ${LOG_FILE}
 done
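Review bot: `cp ${domain}.cer fullchain.cer` still copies only the leaf certificate, so fullchain.cer does not carry the fake intermediate even though the stated aim of the change is to simulate the production chain file; `cat ${domain}.cer ca.cer > fullchain.cer` would make the self-signed layout match what the real issuance produces. `openssl genrsa -out ca.key 2048` also leaves the fake CA private key next to the served material with whatever mode the script's umask gives it, and anything signed with that key is trusted wherever ca.cer is trusted, so the key should get a restrictive mode (`chmod 600 ca.key`) or be deleted once the leaf is signed. `-CAcreateserial` additionally writes a ca.srl file into the same directory that neither the role nor the tests account for. The selfsign branch continues outside the hunk.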
diff --git a/testinfra/test_letsencrypt.py b/testinfra/test_letsencrypt.py
index 6e1e28a7ee..a7415c419f 100644
--- a/testinfra/test_letsencrypt.py
+++ b/testinfra/test_letsencrypt.py
@@ -49,6 +49,22 @@ def test_certs_created(host):
 assert domain_one.group == "letsencrypt"
 assert domain_one.mode == 0o640
+ cert_one = host.file(
+ '/etc/letsencrypt-certs/'
+ 'letsencrypt01.opendev.org/letsencrypt01.opendev.org.cer')
+ assert cert_one.exists
+ assert cert_one.user == "root"
+ assert cert_one.group == "letsencrypt"
+ assert cert_one.mode == 0o640
+
+ ca_one = host.file(
+ '/etc/letsencrypt-certs/'
+ 'letsencrypt01.opendev.org/ca.cer')
+ assert ca_one.exists
+ assert ca_one.user == "root"
+ assert ca_one.group == "letsencrypt"
+ assert ca_one.mode == 0o640
+
 domain_two = host.file(
 '/etc/letsencrypt-certs/'
 'someotherservice.opendev.org/someotherservice.opendev.org.key')
@@ -57,6 +73,22 @@ def test_certs_created(host):
 assert domain_two.group == "letsencrypt"
 assert domain_two.mode == 0o640
+ cert_two = host.file(
+ '/etc/letsencrypt-certs/'
+ 'someotherservice.opendev.org/someotherservice.opendev.org.cer')
+ assert cert_two.exists
+ assert cert_two.user == "root"
+ assert cert_two.group == "letsencrypt"
+ assert cert_two.mode == 0o640
+
+ ca_two = host.file(
+ '/etc/letsencrypt-certs/'
+ 'someotherservice.opendev.org/ca.cer')
+ assert ca_one.exists
+ assert ca_one.user == "root"
+ assert ca_one.group == "letsencrypt"
+ assert ca_one.mode == 0o640
+
 elif host.backend.get_hostname() == 'letsencrypt02.opendev.org':
 domain_one = host.file(
 '/etc/letsencrypt-certs/'
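Review bot: The new cert_one and ca_one checks repeat the existence/user/group/mode pattern already used for domain_one, and the same block recurs for cert_two and ca_two in the next hunk and for letsencrypt02.opendev.org in the hunk after it; a helper such as `def _assert_cert_file(host, path):` followed by `f = host.file(path)` and the four asserts on `f` would reduce each site to one line and keep the checked attributes from drifting between copies. The assertions also only confirm that ca.cer is present with the right ownership, not that the leaf certificate was issued by it or that fullchain.cer carries the chain, so a regression in the driver's signing step would not be caught; an `openssl verify -CAfile ca.cer` of the leaf via testinfra's host.run would pin what the driver change is meant to produce. test_certs_created starts before this hunk.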
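Review bot: The ca_two block assigns `ca_two = host.file(...)` but the four assertions that follow check `ca_one`, which at that point is the letsencrypt01.opendev.org ca.cer already verified earlier in the function; the someotherservice.opendev.org ca.cer is therefore never tested and this branch passes even if that file is missing or mis-owned. Replace `ca_one` with `ca_two` in the four `assert` lines after `ca_two = host.file(` so they read `assert ca_two.exists` and so on. test_certs_created continues outside the hunk.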
@@ -66,6 +98,22 @@ def test_certs_created(host):
 assert domain_one.group == "letsencrypt"
 assert domain_one.mode == 0o640
+ cert_one = host.file(
+ '/etc/letsencrypt-certs/'
+ 'letsencrypt02.opendev.org/letsencrypt02.opendev.org.cer')
+ assert cert_one.exists
+ assert cert_one.user == "root"
+ assert cert_one.group == "letsencrypt"
+ assert cert_one.mode == 0o640
+
+ ca_one = host.file(
+ '/etc/letsencrypt-certs/'
+ 'letsencrypt02.opendev.org/ca.cer')
+ assert ca_one.exists
+ assert ca_one.user == "root"
+ assert ca_one.group == "letsencrypt"
+ assert ca_one.mode == 0o640
+
 else:
 pytest.skip()