opendev
/
system-config
Code Issues Proposed changes

letsencrypt: use a fake CA for self-signed testing certs 

Production letsencrypt certificate generation creates an intermediate
chain file (ca.cer); to simulate this during the self-signed tests
generate a fake CA certifcate, and use that to sign the generated
server certificate.

Tests updated to look for all these files

Change-Id: I3990529bca7ff3c6413ed0066f9c4feaf5464b1c
This commit is contained in:
Ian Wienand 2019-05-14 08:13:02 +10:00
parent 733122f0df
commit 1992a9c1ec
2 changed files with 57 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh
View File

@ -64,10 +64,17 @@ elif [[ ${1} == "selfsign" ]]; then
mkdir -p ${CERT_HOME}/${domain}
cd ${CERT_HOME}/${domain}
echo "Creating certs in ${CERT_HOME}/${domain}"
# Generate a fake CA key
openssl genrsa -out ca.key 2048
# Create fake CA root certificate
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -subj "/C=US/ST=CA/O=opendev" -out ca.cer
# Create key for localhost
openssl genrsa -out ${domain}.key 2048
openssl rsa -in ${domain}.key -out ${domain}.key
# Create localhost certificate signing request
openssl req -sha256 -new -key ${domain}.key -out ${domain}.csr -subj '/CN=localhost'
openssl x509 -req -sha256 -days 365 -in ${domain}.csr -signkey ${domain}.key -out ${domain}.cer
# Create localhost certificate signed by fake CA
openssl x509 -req -CA ca.cer -CAkey ca.key -CAcreateserial \
-sha256 -days 365 -in ${domain}.csr -out ${domain}.cer
cp ${domain}.cer fullchain.cer
} | tee -a ${LOG_FILE}
done

48
testinfra/test_letsencrypt.py
View File

@ -49,6 +49,22 @@ def test_certs_created(host):
assert domain_one.group == "letsencrypt"
assert domain_one.mode == 0o640
cert_one = host.file(
'/etc/letsencrypt-certs/'
'letsencrypt01.opendev.org/letsencrypt01.opendev.org.cer')
assert cert_one.exists
assert cert_one.user == "root"
assert cert_one.group == "letsencrypt"
assert cert_one.mode == 0o640
ca_one = host.file(
'/etc/letsencrypt-certs/'
'letsencrypt01.opendev.org/ca.cer')
assert ca_one.exists
assert ca_one.user == "root"
assert ca_one.group == "letsencrypt"
assert ca_one.mode == 0o640
domain_two = host.file(
'/etc/letsencrypt-certs/'
'someotherservice.opendev.org/someotherservice.opendev.org.key')
@ -57,6 +73,22 @@ def test_certs_created(host):
assert domain_two.group == "letsencrypt"
assert domain_two.mode == 0o640
cert_two = host.file(
'/etc/letsencrypt-certs/'
'someotherservice.opendev.org/someotherservice.opendev.org.cer')
assert cert_two.exists
assert cert_two.user == "root"
assert cert_two.group == "letsencrypt"
assert cert_two.mode == 0o640
ca_two = host.file(
'/etc/letsencrypt-certs/'
'someotherservice.opendev.org/ca.cer')
assert ca_one.exists
assert ca_one.user == "root"
assert ca_one.group == "letsencrypt"
assert ca_one.mode == 0o640
elif host.backend.get_hostname() == 'letsencrypt02.opendev.org':
domain_one = host.file(
'/etc/letsencrypt-certs/'
@ -66,6 +98,22 @@ def test_certs_created(host):
assert domain_one.group == "letsencrypt"
assert domain_one.mode == 0o640
cert_one = host.file(
'/etc/letsencrypt-certs/'
'letsencrypt02.opendev.org/letsencrypt02.opendev.org.cer')
assert cert_one.exists
assert cert_one.user == "root"
assert cert_one.group == "letsencrypt"
assert cert_one.mode == 0o640
ca_one = host.file(
'/etc/letsencrypt-certs/'
'letsencrypt02.opendev.org/ca.cer')
assert ca_one.exists
assert ca_one.user == "root"
assert ca_one.group == "letsencrypt"
assert ca_one.mode == 0o640
else:
pytest.skip()