Merge "letsencrypt: use a fake CA for self-signed testing certs"

Zuul 2019-05-16 23:51:19 +00:00 committed by Gerrit Code Review
commit 8ff026ee33
2 changed files with 57 additions and 2 deletions


@ -64,10 +64,17 @@ elif [[ ${1} == "selfsign" ]]; then
mkdir -p ${CERT_HOME}/${domain}
cd ${CERT_HOME}/${domain}
echo "Creating certs in ${CERT_HOME}/${domain}"
# Generate a fake CA key
openssl genrsa -out ca.key 2048
# Create fake CA root certificate
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -subj "/C=US/ST=CA/O=opendev" -out ca.cer
# Create key for localhost
openssl genrsa -out ${domain}.key 2048
openssl rsa -in ${domain}.key -out ${domain}.key
# Create localhost certificate signing request
openssl req -sha256 -new -key ${domain}.key -out ${domain}.csr -subj '/CN=localhost'
openssl x509 -req -sha256 -days 365 -in ${domain}.csr -signkey ${domain}.key -out ${domain}.cer
# Create localhost certificate signed by fake CA
openssl x509 -req -CA ca.cer -CAkey ca.key -CAcreateserial \
-sha256 -days 365 -in ${domain}.csr -out ${domain}.cer
cp ${domain}.cer fullchain.cer
} | tee -a ${LOG_FILE}
done
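Review bot: The fake CA's private key `ca.key` is written into the same directory as the served certificates and is never removed in this section, so it stays on disk with whatever mode openssl and the umask give it. Anyone who can read it can sign certificates that chain to `ca.cer`, which matters if any test host or client is configured to trust that root. If nothing re-signs later, adding `rm -f ca.key` after the `openssl x509 -req -CA ca.cer ...` call would close that; a later task not visible here may already fix up permissions. The leaf is also requested with only `/CN=localhost` and no subjectAltName, so clients that verify hostnames against the fake CA will probably reject it. The enclosing `elif` branch and brace group start outside this hunk.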


@ -49,6 +49,22 @@ def test_certs_created(host):
assert domain_one.group == "letsencrypt"
assert domain_one.mode == 0o640
cert_one = host.file(
'/etc/letsencrypt-certs/'
'letsencrypt01.opendev.org/letsencrypt01.opendev.org.cer')
assert cert_one.exists
assert cert_one.user == "root"
assert cert_one.group == "letsencrypt"
assert cert_one.mode == 0o640
ca_one = host.file(
'/etc/letsencrypt-certs/'
'letsencrypt01.opendev.org/ca.cer')
assert ca_one.exists
assert ca_one.user == "root"
assert ca_one.group == "letsencrypt"
assert ca_one.mode == 0o640
domain_two = host.file(
'/etc/letsencrypt-certs/'
'someotherservice.opendev.org/someotherservice.opendev.org.key')
@ -57,6 +73,22 @@ def test_certs_created(host):
assert domain_two.group == "letsencrypt"
assert domain_two.mode == 0o640
cert_two = host.file(
'/etc/letsencrypt-certs/'
'someotherservice.opendev.org/someotherservice.opendev.org.cer')
assert cert_two.exists
assert cert_two.user == "root"
assert cert_two.group == "letsencrypt"
assert cert_two.mode == 0o640
ca_two = host.file(
'/etc/letsencrypt-certs/'
'someotherservice.opendev.org/ca.cer')
assert ca_one.exists
assert ca_one.user == "root"
assert ca_one.group == "letsencrypt"
assert ca_one.mode == 0o640
elif host.backend.get_hostname() == 'letsencrypt02.opendev.org':
domain_one = host.file(
'/etc/letsencrypt-certs/'
@ -66,6 +98,22 @@ def test_certs_created(host):
assert domain_one.group == "letsencrypt"
assert domain_one.mode == 0o640
cert_one = host.file(
'/etc/letsencrypt-certs/'
'letsencrypt02.opendev.org/letsencrypt02.opendev.org.cer')
assert cert_one.exists
assert cert_one.user == "root"
assert cert_one.group == "letsencrypt"
assert cert_one.mode == 0o640
ca_one = host.file(
'/etc/letsencrypt-certs/'
'letsencrypt02.opendev.org/ca.cer')
assert ca_one.exists
assert ca_one.user == "root"
assert ca_one.group == "letsencrypt"
assert ca_one.mode == 0o640
else:
pytest.skip()
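Review bot: In the second hunk, the block that assigns `ca_two` then asserts on `ca_one` four times, so `someotherservice.opendev.org/ca.cer` is never checked and the test passes even if that file is missing or has the wrong owner or mode. The four asserts should read `assert ca_two.exists`, `assert ca_two.user == "root"`, and likewise for `group` and `mode`. The new checks also cover only `ca.cer`; if `ca.key` is expected to remain on the host, an assertion on its mode would catch it being left group- or world-readable. `test_certs_created` starts outside these hunks.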