certbot/letstest/scripts/test_apache2.sh

#!/bin/bash -ex

# $OS_TYPE $PUBLIC_IP $PRIVATE_IP $PUBLIC_HOSTNAME $BOULDER_URL
# are dynamically set at execution

if [ "$OS_TYPE" = "ubuntu" ]
then
    CONFFILE=/etc/apache2/sites-available/000-default.conf
    sudo apt-get update
    sudo DEBIAN_FRONTEND=noninteractive apt-get -y --no-upgrade install apache2 curl
    # For apache 2.4, set up ServerName
    sudo sed -i '/ServerName/ s/#ServerName/ServerName/' $CONFFILE
    sudo sed -i '/ServerName/ s/www.example.com/'$PUBLIC_HOSTNAME'/' $CONFFILE
elif [ "$OS_TYPE" = "centos" ]
then
    CONFFILE=/etc/httpd/conf/httpd.conf
    sudo setenforce 0 || true #disable selinux
    sudo yum -y install httpd mod_ssl
    sudo service httpd start
    sudo mkdir -p /var/www/$PUBLIC_HOSTNAME/public_html
    sudo chmod -R oug+rwx /var/www
    sudo chmod -R oug+rw /etc/httpd
    sudo echo '<html><head><title>foo</title></head><body>bar</body></html>' > /var/www/$PUBLIC_HOSTNAME/public_html/index.html
    sudo mkdir /etc/httpd/sites-available #certbot requires this...
    sudo mkdir /etc/httpd/sites-enabled #certbot requires this...
    #sudo echo "IncludeOptional sites-enabled/*.conf" >> /etc/httpd/conf/httpd.conf
    sudo echo """
<VirtualHost *:80>
    ServerName $PUBLIC_HOSTNAME
    DocumentRoot /var/www/$PUBLIC_HOSTNAME/public_html
    ErrorLog /var/www/$PUBLIC_HOSTNAME/error.log
    CustomLog /var/www/$PUBLIC_HOSTNAME/requests.log combined
</VirtualHost>""" >> /etc/httpd/conf.d/$PUBLIC_HOSTNAME.conf
    #sudo cp /etc/httpd/sites-available/$PUBLIC_HOSTNAME.conf /etc/httpd/sites-enabled/
fi

# Run certbot-apache2.
cd letsencrypt

echo "Bootstrapping dependencies..."
sudo letstest/scripts/bootstrap_os_packages.sh

# Install pyenv
curl https://pyenv.run | bash
export PYENV_ROOT="$HOME/.pyenv"
export PATH="$PYENV_ROOT/bin:$PATH"
eval "$(pyenv init --path)"
eval "$(pyenv init -)"

# Install and configure Python
pyenv install 3.10
pyenv shell 3.10

tools/venv.py -e acme -e certbot -e certbot-apache -e certbot-ci tox
PEBBLE_LOGS="acme_server.log"
PEBBLE_URL="https://localhost:14000/dir"
# We configure Pebble to use port 80 for http-01 validation rather than an
# alternate port because:
#   1) It allows us to test with Apache configurations that are more realistic
#   and closer to the default configuration on various OSes.
#   2) As of writing this, Certbot's Apache plugin requires there to be an
#   existing virtual host for the port used for http-01 validation.
venv/bin/run_acme_server --http-01-port 80 > "${PEBBLE_LOGS}" 2>&1 &

DumpPebbleLogsOnFailure() {
    exit_status="$?"
    if [ "$exit_status" != 0 ] && [ -f "${PEBBLE_LOGS}" ] ; then
        echo "Pebble's logs were:"
        cat "${PEBBLE_LOGS}"
    fi
    exit "$exit_status"
}
trap DumpPebbleLogsOnFailure EXIT

for n in $(seq 1 150) ; do
    if curl --insecure "${PEBBLE_URL}" 2>/dev/null; then
        break
    else
        echo "waiting for pebble"
        sleep 1
    fi
done
if ! curl --insecure "${PEBBLE_URL}" 2>/dev/null; then
  echo "timed out waiting for pebble to start"
  DumpPebbleLogs
  exit 1
fi

sudo "venv/bin/certbot" -v --debug --text --agree-tos --no-verify-ssl \
                   --renew-by-default --redirect --register-unsafely-without-email \
                   --domain "${PUBLIC_HOSTNAME}" --server "${PEBBLE_URL}"

if ! grep -q SSLSessionTickets /etc/letsencrypt/options-ssl-apache.conf; then
    echo "modern TLS options were not used"
    exit 1
fi

if [ "$OS_TYPE" = "ubuntu" ] ; then
    export SERVER="${PEBBLE_URL}"
    "venv/bin/tox" -e apacheconftest
else
    echo Not running hackish apache tests on $OS_TYPE
fi
Cleanup scripts and switch to pyenv (#9214) I think test_apache2.sh still has value as it allows us to test our Apache plugin with the Apache layouts found on different OSes. Unfortunately, many of the OSes we're currently testing against don't have Python 3.7+ packaged yet we still support these OSes through things like snap where we bundle our own version of Python. To allow us to continue testing on these OSes, I switched to installing Python through pyenv. I also took the opportunity to clean up the scripts, removing a lot of code, failing more quickly, and simplifying failure logic in test_apache2.sh. 2022-02-24 15:06:23 -05:00			`#!/bin/bash -ex`
current nonworking progress at scripting install of httpd on centos-like systems 2015-12-09 19:52:02 -05:00
fixed apache2 script, tested on centos7 2015-12-10 09:19:32 -05:00			`# $OS_TYPE $PUBLIC_IP $PRIVATE_IP $PUBLIC_HOSTNAME $BOULDER_URL`
			`# are dynamically set at execution`
current nonworking progress at scripting install of httpd on centos-like systems 2015-12-09 19:52:02 -05:00
Add hackish-apache-tests to test_apache2.sh 2015-12-16 23:49:55 -05:00			`if [ "$OS_TYPE" = "ubuntu" ]`
current nonworking progress at scripting install of httpd on centos-like systems 2015-12-09 19:52:02 -05:00			`then`
			`CONFFILE=/etc/apache2/sites-available/000-default.conf`
			`sudo apt-get update`
add another DEBIAN_FRONTEND=noninteractive (#9212) 2022-02-22 17:22:10 -05:00			`sudo DEBIAN_FRONTEND=noninteractive apt-get -y --no-upgrade install apache2 curl`
current nonworking progress at scripting install of httpd on centos-like systems 2015-12-09 19:52:02 -05:00			`# For apache 2.4, set up ServerName`
			`sudo sed -i '/ServerName/ s/#ServerName/ServerName/' $CONFFILE`
			`sudo sed -i '/ServerName/ s/www.example.com/'$PUBLIC_HOSTNAME'/' $CONFFILE`
Add hackish-apache-tests to test_apache2.sh 2015-12-16 23:49:55 -05:00			`elif [ "$OS_TYPE" = "centos" ]`
current nonworking progress at scripting install of httpd on centos-like systems 2015-12-09 19:52:02 -05:00			`then`
			`CONFFILE=/etc/httpd/conf/httpd.conf`
fixed apache2 script, tested on centos7 2015-12-10 09:19:32 -05:00			`sudo setenforce 0 \|\| true #disable selinux`
update farm tests (#9687) * letstest: -ubuntu18.04 +centos9stream +debian11 * letstest: username for centos 9 stream is ec2-user This is mentioned on https://centos.org/download/aws-images/ * ensure mod_ssl is installed in centos 9 stream, apache has to be restarted after mod_ssl is installed, or the snakeoil certificates will not be present and apache won't start. this also removes nghttp2 being installed as the relevant bug is long fixed. 2023-05-08 17:37:14 -04:00			`sudo yum -y install httpd mod_ssl`
current nonworking progress at scripting install of httpd on centos-like systems 2015-12-09 19:52:02 -05:00			`sudo service httpd start`
			`sudo mkdir -p /var/www/$PUBLIC_HOSTNAME/public_html`
fixed apache2 script, tested on centos7 2015-12-10 09:19:32 -05:00			`sudo chmod -R oug+rwx /var/www`
			`sudo chmod -R oug+rw /etc/httpd`
			`sudo echo '<html><head><title>foo</title></head><body>bar</body></html>' > /var/www/$PUBLIC_HOSTNAME/public_html/index.html`
rename letstest stuff 2016-04-14 20:10:27 -04:00			`sudo mkdir /etc/httpd/sites-available #certbot requires this...`
			`sudo mkdir /etc/httpd/sites-enabled #certbot requires this...`
fixed apache2 script, tested on centos7 2015-12-10 09:19:32 -05:00			`#sudo echo "IncludeOptional sites-enabled/*.conf" >> /etc/httpd/conf/httpd.conf`
current nonworking progress at scripting install of httpd on centos-like systems 2015-12-09 19:52:02 -05:00			`sudo echo """`
			`<VirtualHost *:80>`
			`ServerName $PUBLIC_HOSTNAME`
			`DocumentRoot /var/www/$PUBLIC_HOSTNAME/public_html`
			`ErrorLog /var/www/$PUBLIC_HOSTNAME/error.log`
			`CustomLog /var/www/$PUBLIC_HOSTNAME/requests.log combined`
fixed apache2 script, tested on centos7 2015-12-10 09:19:32 -05:00			`</VirtualHost>""" >> /etc/httpd/conf.d/$PUBLIC_HOSTNAME.conf`
			`#sudo cp /etc/httpd/sites-available/$PUBLIC_HOSTNAME.conf /etc/httpd/sites-enabled/`
current nonworking progress at scripting install of httpd on centos-like systems 2015-12-09 19:52:02 -05:00			`fi`

rename letstest stuff 2016-04-14 20:10:27 -04:00			`# Run certbot-apache2.`
current nonworking progress at scripting install of httpd on centos-like systems 2015-12-09 19:52:02 -05:00			`cd letsencrypt`
When testing apache2, don't use letsencrypt-auto 2015-12-22 19:57:08 -05:00
Make the new letsencrypt-auto script the main one. Remove the old bootstrap scripts, which have been subsumed into letsencrypt-auto-source/pieces/bootstrappers. They no longer need to be dispatched among manually: everyone can just run letsencrypt-auto --os-packages-only, regardless of OS. Make the root-level le-auto a symlink to the canonical version. It should thus still work for people running le-auto from a git checkout. 2016-02-05 15:26:08 -05:00			`echo "Bootstrapping dependencies..."`
Make a test farm tests package (#8821) Fixes https://github.com/certbot/certbot/issues/8781. This PR makes our test farm tests into a normal package so it and its dependencies can be tracked and installed like our other packages. Other noteworthy changes in this PR: * Rather than continuing to place logs in your CWD, they're placed in a temporary directory that is printed to the terminal. * `tests/letstest/auto_targets.yaml` was deleted rather than renamed because the file is no longer used. * make a letstest package * remove deleted deps * fix letstest install * add __init__.py * call main * Explicitly mention activating venv * rerename file * fix version.py path * clarify "this" * Use >= instead of caret requirement 2021-05-03 20:42:30 -04:00			`sudo letstest/scripts/bootstrap_os_packages.sh`
Cleanup scripts and switch to pyenv (#9214) I think test_apache2.sh still has value as it allows us to test our Apache plugin with the Apache layouts found on different OSes. Unfortunately, many of the OSes we're currently testing against don't have Python 3.7+ packaged yet we still support these OSes through things like snap where we bundle our own version of Python. To allow us to continue testing on these OSes, I switched to installing Python through pyenv. I also took the opportunity to clean up the scripts, removing a lot of code, failing more quickly, and simplifying failure logic in test_apache2.sh. 2022-02-24 15:06:23 -05:00
			`# Install pyenv`
			`curl https://pyenv.run \| bash`
			`export PYENV_ROOT="$HOME/.pyenv"`
			`export PATH="$PYENV_ROOT/bin:$PATH"`
			`eval "$(pyenv init --path)"`
			`eval "$(pyenv init -)"`

			`# Install and configure Python`
remove python 3.9 support (#10406) Fixes https://github.com/certbot/certbot/issues/10389. you can compare this to the PR that did this for python 3.8 at https://github.com/certbot/certbot/pull/10077 additional changes: - linux-py310 test is removed from extended tests, since it's now run in standard tests. additionally, openssl will never be < 1.1.1 now, due to https://peps.python.org/pep-0644/. - `letstest/scripts/test_openssl_version.py` was testing functionality that was removed in https://github.com/certbot/certbot/pull/10373 so it was deleted --------- Co-authored-by: Brad Warren <bmw@users.noreply.github.com> 2025-08-12 13:49:02 -04:00			`pyenv install 3.10`
			`pyenv shell 3.10`
When testing apache2, don't use letsencrypt-auto 2015-12-22 19:57:08 -05:00
Split out testing extras (#8893) * split out test extras * update extras and regenerate pinnings * pin back mypy 2021-06-11 16:17:50 -04:00			`tools/venv.py -e acme -e certbot -e certbot-apache -e certbot-ci tox`
Fix test farm tests by using a local Pebble instance (#8561) [As discussed in Mattermost](https://opensource.eff.org/eff-open-source/pl/yhtp4qu4zpfczm5wxmzxhndrto), our Apache test farm tests are failing because the CA certificate in the old version of boulder we have pinned expired over the weekend. This PR fixes that by running a local Pebble instance instead of an external boulder instance. * switch from external boulder to local pebble * add --http-01-port to run_acme_server 2020-12-22 13:24:20 -05:00			`PEBBLE_LOGS="acme_server.log"`
			`PEBBLE_URL="https://localhost:14000/dir"`
			`# We configure Pebble to use port 80 for http-01 validation rather than an`
			`# alternate port because:`
			`# 1) It allows us to test with Apache configurations that are more realistic`
			`# and closer to the default configuration on various OSes.`
			`# 2) As of writing this, Certbot's Apache plugin requires there to be an`
			`# existing virtual host for the port used for http-01 validation.`
Cleanup venv scripts (#8629) Fixes https://github.com/certbot/certbot/issues/8387. * update _venv_common.py * delete venv.py scripts * rename venv script * update relevant venv3 references * remove set_python_envvars 2021-02-03 15:03:09 -05:00			`venv/bin/run_acme_server --http-01-port 80 > "${PEBBLE_LOGS}" 2>&1 &`
Update Fedora AMI (#7102) Fixes #6955. This updates the Fedora version used in our test farm tests to Fedora 30. The AMI ID comes from https://alt.fedoraproject.org/cloud/ where it is listed as their standard HVM AMI for the region we use us-east-1 (US East (N. Virginia)). Unfortunately, there were a lot of small changes required for this. The big reason for this is on Fedora, there isn't a Python 2 executable installed. In fact, there's not even an executable named python. It's just python3. Rather than installing another Python in each test, I wrote a script that the test scripts can share to figure out the different paths and names that should be used in their script. (This isn't used in test_sdists.sh because the logic is a little different.) Other changes here worth flagging are: I changed the name of the variable RUN_PYTHON3_TESTS in test_leauto_upgrades.sh to RUN_RHEL6_TESTS. The tests that are run when this variable is set test the upgrade from Python 2 to Python 3 on RHEL 6. I think this new name is much better now that we also have Fedora running Python 3. I made tools/simple_http_server.py work on Python 3. You can see tests passing with these changes at https://travis-ci.com/certbot/certbot/builds/113821476. I also ran test_tests.sh and they passed. * Update to Fedora 30 in test farm tests. Fedora 28 is likely to reach its EOL soon. * Add set_python_envvars.sh. * Fix test_apache2.sh on python3 only distros. * Fix test_leauto_upgrades.sh on python3 systems. * Fix certonly_standalone tests with python3 only * Fix test_sdists.sh on python3 only distros. * Make simple_http_server.py work on Python 3. * add comments 2019-05-31 21:08:52 -04:00
Cleanup scripts and switch to pyenv (#9214) I think test_apache2.sh still has value as it allows us to test our Apache plugin with the Apache layouts found on different OSes. Unfortunately, many of the OSes we're currently testing against don't have Python 3.7+ packaged yet we still support these OSes through things like snap where we bundle our own version of Python. To allow us to continue testing on these OSes, I switched to installing Python through pyenv. I also took the opportunity to clean up the scripts, removing a lot of code, failing more quickly, and simplifying failure logic in test_apache2.sh. 2022-02-24 15:06:23 -05:00			`DumpPebbleLogsOnFailure() {`
			`exit_status="$?"`
			`if [ "$exit_status" != 0 ] && [ -f "${PEBBLE_LOGS}" ] ; then`
Fix test farm tests by using a local Pebble instance (#8561) [As discussed in Mattermost](https://opensource.eff.org/eff-open-source/pl/yhtp4qu4zpfczm5wxmzxhndrto), our Apache test farm tests are failing because the CA certificate in the old version of boulder we have pinned expired over the weekend. This PR fixes that by running a local Pebble instance instead of an external boulder instance. * switch from external boulder to local pebble * add --http-01-port to run_acme_server 2020-12-22 13:24:20 -05:00			`echo "Pebble's logs were:"`
			`cat "${PEBBLE_LOGS}"`
			`fi`
Cleanup scripts and switch to pyenv (#9214) I think test_apache2.sh still has value as it allows us to test our Apache plugin with the Apache layouts found on different OSes. Unfortunately, many of the OSes we're currently testing against don't have Python 3.7+ packaged yet we still support these OSes through things like snap where we bundle our own version of Python. To allow us to continue testing on these OSes, I switched to installing Python through pyenv. I also took the opportunity to clean up the scripts, removing a lot of code, failing more quickly, and simplifying failure logic in test_apache2.sh. 2022-02-24 15:06:23 -05:00			`exit "$exit_status"`
Fix test farm tests by using a local Pebble instance (#8561) [As discussed in Mattermost](https://opensource.eff.org/eff-open-source/pl/yhtp4qu4zpfczm5wxmzxhndrto), our Apache test farm tests are failing because the CA certificate in the old version of boulder we have pinned expired over the weekend. This PR fixes that by running a local Pebble instance instead of an external boulder instance. * switch from external boulder to local pebble * add --http-01-port to run_acme_server 2020-12-22 13:24:20 -05:00			`}`
Cleanup scripts and switch to pyenv (#9214) I think test_apache2.sh still has value as it allows us to test our Apache plugin with the Apache layouts found on different OSes. Unfortunately, many of the OSes we're currently testing against don't have Python 3.7+ packaged yet we still support these OSes through things like snap where we bundle our own version of Python. To allow us to continue testing on these OSes, I switched to installing Python through pyenv. I also took the opportunity to clean up the scripts, removing a lot of code, failing more quickly, and simplifying failure logic in test_apache2.sh. 2022-02-24 15:06:23 -05:00			`trap DumpPebbleLogsOnFailure EXIT`
Fix test farm tests by using a local Pebble instance (#8561) [As discussed in Mattermost](https://opensource.eff.org/eff-open-source/pl/yhtp4qu4zpfczm5wxmzxhndrto), our Apache test farm tests are failing because the CA certificate in the old version of boulder we have pinned expired over the weekend. This PR fixes that by running a local Pebble instance instead of an external boulder instance. * switch from external boulder to local pebble * add --http-01-port to run_acme_server 2020-12-22 13:24:20 -05:00
			`for n in $(seq 1 150) ; do`
			`if curl --insecure "${PEBBLE_URL}" 2>/dev/null; then`
			`break`
			`else`
			`echo "waiting for pebble"`
			`sleep 1`
			`fi`
			`done`
			`if ! curl --insecure "${PEBBLE_URL}" 2>/dev/null; then`
			`echo "timed out waiting for pebble to start"`
			`DumpPebbleLogs`
			`exit 1`
			`fi`

Cleanup venv scripts (#8629) Fixes https://github.com/certbot/certbot/issues/8387. * update _venv_common.py * delete venv.py scripts * rename venv script * update relevant venv3 references * remove set_python_envvars 2021-02-03 15:03:09 -05:00			`sudo "venv/bin/certbot" -v --debug --text --agree-tos --no-verify-ssl \`
current nonworking progress at scripting install of httpd on centos-like systems 2015-12-09 19:52:02 -05:00			`--renew-by-default --redirect --register-unsafely-without-email \`
Fix test farm tests by using a local Pebble instance (#8561) [As discussed in Mattermost](https://opensource.eff.org/eff-open-source/pl/yhtp4qu4zpfczm5wxmzxhndrto), our Apache test farm tests are failing because the CA certificate in the old version of boulder we have pinned expired over the weekend. This PR fixes that by running a local Pebble instance instead of an external boulder instance. * switch from external boulder to local pebble * add --http-01-port to run_acme_server 2020-12-22 13:24:20 -05:00			`--domain "${PUBLIC_HOSTNAME}" --server "${PEBBLE_URL}"`
Add hackish-apache-tests to test_apache2.sh 2015-12-16 23:49:55 -05:00
remove python 3.9 support (#10406) Fixes https://github.com/certbot/certbot/issues/10389. you can compare this to the PR that did this for python 3.8 at https://github.com/certbot/certbot/pull/10077 additional changes: - linux-py310 test is removed from extended tests, since it's now run in standard tests. additionally, openssl will never be < 1.1.1 now, due to https://peps.python.org/pep-0644/. - `letstest/scripts/test_openssl_version.py` was testing functionality that was removed in https://github.com/certbot/certbot/pull/10373 so it was deleted --------- Co-authored-by: Brad Warren <bmw@users.noreply.github.com> 2025-08-12 13:49:02 -04:00			`if ! grep -q SSLSessionTickets /etc/letsencrypt/options-ssl-apache.conf; then`
			`echo "modern TLS options were not used"`
			`exit 1`
Disable TLS session tickets in Apache (#7771) Fixes #7350. This PR changes the parsed modules from a `set` to a `dict`, with the filepath argument as the value. Accordingly, after calling `enable_mod` to enable `ssl_module`, modules now need to be re-parsed, so call `reset_modules`. * Add mechanism for selecting apache config file, based on work done in #7191. * Check OpenSSL version * Remove os imports * debian override still needs os * Reformat remaining apache tests with modules dict syntax * Clean up more apache tests * Switch from property to method for openssl and add tests for coverage. * Sometimes the dict location will be None in which case we should in fact return None * warn thoroughly and consistently in openssl_version function * update tests for new warnings * read file as bytes, and factor out the open for testing * normalize ssl_module_location path to account for being relative to server root * Use byte literals in a python 2 and 3 compatible way * string does need to be a literal * patch builtins open * add debug, remove space * Add test to check if OpenSSL detection is working on different systems * fix relative test location for cwd * put </IfModule> on its own line in test case * Revert test file to status in master. * Call augeas load before reparsing modules to pick up the changes * fix grep, tail, and mod_ssl location on centos * strip the trailing whitespace from fedora * just use LooseVersion in test * call apache2ctl on debian systems * Use sudo for apache2ctl command * add check to make sure we're getting a version * Add boolean so we don't warn on debian/ubuntu before trying to enable mod_ssl * Reduce warnings while testing by setting mock _openssl_version. * Make sure we're not throwing away any unwritten changes to the config * test last warning case for coverage * text changes for clarity 2020-03-23 19:49:52 -04:00			`fi`

Add hackish-apache-tests to test_apache2.sh 2015-12-16 23:49:55 -05:00			`if [ "$OS_TYPE" = "ubuntu" ] ; then`
Fix test farm tests by using a local Pebble instance (#8561) [As discussed in Mattermost](https://opensource.eff.org/eff-open-source/pl/yhtp4qu4zpfczm5wxmzxhndrto), our Apache test farm tests are failing because the CA certificate in the old version of boulder we have pinned expired over the weekend. This PR fixes that by running a local Pebble instance instead of an external boulder instance. * switch from external boulder to local pebble * add --http-01-port to run_acme_server 2020-12-22 13:24:20 -05:00			`export SERVER="${PEBBLE_URL}"`
Cleanup venv scripts (#8629) Fixes https://github.com/certbot/certbot/issues/8387. * update _venv_common.py * delete venv.py scripts * rename venv script * update relevant venv3 references * remove set_python_envvars 2021-02-03 15:03:09 -05:00			`"venv/bin/tox" -e apacheconftest`
Add hackish-apache-tests to test_apache2.sh 2015-12-16 23:49:55 -05:00			`else`
			`echo Not running hackish apache tests on $OS_TYPE`
			`fi`