From b7a19486ed216db097fcf7829d4f4be74f178730 Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Sat, 27 Jun 2015 08:14:00 +0000 Subject: [PATCH 01/10] Plugins disco: catch PluginError in prepare(), debug log exceptions. --- letsencrypt/plugins/disco.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/letsencrypt/plugins/disco.py b/letsencrypt/plugins/disco.py index 059913e3b..e2e2d4c54 100644 --- a/letsencrypt/plugins/disco.py +++ b/letsencrypt/plugins/disco.py @@ -75,7 +75,7 @@ class PluginEntryPoint(object): if iface.implementedBy(self.plugin_cls): logger.debug( "%s implements %s but object does not verify: %s", - self.plugin_cls, iface.__name__, error) + self.plugin_cls, iface.__name__, error, exc_info=True) return False return True @@ -93,10 +93,14 @@ class PluginEntryPoint(object): try: self._initialized.prepare() except errors.MisconfigurationError as error: - logger.debug("Misconfigured %r: %s", self, error) + logger.debug("Misconfigured %r: %s", self, error, exc_info=True) self._prepared = error except errors.NoInstallationError as error: - logger.debug("No installation (%r): %s", self, error) + logger.debug( + "No installation (%r): %s", self, error, exc_info=True) + self._prepared = error + except errors.PluginError as error: + logger.debug("Other error:(%r): %s", self, error, exc_info=True) self._prepared = error else: self._prepared = True From be889d379437be18ce1c0518b2cfec15f6b8dd6a Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Sat, 27 Jun 2015 08:19:16 +0000 Subject: [PATCH 02/10] letsencrypt_nginx: generate snakeoil cert/key (fixes #481). --- letsencrypt_nginx/configurator.py | 20 ++++++++++++++++---- letsencrypt_nginx/tests/configurator_test.py | 14 ++++++++++++++ 2 files changed, 30 insertions(+), 4 deletions(-) diff --git a/letsencrypt_nginx/configurator.py b/letsencrypt_nginx/configurator.py index b1dfdca31..852ff82ac 100644 --- a/letsencrypt_nginx/configurator.py +++ b/letsencrypt_nginx/configurator.py @@ -13,6 +13,7 @@ from acme import challenges from letsencrypt import achallenges from letsencrypt import constants as core_constants +from letsencrypt import crypto_util from letsencrypt import errors from letsencrypt import interfaces from letsencrypt import le_util @@ -263,6 +264,18 @@ class NginxConfigurator(common.Plugin): return all_names + def _get_snakeoil_paths(self): + # TODO: generate only once + tmp_dir = os.path.join(self.config.work_dir, "snakeoil") + key = crypto_util.init_save_key( + key_size=1024, key_dir=tmp_dir, keyname="key.pem") + cert_pem = crypto_util.make_ss_cert( + key.pem, domains=[socket.gethostname()]) + cert = os.path.join(tmp_dir, "cert.pem") + with open(cert, 'w') as cert_file: + cert_file.write(cert_pem) + return cert, key.file + def _make_server_ssl(self, vhost): """Makes a server SSL based on server_name and filename by adding a 'listen 443 ssl' directive to the server block. @@ -274,11 +287,10 @@ class NginxConfigurator(common.Plugin): :type vhost: :class:`~letsencrypt_nginx.obj.VirtualHost` """ + snakeoil_cert, snakeoil_key = self._get_snakeoil_paths() ssl_block = [['listen', '443 ssl'], - ['ssl_certificate', - '/etc/ssl/certs/ssl-cert-snakeoil.pem'], - ['ssl_certificate_key', - '/etc/ssl/private/ssl-cert-snakeoil.key'], + ['ssl_certificate', snakeoil_cert], + ['ssl_certificate_key', snakeoil_key], ['include', self.parser.loc["ssl_options"]]] self.parser.add_server_directives( vhost.filep, vhost.names, ssl_block) diff --git a/letsencrypt_nginx/tests/configurator_test.py b/letsencrypt_nginx/tests/configurator_test.py index 83085cc9f..48d71e27d 100644 --- a/letsencrypt_nginx/tests/configurator_test.py +++ b/letsencrypt_nginx/tests/configurator_test.py @@ -1,8 +1,10 @@ """Test for letsencrypt_nginx.configurator.""" +import os import shutil import unittest import mock +import OpenSSL from acme import challenges from acme import messages @@ -266,6 +268,18 @@ class NginxConfiguratorTest(util.NginxTest): mocked.returncode = 0 self.assertTrue(self.config.config_test()) + def test_get_snakeoil_paths(self): + # pylint: disable=protected-access + cert, key = self.config._get_snakeoil_paths() + self.assertTrue(os.path.exists(cert)) + self.assertTrue(os.path.exists(key)) + with open(cert) as cert_file: + OpenSSL.crypto.load_certificate( + OpenSSL.crypto.FILETYPE_PEM, cert_file.read()) + with open(key) as key_file: + OpenSSL.crypto.load_privatekey( + OpenSSL.crypto.FILETYPE_PEM, key_file.read()) + if __name__ == "__main__": unittest.main() # pragma: no cover From 30dfb6a1a97fa8f3c4dceefa76b6bb01daab2293 Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Sat, 27 Jun 2015 08:37:29 +0000 Subject: [PATCH 03/10] letsencrypt_nginx: respect IConfig.dvsni_port (partially fixes #479). --- letsencrypt_nginx/configurator.py | 4 ++-- letsencrypt_nginx/dvsni.py | 3 ++- letsencrypt_nginx/tests/configurator_test.py | 12 ++++++------ letsencrypt_nginx/tests/util.py | 1 + 4 files changed, 11 insertions(+), 9 deletions(-) diff --git a/letsencrypt_nginx/configurator.py b/letsencrypt_nginx/configurator.py index 852ff82ac..3e7de7322 100644 --- a/letsencrypt_nginx/configurator.py +++ b/letsencrypt_nginx/configurator.py @@ -288,7 +288,7 @@ class NginxConfigurator(common.Plugin): """ snakeoil_cert, snakeoil_key = self._get_snakeoil_paths() - ssl_block = [['listen', '443 ssl'], + ssl_block = [['listen', '{0} ssl'.format(self.config.dvsni_port)], ['ssl_certificate', snakeoil_cert], ['ssl_certificate_key', snakeoil_key], ['include', self.parser.loc["ssl_options"]]] @@ -296,7 +296,7 @@ class NginxConfigurator(common.Plugin): vhost.filep, vhost.names, ssl_block) vhost.ssl = True vhost.raw.extend(ssl_block) - vhost.addrs.add(obj.Addr('', '443', True, False)) + vhost.addrs.add(obj.Addr('', str(self.config.dvsni_port), True, False)) def get_all_certs_keys(self): """Find all existing keys, certs from configuration. diff --git a/letsencrypt_nginx/dvsni.py b/letsencrypt_nginx/dvsni.py index 53221614f..756783217 100644 --- a/letsencrypt_nginx/dvsni.py +++ b/letsencrypt_nginx/dvsni.py @@ -47,7 +47,8 @@ class NginxDvsni(common.Dvsni): self.configurator.save() addresses = [] - default_addr = "443 default_server ssl" + default_addr = "{0} default_server ssl".format( + self.configurator.config.dvsni_port) for achall in self.achalls: vhost = self.configurator.choose_vhost(achall.domain) diff --git a/letsencrypt_nginx/tests/configurator_test.py b/letsencrypt_nginx/tests/configurator_test.py index 48d71e27d..b2c1fc7f6 100644 --- a/letsencrypt_nginx/tests/configurator_test.py +++ b/letsencrypt_nginx/tests/configurator_test.py @@ -57,7 +57,7 @@ class NginxConfiguratorTest(util.NginxTest): filep = self.config.parser.abs_path('sites-enabled/example.com') self.config.parser.add_server_directives( filep, set(['.example.com', 'example.*']), - [['listen', '443 ssl']]) + [['listen', '5001 ssl']]) self.config.save() # pylint: disable=protected-access @@ -66,7 +66,7 @@ class NginxConfiguratorTest(util.NginxTest): ['listen', '127.0.0.1'], ['server_name', '.example.com'], ['server_name', 'example.*'], - ['listen', '443 ssl']]]], + ['listen', '5001 ssl']]]], parsed[0]) def test_choose_vhost(self): @@ -100,7 +100,7 @@ class NginxConfiguratorTest(util.NginxTest): nginx_conf = self.config.parser.abs_path('nginx.conf') example_conf = self.config.parser.abs_path('sites-enabled/example.com') - # Get the default 443 vhost + # Get the default SSL vhost self.config.deploy_cert( "www.example.com", "example/cert.pem", "example/key.pem") @@ -116,7 +116,7 @@ class NginxConfiguratorTest(util.NginxTest): ['listen', '127.0.0.1'], ['server_name', '.example.com'], ['server_name', 'example.*'], - ['listen', '443 ssl'], + ['listen', '5001 ssl'], ['ssl_certificate', 'example/cert.pem'], ['ssl_certificate_key', 'example/key.pem'], ['include', @@ -131,7 +131,7 @@ class NginxConfiguratorTest(util.NginxTest): [['location', '/'], [['root', 'html'], ['index', 'index.html index.htm']]], - ['listen', '443 ssl'], + ['listen', '5001 ssl'], ['ssl_certificate', '/etc/nginx/cert.pem'], ['ssl_certificate_key', '/etc/nginx/key.pem'], ['include', @@ -142,7 +142,7 @@ class NginxConfiguratorTest(util.NginxTest): nginx_conf = self.config.parser.abs_path('nginx.conf') example_conf = self.config.parser.abs_path('sites-enabled/example.com') - # Get the default 443 vhost + # Get the default SSL vhost self.config.deploy_cert( "www.example.com", "example/cert.pem", "example/key.pem") diff --git a/letsencrypt_nginx/tests/util.py b/letsencrypt_nginx/tests/util.py index 77c2ea198..414a2f315 100644 --- a/letsencrypt_nginx/tests/util.py +++ b/letsencrypt_nginx/tests/util.py @@ -53,6 +53,7 @@ def get_nginx_configurator( backup_dir=backups, temp_checkpoint_dir=os.path.join(work_dir, "temp_checkpoints"), in_progress_dir=os.path.join(backups, "IN_PROGRESS"), + dvsni_port=5001, ), name="nginx", version=version) From c459102a047792eb001332c2f6911a54c3cb2255 Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Sat, 27 Jun 2015 08:39:59 +0000 Subject: [PATCH 04/10] letsencrypt_nginx: call "nginx -c server_root/nginx.conf ..." --- letsencrypt_nginx/configurator.py | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/letsencrypt_nginx/configurator.py b/letsencrypt_nginx/configurator.py index 3e7de7322..ce101c04e 100644 --- a/letsencrypt_nginx/configurator.py +++ b/letsencrypt_nginx/configurator.py @@ -64,6 +64,11 @@ class NginxConfigurator(common.Plugin): "'nginx' binary, used for 'configtest' and retrieving nginx " "version number.") + @property + def nginx_conf(self): + """Nginx config file path.""" + return os.path.join(self.conf("server_root"), "nginx.conf") + def __init__(self, *args, **kwargs): """Initialize an Nginx Configurator. @@ -347,7 +352,7 @@ class NginxConfigurator(common.Plugin): :rtype: bool """ - return nginx_restart(self.conf('ctl')) + return nginx_restart(self.conf('ctl'), self.nginx_conf) def config_test(self): # pylint: disable=no-self-use """Check the configuration of Nginx for errors. @@ -358,7 +363,7 @@ class NginxConfigurator(common.Plugin): """ try: proc = subprocess.Popen( - [self.conf('ctl'), "-t"], + [self.conf('ctl'), "-c", self.nginx_conf, "-t"], stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdout, stderr = proc.communicate() @@ -403,11 +408,12 @@ class NginxConfigurator(common.Plugin): """ try: proc = subprocess.Popen( - [self.conf('ctl'), "-V"], + [self.conf('ctl'), "-c", self.nginx_conf, "-V"], stdout=subprocess.PIPE, stderr=subprocess.PIPE) text = proc.communicate()[1] # nginx prints output to stderr - except (OSError, ValueError): + except (OSError, ValueError) as error: + logging.debug(error, exc_info=True) raise errors.PluginError( "Unable to run %s -V" % self.conf('ctl')) @@ -556,7 +562,7 @@ class NginxConfigurator(common.Plugin): self.restart() -def nginx_restart(nginx_ctl): +def nginx_restart(nginx_ctl, nginx_conf="/etc/nginx.conf"): """Restarts the Nginx Server. .. todo:: Nginx restart is fatal if the configuration references @@ -567,14 +573,14 @@ def nginx_restart(nginx_ctl): """ try: - proc = subprocess.Popen([nginx_ctl, "-s", "reload"], + proc = subprocess.Popen([nginx_ctl, "-c", nginx_conf, "-s", "reload"], stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdout, stderr = proc.communicate() if proc.returncode != 0: # Maybe Nginx isn't running - nginx_proc = subprocess.Popen([nginx_ctl], + nginx_proc = subprocess.Popen([nginx_ctl, "-c", nginx_conf], stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdout, stderr = nginx_proc.communicate() From 9652656e14647be83dba450cc91887e09788f0c1 Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Sat, 27 Jun 2015 08:41:19 +0000 Subject: [PATCH 05/10] Integration tests for nginx plugin (without root). --- letsencrypt_nginx/configurator.py | 9 ++- letsencrypt_nginx/dvsni.py | 6 ++ letsencrypt_nginx/tests/configurator_test.py | 6 ++ tests/boulder-integration-nginx.sh | 50 +++++++++++++++ tests/nginx.conf.sh | 67 ++++++++++++++++++++ 5 files changed, 136 insertions(+), 2 deletions(-) create mode 100755 tests/boulder-integration-nginx.sh create mode 100755 tests/nginx.conf.sh diff --git a/letsencrypt_nginx/configurator.py b/letsencrypt_nginx/configurator.py index ce101c04e..6613962c6 100644 --- a/letsencrypt_nginx/configurator.py +++ b/letsencrypt_nginx/configurator.py @@ -80,8 +80,7 @@ class NginxConfigurator(common.Plugin): super(NginxConfigurator, self).__init__(*args, **kwargs) # Verify that all directories and files exist with proper permissions - if os.geteuid() == 0: - self._verify_setup() + self._verify_setup() # Files to save self.save_notes = "" @@ -294,6 +293,12 @@ class NginxConfigurator(common.Plugin): """ snakeoil_cert, snakeoil_key = self._get_snakeoil_paths() ssl_block = [['listen', '{0} ssl'.format(self.config.dvsni_port)], + # access and error logs necessary for integration + # testing (non-root) + ['access_log', os.path.join( + self.config.work_dir, 'access.log')], + ['error_log', os.path.join( + self.config.work_dir, 'error.log')], ['ssl_certificate', snakeoil_cert], ['ssl_certificate_key', snakeoil_key], ['include', self.parser.loc["ssl_options"]]] diff --git a/letsencrypt_nginx/dvsni.py b/letsencrypt_nginx/dvsni.py index 756783217..9e79a90c2 100644 --- a/letsencrypt_nginx/dvsni.py +++ b/letsencrypt_nginx/dvsni.py @@ -134,6 +134,12 @@ class NginxDvsni(common.Dvsni): block.extend([['server_name', achall.nonce_domain], ['include', self.configurator.parser.loc["ssl_options"]], + # access and error logs necessary for + # integration testing (non-root) + ['access_log', os.path.join( + self.configurator.config.work_dir, 'access.log')], + ['error_log', os.path.join( + self.configurator.config.work_dir, 'error.log')], ['ssl_certificate', self.get_cert_file(achall)], ['ssl_certificate_key', achall.key.file], [['location', '/'], [['root', document_root]]]]) diff --git a/letsencrypt_nginx/tests/configurator_test.py b/letsencrypt_nginx/tests/configurator_test.py index b2c1fc7f6..bd700f144 100644 --- a/letsencrypt_nginx/tests/configurator_test.py +++ b/letsencrypt_nginx/tests/configurator_test.py @@ -111,12 +111,16 @@ class NginxConfiguratorTest(util.NginxTest): self.config.parser.load() + access_log = os.path.join(self.work_dir, "access.log") + error_log = os.path.join(self.work_dir, "error.log") self.assertEqual([[['server'], [['listen', '69.50.225.155:9000'], ['listen', '127.0.0.1'], ['server_name', '.example.com'], ['server_name', 'example.*'], ['listen', '5001 ssl'], + ['access_log', access_log], + ['error_log', error_log], ['ssl_certificate', 'example/cert.pem'], ['ssl_certificate_key', 'example/key.pem'], ['include', @@ -132,6 +136,8 @@ class NginxConfiguratorTest(util.NginxTest): [['root', 'html'], ['index', 'index.html index.htm']]], ['listen', '5001 ssl'], + ['access_log', access_log], + ['error_log', error_log], ['ssl_certificate', '/etc/nginx/cert.pem'], ['ssl_certificate_key', '/etc/nginx/key.pem'], ['include', diff --git a/tests/boulder-integration-nginx.sh b/tests/boulder-integration-nginx.sh new file mode 100755 index 000000000..da0dab21e --- /dev/null +++ b/tests/boulder-integration-nginx.sh @@ -0,0 +1,50 @@ +#!/bin/sh -xe + +# prerequisite: apt-get install --no-install-recommends nginx-light openssl + +if [ "xxx$root" = "xxx" ]; +then + root="$(mktemp -d)" +fi +export root + +export PATH="/usr/sbin:$PATH" # /usr/sbin/nginx + +echo "\nRoot integration tests directory: $root" +store_flags="--config-dir $root/conf --work-dir $root/work" +store_flags="$store_flags --logs-dir $root/logs" + +nginx_root="$root/nginx" +mkdir $nginx_root +root="$nginx_root" ./tests/nginx.conf.sh > $nginx_root/nginx.conf + +killall nginx || true +nginx -c $nginx_root/nginx.conf + +common() { + # first three flags required, rest is handy defaults + letsencrypt \ + --server "${SERVER:-http://localhost:4000/acme/new-reg}" \ + --no-verify-ssl \ + --dvsni-port 5001 \ + $store_flags \ + --text \ + --agree-eula \ + --email "" \ + -vvvvvvv "$@" +} + +test_nginx() { + common --configurator nginx \ + --nginx-server-root $nginx_root \ + "$@" +} + +test_nginx --domains nginx.wtf run +echo | openssl s_client -connect localhost:5001 \ + | openssl x509 -out $root/nginx.pem +diff -q $root/nginx.pem $root/conf/live/nginx.wtf/cert.pem + +# note: not reached if anything above fails, hence "killall" at the +# top +nginx -c $nginx_root/nginx.conf -s stop diff --git a/tests/nginx.conf.sh b/tests/nginx.conf.sh new file mode 100755 index 000000000..15fba922e --- /dev/null +++ b/tests/nginx.conf.sh @@ -0,0 +1,67 @@ +# Based on +# https://www.exratione.com/2014/03/running-nginx-as-a-non-root-user/ +# https://github.com/exratione/non-root-nginx/blob/9a77f62e5d5cb9c9026fd62eece76b9514011019/nginx.conf + +cat < Date: Sat, 27 Jun 2015 08:41:45 +0000 Subject: [PATCH 06/10] Travis CI: test nginx plugin. --- .travis.yml | 4 +++- tests/boulder-integration.sh | 9 +++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 6e29702ef..59a0ac8ad 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,7 +1,9 @@ language: python # http://docs.travis-ci.com/user/ci-environment/#CI-environment-OS -before_install: travis_retry sudo ./bootstrap/ubuntu.sh +before_install: + - travis_retry sudo ./bootstrap/ubuntu.sh + - apt-get install --no-install-recommends nginx-light openssl # using separate envs with different TOXENVs creates 4x1 Travis build # matrix, which allows us to clearly distinguish which component under diff --git a/tests/boulder-integration.sh b/tests/boulder-integration.sh index cbd3e9690..ba2c160e0 100755 --- a/tests/boulder-integration.sh +++ b/tests/boulder-integration.sh @@ -15,6 +15,9 @@ echo "\nRoot integration tests directory: $root" store_flags="--config-dir $root/conf --work-dir $root/work" store_flags="$store_flags --logs-dir $root/logs" +export PATH="/usr/sbin:$PATH" # /usr/sbin/nginx + + common() { # first three flags required, rest is handy defaults letsencrypt \ @@ -60,3 +63,9 @@ do live="$(readlink -f "$root/conf/live/le1.wtf/${x}.pem")" [ "${dir}/${latest}" = "$live" ] # renewer fails this test done + + +if type nginx; +then + . ./tests/boulder-integration-nginx.sh +fi From c96fc7e33af2314fb4815cced9bdda64c81fa0fe Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Sat, 27 Jun 2015 09:43:33 +0000 Subject: [PATCH 07/10] travis_retry sudo apt-get ... --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 59a0ac8ad..a7b03d20a 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,7 +3,7 @@ language: python # http://docs.travis-ci.com/user/ci-environment/#CI-environment-OS before_install: - travis_retry sudo ./bootstrap/ubuntu.sh - - apt-get install --no-install-recommends nginx-light openssl + - travis_retry sudo apt-get install --no-install-recommends nginx-light openssl # using separate envs with different TOXENVs creates 4x1 Travis build # matrix, which allows us to clearly distinguish which component under From 98844a196c1a92e64b717e55d40ca45941cd0a10 Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Sat, 27 Jun 2015 10:02:02 +0000 Subject: [PATCH 08/10] Add test for PluginError catching in disco --- letsencrypt/plugins/disco_test.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/letsencrypt/plugins/disco_test.py b/letsencrypt/plugins/disco_test.py index 1cd74385e..56808c7da 100644 --- a/letsencrypt/plugins/disco_test.py +++ b/letsencrypt/plugins/disco_test.py @@ -144,6 +144,16 @@ class PluginEntryPointTest(unittest.TestCase): self.assertFalse(self.plugin_ep.misconfigured) self.assertFalse(self.plugin_ep.available) + def test_prepare_generic_plugin_error(self): + plugin = mock.MagicMock() + plugin.prepare.side_effect = errors.PluginError + # pylint: disable=protected-access + self.plugin_ep._initialized = plugin + self.assertTrue(isinstance(self.plugin_ep.prepare(), errors.PluginError)) + self.assertTrue(self.plugin_ep.prepared) + self.assertFalse(self.plugin_ep.misconfigured) + self.assertFalse(self.plugin_ep.available) + def test_repr(self): self.assertEqual("PluginEntryPoint#sa", repr(self.plugin_ep)) From 096920b8b36e1d0cc5b33836f7c7a79808fcccf4 Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Sat, 27 Jun 2015 13:34:23 +0000 Subject: [PATCH 09/10] Refactor integration scripts, use --debug. --- tests/boulder-integration-nginx.sh | 50 --------------------------- tests/boulder-integration.sh | 20 +++-------- tests/integration/_common.sh | 25 ++++++++++++++ tests/{ => integration}/nginx.conf.sh | 0 tests/integration/nginx.sh | 28 +++++++++++++++ 5 files changed, 57 insertions(+), 66 deletions(-) delete mode 100755 tests/boulder-integration-nginx.sh create mode 100755 tests/integration/_common.sh rename tests/{ => integration}/nginx.conf.sh (100%) create mode 100755 tests/integration/nginx.sh diff --git a/tests/boulder-integration-nginx.sh b/tests/boulder-integration-nginx.sh deleted file mode 100755 index da0dab21e..000000000 --- a/tests/boulder-integration-nginx.sh +++ /dev/null @@ -1,50 +0,0 @@ -#!/bin/sh -xe - -# prerequisite: apt-get install --no-install-recommends nginx-light openssl - -if [ "xxx$root" = "xxx" ]; -then - root="$(mktemp -d)" -fi -export root - -export PATH="/usr/sbin:$PATH" # /usr/sbin/nginx - -echo "\nRoot integration tests directory: $root" -store_flags="--config-dir $root/conf --work-dir $root/work" -store_flags="$store_flags --logs-dir $root/logs" - -nginx_root="$root/nginx" -mkdir $nginx_root -root="$nginx_root" ./tests/nginx.conf.sh > $nginx_root/nginx.conf - -killall nginx || true -nginx -c $nginx_root/nginx.conf - -common() { - # first three flags required, rest is handy defaults - letsencrypt \ - --server "${SERVER:-http://localhost:4000/acme/new-reg}" \ - --no-verify-ssl \ - --dvsni-port 5001 \ - $store_flags \ - --text \ - --agree-eula \ - --email "" \ - -vvvvvvv "$@" -} - -test_nginx() { - common --configurator nginx \ - --nginx-server-root $nginx_root \ - "$@" -} - -test_nginx --domains nginx.wtf run -echo | openssl s_client -connect localhost:5001 \ - | openssl x509 -out $root/nginx.pem -diff -q $root/nginx.pem $root/conf/live/nginx.wtf/cert.pem - -# note: not reached if anything above fails, hence "killall" at the -# top -nginx -c $nginx_root/nginx.conf -s stop diff --git a/tests/boulder-integration.sh b/tests/boulder-integration.sh index ba2c160e0..06a1d8aa9 100755 --- a/tests/boulder-integration.sh +++ b/tests/boulder-integration.sh @@ -10,27 +10,15 @@ # # Note: this script is called by Boulder integration test suite! -root="$(mktemp -d)" -echo "\nRoot integration tests directory: $root" -store_flags="--config-dir $root/conf --work-dir $root/work" -store_flags="$store_flags --logs-dir $root/logs" - +. ./tests/integration/_common.sh export PATH="/usr/sbin:$PATH" # /usr/sbin/nginx common() { - # first three flags required, rest is handy defaults - letsencrypt \ - --server "${SERVER:-http://localhost:4000/acme/new-reg}" \ - --no-verify-ssl \ - --dvsni-port 5001 \ - $store_flags \ - --text \ - --agree-eula \ - --email "" \ + letsencrypt_test \ --authenticator standalone \ --installer null \ - -vvvvvvv "$@" + "$@" } common --domains le1.wtf auth @@ -67,5 +55,5 @@ done if type nginx; then - . ./tests/boulder-integration-nginx.sh + . ./tests/integration/nginx.sh fi diff --git a/tests/integration/_common.sh b/tests/integration/_common.sh new file mode 100755 index 000000000..0f26d3815 --- /dev/null +++ b/tests/integration/_common.sh @@ -0,0 +1,25 @@ +#!/bin/sh + +if [ "xxx$root" = "xxx" ]; +then + root="$(mktemp -d)" + echo "Root integration tests directory: $root" +fi +store_flags="--config-dir $root/conf --work-dir $root/work" +store_flags="$store_flags --logs-dir $root/logs" +export root store_flags + +letsencrypt_test () { + # first three flags required, rest is handy defaults + letsencrypt \ + --server "${SERVER:-http://localhost:4000/acme/new-reg}" \ + --no-verify-ssl \ + --dvsni-port 5001 \ + $store_flags \ + --text \ + --agree-eula \ + --email "" \ + --debug \ + -vvvvvvv \ + "$@" +} diff --git a/tests/nginx.conf.sh b/tests/integration/nginx.conf.sh similarity index 100% rename from tests/nginx.conf.sh rename to tests/integration/nginx.conf.sh diff --git a/tests/integration/nginx.sh b/tests/integration/nginx.sh new file mode 100755 index 000000000..856615ad5 --- /dev/null +++ b/tests/integration/nginx.sh @@ -0,0 +1,28 @@ +#!/bin/sh -xe +# prerequisite: apt-get install --no-install-recommends nginx-light openssl + +. ./tests/integration/_common.sh + +export PATH="/usr/sbin:$PATH" # /usr/sbin/nginx +nginx_root="$root/nginx" +mkdir $nginx_root +root="$nginx_root" ./tests/integration/nginx.conf.sh > $nginx_root/nginx.conf + +killall nginx || true +nginx -c $nginx_root/nginx.conf + +letsencrypt_test_nginx () { + letsencrypt_test \ + --configurator nginx \ + --nginx-server-root $nginx_root \ + "$@" +} + +letsencrypt_test_nginx --domains nginx.wtf run +echo | openssl s_client -connect localhost:5001 \ + | openssl x509 -out $root/nginx.pem +diff -q $root/nginx.pem $root/conf/live/nginx.wtf/cert.pem + +# note: not reached if anything above fails, hence "killall" at the +# top +nginx -c $nginx_root/nginx.conf -s stop From 4fbb5cb80f782ca30785f7171b3b95d6e95eaec6 Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Sat, 27 Jun 2015 16:51:58 +0000 Subject: [PATCH 10/10] Address review comments --- letsencrypt_nginx/configurator.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/letsencrypt_nginx/configurator.py b/letsencrypt_nginx/configurator.py index 6613962c6..6a492428d 100644 --- a/letsencrypt_nginx/configurator.py +++ b/letsencrypt_nginx/configurator.py @@ -281,8 +281,10 @@ class NginxConfigurator(common.Plugin): return cert, key.file def _make_server_ssl(self, vhost): - """Makes a server SSL based on server_name and filename by adding - a 'listen 443 ssl' directive to the server block. + """Make a server SSL. + + Make a server SSL based on server_name and filename by adding a + ``listen IConfig.dvsni_port ssl`` directive to the server block. .. todo:: Maybe this should create a new block instead of modifying the existing one?