Merge pull request #916 from kuba/rm-simplehttp-tls

Remove SimpleHTTP TLS from core

letsencrypt/cli.py

@@ -702,8 +702,6 @@ def create_parser(plugins, args):
         help=config_help("dvsni_port"))
     helpful.add("testing", "--simple-http-port", type=int,
                 help=config_help("simple_http_port"))
-    helpful.add("testing", "--no-simple-http-tls", action="store_true",
-                help=config_help("no_simple_http_tls"))
 
     helpful.add_group(
         "security", description="Security parameters & server settings")

letsencrypt/interfaces.py

@@ -223,8 +223,6 @@ class IConfig(zope.interface.Interface):
         "Port number to perform DVSNI challenge. "
         "Boulder in testing mode defaults to 5001.")
 
-    no_simple_http_tls = zope.interface.Attribute(
-        "Do not use TLS when solving SimpleHTTP challenges.")
     simple_http_port = zope.interface.Attribute(
         "Port used in the SimpleHttp challenge.")
 

letsencrypt/plugins/manual.py

@@ -53,7 +53,7 @@ command on the target server (as root):
     # served and makes it more obvious that Python command will serve
     # anything recursively under the cwd
 
-    HTTP_TEMPLATE = """\
+    CMD_TEMPLATE = """\
 mkdir -p {root}/public_html/{response.URI_ROOT_PATH}
 cd {root}/public_html
 echo -n {validation} > {response.URI_ROOT_PATH}/{encoded_token}
@@ -63,33 +63,10 @@ $(command -v python2 || command -v python2.7 || command -v python2.6) -c \\
 SimpleHTTPServer.SimpleHTTPRequestHandler.extensions_map = {{'': '{ct}'}}; \\
 s = BaseHTTPServer.HTTPServer(('', {port}), SimpleHTTPServer.SimpleHTTPRequestHandler); \\
 s.serve_forever()" """
-    """Non-TLS command template."""
-
-    # https://www.piware.de/2011/01/creating-an-https-server-in-python/
-    HTTPS_TEMPLATE = """\
-mkdir -p {root}/public_html/{response.URI_ROOT_PATH}
-cd {root}/public_html
-echo -n {validation} > {response.URI_ROOT_PATH}/{encoded_token}
-# run only once per server:
-openssl req -new -newkey rsa:4096 -subj "/" -days 1 -nodes -x509 -keyout ../key.pem -out ../cert.pem
-$(command -v python2 || command -v python2.7 || command -v python2.6) -c \\
-"import BaseHTTPServer, SimpleHTTPServer, ssl; \\
-SimpleHTTPServer.SimpleHTTPRequestHandler.extensions_map = {{'': '{ct}'}}; \\
-s = BaseHTTPServer.HTTPServer(('', {port}), SimpleHTTPServer.SimpleHTTPRequestHandler); \\
-s.socket = ssl.wrap_socket(s.socket, keyfile='../key.pem', certfile='../cert.pem'); \\
-s.serve_forever()" """
-    """TLS command template.
-
-    According to the ACME specification, "the ACME server MUST ignore
-    the certificate provided by the HTTPS server", so the first command
-    generates temporary self-signed certificate.
-
-    """
+    """Command template."""
 
     def __init__(self, *args, **kwargs):
         super(Authenticator, self).__init__(*args, **kwargs)
-        self.template = (self.HTTP_TEMPLATE if self.config.no_simple_http_tls
-                         else self.HTTPS_TEMPLATE)
         self._root = (tempfile.mkdtemp() if self.conf("test-mode")
                       else "/tmp/letsencrypt")
         self._httpd = None
@@ -97,8 +74,7 @@ s.serve_forever()" """
     @classmethod
     def add_parser_arguments(cls, add):
         add("test-mode", action="store_true",
-            help="Test mode. Executes the manual command in subprocess. "
-            "Requires openssl to be installed unless --no-simple-http-tls.")
+            help="Test mode. Executes the manual command in subprocess.")
 
     def prepare(self):  # pylint: disable=missing-docstring,no-self-use
         pass  # pragma: no cover
@@ -142,11 +118,11 @@ binary for temporary key/certificate generation.""".replace("\n", "")
         # users, but will not work if multiple domains point at the
         # same server: default command doesn't support virtual hosts
         response, validation = achall.gen_response_and_validation(
-            tls=(not self.config.no_simple_http_tls))
+            tls=False)  # SimpleHTTP TLS is dead: ietf-wg-acme/acme#7
 
         port = (response.port if self.config.simple_http_port is None
                 else int(self.config.simple_http_port))
-        command = self.template.format(
+        command = self.CMD_TEMPLATE.format(
             root=self._root, achall=achall, response=response,
             validation=pipes.quote(validation.json_dumps()),
             encoded_token=achall.chall.encode("token"),

letsencrypt/plugins/manual_test.py

@@ -23,15 +23,13 @@ class AuthenticatorTest(unittest.TestCase):
     def setUp(self):
         from letsencrypt.plugins.manual import Authenticator
         self.config = mock.MagicMock(
-            no_simple_http_tls=True, simple_http_port=4430,
-            manual_test_mode=False)
+            simple_http_port=8080, manual_test_mode=False)
         self.auth = Authenticator(config=self.config, name="manual")
         self.achalls = [achallenges.SimpleHTTP(
             challb=acme_util.SIMPLE_HTTP_P, domain="foo.com", account_key=KEY)]
 
         config_test_mode = mock.MagicMock(
-            no_simple_http_tls=True, simple_http_port=4430,
-            manual_test_mode=True)
+            simple_http_port=8080, manual_test_mode=True)
         self.auth_test_mode = Authenticator(
             config=config_test_mode, name="manual")
 
@@ -55,7 +53,7 @@ class AuthenticatorTest(unittest.TestCase):
         self.assertEqual([resp], self.auth.perform(self.achalls))
         self.assertEqual(1, mock_raw_input.call_count)
         mock_verify.assert_called_with(
-            self.achalls[0].challb.chall, "foo.com", KEY.public_key(), 4430)
+            self.achalls[0].challb.chall, "foo.com", KEY.public_key(), 8080)
 
         message = mock_stdout.write.mock_calls[0][1][0]
         self.assertTrue(self.achalls[0].chall.encode("token") in message)

tests/boulder-integration.sh

@@ -24,7 +24,6 @@ common() {
 common --domains le1.wtf auth
 common --domains le2.wtf run
 common -a manual -d le.wtf auth
-common -a manual -d le.wtf --no-simple-http-tls auth
 
 export CSR_PATH="${root}/csr.der" KEY_PATH="${root}/key.pem" \
        OPENSSL_CNF=examples/openssl.cnf