certbot/letstest/scripts/test_apache2.sh

#!/bin/bash -x

# $OS_TYPE $PUBLIC_IP $PRIVATE_IP $PUBLIC_HOSTNAME $BOULDER_URL
# are dynamically set at execution

if [ "$OS_TYPE" = "ubuntu" ]
then
    CONFFILE=/etc/apache2/sites-available/000-default.conf
    sudo apt-get update
    sudo apt-get -y --no-upgrade install apache2 curl
    sudo apt-get -y install realpath # needed for test-apache-conf
    # For apache 2.4, set up ServerName
    sudo sed -i '/ServerName/ s/#ServerName/ServerName/' $CONFFILE
    sudo sed -i '/ServerName/ s/www.example.com/'$PUBLIC_HOSTNAME'/' $CONFFILE
elif [ "$OS_TYPE" = "centos" ]
then
    CONFFILE=/etc/httpd/conf/httpd.conf
    sudo setenforce 0 || true #disable selinux
    sudo yum -y install httpd
    sudo yum -y install nghttp2 || echo this is probably ok but see https://bugzilla.redhat.com/show_bug.cgi?id=1358875
    sudo service httpd start
    sudo mkdir -p /var/www/$PUBLIC_HOSTNAME/public_html
    sudo chmod -R oug+rwx /var/www
    sudo chmod -R oug+rw /etc/httpd
    sudo echo '<html><head><title>foo</title></head><body>bar</body></html>' > /var/www/$PUBLIC_HOSTNAME/public_html/index.html
    sudo mkdir /etc/httpd/sites-available #certbot requires this...
    sudo mkdir /etc/httpd/sites-enabled #certbot requires this...
    #sudo echo "IncludeOptional sites-enabled/*.conf" >> /etc/httpd/conf/httpd.conf
    sudo echo """
<VirtualHost *:80>
    ServerName $PUBLIC_HOSTNAME
    DocumentRoot /var/www/$PUBLIC_HOSTNAME/public_html
    ErrorLog /var/www/$PUBLIC_HOSTNAME/error.log
    CustomLog /var/www/$PUBLIC_HOSTNAME/requests.log combined
</VirtualHost>""" >> /etc/httpd/conf.d/$PUBLIC_HOSTNAME.conf
    #sudo cp /etc/httpd/sites-available/$PUBLIC_HOSTNAME.conf /etc/httpd/sites-enabled/
fi

# Run certbot-apache2.
cd letsencrypt

echo "Bootstrapping dependencies..."
sudo letstest/scripts/bootstrap_os_packages.sh
if [ $? -ne 0 ] ; then
    exit 1
fi

tools/venv.py -e acme -e certbot -e certbot-apache -e certbot-ci tox
PEBBLE_LOGS="acme_server.log"
PEBBLE_URL="https://localhost:14000/dir"
# We configure Pebble to use port 80 for http-01 validation rather than an
# alternate port because:
#   1) It allows us to test with Apache configurations that are more realistic
#   and closer to the default configuration on various OSes.
#   2) As of writing this, Certbot's Apache plugin requires there to be an
#   existing virtual host for the port used for http-01 validation.
venv/bin/run_acme_server --http-01-port 80 > "${PEBBLE_LOGS}" 2>&1 &

DumpPebbleLogs() {
    if [ -f "${PEBBLE_LOGS}" ] ; then
        echo "Pebble's logs were:"
        cat "${PEBBLE_LOGS}"
    fi
}

for n in $(seq 1 150) ; do
    if curl --insecure "${PEBBLE_URL}" 2>/dev/null; then
        break
    else
        echo "waiting for pebble"
        sleep 1
    fi
done
if ! curl --insecure "${PEBBLE_URL}" 2>/dev/null; then
  echo "timed out waiting for pebble to start"
  DumpPebbleLogs
  exit 1
fi

sudo "venv/bin/certbot" -v --debug --text --agree-tos --no-verify-ssl \
                   --renew-by-default --redirect --register-unsafely-without-email \
                   --domain "${PUBLIC_HOSTNAME}" --server "${PEBBLE_URL}"
if [ $? -ne 0 ] ; then
    FAIL=1
fi

# Check that ssl_module detection is working on various systems
if [ "$OS_TYPE" = "ubuntu" ] ; then
    MOD_SSL_LOCATION="/usr/lib/apache2/modules/mod_ssl.so"
    APACHE_NAME=apache2ctl
elif [ "$OS_TYPE" = "centos" ]; then
    MOD_SSL_LOCATION="/etc/httpd/modules/mod_ssl.so"
    APACHE_NAME=httpd
fi
OPENSSL_VERSION=$(strings "$MOD_SSL_LOCATION" | egrep -o -m1 '^OpenSSL ([0-9]\.[^ ]+) ' | tail -c +9)
APACHE_VERSION=$(sudo $APACHE_NAME -v | egrep -o 'Apache/([0-9]\.[^ ]+)' | tail -c +8)
"venv/bin/python" letstest/scripts/test_openssl_version.py "$OPENSSL_VERSION" "$APACHE_VERSION"
if [ $? -ne 0 ] ; then
    FAIL=1
fi


if [ "$OS_TYPE" = "ubuntu" ] ; then
    export SERVER="${PEBBLE_URL}"
    "venv/bin/tox" -e apacheconftest
else
    echo Not running hackish apache tests on $OS_TYPE
fi

if [ $? -ne 0 ] ; then
    FAIL=1
fi

# return error if any of the subtests failed
if [ "$FAIL" = 1 ] ; then
    DumpPebbleLogs
    exit 1
fi
current nonworking progress at scripting install of httpd on centos-like systems 2015-12-09 19:52:02 -05:00			`#!/bin/bash -x`

fixed apache2 script, tested on centos7 2015-12-10 09:19:32 -05:00			`# $OS_TYPE $PUBLIC_IP $PRIVATE_IP $PUBLIC_HOSTNAME $BOULDER_URL`
			`# are dynamically set at execution`
current nonworking progress at scripting install of httpd on centos-like systems 2015-12-09 19:52:02 -05:00
Add hackish-apache-tests to test_apache2.sh 2015-12-16 23:49:55 -05:00			`if [ "$OS_TYPE" = "ubuntu" ]`
current nonworking progress at scripting install of httpd on centos-like systems 2015-12-09 19:52:02 -05:00			`then`
			`CONFFILE=/etc/apache2/sites-available/000-default.conf`
			`sudo apt-get update`
Fix test farm tests by using a local Pebble instance (#8561) [As discussed in Mattermost](https://opensource.eff.org/eff-open-source/pl/yhtp4qu4zpfczm5wxmzxhndrto), our Apache test farm tests are failing because the CA certificate in the old version of boulder we have pinned expired over the weekend. This PR fixes that by running a local Pebble instance instead of an external boulder instance. * switch from external boulder to local pebble * add --http-01-port to run_acme_server 2020-12-22 13:24:20 -05:00			`sudo apt-get -y --no-upgrade install apache2 curl`
Make sure we install realpath (some systems don't have it :/) 2015-12-23 17:42:26 -05:00			`sudo apt-get -y install realpath # needed for test-apache-conf`
current nonworking progress at scripting install of httpd on centos-like systems 2015-12-09 19:52:02 -05:00			`# For apache 2.4, set up ServerName`
			`sudo sed -i '/ServerName/ s/#ServerName/ServerName/' $CONFFILE`
			`sudo sed -i '/ServerName/ s/www.example.com/'$PUBLIC_HOSTNAME'/' $CONFFILE`
Add hackish-apache-tests to test_apache2.sh 2015-12-16 23:49:55 -05:00			`elif [ "$OS_TYPE" = "centos" ]`
current nonworking progress at scripting install of httpd on centos-like systems 2015-12-09 19:52:02 -05:00			`then`
			`CONFFILE=/etc/httpd/conf/httpd.conf`
fixed apache2 script, tested on centos7 2015-12-10 09:19:32 -05:00			`sudo setenforce 0 \|\| true #disable selinux`
current nonworking progress at scripting install of httpd on centos-like systems 2015-12-09 19:52:02 -05:00			`sudo yum -y install httpd`
Test farm test fixes (#3582) 2016-10-04 19:45:24 -04:00			`sudo yum -y install nghttp2 \|\| echo this is probably ok but see https://bugzilla.redhat.com/show_bug.cgi?id=1358875`
current nonworking progress at scripting install of httpd on centos-like systems 2015-12-09 19:52:02 -05:00			`sudo service httpd start`
			`sudo mkdir -p /var/www/$PUBLIC_HOSTNAME/public_html`
fixed apache2 script, tested on centos7 2015-12-10 09:19:32 -05:00			`sudo chmod -R oug+rwx /var/www`
			`sudo chmod -R oug+rw /etc/httpd`
			`sudo echo '<html><head><title>foo</title></head><body>bar</body></html>' > /var/www/$PUBLIC_HOSTNAME/public_html/index.html`
rename letstest stuff 2016-04-14 20:10:27 -04:00			`sudo mkdir /etc/httpd/sites-available #certbot requires this...`
			`sudo mkdir /etc/httpd/sites-enabled #certbot requires this...`
fixed apache2 script, tested on centos7 2015-12-10 09:19:32 -05:00			`#sudo echo "IncludeOptional sites-enabled/*.conf" >> /etc/httpd/conf/httpd.conf`
current nonworking progress at scripting install of httpd on centos-like systems 2015-12-09 19:52:02 -05:00			`sudo echo """`
			`<VirtualHost *:80>`
			`ServerName $PUBLIC_HOSTNAME`
			`DocumentRoot /var/www/$PUBLIC_HOSTNAME/public_html`
			`ErrorLog /var/www/$PUBLIC_HOSTNAME/error.log`
			`CustomLog /var/www/$PUBLIC_HOSTNAME/requests.log combined`
fixed apache2 script, tested on centos7 2015-12-10 09:19:32 -05:00			`</VirtualHost>""" >> /etc/httpd/conf.d/$PUBLIC_HOSTNAME.conf`
			`#sudo cp /etc/httpd/sites-available/$PUBLIC_HOSTNAME.conf /etc/httpd/sites-enabled/`
current nonworking progress at scripting install of httpd on centos-like systems 2015-12-09 19:52:02 -05:00			`fi`

rename letstest stuff 2016-04-14 20:10:27 -04:00			`# Run certbot-apache2.`
current nonworking progress at scripting install of httpd on centos-like systems 2015-12-09 19:52:02 -05:00			`cd letsencrypt`
When testing apache2, don't use letsencrypt-auto 2015-12-22 19:57:08 -05:00
Make the new letsencrypt-auto script the main one. Remove the old bootstrap scripts, which have been subsumed into letsencrypt-auto-source/pieces/bootstrappers. They no longer need to be dispatched among manually: everyone can just run letsencrypt-auto --os-packages-only, regardless of OS. Make the root-level le-auto a symlink to the canonical version. It should thus still work for people running le-auto from a git checkout. 2016-02-05 15:26:08 -05:00			`echo "Bootstrapping dependencies..."`
Make a test farm tests package (#8821) Fixes https://github.com/certbot/certbot/issues/8781. This PR makes our test farm tests into a normal package so it and its dependencies can be tracked and installed like our other packages. Other noteworthy changes in this PR: * Rather than continuing to place logs in your CWD, they're placed in a temporary directory that is printed to the terminal. * `tests/letstest/auto_targets.yaml` was deleted rather than renamed because the file is no longer used. * make a letstest package * remove deleted deps * fix letstest install * add __init__.py * call main * Explicitly mention activating venv * rerename file * fix version.py path * clarify "this" * Use >= instead of caret requirement 2021-05-03 20:42:30 -04:00			`sudo letstest/scripts/bootstrap_os_packages.sh`
Make the new letsencrypt-auto script the main one. Remove the old bootstrap scripts, which have been subsumed into letsencrypt-auto-source/pieces/bootstrappers. They no longer need to be dispatched among manually: everyone can just run letsencrypt-auto --os-packages-only, regardless of OS. Make the root-level le-auto a symlink to the canonical version. It should thus still work for people running le-auto from a git checkout. 2016-02-05 15:26:08 -05:00			`if [ $? -ne 0 ] ; then`
			`exit 1`
When testing apache2, don't use letsencrypt-auto 2015-12-22 19:57:08 -05:00			`fi`

Split out testing extras (#8893) * split out test extras * update extras and regenerate pinnings * pin back mypy 2021-06-11 16:17:50 -04:00			`tools/venv.py -e acme -e certbot -e certbot-apache -e certbot-ci tox`
Fix test farm tests by using a local Pebble instance (#8561) [As discussed in Mattermost](https://opensource.eff.org/eff-open-source/pl/yhtp4qu4zpfczm5wxmzxhndrto), our Apache test farm tests are failing because the CA certificate in the old version of boulder we have pinned expired over the weekend. This PR fixes that by running a local Pebble instance instead of an external boulder instance. * switch from external boulder to local pebble * add --http-01-port to run_acme_server 2020-12-22 13:24:20 -05:00			`PEBBLE_LOGS="acme_server.log"`
			`PEBBLE_URL="https://localhost:14000/dir"`
			`# We configure Pebble to use port 80 for http-01 validation rather than an`
			`# alternate port because:`
			`# 1) It allows us to test with Apache configurations that are more realistic`
			`# and closer to the default configuration on various OSes.`
			`# 2) As of writing this, Certbot's Apache plugin requires there to be an`
			`# existing virtual host for the port used for http-01 validation.`
Cleanup venv scripts (#8629) Fixes https://github.com/certbot/certbot/issues/8387. * update _venv_common.py * delete venv.py scripts * rename venv script * update relevant venv3 references * remove set_python_envvars 2021-02-03 15:03:09 -05:00			`venv/bin/run_acme_server --http-01-port 80 > "${PEBBLE_LOGS}" 2>&1 &`
Update Fedora AMI (#7102) Fixes #6955. This updates the Fedora version used in our test farm tests to Fedora 30. The AMI ID comes from https://alt.fedoraproject.org/cloud/ where it is listed as their standard HVM AMI for the region we use us-east-1 (US East (N. Virginia)). Unfortunately, there were a lot of small changes required for this. The big reason for this is on Fedora, there isn't a Python 2 executable installed. In fact, there's not even an executable named python. It's just python3. Rather than installing another Python in each test, I wrote a script that the test scripts can share to figure out the different paths and names that should be used in their script. (This isn't used in test_sdists.sh because the logic is a little different.) Other changes here worth flagging are: I changed the name of the variable RUN_PYTHON3_TESTS in test_leauto_upgrades.sh to RUN_RHEL6_TESTS. The tests that are run when this variable is set test the upgrade from Python 2 to Python 3 on RHEL 6. I think this new name is much better now that we also have Fedora running Python 3. I made tools/simple_http_server.py work on Python 3. You can see tests passing with these changes at https://travis-ci.com/certbot/certbot/builds/113821476. I also ran test_tests.sh and they passed. * Update to Fedora 30 in test farm tests. Fedora 28 is likely to reach its EOL soon. * Add set_python_envvars.sh. * Fix test_apache2.sh on python3 only distros. * Fix test_leauto_upgrades.sh on python3 systems. * Fix certonly_standalone tests with python3 only * Fix test_sdists.sh on python3 only distros. * Make simple_http_server.py work on Python 3. * add comments 2019-05-31 21:08:52 -04:00
Fix test farm tests by using a local Pebble instance (#8561) [As discussed in Mattermost](https://opensource.eff.org/eff-open-source/pl/yhtp4qu4zpfczm5wxmzxhndrto), our Apache test farm tests are failing because the CA certificate in the old version of boulder we have pinned expired over the weekend. This PR fixes that by running a local Pebble instance instead of an external boulder instance. * switch from external boulder to local pebble * add --http-01-port to run_acme_server 2020-12-22 13:24:20 -05:00			`DumpPebbleLogs() {`
			`if [ -f "${PEBBLE_LOGS}" ] ; then`
			`echo "Pebble's logs were:"`
			`cat "${PEBBLE_LOGS}"`
			`fi`
			`}`

			`for n in $(seq 1 150) ; do`
			`if curl --insecure "${PEBBLE_URL}" 2>/dev/null; then`
			`break`
			`else`
			`echo "waiting for pebble"`
			`sleep 1`
			`fi`
			`done`
			`if ! curl --insecure "${PEBBLE_URL}" 2>/dev/null; then`
			`echo "timed out waiting for pebble to start"`
			`DumpPebbleLogs`
			`exit 1`
			`fi`

Cleanup venv scripts (#8629) Fixes https://github.com/certbot/certbot/issues/8387. * update _venv_common.py * delete venv.py scripts * rename venv script * update relevant venv3 references * remove set_python_envvars 2021-02-03 15:03:09 -05:00			`sudo "venv/bin/certbot" -v --debug --text --agree-tos --no-verify-ssl \`
current nonworking progress at scripting install of httpd on centos-like systems 2015-12-09 19:52:02 -05:00			`--renew-by-default --redirect --register-unsafely-without-email \`
Fix test farm tests by using a local Pebble instance (#8561) [As discussed in Mattermost](https://opensource.eff.org/eff-open-source/pl/yhtp4qu4zpfczm5wxmzxhndrto), our Apache test farm tests are failing because the CA certificate in the old version of boulder we have pinned expired over the weekend. This PR fixes that by running a local Pebble instance instead of an external boulder instance. * switch from external boulder to local pebble * add --http-01-port to run_acme_server 2020-12-22 13:24:20 -05:00			`--domain "${PUBLIC_HOSTNAME}" --server "${PEBBLE_URL}"`
Add hackish-apache-tests to test_apache2.sh 2015-12-16 23:49:55 -05:00			`if [ $? -ne 0 ] ; then`
			`FAIL=1`
			`fi`

Disable TLS session tickets in Apache (#7771) Fixes #7350. This PR changes the parsed modules from a `set` to a `dict`, with the filepath argument as the value. Accordingly, after calling `enable_mod` to enable `ssl_module`, modules now need to be re-parsed, so call `reset_modules`. * Add mechanism for selecting apache config file, based on work done in #7191. * Check OpenSSL version * Remove os imports * debian override still needs os * Reformat remaining apache tests with modules dict syntax * Clean up more apache tests * Switch from property to method for openssl and add tests for coverage. * Sometimes the dict location will be None in which case we should in fact return None * warn thoroughly and consistently in openssl_version function * update tests for new warnings * read file as bytes, and factor out the open for testing * normalize ssl_module_location path to account for being relative to server root * Use byte literals in a python 2 and 3 compatible way * string does need to be a literal * patch builtins open * add debug, remove space * Add test to check if OpenSSL detection is working on different systems * fix relative test location for cwd * put </IfModule> on its own line in test case * Revert test file to status in master. * Call augeas load before reparsing modules to pick up the changes * fix grep, tail, and mod_ssl location on centos * strip the trailing whitespace from fedora * just use LooseVersion in test * call apache2ctl on debian systems * Use sudo for apache2ctl command * add check to make sure we're getting a version * Add boolean so we don't warn on debian/ubuntu before trying to enable mod_ssl * Reduce warnings while testing by setting mock _openssl_version. * Make sure we're not throwing away any unwritten changes to the config * test last warning case for coverage * text changes for clarity 2020-03-23 19:49:52 -04:00			`# Check that ssl_module detection is working on various systems`
			`if [ "$OS_TYPE" = "ubuntu" ] ; then`
			`MOD_SSL_LOCATION="/usr/lib/apache2/modules/mod_ssl.so"`
			`APACHE_NAME=apache2ctl`
			`elif [ "$OS_TYPE" = "centos" ]; then`
			`MOD_SSL_LOCATION="/etc/httpd/modules/mod_ssl.so"`
			`APACHE_NAME=httpd`
			`fi`
			`OPENSSL_VERSION=$(strings "$MOD_SSL_LOCATION" \| egrep -o -m1 '^OpenSSL ([0-9]\.[^ ]+) ' \| tail -c +9)`
			`APACHE_VERSION=$(sudo $APACHE_NAME -v \| egrep -o 'Apache/([0-9]\.[^ ]+)' \| tail -c +8)`
Make a test farm tests package (#8821) Fixes https://github.com/certbot/certbot/issues/8781. This PR makes our test farm tests into a normal package so it and its dependencies can be tracked and installed like our other packages. Other noteworthy changes in this PR: * Rather than continuing to place logs in your CWD, they're placed in a temporary directory that is printed to the terminal. * `tests/letstest/auto_targets.yaml` was deleted rather than renamed because the file is no longer used. * make a letstest package * remove deleted deps * fix letstest install * add __init__.py * call main * Explicitly mention activating venv * rerename file * fix version.py path * clarify "this" * Use >= instead of caret requirement 2021-05-03 20:42:30 -04:00			`"venv/bin/python" letstest/scripts/test_openssl_version.py "$OPENSSL_VERSION" "$APACHE_VERSION"`
Disable TLS session tickets in Apache (#7771) Fixes #7350. This PR changes the parsed modules from a `set` to a `dict`, with the filepath argument as the value. Accordingly, after calling `enable_mod` to enable `ssl_module`, modules now need to be re-parsed, so call `reset_modules`. * Add mechanism for selecting apache config file, based on work done in #7191. * Check OpenSSL version * Remove os imports * debian override still needs os * Reformat remaining apache tests with modules dict syntax * Clean up more apache tests * Switch from property to method for openssl and add tests for coverage. * Sometimes the dict location will be None in which case we should in fact return None * warn thoroughly and consistently in openssl_version function * update tests for new warnings * read file as bytes, and factor out the open for testing * normalize ssl_module_location path to account for being relative to server root * Use byte literals in a python 2 and 3 compatible way * string does need to be a literal * patch builtins open * add debug, remove space * Add test to check if OpenSSL detection is working on different systems * fix relative test location for cwd * put </IfModule> on its own line in test case * Revert test file to status in master. * Call augeas load before reparsing modules to pick up the changes * fix grep, tail, and mod_ssl location on centos * strip the trailing whitespace from fedora * just use LooseVersion in test * call apache2ctl on debian systems * Use sudo for apache2ctl command * add check to make sure we're getting a version * Add boolean so we don't warn on debian/ubuntu before trying to enable mod_ssl * Reduce warnings while testing by setting mock _openssl_version. * Make sure we're not throwing away any unwritten changes to the config * test last warning case for coverage * text changes for clarity 2020-03-23 19:49:52 -04:00			`if [ $? -ne 0 ] ; then`
			`FAIL=1`
			`fi`


Add hackish-apache-tests to test_apache2.sh 2015-12-16 23:49:55 -05:00			`if [ "$OS_TYPE" = "ubuntu" ] ; then`
Fix test farm tests by using a local Pebble instance (#8561) [As discussed in Mattermost](https://opensource.eff.org/eff-open-source/pl/yhtp4qu4zpfczm5wxmzxhndrto), our Apache test farm tests are failing because the CA certificate in the old version of boulder we have pinned expired over the weekend. This PR fixes that by running a local Pebble instance instead of an external boulder instance. * switch from external boulder to local pebble * add --http-01-port to run_acme_server 2020-12-22 13:24:20 -05:00			`export SERVER="${PEBBLE_URL}"`
Cleanup venv scripts (#8629) Fixes https://github.com/certbot/certbot/issues/8387. * update _venv_common.py * delete venv.py scripts * rename venv script * update relevant venv3 references * remove set_python_envvars 2021-02-03 15:03:09 -05:00			`"venv/bin/tox" -e apacheconftest`
Add hackish-apache-tests to test_apache2.sh 2015-12-16 23:49:55 -05:00			`else`
			`echo Not running hackish apache tests on $OS_TYPE`
			`fi`

			`if [ $? -ne 0 ] ; then`
			`FAIL=1`
			`fi`

			`# return error if any of the subtests failed`
			`if [ "$FAIL" = 1 ] ; then`
Fix test farm tests by using a local Pebble instance (#8561) [As discussed in Mattermost](https://opensource.eff.org/eff-open-source/pl/yhtp4qu4zpfczm5wxmzxhndrto), our Apache test farm tests are failing because the CA certificate in the old version of boulder we have pinned expired over the weekend. This PR fixes that by running a local Pebble instance instead of an external boulder instance. * switch from external boulder to local pebble * add --http-01-port to run_acme_server 2020-12-22 13:24:20 -05:00			`DumpPebbleLogs`
Do things in the correct and new-fashioned way 2015-12-22 20:09:45 -05:00			`exit 1`
Add hackish-apache-tests to test_apache2.sh 2015-12-16 23:49:55 -05:00			`fi`