2017-07-06 16:28:13 +02:00
package integration
2016-12-12 18:30:31 +01:00
import (
"crypto/tls"
2018-05-16 11:44:03 +02:00
"crypto/x509"
2017-06-27 14:42:12 +02:00
"fmt"
2018-07-03 12:44:04 +02:00
"io/ioutil"
2016-12-12 18:30:31 +01:00
"net/http"
2017-09-13 10:34:04 +02:00
"os"
2018-07-03 12:44:04 +02:00
"path/filepath"
2016-12-12 18:30:31 +01:00
"time"
"github.com/go-check/check"
2018-07-03 12:44:04 +02:00
"github.com/miekg/dns"
2020-09-16 15:46:04 +02:00
"github.com/traefik/traefik/v2/integration/try"
"github.com/traefik/traefik/v2/pkg/config/static"
"github.com/traefik/traefik/v2/pkg/provider/acme"
"github.com/traefik/traefik/v2/pkg/testhelpers"
"github.com/traefik/traefik/v2/pkg/types"
2016-12-12 18:30:31 +01:00
checker "github.com/vdemeester/shakers"
)
2020-05-11 12:06:07 +02:00
// ACME test suites (using libcompose).
2016-12-12 18:30:31 +01:00
type AcmeSuite struct {
BaseSuite
2018-07-03 12:44:04 +02:00
pebbleIP string
fakeDNSServer * dns . Server
2016-12-12 18:30:31 +01:00
}
2019-07-19 11:52:04 +02:00
type subCases struct {
host string
expectedCommonName string
expectedAlgorithm x509 . PublicKeyAlgorithm
}
2018-07-03 12:44:04 +02:00
type acmeTestCase struct {
template templateModel
2017-06-19 13:22:41 +02:00
traefikConfFilePath string
2019-07-19 11:52:04 +02:00
subCases [ ] subCases
2016-12-12 18:30:31 +01:00
}
2018-07-03 12:44:04 +02:00
type templateModel struct {
2019-07-19 11:52:04 +02:00
Domains [ ] types . Domain
2018-07-03 12:44:04 +02:00
PortHTTP string
PortHTTPS string
2019-07-19 11:52:04 +02:00
Acme map [ string ] static . CertificateResolver
2018-07-03 12:44:04 +02:00
}
2017-06-27 14:42:12 +02:00
const (
// Domain to check
acmeDomain = "traefik.acme.wtf"
2017-06-19 13:22:41 +02:00
2017-06-27 14:42:12 +02:00
// Wildcard domain to check
wildcardDomain = "*.acme.wtf"
)
2017-06-19 13:22:41 +02:00
2018-06-27 15:08:05 +02:00
func ( s * AcmeSuite ) getAcmeURL ( ) string {
2018-07-03 12:44:04 +02:00
return fmt . Sprintf ( "https://%s:14000/dir" , s . pebbleIP )
}
func setupPebbleRootCA ( ) ( * http . Transport , error ) {
path , err := filepath . Abs ( "fixtures/acme/ssl/pebble.minica.pem" )
if err != nil {
return nil , err
}
os . Setenv ( "LEGO_CA_CERTIFICATES" , path )
os . Setenv ( "LEGO_CA_SERVER_NAME" , "pebble" )
customCAs , err := ioutil . ReadFile ( path )
if err != nil {
return nil , err
}
certPool := x509 . NewCertPool ( )
if ok := certPool . AppendCertsFromPEM ( customCAs ) ; ! ok {
2020-05-11 12:06:07 +02:00
return nil , fmt . Errorf ( "error creating x509 cert pool from %q: %w" , path , err )
2018-07-03 12:44:04 +02:00
}
return & http . Transport {
TLSClientConfig : & tls . Config {
ServerName : "pebble" ,
RootCAs : certPool ,
} ,
} , nil
2018-06-27 15:08:05 +02:00
}
2016-12-12 18:30:31 +01:00
func ( s * AcmeSuite ) SetUpSuite ( c * check . C ) {
2018-08-01 16:56:04 +02:00
s . createComposeProject ( c , "pebble" )
2016-12-12 18:30:31 +01:00
s . composeProject . Start ( c )
2018-07-03 12:44:04 +02:00
s . fakeDNSServer = startFakeDNSServer ( )
s . pebbleIP = s . composeProject . Container ( c , "pebble" ) . NetworkSettings . IPAddress
pebbleTransport , err := setupPebbleRootCA ( )
if err != nil {
c . Fatal ( err )
}
2018-08-01 16:56:04 +02:00
// wait for pebble
2018-07-03 12:44:04 +02:00
req := testhelpers . MustNewRequest ( http . MethodGet , s . getAcmeURL ( ) , nil )
client := & http . Client {
Transport : pebbleTransport ,
}
2016-12-12 18:30:31 +01:00
2018-07-03 12:44:04 +02:00
err = try . Do ( 5 * time . Second , func ( ) error {
resp , errGet := client . Do ( req )
if errGet != nil {
return errGet
}
return try . StatusCodeIs ( http . StatusOK ) ( resp )
} )
2016-12-12 18:30:31 +01:00
c . Assert ( err , checker . IsNil )
}
func ( s * AcmeSuite ) TearDownSuite ( c * check . C ) {
2018-07-03 12:44:04 +02:00
err := s . fakeDNSServer . Shutdown ( )
if err != nil {
c . Log ( err )
}
2016-12-12 18:30:31 +01:00
// shutdown and delete compose project
if s . composeProject != nil {
s . composeProject . Stop ( c )
}
}
2019-07-19 11:52:04 +02:00
func ( s * AcmeSuite ) TestHTTP01Domains ( c * check . C ) {
2018-07-03 12:44:04 +02:00
testCase := acmeTestCase {
2019-07-19 11:52:04 +02:00
traefikConfFilePath : "fixtures/acme/acme_domains.toml" ,
subCases : [ ] subCases { {
host : acmeDomain ,
expectedCommonName : acmeDomain ,
expectedAlgorithm : x509 . RSA ,
} } ,
2018-07-03 12:44:04 +02:00
template : templateModel {
2019-07-19 11:52:04 +02:00
Domains : [ ] types . Domain { {
Main : "traefik.acme.wtf" ,
} } ,
Acme : map [ string ] static . CertificateResolver {
"default" : { ACME : & acme . Configuration {
HTTPChallenge : & acme . HTTPChallenge { EntryPoint : "web" } ,
2018-07-03 12:44:04 +02:00
} } ,
} ,
2018-06-27 15:08:05 +02:00
} ,
}
2017-06-27 14:42:12 +02:00
s . retrieveAcmeCertificate ( c , testCase )
2017-06-19 13:22:41 +02:00
}
2019-07-19 11:52:04 +02:00
func ( s * AcmeSuite ) TestHTTP01DomainsInSAN ( c * check . C ) {
2018-07-03 12:44:04 +02:00
testCase := acmeTestCase {
2019-07-19 11:52:04 +02:00
traefikConfFilePath : "fixtures/acme/acme_domains.toml" ,
subCases : [ ] subCases { {
host : acmeDomain ,
expectedCommonName : "acme.wtf" ,
expectedAlgorithm : x509 . RSA ,
} } ,
2018-07-03 12:44:04 +02:00
template : templateModel {
2019-07-19 11:52:04 +02:00
Domains : [ ] types . Domain { {
Main : "acme.wtf" ,
SANs : [ ] string { "traefik.acme.wtf" } ,
} } ,
Acme : map [ string ] static . CertificateResolver {
"default" : { ACME : & acme . Configuration {
HTTPChallenge : & acme . HTTPChallenge { EntryPoint : "web" } ,
2018-07-03 12:44:04 +02:00
} } ,
} ,
2018-06-27 15:08:05 +02:00
} ,
}
2018-03-05 20:54:04 +01:00
s . retrieveAcmeCertificate ( c , testCase )
}
2018-07-03 12:44:04 +02:00
func ( s * AcmeSuite ) TestHTTP01OnHostRule ( c * check . C ) {
testCase := acmeTestCase {
2018-07-12 19:10:03 +02:00
traefikConfFilePath : "fixtures/acme/acme_base.toml" ,
2019-07-19 11:52:04 +02:00
subCases : [ ] subCases { {
host : acmeDomain ,
expectedCommonName : acmeDomain ,
expectedAlgorithm : x509 . RSA ,
} } ,
2018-07-03 12:44:04 +02:00
template : templateModel {
2019-07-19 11:52:04 +02:00
Acme : map [ string ] static . CertificateResolver {
"default" : { ACME : & acme . Configuration {
HTTPChallenge : & acme . HTTPChallenge { EntryPoint : "web" } ,
} } ,
} ,
} ,
}
s . retrieveAcmeCertificate ( c , testCase )
}
func ( s * AcmeSuite ) TestMultipleResolver ( c * check . C ) {
testCase := acmeTestCase {
traefikConfFilePath : "fixtures/acme/acme_multiple_resolvers.toml" ,
subCases : [ ] subCases {
{
host : acmeDomain ,
expectedCommonName : acmeDomain ,
expectedAlgorithm : x509 . RSA ,
} ,
{
host : "tchouk.acme.wtf" ,
expectedCommonName : "tchouk.acme.wtf" ,
expectedAlgorithm : x509 . ECDSA ,
} ,
} ,
template : templateModel {
Acme : map [ string ] static . CertificateResolver {
"default" : { ACME : & acme . Configuration {
HTTPChallenge : & acme . HTTPChallenge { EntryPoint : "web" } ,
} } ,
"tchouk" : { ACME : & acme . Configuration {
TLSChallenge : & acme . TLSChallenge { } ,
KeyType : "EC256" ,
} } ,
2018-07-03 12:44:04 +02:00
} ,
2018-06-27 15:08:05 +02:00
} ,
}
2018-05-16 11:44:03 +02:00
s . retrieveAcmeCertificate ( c , testCase )
}
2018-07-03 12:44:04 +02:00
func ( s * AcmeSuite ) TestHTTP01OnHostRuleECDSA ( c * check . C ) {
testCase := acmeTestCase {
2018-07-12 19:10:03 +02:00
traefikConfFilePath : "fixtures/acme/acme_base.toml" ,
2019-07-19 11:52:04 +02:00
subCases : [ ] subCases { {
host : acmeDomain ,
expectedCommonName : acmeDomain ,
expectedAlgorithm : x509 . ECDSA ,
} } ,
2018-07-03 12:44:04 +02:00
template : templateModel {
2019-07-19 11:52:04 +02:00
Acme : map [ string ] static . CertificateResolver {
"default" : { ACME : & acme . Configuration {
HTTPChallenge : & acme . HTTPChallenge { EntryPoint : "web" } ,
KeyType : "EC384" ,
} } ,
2018-07-03 12:44:04 +02:00
} ,
2018-06-27 15:08:05 +02:00
} ,
}
2018-05-16 11:44:03 +02:00
s . retrieveAcmeCertificate ( c , testCase )
}
2018-07-03 12:44:04 +02:00
func ( s * AcmeSuite ) TestHTTP01OnHostRuleInvalidAlgo ( c * check . C ) {
testCase := acmeTestCase {
2018-07-12 19:10:03 +02:00
traefikConfFilePath : "fixtures/acme/acme_base.toml" ,
2019-07-19 11:52:04 +02:00
subCases : [ ] subCases { {
host : acmeDomain ,
expectedCommonName : acmeDomain ,
expectedAlgorithm : x509 . RSA ,
} } ,
2018-07-03 12:44:04 +02:00
template : templateModel {
2019-07-19 11:52:04 +02:00
Acme : map [ string ] static . CertificateResolver {
"default" : { ACME : & acme . Configuration {
HTTPChallenge : & acme . HTTPChallenge { EntryPoint : "web" } ,
KeyType : "INVALID" ,
} } ,
2018-07-03 12:44:04 +02:00
} ,
2018-06-27 15:08:05 +02:00
} ,
}
2017-06-27 14:42:12 +02:00
s . retrieveAcmeCertificate ( c , testCase )
2017-06-19 13:22:41 +02:00
}
2019-07-19 11:52:04 +02:00
func ( s * AcmeSuite ) TestHTTP01OnHostRuleDefaultDynamicCertificatesWithWildcard ( c * check . C ) {
2018-07-03 12:44:04 +02:00
testCase := acmeTestCase {
traefikConfFilePath : "fixtures/acme/acme_tls.toml" ,
2019-07-19 11:52:04 +02:00
subCases : [ ] subCases { {
host : acmeDomain ,
expectedCommonName : wildcardDomain ,
expectedAlgorithm : x509 . RSA ,
} } ,
2018-07-03 12:44:04 +02:00
template : templateModel {
2019-07-19 11:52:04 +02:00
Acme : map [ string ] static . CertificateResolver {
"default" : { ACME : & acme . Configuration {
HTTPChallenge : & acme . HTTPChallenge { EntryPoint : "web" } ,
} } ,
2018-07-03 12:44:04 +02:00
} ,
2018-06-27 15:08:05 +02:00
} ,
}
2018-01-15 16:04:05 +01:00
s . retrieveAcmeCertificate ( c , testCase )
}
2018-07-03 12:44:04 +02:00
func ( s * AcmeSuite ) TestHTTP01OnHostRuleDynamicCertificatesWithWildcard ( c * check . C ) {
testCase := acmeTestCase {
traefikConfFilePath : "fixtures/acme/acme_tls_dynamic.toml" ,
2019-07-19 11:52:04 +02:00
subCases : [ ] subCases { {
host : acmeDomain ,
expectedCommonName : wildcardDomain ,
expectedAlgorithm : x509 . RSA ,
} } ,
2018-07-03 12:44:04 +02:00
template : templateModel {
2019-07-19 11:52:04 +02:00
Acme : map [ string ] static . CertificateResolver {
"default" : { ACME : & acme . Configuration {
HTTPChallenge : & acme . HTTPChallenge { EntryPoint : "web" } ,
} } ,
2018-07-03 12:44:04 +02:00
} ,
2018-06-27 15:08:05 +02:00
} ,
}
2018-01-15 16:04:05 +01:00
s . retrieveAcmeCertificate ( c , testCase )
}
2019-07-19 11:52:04 +02:00
func ( s * AcmeSuite ) TestTLSALPN01OnHostRuleTCP ( c * check . C ) {
2018-07-03 12:44:04 +02:00
testCase := acmeTestCase {
2019-07-19 11:52:04 +02:00
traefikConfFilePath : "fixtures/acme/acme_tcp.toml" ,
subCases : [ ] subCases { {
host : acmeDomain ,
expectedCommonName : acmeDomain ,
expectedAlgorithm : x509 . RSA ,
} } ,
2018-07-03 12:44:04 +02:00
template : templateModel {
2019-07-19 11:52:04 +02:00
Acme : map [ string ] static . CertificateResolver {
"default" : { ACME : & acme . Configuration {
TLSChallenge : & acme . TLSChallenge { } ,
} } ,
2018-07-03 12:44:04 +02:00
} ,
2018-06-27 15:08:05 +02:00
} ,
}
2017-11-09 12:16:03 +01:00
s . retrieveAcmeCertificate ( c , testCase )
}
2019-07-19 11:52:04 +02:00
func ( s * AcmeSuite ) TestTLSALPN01OnHostRule ( c * check . C ) {
2018-07-03 12:44:04 +02:00
testCase := acmeTestCase {
2018-07-12 19:10:03 +02:00
traefikConfFilePath : "fixtures/acme/acme_base.toml" ,
2019-07-19 11:52:04 +02:00
subCases : [ ] subCases { {
host : acmeDomain ,
expectedCommonName : acmeDomain ,
expectedAlgorithm : x509 . RSA ,
} } ,
2018-07-03 12:44:04 +02:00
template : templateModel {
2019-07-19 11:52:04 +02:00
Acme : map [ string ] static . CertificateResolver {
"default" : { ACME : & acme . Configuration {
TLSChallenge : & acme . TLSChallenge { } ,
2018-07-03 12:44:04 +02:00
} } ,
} ,
} ,
}
s . retrieveAcmeCertificate ( c , testCase )
}
2019-07-19 11:52:04 +02:00
func ( s * AcmeSuite ) TestTLSALPN01Domains ( c * check . C ) {
2018-07-03 12:44:04 +02:00
testCase := acmeTestCase {
2019-07-19 11:52:04 +02:00
traefikConfFilePath : "fixtures/acme/acme_domains.toml" ,
subCases : [ ] subCases { {
host : acmeDomain ,
expectedCommonName : acmeDomain ,
expectedAlgorithm : x509 . RSA ,
} } ,
2018-07-03 12:44:04 +02:00
template : templateModel {
2019-07-19 11:52:04 +02:00
Domains : [ ] types . Domain { {
Main : "traefik.acme.wtf" ,
} } ,
Acme : map [ string ] static . CertificateResolver {
"default" : { ACME : & acme . Configuration {
TLSChallenge : & acme . TLSChallenge { } ,
2018-07-03 12:44:04 +02:00
} } ,
} ,
2018-06-27 15:08:05 +02:00
} ,
}
2017-11-09 12:16:03 +01:00
s . retrieveAcmeCertificate ( c , testCase )
2017-06-19 13:22:41 +02:00
}
2019-07-19 11:52:04 +02:00
func ( s * AcmeSuite ) TestTLSALPN01DomainsInSAN ( c * check . C ) {
2018-07-12 19:10:03 +02:00
testCase := acmeTestCase {
2019-07-19 11:52:04 +02:00
traefikConfFilePath : "fixtures/acme/acme_domains.toml" ,
subCases : [ ] subCases { {
host : acmeDomain ,
expectedCommonName : "acme.wtf" ,
expectedAlgorithm : x509 . RSA ,
} } ,
2018-07-12 19:10:03 +02:00
template : templateModel {
2019-07-19 11:52:04 +02:00
Domains : [ ] types . Domain { {
Main : "acme.wtf" ,
SANs : [ ] string { "traefik.acme.wtf" } ,
} } ,
Acme : map [ string ] static . CertificateResolver {
"default" : { ACME : & acme . Configuration {
TLSChallenge : & acme . TLSChallenge { } ,
2018-07-12 19:10:03 +02:00
} } ,
} ,
} ,
}
s . retrieveAcmeCertificate ( c , testCase )
}
2020-05-11 12:06:07 +02:00
// Test Let's encrypt down.
2018-02-05 18:20:04 +01:00
func ( s * AcmeSuite ) TestNoValidLetsEncryptServer ( c * check . C ) {
2018-07-12 19:10:03 +02:00
file := s . adaptFile ( c , "fixtures/acme/acme_base.toml" , templateModel {
2019-07-19 11:52:04 +02:00
Acme : map [ string ] static . CertificateResolver {
"default" : { ACME : & acme . Configuration {
CAServer : "http://wrongurl:4001/directory" ,
HTTPChallenge : & acme . HTTPChallenge { EntryPoint : "web" } ,
} } ,
2018-07-03 12:44:04 +02:00
} ,
2018-06-27 15:08:05 +02:00
} )
defer os . Remove ( file )
cmd , display := s . traefikCmd ( withConfigFile ( file ) )
2018-02-05 18:20:04 +01:00
defer display ( c )
err := cmd . Start ( )
c . Assert ( err , checker . IsNil )
2020-10-09 09:32:03 +02:00
defer s . killCmd ( cmd )
2018-02-05 18:20:04 +01:00
// Expected traefik works
2019-05-16 10:58:06 +02:00
err = try . GetRequest ( "http://127.0.0.1:8080/api/rawdata" , 10 * time . Second , try . StatusCodeIs ( http . StatusOK ) )
2018-02-05 18:20:04 +01:00
c . Assert ( err , checker . IsNil )
}
2017-06-19 13:22:41 +02:00
2020-05-11 12:06:07 +02:00
// Doing an HTTPS request and test the response certificate.
2018-07-03 12:44:04 +02:00
func ( s * AcmeSuite ) retrieveAcmeCertificate ( c * check . C , testCase acmeTestCase ) {
if len ( testCase . template . PortHTTP ) == 0 {
testCase . template . PortHTTP = ":5002"
}
if len ( testCase . template . PortHTTPS ) == 0 {
testCase . template . PortHTTPS = ":5001"
}
2019-07-19 11:52:04 +02:00
for _ , value := range testCase . template . Acme {
if len ( value . ACME . CAServer ) == 0 {
value . ACME . CAServer = s . getAcmeURL ( )
}
2018-07-03 12:44:04 +02:00
}
file := s . adaptFile ( c , testCase . traefikConfFilePath , testCase . template )
2017-09-13 10:34:04 +02:00
defer os . Remove ( file )
2017-06-27 14:42:12 +02:00
2017-09-13 10:34:04 +02:00
cmd , display := s . traefikCmd ( withConfigFile ( file ) )
defer display ( c )
2016-12-12 18:30:31 +01:00
err := cmd . Start ( )
c . Assert ( err , checker . IsNil )
2020-10-09 09:32:03 +02:00
defer s . killCmd ( cmd )
2018-04-10 10:52:04 +02:00
// A real file is needed to have the right mode on acme.json file
defer os . Remove ( "/tmp/acme.json" )
2016-12-12 18:30:31 +01:00
2020-07-17 15:38:04 +02:00
backend := startTestServer ( "9010" , http . StatusOK , "" )
2016-12-12 18:30:31 +01:00
defer backend . Close ( )
2019-07-19 11:52:04 +02:00
for _ , sub := range testCase . subCases {
client := & http . Client {
Transport : & http . Transport {
TLSClientConfig : & tls . Config { InsecureSkipVerify : true } ,
} ,
}
2016-12-12 18:30:31 +01:00
2019-07-19 11:52:04 +02:00
// wait for traefik (generating acme account take some seconds)
err = try . Do ( 60 * time . Second , func ( ) error {
_ , errGet := client . Get ( "https://127.0.0.1:5001" )
return errGet
} )
c . Assert ( err , checker . IsNil )
client = & http . Client {
Transport : & http . Transport {
TLSClientConfig : & tls . Config {
InsecureSkipVerify : true ,
ServerName : sub . host ,
} ,
2018-06-27 15:08:05 +02:00
} ,
2019-07-19 11:52:04 +02:00
}
2017-06-27 14:42:12 +02:00
2019-07-19 11:52:04 +02:00
req := testhelpers . MustNewRequest ( http . MethodGet , "https://127.0.0.1:5001/" , nil )
req . Host = sub . host
req . Header . Set ( "Host" , sub . host )
req . Header . Set ( "Accept" , "*/*" )
2017-06-19 13:22:41 +02:00
2019-07-19 11:52:04 +02:00
var resp * http . Response
2017-06-27 14:42:12 +02:00
2019-07-19 11:52:04 +02:00
// Retry to send a Request which uses the LE generated certificate
err = try . Do ( 60 * time . Second , func ( ) error {
resp , err = client . Do ( req )
2017-06-27 14:42:12 +02:00
2019-07-19 11:52:04 +02:00
// /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\
req . Close = true
2017-06-27 14:42:12 +02:00
2019-07-19 11:52:04 +02:00
if err != nil {
return err
}
2017-06-27 14:42:12 +02:00
2019-07-19 11:52:04 +02:00
cn := resp . TLS . PeerCertificates [ 0 ] . Subject . CommonName
if cn != sub . expectedCommonName {
return fmt . Errorf ( "domain %s found instead of %s" , cn , sub . expectedCommonName )
}
2017-06-27 14:42:12 +02:00
2019-07-19 11:52:04 +02:00
return nil
} )
2017-06-27 14:42:12 +02:00
2019-07-19 11:52:04 +02:00
c . Assert ( err , checker . IsNil )
c . Assert ( resp . StatusCode , checker . Equals , http . StatusOK )
// Check Domain into response certificate
c . Assert ( resp . TLS . PeerCertificates [ 0 ] . Subject . CommonName , checker . Equals , sub . expectedCommonName )
c . Assert ( resp . TLS . PeerCertificates [ 0 ] . PublicKeyAlgorithm , checker . Equals , sub . expectedAlgorithm )
}
2016-12-12 18:30:31 +01:00
}