URL: https://github.com/freeipa/freeipa/pull/5557
Author: mrizwan93
 Title: #5557: ipatests: Test if ACME renews the issued cert with cerbot
Action: opened

PR body:
"""
This test is to check if ACME certificate renews upon
reaching expiry

related: https://pagure.io/freeipa/issue/4751
Signed-off-by: Mohammad Rizwan <myu...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5557/head:pr5557
git checkout pr5557
From d3bc9ebeb023861f2a0e22260a95080439b106bc Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myu...@redhat.com>
Date: Mon, 15 Feb 2021 14:00:13 +0530
Subject: [PATCH] ipatests: Test if ACME renews the issued cert with cerbot

This test is to check if ACME certificate renews upon
reaching expiry

related: https://pagure.io/freeipa/issue/4751
Signed-off-by: Mohammad Rizwan <myu...@redhat.com>
---
 ipatests/test_integration/test_acme.py | 53 ++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
index 473e8c7907f..b34b181b89f 100644
--- a/ipatests/test_integration/test_acme.py
+++ b/ipatests/test_integration/test_acme.py
@@ -119,6 +119,24 @@ def prepare_acme_client(cls):
         if not skip_mod_md_tests:
             tasks.install_packages(cls.clients[0], ['mod_md'])
 
+    @pytest.fixture
+    def expire_acme_cert(self):
+        """Fixture to expire the ACME cert
+
+           This method moves the system date on server and client
+           past the expiry of issued ACME cert and then oves back
+           the date.
+        """
+        self.master.run_command(['systemctl', 'stop', 'chronyd'])
+        self.client.run_command(['systemctl', 'stop', 'chronyd'])
+        self.master.run_command(['date', '-s', '+3Months'])
+        self.client.run_command(['date', '-s', '+3Months'])
+        yield
+        self.master.run_command(['date', '-s', '-3Months'])
+        self.client.run_command(['date', '-s', '-3Months'])
+        self.master.run_command(['systemctl', 'start', 'chronyd'])
+        self.client.run_command(['systemctl', 'start', 'chronyd'])
+
     @classmethod
     def install(cls, mh):
         super(TestACME, cls).install(mh)
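Review bot: The `expire_acme_cert` fixture is never requested; `test_certbot_renew` in the later hunk repeats the stop-chronyd/shift/restore sequence inline, and the two copies already disagree (`+3Months` here, `+90days` there). The fixture also reads `self.client`, while the context line above and the new test use `cls.clients[0]` / `self.clients[0]`; the TestACME class body is outside this hunk, so confirm that attribute exists. I would keep one copy by declaring `def test_certbot_renew(self, expire_acme_cert):` and dropping the inline date handling. If a setup command fails after the first `date -s`, the code after `yield` does not run, so the shift belongs inside `try:` with the restore in `finally:`. The docstring typo `oves back` should read `moves back`.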
@@ -304,6 +322,41 @@ def test_certbot_dns(self):
             '--manual-cleanup-hook', CERTBOT_DNS_IPA_SCRIPT,
         ])
 
+    def test_certbot_renew(self):
+        """Test if ACME renews the issued cert with cerbot
+
+        This test is to check if ACME certificate renews upon
+        reaching expiry
+        """
+        data = self.clients[0].get_file_contents(
+            f'/etc/letsencrypt/live/{self.clients[0].hostname}/cert.pem'
+        )
+        cert = x509.load_pem_x509_certificate(data, backend=default_backend())
+        initial_expiry = cert.not_valid_after
+
+        # move system date to expire acme cert
+        self.clients[0].run_command(['systemctl', 'stop', 'chronyd'])
+        self.master.run_command(['systemctl', 'stop', 'chronyd'])
+        self.master.run_command(['date', '-s', '+90days'])
+        self.clients[0].run_command(['date', '-s', '+90days'])
+
+        self.clients[0].run_command(['certbot', 'renew'])
+        time.sleep(10)
+
+        data = self.clients[0].get_file_contents(
+            f'/etc/letsencrypt/live/{self.clients[0].hostname}/cert.pem'
+        )
+        cert = x509.load_pem_x509_certificate(data, backend=default_backend())
+        renewed_expiry = cert.not_valid_after
+
+        assert initial_expiry != renewed_expiry
+
+        # move back date
+        self.master.run_command(['date', '-s', '-90days'])
+        self.clients[0].run_command(['date', '-s', '-90days'])
+        self.clients[0].run_command(['systemctl', 'start', 'chronyd'])
+        self.master.run_command(['systemctl', 'start', 'chronyd'])
+
     ##############
     # mod_md tests
     ##############
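Review bot: The clock restore at the end of `test_certbot_renew` is skipped whenever `certbot renew` fails or the assert trips, leaving master and client 90 days ahead with chronyd stopped for the mod_md tests that follow. Time-sensitive checks on those hosts (Kerberos skew, certificate validity) would then likely fail for unrelated reasons. The restore should be unconditional, either via try/finally as sketched below or by requesting the `expire_acme_cert` fixture added earlier in this patch. The assertion is stronger as `renewed_expiry > initial_expiry`, since `!=` passes for any different certificate. The diffstat's 53 insertions are all in these two hunks, so `time`, `x509` and `default_backend` must already be imported in test_acme.py; worth confirming, as the import block is not visible here.

```python
    def test_certbot_renew(self):
        # … unchanged: docstring, read cert.pem and record initial_expiry …
        hosts = (self.master, self.clients[0])
        shifted = []
        try:
            for host in hosts:
                host.run_command(['systemctl', 'stop', 'chronyd'])
                host.run_command(['date', '-s', '+90days'])
                shifted.append(host)
            self.clients[0].run_command(['certbot', 'renew'])
            # … unchanged: re-read cert.pem into renewed_expiry …
            assert renewed_expiry > initial_expiry
        finally:
            # undo the shift only on hosts that were actually moved, then
            # hand time back to chronyd so later tests see a sane clock
            for host in shifted:
                host.run_command(['date', '-s', '-90days'])
            for host in hosts:
                host.run_command(['systemctl', 'start', 'chronyd'])
```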