2021-12-30 13:57:32 +00:00
|
|
|
#REGTEST_TYPE=bug
|
2022-01-07 09:46:15 +00:00
|
|
|
# Test if a certificate can be dynamically updated once a server which used it
|
2021-12-30 13:57:32 +00:00
|
|
|
# was removed.
|
|
|
|
#
|
|
|
|
varnishtest "Delete server via cli and update certificates"
|
|
|
|
|
|
|
|
feature ignore_unknown_macro
|
|
|
|
|
|
|
|
#REQUIRE_VERSION=2.4
|
|
|
|
#REQUIRE_OPTIONS=OPENSSL
|
|
|
|
feature cmd "command -v socat"
|
|
|
|
|
|
|
|
# static server
|
|
|
|
server s1 -repeat 3 {
|
|
|
|
rxreq
|
|
|
|
txresp \
|
|
|
|
-body "resp from s1"
|
|
|
|
} -start
|
|
|
|
|
|
|
|
haproxy h1 -conf {
|
|
|
|
global
|
|
|
|
stats socket "${tmpdir}/h1/stats" level admin
|
|
|
|
|
|
|
|
defaults
|
|
|
|
mode http
|
2022-02-16 09:45:23 +00:00
|
|
|
option httpclose
|
2021-12-30 13:57:32 +00:00
|
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
|
|
|
|
frontend fe
|
|
|
|
bind "fd@${feS}"
|
|
|
|
default_backend test
|
|
|
|
|
|
|
|
backend test
|
|
|
|
server s1 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
|
|
|
|
server s2 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
|
|
|
|
server s3 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
|
|
|
|
|
|
|
|
|
|
|
|
listen ssl-lst
|
|
|
|
bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/common.pem"
|
|
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
|
|
|
|
} -start
|
|
|
|
|
|
|
|
|
|
|
|
haproxy h1 -cli {
|
|
|
|
send "show ssl cert ${testdir}/client1.pem"
|
|
|
|
expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
|
|
|
|
}
|
|
|
|
client c1 -connect ${h1_feS_sock} {
|
|
|
|
txreq
|
|
|
|
rxresp
|
|
|
|
expect resp.body == "resp from s1"
|
|
|
|
} -run
|
|
|
|
|
|
|
|
haproxy h1 -cli {
|
|
|
|
send "show ssl cert ${testdir}/client1.pem"
|
|
|
|
expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
|
|
|
|
}
|
|
|
|
|
|
|
|
## delete the servers
|
|
|
|
haproxy h1 -cli {
|
|
|
|
send "disable server test/s1"
|
|
|
|
expect ~ ".*"
|
|
|
|
send "disable server test/s2"
|
|
|
|
expect ~ ".*"
|
|
|
|
send "disable server test/s3"
|
|
|
|
expect ~ ".*"
|
|
|
|
|
|
|
|
# valid command
|
2022-03-09 14:07:31 +00:00
|
|
|
send "del server test/s1"
|
2021-12-30 13:57:32 +00:00
|
|
|
expect ~ "Server deleted."
|
2022-03-09 14:07:31 +00:00
|
|
|
send "del server test/s2"
|
2021-12-30 13:57:32 +00:00
|
|
|
expect ~ "Server deleted."
|
2022-03-09 14:07:31 +00:00
|
|
|
send "del server test/s3"
|
2021-12-30 13:57:32 +00:00
|
|
|
expect ~ "Server deleted."
|
|
|
|
}
|
|
|
|
|
|
|
|
# Replace certificate with an expired one
|
|
|
|
shell {
|
|
|
|
printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
|
|
echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
|
|
|
|
}
|
|
|
|
|
|
|
|
haproxy h1 -cli {
|
|
|
|
send "show ssl cert ${testdir}/client1.pem"
|
|
|
|
expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4"
|
|
|
|
}
|
|
|
|
|
|
|
|
haproxy h1 -cli {
|
|
|
|
send "show ssl cert ${testdir}/client1.pem"
|
|
|
|
expect ~ ".*Status: Unused"
|
|
|
|
}
|
|
|
|
|
|
|
|
haproxy h1 -cli {
|
2022-03-09 14:07:31 +00:00
|
|
|
send "add server test/s1 ${tmpdir}/ssl.sock ssl verify none crt ${testdir}/client1.pem"
|
2021-12-30 13:57:32 +00:00
|
|
|
expect ~ "New server registered."
|
|
|
|
send "enable server test/s1"
|
|
|
|
expect ~ ".*"
|
|
|
|
send "show ssl cert ${testdir}/client1.pem"
|
|
|
|
expect ~ ".*Status: Used"
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
# check that servers are active
|
|
|
|
client c1 -connect ${h1_feS_sock} {
|
|
|
|
txreq
|
|
|
|
rxresp
|
|
|
|
expect resp.body == "resp from s1"
|
|
|
|
} -run
|
|
|
|
|