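#REGTEST_TYPE=bug
# Test if a certificate can be dynamically updated once a server which used it
# was removed.
#
# Flow: three backend servers share client1.pem as their client certificate.
# They are disabled and deleted over the CLI, the certificate is replaced with
# an expired one (allowed because nothing references it any more), a server is
# re-added against the replaced certificate and traffic is checked end to end.
#
# Security caveats for readers of this test:
#  - the backend servers use "verify none", i.e. they never validate the
#    listener's certificate, and the listener does not request or verify
#    client certificates (no "verify required" on the bind). The expired
#    client2_expired.pem is therefore accepted; this test exercises the CLI
#    certificate-replacement path, not certificate validation.
#  - the expected SHA1 fingerprints are those of the fixture files in
#    ${testdir}; SHA1 is used here only as an identifier, not as a trust
#    anchor.
#
varnishtest "Delete server via cli and update certificates"
feature ignore_unknown_macro

#REQUIRE_VERSION=2.4
#REQUIRE_OPTIONS=OPENSSL

# socat is used to push a multi-line payload (the PEM) into the stats socket.
feature cmd "command -v socat"

# static server
server s1 -repeat 3 {
    rxreq
    txresp \
      -body "resp from s1"
} -start

haproxy h1 -conf {
    global
        stats socket "${tmpdir}/h1/stats" level admin

    defaults
        mode http
        option httpclose
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"

    frontend fe
        bind "fd@${feS}"
        default_backend test

    # All three servers reference the same client certificate, so the
    # certificate stays "Used" until the last of them is deleted.
    backend test
        server s1 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
        server s2 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
        server s3 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"

    # TLS listener terminating the backend->listener hop; no client-cert
    # verification is configured on this bind.
    listen ssl-lst
        bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/common.pem"
        server s1 ${s1_addr}:${s1_port}
} -start

# Baseline: the loaded certificate is client1.pem (fingerprint of the fixture).
haproxy h1 -cli {
    send "show ssl cert ${testdir}/client1.pem"
    expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
}

client c1 -connect ${h1_feS_sock} {
    txreq
    rxresp
    expect resp.body == "resp from s1"
} -run

# Traffic must not have changed the loaded certificate.
haproxy h1 -cli {
    send "show ssl cert ${testdir}/client1.pem"
    expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
}

## delete the servers
haproxy h1 -cli {
    # "disable server" prints nothing on success; ".*" therefore only checks
    # that the CLI answered, not that the command succeeded. The later
    # "Server deleted." expectations are the real check.
    send "disable server test/s1"
    expect ~ ".*"
    send "disable server test/s2"
    expect ~ ".*"
    send "disable server test/s3"
    expect ~ ".*"

    # valid command (dynamic server deletion is experimental in 2.4)
    send "experimental-mode on; del server test/s1"
    expect ~ "Server deleted."
    send "experimental-mode on; del server test/s2"
    expect ~ "Server deleted."
    send "experimental-mode on; del server test/s3"
    expect ~ "Server deleted."
}

# Replace certificate with an expired one.
# The PEM is passed to printf as an argument, never as the format string, so
# a '%' or backslash in the fixture cannot alter the CLI payload; paths are
# quoted. The commit is only sent if the "set" was delivered (&&), so a
# failure to stage the new certificate fails the test here rather than being
# masked by a later, unrelated commit.
shell {
    printf 'set ssl cert %s <<\n%s\n\n' "${testdir}/client1.pem" "$(cat "${testdir}/client2_expired.pem")" | socat "${tmpdir}/h1/stats" - &&
    printf 'commit ssl cert %s\n' "${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
}

# The committed certificate is now client2_expired.pem.
haproxy h1 -cli {
    send "show ssl cert ${testdir}/client1.pem"
    expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4"
}

# With every server deleted nothing references the certificate.
haproxy h1 -cli {
    send "show ssl cert ${testdir}/client1.pem"
    expect ~ ".*Status: Unused"
}

# Re-add a server against the replaced certificate; it must be picked up and
# the certificate must flip back to "Used".
haproxy h1 -cli {
    send "experimental-mode on; add server test/s1 ${tmpdir}/ssl.sock ssl verify none crt ${testdir}/client1.pem"
    expect ~ "New server registered."
    send "enable server test/s1"
    expect ~ ".*"
    send "show ssl cert ${testdir}/client1.pem"
    expect ~ ".*Status: Used"
}

# check that servers are active (the expired client cert is accepted because
# the listener does not verify client certificates, see header note)
client c1 -connect ${h1_feS_sock} {
    txreq
    rxresp
    expect resp.body == "resp from s1"
} -run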