authorKyle McCullough <kylemcc@gmail.com>2022-12-05 23:12:26 -0800
committerGitHub <noreply@github.com>2022-12-06 00:12:26 -0700
commitbfaf2a8201b83d7369772cb6f2439abe66d9342a (patch)
tree6be62eee5163d018dcf2214c77195abeda280ea9 /caddytest
parentfef9cb3e05ea071cdfd9ed1a6be5c8dcabf6603e (diff)
acme_server: Configurable default lifetime for issued certificates (#5232)
* acme_server: add certificate lifetime configuration option

Signed-off-by: Kyle McCullough <kylemcc@gmail.com>

* pki: allow intermediate cert lifetime to be configured

Signed-off-by: Kyle McCullough <kylemcc@gmail.com>

Signed-off-by: Kyle McCullough <kylemcc@gmail.com>
Diffstat (limited to 'caddytest')
-rw-r--r--caddytest/integration/caddyfile_adapt/acme_server_lifetime.txt108
-rw-r--r--caddytest/integration/caddyfile_adapt/global_options_skip_install_trust.txt2
-rw-r--r--caddytest/integration/pki_test.go101
3 files changed, 210 insertions, 1 deletions
diff --git a/caddytest/integration/caddyfile_adapt/acme_server_lifetime.txt b/caddytest/integration/caddyfile_adapt/acme_server_lifetime.txt
new file mode 100644
index 0000000..6099440
--- /dev/null
+++ b/caddytest/integration/caddyfile_adapt/acme_server_lifetime.txt
@@ -0,0 +1,108 @@
+{
+ pki {
+ ca internal {
+ name "Internal"
+ root_cn "Internal Root Cert"
+ intermediate_cn "Internal Intermediate Cert"
+ }
+ ca internal-long-lived {
+ name "Long-lived"
+ root_cn "Internal Root Cert 2"
+ intermediate_cn "Internal Intermediate Cert 2"
+ }
+ }
+}
+
+acme-internal.example.com {
+ acme_server {
+ ca internal
+ }
+}
+
+acme-long-lived.example.com {
+ acme_server {
+ ca internal-long-lived
+ lifetime 7d
+ }
+}
+----------
+{
+ "apps": {
+ "http": {
+ "servers": {
+ "srv0": {
+ "listen": [
+ ":443"
+ ],
+ "routes": [
+ {
+ "match": [
+ {
+ "host": [
+ "acme-long-lived.example.com"
+ ]
+ }
+ ],
+ "handle": [
+ {
+ "handler": "subroute",
+ "routes": [
+ {
+ "handle": [
+ {
+ "ca": "internal-long-lived",
+ "handler": "acme_server",
+ "lifetime": 604800000000000
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "terminal": true
+ },
+ {
+ "match": [
+ {
+ "host": [
+ "acme-internal.example.com"
+ ]
+ }
+ ],
+ "handle": [
+ {
+ "handler": "subroute",
+ "routes": [
+ {
+ "handle": [
+ {
+ "ca": "internal",
+ "handler": "acme_server"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "terminal": true
+ }
+ ]
+ }
+ }
+ },
+ "pki": {
+ "certificate_authorities": {
+ "internal": {
+ "name": "Internal",
+ "root_common_name": "Internal Root Cert",
+ "intermediate_common_name": "Internal Intermediate Cert"
+ },
+ "internal-long-lived": {
+ "name": "Long-lived",
+ "root_common_name": "Internal Root Cert 2",
+ "intermediate_common_name": "Internal Intermediate Cert 2"
+ }
+ }
+ }
+ }
+}
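Review bot: The fixture checks only that `lifetime 7d` adapts to `"lifetime": 604800000000000`; nothing verifies that the resulting config is accepted at load, and `internal-long-lived` is declared without any intermediate lifetime, so at provision time the 7d leaf lifetime is compared against whatever the default intermediate lifetime is. The pki_test.go added in this same commit rejects a 7d leaf against a 7d intermediate, so if the default happens to be 7d this exact Caddyfile would fail to provision even though it adapts cleanly. Since adapt fixtures double as documentation of valid configurations, consider giving `internal-long-lived` an explicit intermediate lifetime longer than 7d via the new pki option this commit introduces, or using a shorter value such as `lifetime 12h` so the example is loadable regardless of the default.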
diff --git a/caddytest/integration/caddyfile_adapt/global_options_skip_install_trust.txt b/caddytest/integration/caddyfile_adapt/global_options_skip_install_trust.txt
index 8116a4b..3a175a0 100644
--- a/caddytest/integration/caddyfile_adapt/global_options_skip_install_trust.txt
+++ b/caddytest/integration/caddyfile_adapt/global_options_skip_install_trust.txt
@@ -165,4 +165,4 @@ acme-bar.example.com {
}
}
}
-} \ No newline at end of file
+}
diff --git a/caddytest/integration/pki_test.go b/caddytest/integration/pki_test.go
new file mode 100644
index 0000000..5e9928c
--- /dev/null
+++ b/caddytest/integration/pki_test.go
@@ -0,0 +1,101 @@
+package integration
+
+import (
+ "testing"
+
+ "github.com/caddyserver/caddy/v2/caddytest"
+)
+
+func TestLeafCertLifetimeLessThanIntermediate(t *testing.T) {
+ caddytest.AssertLoadError(t, `
+ {
+ "apps": {
+ "http": {
+ "servers": {
+ "srv0": {
+ "listen": [
+ ":443"
+ ],
+ "routes": [
+ {
+ "handle": [
+ {
+ "handler": "subroute",
+ "routes": [
+ {
+ "handle": [
+ {
+ "ca": "internal",
+ "handler": "acme_server",
+ "lifetime": 604800000000000
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ }
+ },
+ "pki": {
+ "certificate_authorities": {
+ "internal": {
+ "install_trust": false,
+ "intermediate_lifetime": 604800000000000,
+ "name": "Internal CA"
+ }
+ }
+ }
+ }
+ }
+ `, "json", "certificate lifetime (168h0m0s) should be less than intermediate certificate lifetime (168h0m0s)")
+}
+
+func TestIntermediateLifetimeLessThanRoot(t *testing.T) {
+ caddytest.AssertLoadError(t, `
+ {
+ "apps": {
+ "http": {
+ "servers": {
+ "srv0": {
+ "listen": [
+ ":443"
+ ],
+ "routes": [
+ {
+ "handle": [
+ {
+ "handler": "subroute",
+ "routes": [
+ {
+ "handle": [
+ {
+ "ca": "internal",
+ "handler": "acme_server",
+ "lifetime": 2592000000000000
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ }
+ },
+ "pki": {
+ "certificate_authorities": {
+ "internal": {
+ "install_trust": false,
+ "intermediate_lifetime": 311040000000000000,
+ "name": "Internal CA"
+ }
+ }
+ }
+ }
+ }
+ `, "json", "intermediate certificate lifetime must be less than root certificate lifetime (86400h0m0s)")
+}
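Review bot: Both cases pin only the boundary where the two lifetimes are equal (a leaf of 604800000000000 ns against an intermediate of 604800000000000 ns, and an intermediate of 311040000000000000 ns against the 86400h root named in the expected message), so a leaf or intermediate lifetime strictly longer than its issuer is never exercised, and there is no positive case showing that a shorter lifetime loads. A leaf that outlives its issuing intermediate is the failure mode this validation exists to prevent, so one more case with `"lifetime": 1209600000000000` expecting `certificate lifetime (336h0m0s) should be less than intermediate certificate lifetime (168h0m0s)` would cover it, and a successful load with a shorter value would confirm the check does not reject valid configs. The two JSON configs differ only in two numbers, so a table-driven test with the config produced by a small helper taking the leaf and intermediate durations would make adding those cases cheap. The function names read as the invariant being enforced rather than the scenario under test; a doc comment such as `// rejects a leaf lifetime that is not strictly shorter than the intermediate's` on each would make the intent clear. The two expected messages also differ in wording ("should be less than" vs "must be less than"), which presumably mirrors the validation code outside this diff and may be worth aligning there.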