| #REGTEST_TYPE=bug |
| # Test if a certificate can be dynamically updated once a server which used it |
| # was removed. |
| # |
| varnishtest "Delete server via cli and update certificates" |
| |
| feature ignore_unknown_macro |
| |
| #REQUIRE_VERSION=2.4 |
| #REQUIRE_OPTIONS=OPENSSL |
| feature cmd "command -v socat" |
| |
| # static server |
| server s1 -repeat 3 { |
| rxreq |
| txresp \ |
| -body "resp from s1" |
| } -start |
| |
| haproxy h1 -conf { |
| global |
| stats socket "${tmpdir}/h1/stats" level admin |
| |
| defaults |
| mode http |
| option httpclose |
| timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" |
| timeout client "${HAPROXY_TEST_TIMEOUT-5s}" |
| timeout server "${HAPROXY_TEST_TIMEOUT-5s}" |
| |
| frontend fe |
| bind "fd@${feS}" |
| default_backend test |
| |
| backend test |
| server s1 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem" |
| server s2 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem" |
| server s3 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem" |
| |
| |
| listen ssl-lst |
| bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/common.pem" |
| server s1 ${s1_addr}:${s1_port} |
| |
| } -start |
| |
| |
| haproxy h1 -cli { |
| send "show ssl cert ${testdir}/client1.pem" |
| expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4" |
| } |
| client c1 -connect ${h1_feS_sock} { |
| txreq |
| rxresp |
| expect resp.body == "resp from s1" |
| } -run |
| |
| haproxy h1 -cli { |
| send "show ssl cert ${testdir}/client1.pem" |
| expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4" |
| } |
| |
| ## delete the servers |
| haproxy h1 -cli { |
| send "disable server test/s1" |
| expect ~ ".*" |
| send "disable server test/s2" |
| expect ~ ".*" |
| send "disable server test/s3" |
| expect ~ ".*" |
| |
| # valid command |
| send "experimental-mode on; del server test/s1" |
| expect ~ "Server deleted." |
| send "experimental-mode on; del server test/s2" |
| expect ~ "Server deleted." |
| send "experimental-mode on; del server test/s3" |
| expect ~ "Server deleted." |
| } |
| |
| # Replace certificate with an expired one |
| shell { |
| printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" - |
| echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" - |
| } |
| |
| haproxy h1 -cli { |
| send "show ssl cert ${testdir}/client1.pem" |
| expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4" |
| } |
| |
| haproxy h1 -cli { |
| send "show ssl cert ${testdir}/client1.pem" |
| expect ~ ".*Status: Unused" |
| } |
| |
| haproxy h1 -cli { |
| send "experimental-mode on; add server test/s1 ${tmpdir}/ssl.sock ssl verify none crt ${testdir}/client1.pem" |
| expect ~ "New server registered." |
| send "enable server test/s1" |
| expect ~ ".*" |
| send "show ssl cert ${testdir}/client1.pem" |
| expect ~ ".*Status: Used" |
| } |
| |
| |
| # check that servers are active |
| client c1 -connect ${h1_feS_sock} { |
| txreq |
| rxresp |
| expect resp.body == "resp from s1" |
| } -run |
| |