renewal_test.go 4.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191
  1. // Copyright 2016 The Go Authors. All rights reserved.
  2. // Use of this source code is governed by a BSD-style
  3. // license that can be found in the LICENSE file.
  4. package autocert
  5. import (
  6. "context"
  7. "crypto/ecdsa"
  8. "crypto/elliptic"
  9. "crypto/rand"
  10. "crypto/tls"
  11. "crypto/x509"
  12. "encoding/base64"
  13. "fmt"
  14. "net/http"
  15. "net/http/httptest"
  16. "testing"
  17. "time"
  18. "golang.org/x/crypto/acme"
  19. )
  20. func TestRenewalNext(t *testing.T) {
  21. now := time.Now()
  22. timeNow = func() time.Time { return now }
  23. defer func() { timeNow = time.Now }()
  24. man := &Manager{RenewBefore: 7 * 24 * time.Hour}
  25. defer man.stopRenew()
  26. tt := []struct {
  27. expiry time.Time
  28. min, max time.Duration
  29. }{
  30. {now.Add(90 * 24 * time.Hour), 83*24*time.Hour - renewJitter, 83 * 24 * time.Hour},
  31. {now.Add(time.Hour), 0, 1},
  32. {now, 0, 1},
  33. {now.Add(-time.Hour), 0, 1},
  34. }
  35. dr := &domainRenewal{m: man}
  36. for i, test := range tt {
  37. next := dr.next(test.expiry)
  38. if next < test.min || test.max < next {
  39. t.Errorf("%d: next = %v; want between %v and %v", i, next, test.min, test.max)
  40. }
  41. }
  42. }
  43. func TestRenewFromCache(t *testing.T) {
  44. const domain = "example.org"
  45. // ACME CA server stub
  46. var ca *httptest.Server
  47. ca = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
  48. w.Header().Set("replay-nonce", "nonce")
  49. if r.Method == "HEAD" {
  50. // a nonce request
  51. return
  52. }
  53. switch r.URL.Path {
  54. // discovery
  55. case "/":
  56. if err := discoTmpl.Execute(w, ca.URL); err != nil {
  57. t.Fatalf("discoTmpl: %v", err)
  58. }
  59. // client key registration
  60. case "/new-reg":
  61. w.Write([]byte("{}"))
  62. // domain authorization
  63. case "/new-authz":
  64. w.Header().Set("location", ca.URL+"/authz/1")
  65. w.WriteHeader(http.StatusCreated)
  66. w.Write([]byte(`{"status": "valid"}`))
  67. // cert request
  68. case "/new-cert":
  69. var req struct {
  70. CSR string `json:"csr"`
  71. }
  72. decodePayload(&req, r.Body)
  73. b, _ := base64.RawURLEncoding.DecodeString(req.CSR)
  74. csr, err := x509.ParseCertificateRequest(b)
  75. if err != nil {
  76. t.Fatalf("new-cert: CSR: %v", err)
  77. }
  78. der, err := dummyCert(csr.PublicKey, domain)
  79. if err != nil {
  80. t.Fatalf("new-cert: dummyCert: %v", err)
  81. }
  82. chainUp := fmt.Sprintf("<%s/ca-cert>; rel=up", ca.URL)
  83. w.Header().Set("link", chainUp)
  84. w.WriteHeader(http.StatusCreated)
  85. w.Write(der)
  86. // CA chain cert
  87. case "/ca-cert":
  88. der, err := dummyCert(nil, "ca")
  89. if err != nil {
  90. t.Fatalf("ca-cert: dummyCert: %v", err)
  91. }
  92. w.Write(der)
  93. default:
  94. t.Errorf("unrecognized r.URL.Path: %s", r.URL.Path)
  95. }
  96. }))
  97. defer ca.Close()
  98. // use EC key to run faster on 386
  99. key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
  100. if err != nil {
  101. t.Fatal(err)
  102. }
  103. man := &Manager{
  104. Prompt: AcceptTOS,
  105. Cache: newMemCache(),
  106. RenewBefore: 24 * time.Hour,
  107. Client: &acme.Client{
  108. Key: key,
  109. DirectoryURL: ca.URL,
  110. },
  111. }
  112. defer man.stopRenew()
  113. // cache an almost expired cert
  114. now := time.Now()
  115. cert, err := dateDummyCert(key.Public(), now.Add(-2*time.Hour), now.Add(time.Minute), domain)
  116. if err != nil {
  117. t.Fatal(err)
  118. }
  119. tlscert := &tls.Certificate{PrivateKey: key, Certificate: [][]byte{cert}}
  120. if err := man.cachePut(context.Background(), domain, tlscert); err != nil {
  121. t.Fatal(err)
  122. }
  123. // veriy the renewal happened
  124. defer func() {
  125. testDidRenewLoop = func(next time.Duration, err error) {}
  126. }()
  127. done := make(chan struct{})
  128. testDidRenewLoop = func(next time.Duration, err error) {
  129. defer close(done)
  130. if err != nil {
  131. t.Errorf("testDidRenewLoop: %v", err)
  132. }
  133. // Next should be about 90 days:
  134. // dummyCert creates 90days expiry + account for man.RenewBefore.
  135. // Previous expiration was within 1 min.
  136. future := 88 * 24 * time.Hour
  137. if next < future {
  138. t.Errorf("testDidRenewLoop: next = %v; want >= %v", next, future)
  139. }
  140. // ensure the new cert is cached
  141. after := time.Now().Add(future)
  142. tlscert, err := man.cacheGet(context.Background(), domain)
  143. if err != nil {
  144. t.Fatalf("man.cacheGet: %v", err)
  145. }
  146. if !tlscert.Leaf.NotAfter.After(after) {
  147. t.Errorf("cache leaf.NotAfter = %v; want > %v", tlscert.Leaf.NotAfter, after)
  148. }
  149. // verify the old cert is also replaced in memory
  150. man.stateMu.Lock()
  151. defer man.stateMu.Unlock()
  152. s := man.state[domain]
  153. if s == nil {
  154. t.Fatalf("m.state[%q] is nil", domain)
  155. }
  156. tlscert, err = s.tlscert()
  157. if err != nil {
  158. t.Fatalf("s.tlscert: %v", err)
  159. }
  160. if !tlscert.Leaf.NotAfter.After(after) {
  161. t.Errorf("state leaf.NotAfter = %v; want > %v", tlscert.Leaf.NotAfter, after)
  162. }
  163. }
  164. // trigger renew
  165. hello := &tls.ClientHelloInfo{ServerName: domain}
  166. if _, err := man.GetCertificate(hello); err != nil {
  167. t.Fatal(err)
  168. }
  169. // wait for renew loop
  170. select {
  171. case <-time.After(10 * time.Second):
  172. t.Fatal("renew took too long to occur")
  173. case <-done:
  174. }
  175. }