From 7161e792e80d4b0ffa404199248334b2b34c0235 Mon Sep 17 00:00:00 2001
From: Adrien Ferrand <adferrand@users.noreply.github.com>
Date: Fri, 1 Mar 2019 22:54:09 +0100
Subject: [PATCH] Fix the Nginx configuration during integration tests (#6801)

If you execute `tests/lock_test.py` or `tox -e integration` on a fairly recent machine, you will get the following error during tests executing against a live Nginx instance:
```
no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: x.x.x.x, server: y:y:y:y:z
```

Indeed, having no defined ssl certificate for a ssl port would inevitably lead to an error during the handshake SSL process between a client and this mis-configured nginx instance.

However it was not a problem one year before, because the handshake was not occurring in practice: the test just need to have a nginx started, and then immediately proceed to modify the configuration with a correct SSL setup. And nginx was able to start with a mis-configuration on SSL.

But then this fix has been done: https://trac.nginx.org/nginx/ticket/178

Basically with this, validation of the configuration is done during nginx startup, that will refuse to start with invalid configuration on SSL. Consequently, all related tests are failing with a sufficiently up-to-date nginx. For now, it is not seen on Travis because Ubuntu Trusty is used, with an old Nginx.

The PR fixes that, by generating on the fly self-signed certificates in the two impacted tests, and pushing the right parameters in the Nginx configuration.

* Fix nginx configuration with self-signed certificates generated on the fly

* Fix lint/mypy

* Fix old cryptography

* Unattended openssl

* Update lock_test.py
---
 .../tests/boulder-integration.conf.sh         | 29 ++++++---
 certbot-nginx/tests/boulder-integration.sh    |  6 +-
 tests/lock_test.py                            | 62 +++++++++++++++++--
 3 files changed, 81 insertions(+), 16 deletions(-)

diff --git a/certbot-nginx/tests/boulder-integration.conf.sh b/certbot-nginx/tests/boulder-integration.conf.sh
index 470eab28e..80cca2682 100755
--- a/certbot-nginx/tests/boulder-integration.conf.sh
+++ b/certbot-nginx/tests/boulder-integration.conf.sh
@@ -3,16 +3,22 @@
 # https://www.exratione.com/2014/03/running-nginx-as-a-non-root-user/
 # https://github.com/exratione/non-root-nginx/blob/9a77f62e5d5cb9c9026fd62eece76b9514011019/nginx.conf
 
+# USAGE: ./boulder-integration.conf.sh /path/to/root cert.key cert.pem >> nginx.conf
+
+ROOT=$1
+CERT_KEY_PATH=$2
+CERT_PATH=$3
+
 cat <<EOF
 # This error log will be written regardless of server scope error_log
 # definitions, so we have to set this here in the main scope.
 #
 # Even doing this, Nginx will still try to create the default error file, and
 # log a non-fatal error when it fails. After that things will work, however.
-error_log $root/error.log;
+error_log $ROOT/error.log;
 
 # The pidfile will be written to /var/run unless this is set.
-pid $root/nginx.pid;
+pid $ROOT/nginx.pid;
 
 worker_processes 1;
 
@@ -23,12 +29,12 @@ events {
 http {
   # Set an array of temp, cache and log file options that will otherwise default to
   # restricted locations accessible only to root.
-  client_body_temp_path $root/client_body;
-  fastcgi_temp_path $root/fastcgi_temp;
-  proxy_temp_path $root/proxy_temp;
-  #scgi_temp_path $root/scgi_temp;
-  #uwsgi_temp_path $root/uwsgi_temp;
-  access_log $root/error.log;
+  client_body_temp_path $ROOT/client_body;
+  fastcgi_temp_path $ROOT/fastcgi_temp;
+  proxy_temp_path $ROOT/proxy_temp;
+  #scgi_temp_path $ROOT/scgi_temp;
+  #uwsgi_temp_path $ROOT/uwsgi_temp;
+  access_log $ROOT/error.log;
 
   # This should be turned off in a Virtualbox VM, as it can cause some
   # interesting issues with data corruption in delivered files.
@@ -55,7 +61,7 @@ http {
     listen [::]:5002 $default_server;
     server_name nginx.wtf nginx-tls.wtf nginx2.wtf;
 
-    root $root/webroot;
+    root $ROOT/webroot;
 
     location / {
       # First attempt to serve request as file, then as directory, then fall
@@ -69,7 +75,7 @@ http {
     listen [::]:5002;
     server_name nginx3.wtf;
 
-    root $root/webroot;
+    root $ROOT/webroot;
 
     location /.well-known/ {
       return 404;
@@ -93,6 +99,9 @@ http {
       return 301 https://\$host\$request_uri;
     }
     server_name nginx6.wtf nginx7.wtf;
+
+    ssl_certificate ${CERT_PATH};
+    ssl_certificate_key ${CERT_KEY_PATH};
   }
 }
 EOF
diff --git a/certbot-nginx/tests/boulder-integration.sh b/certbot-nginx/tests/boulder-integration.sh
index 03425734d..1312cd0e6 100755
--- a/certbot-nginx/tests/boulder-integration.sh
+++ b/certbot-nginx/tests/boulder-integration.sh
@@ -7,8 +7,12 @@ export PATH="/usr/sbin:$PATH"  # /usr/sbin/nginx
 nginx_root="$root/nginx"
 mkdir $nginx_root
 
+# Generate self-signed certificate for Nginx
+openssl req -new -newkey rsa:2048 -days 1 -nodes -x509 \
+    -keyout $nginx_root/cert.key -out $nginx_root/cert.pem -subj "/CN=nginx.wtf"
+
 reload_nginx () {
-    original=$(root="$nginx_root" ./certbot-nginx/tests/boulder-integration.conf.sh)
+    original=$(./certbot-nginx/tests/boulder-integration.conf.sh $nginx_root $nginx_root/cert.key $nginx_root/cert.pem)
     nginx_conf="$nginx_root/nginx.conf"
     echo "$original" > $nginx_conf
 
diff --git a/tests/lock_test.py b/tests/lock_test.py
index 0266cf029..aaa8ce2d9 100644
--- a/tests/lock_test.py
+++ b/tests/lock_test.py
@@ -2,6 +2,7 @@
 from __future__ import print_function
 
 import atexit
+import datetime
 import functools
 import logging
 import os
@@ -11,6 +12,13 @@ import subprocess
 import sys
 import tempfile
 
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+# TODO: once mypy has cryptography types bundled, type: ignore can be removed.
+# See https://github.com/python/typeshed/tree/master/third_party/2/cryptography
+from cryptography.hazmat.primitives import serialization, hashes  # type: ignore
+from cryptography.hazmat.primitives.asymmetric import rsa
+
 from certbot import lock
 from certbot import util
 
@@ -102,12 +110,11 @@ def set_up_nginx_dir(root_path):
     repo_root = check_call('git rev-parse --show-toplevel'.split()).strip()
     conf_script = os.path.join(
         repo_root, 'certbot-nginx', 'tests', 'boulder-integration.conf.sh')
-    # boulder-integration.conf.sh uses the root environment variable as
-    # the Nginx server root when writing paths
-    os.environ['root'] = root_path
+    # Prepare self-signed certificates for Nginx
+    key_path, cert_path = setup_certificate(root_path)
+    # Generate Nginx configuration
     with open(os.path.join(root_path, 'nginx.conf'), 'w') as f:
-        f.write(check_call(['/bin/sh', conf_script]))
-    del os.environ['root']
+        f.write(check_call(['/bin/sh', conf_script, root_path, key_path, cert_path]))
 
 
 def set_up_command(config_dir, logs_dir, work_dir, nginx_dir):
@@ -134,6 +141,51 @@ def set_up_command(config_dir, logs_dir, work_dir, nginx_dir):
             config_dir, logs_dir, work_dir, nginx_dir).split())
 
 
+def setup_certificate(workspace):
+    """Generate a self-signed certificate for nginx.
+    :param workspace: path of folder where to put the certificate
+    :return: tuple containing the key path and certificate path
+    :rtype: `tuple`
+    """
+    # Generate key
+    # See comment on cryptography import about type: ignore
+    private_key = rsa.generate_private_key(  # type: ignore
+        public_exponent=65537,
+        key_size=2048,
+        backend=default_backend()
+    )
+    subject = issuer = x509.Name([
+        x509.NameAttribute(x509.NameOID.COMMON_NAME, u'nginx.wtf')
+    ])
+    certificate = x509.CertificateBuilder().subject_name(
+        subject
+    ).issuer_name(
+        issuer
+    ).public_key(
+        private_key.public_key()
+    ).serial_number(
+        1
+    ).not_valid_before(
+        datetime.datetime.utcnow()
+    ).not_valid_after(
+        datetime.datetime.utcnow() + datetime.timedelta(days=1)
+    ).sign(private_key, hashes.SHA256(), default_backend())
+
+    key_path = os.path.join(workspace, 'cert.key')
+    with open(key_path, 'wb') as file_handle:
+        file_handle.write(private_key.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.TraditionalOpenSSL,
+            encryption_algorithm=serialization.NoEncryption()
+        ))
+
+    cert_path = os.path.join(workspace, 'cert.pem')
+    with open(cert_path, 'wb') as file_handle:
+        file_handle.write(certificate.public_bytes(serialization.Encoding.PEM))
+
+    return key_path, cert_path
+
+
 def test_command(command, directories):
     """Assert Certbot acquires locks in a specific order.