diff --git a/.travis.yml b/.travis.yml
index a20d354..17734ae 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -4,7 +4,7 @@ python:
 - 3.6
 env:
- - DOCKER_COMPOSE_VERSION=1.23.2 COMPOSE_FILE=docker-compose.yml:docker-compose.override.yml:docker-compose.test.yml
+ - DOCKER_COMPOSE_VERSION=1.23.2 COMPOSE_FILE=docker-compose.yml:docker-compose.override.yml:docker-compose.test.yml CERYX_DISABLE_LETS_ENCRYPT=true
 install:
 - pip install --upgrade --ignore-installed docker-compose==${DOCKER_COMPOSE_VERSION}
diff --git a/ceryx/Dockerfile.test b/ceryx/Dockerfile.test
index de92b34..1c38a6d 100644
--- a/ceryx/Dockerfile.test
+++ b/ceryx/Dockerfile.test
@@ -15,4 +15,7 @@ COPY . ./
 ENV CERYX_DEBUG true
 ENV CERYX_DISABLE_LETS_ENCRYPT true
+COPY --from=sourcelair/ceryx:latest /etc/ceryx/ssl/default.key /etc/ceryx/ssl/default.key
+COPY --from=sourcelair/ceryx:latest /etc/ceryx/ssl/default.crt /etc/ceryx/ssl/default.crt
+
 CMD ["pytest", "tests/"]
\ No newline at end of file
diff --git a/ceryx/nginx/conf/nginx.conf.tmpl b/ceryx/nginx/conf/nginx.conf.tmpl
index 4b6164d..68d45e7 100644
--- a/ceryx/nginx/conf/nginx.conf.tmpl
+++ b/ceryx/nginx/conf/nginx.conf.tmpl
@@ -2,6 +2,7 @@ user www-data www-data;
 worker_processes 1;
 pid /run/nginx.pid;
+env CERYX_DISABLE_LETS_ENCRYPT;
 env CERYX_REDIS_PREFIX;
 env CERYX_REDIS_HOST;
 env CERYX_REDIS_PASSWORD;
diff --git a/ceryx/nginx/lualib/certificate.lua b/ceryx/nginx/lualib/certificate.lua
index 7c34980..b8a9332 100644
--- a/ceryx/nginx/lualib/certificate.lua
+++ b/ceryx/nginx/lualib/certificate.lua
@@ -13,7 +13,7 @@ end
 local host_certificates = certificates.getCertificatesForHost(host)
-if certificates ~= nil then
+if host_certificates ~= nil then
 -- Convert data from PEM to DER
 local certificate_der, certificate_der_err = ssl.cert_pem_to_der(host_certificates["certificate"])
 if not certificate_der or certificate_der_err then
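Review bot: The two COPY lines in Dockerfile.test take the fallback key and certificate from the floating `sourcelair/ceryx:latest` tag, so the material baked into the test image changes whenever that tag is republished, and a test that verifies against `/etc/ceryx/ssl/default.crt` can start failing or passing for reasons unrelated to this repository. Pin the source image to a fixed tag or digest, e.g. `COPY --from=sourcelair/ceryx:<pinned-tag-or-digest> /etc/ceryx/ssl/default.key /etc/ceryx/ssl/default.key`, or generate a throwaway self-signed pair in the build stage instead of reusing a private key that ships inside a public image. A one-line comment above the COPYs noting that they exist only so `test_fallback_certificate` has a default certificate to verify against would tell the next reader why a test image carries key material at all.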
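Review bot: The corrected guard in certificate.lua now really depends on `host_certificates`, but nothing at this point records why it can be nil: judging by certificates.lua in this same commit, `getCertificatesForHost` returns nil both when the host has no certificate configured and when the Redis lookup fails, so a Redis outage now takes the same path as "no certificate for this host", which the new fallback test suggests means the default certificate is served. A comment on the changed line such as `-- nil when no certificate is configured for this host or the Redis lookup failed; both fall back to the default certificate` would make that trade-off explicit for whoever debugs a site unexpectedly serving the default certificate. The `else` branch and the rest of this handler continue outside the hunk, so I cannot confirm what the nil path does.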
diff --git a/ceryx/nginx/lualib/ceryx/certificates.lua b/ceryx/nginx/lualib/ceryx/certificates.lua
index 0e14895..0a2aaae 100644
--- a/ceryx/nginx/lualib/ceryx/certificates.lua
+++ b/ceryx/nginx/lualib/ceryx/certificates.lua
@@ -15,12 +15,12 @@ function getCertificatesForHost(host)
 local certificate_path, certificate_err = redisClient:hget(certificates_redis_key, "certificate_path")
 local key_path, key_err = redisClient:hget(certificates_redis_key, "key_path")
- if certificate_path == nil then
+ if certificate_path == ngx.null then
 ngx.log(ngx.ERR, "Could not retrieve SSL certificate path for " .. host .. " from Redis: " .. (certificate_err or "N/A"))
 return nil
 end
- if key_path == nil then
+ if key_path == ngx.null then
 ngx.log(ngx.ERR, "Could not retrieve SSL key path for " .. host .. " from Redis: " .. (key_err or "N/A"))
 return nil
 end
diff --git a/ceryx/tests/client/adapters.py b/ceryx/tests/client/adapters.py
index 2894f36..bb8f53f 100644
--- a/ceryx/tests/client/adapters.py
+++ b/ceryx/tests/client/adapters.py
@@ -15,4 +15,4 @@ def init_poolmanager(
 self.poolmanager = CeryxTestsPoolManager(
 num_pools=connections, maxsize=maxsize, block=block, strict=True, **pool_kwargs,
- )
\ No newline at end of file
+ )
diff --git a/ceryx/tests/test_certificates.py b/ceryx/tests/test_certificates.py
index 75fd2ff..6def069 100644
--- a/ceryx/tests/test_certificates.py
+++ b/ceryx/tests/test_certificates.py
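Review bot: Switching both checks from `== nil` to `== ngx.null` drops the failure case the adjacent log lines are written for: the `(certificate_err or "N/A")` suffix shows the HGET is expected to return a nil value plus an error when the call itself fails (the lua-resty-redis convention for connection, timeout and auth errors), while `ngx.null` is what it returns for a field that is merely absent. After this change a failed lookup passes both guards with a nil path and `certificate_err`/`key_err` are never logged. Use `if certificate_path == nil or certificate_path == ngx.null then` and `if key_path == nil or key_path == ngx.null then` so both cases return nil with the error recorded. `getCertificatesForHost` starts and ends outside the hunk, so I cannot see how a nil path is consumed below; if it reaches a file read, the nil presumably surfaces there as a less specific error.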
@@ -17,3 +17,14 @@ def test_custom_certificate(self):
 self.redis.hset(self.redis_settings_key, "key_path", key_path)
 self.client.get(f"https://{self.host}/", verify=certificate_path)
+
+ def test_fallback_certificate(self):
+ """
+ Ensure that Ceryx uses the fallback certificate if a route gets accessed
+ via HTTPS with no configured certificate or automatic Let's Encrypt
+ certificates enabled.
+ """
+ try:
+ response = self.client.get(f"https://ghost.ceryx.test/", verify="/etc/ceryx/ssl/default.crt")
+ except Exception as e:
+ assert "sni-support-required-for-valid-ssl" in str(e)
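Review bot: `test_fallback_certificate` passes vacuously when the request succeeds: its only assertion sits in the `except` branch, so if `self.client.get` returns normally nothing is checked and the `response` it binds is never used. Add an `else:` branch to the `try`, e.g. `else:` followed by `raise AssertionError("expected a hostname-mismatch error against the fallback certificate")`, and drop the unused `response =` binding; `f"https://ghost.ceryx.test/"` also has no placeholders and can be a plain literal. Catching `Exception` means a plain connection failure is reported as a failed substring assertion rather than as the real error, so narrowing it to the SSL error type the HTTP client raises would keep the test failing for the right reason. The docstring could additionally say where `sni-support-required-for-valid-ssl` is expected to appear (which certificate field), so a reader understands why that substring proves the default certificate was served.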