letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

HTTP-01 gives misleading "could not connect" error (#2142) 

Fixes #2122
This commit is contained in:
Ben Irving 2016-08-29 11:45:32 -07:00 committed by Roland Bracewell Shoemaker
parent 344a312905
commit ce0016bc08
2 changed files with 19 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
va/va.go
View File

@ -230,6 +230,7 @@ func (va *ValidationAuthorityImpl) fetchHTTP(ctx context.Context, identifier cor
req.Header["User-Agent"] = []string{va.userAgent} req.Header["User-Agent"] = []string{va.userAgent}
} }
urlHost = req.URL.Host
reqHost := req.URL.Host reqHost := req.URL.Host
var reqPort int var reqPort int
if h, p, err := net.SplitHostPort(reqHost); err == nil { if h, p, err := net.SplitHostPort(reqHost); err == nil {
@ -266,7 +267,7 @@ func (va *ValidationAuthorityImpl) fetchHTTP(ctx context.Context, identifier cor
if err != nil { if err != nil {
va.log.Info(fmt.Sprintf("HTTP request to %s failed. err=[%#v] errStr=[%s]", url, err, err)) va.log.Info(fmt.Sprintf("HTTP request to %s failed. err=[%#v] errStr=[%s]", url, err, err))
return nil, validationRecords, return nil, validationRecords,
parseHTTPConnError(fmt.Sprintf("Could not connect to %s", url), err) parseHTTPConnError(fmt.Sprintf("Could not connect to %s", urlHost), err)
} }
body, err := ioutil.ReadAll(&io.LimitedReader{R: httpResponse.Body, N: maxResponseSize}) body, err := ioutil.ReadAll(&io.LimitedReader{R: httpResponse.Body, N: maxResponseSize})

17
va/va_test.go
View File

@ -71,6 +71,7 @@ const expectedToken = "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"
const expectedKeyAuthorization = "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0.9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI" const expectedKeyAuthorization = "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0.9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
const pathWrongToken = "i6lNAC4lOOLYCl-A08VJt9z_tKYvVk63Dumo8icsBjQ" const pathWrongToken = "i6lNAC4lOOLYCl-A08VJt9z_tKYvVk63Dumo8icsBjQ"
const path404 = "404" const path404 = "404"
const path500 = "500"
const pathFound = "GBq8SwWq3JsbREFdCamk5IX3KLsxW5ULeGs98Ajl_UM" const pathFound = "GBq8SwWq3JsbREFdCamk5IX3KLsxW5ULeGs98Ajl_UM"
const pathMoved = "5J4FIMrWNfmvHZo-QpKZngmuhqZGwRm21-oEgUDstJM" const pathMoved = "5J4FIMrWNfmvHZo-QpKZngmuhqZGwRm21-oEgUDstJM"
const pathRedirectPort = "port-redirect" const pathRedirectPort = "port-redirect"
@ -78,6 +79,7 @@ const pathWait = "wait"
const pathWaitLong = "wait-long" const pathWaitLong = "wait-long"
const pathReLookup = "7e-P57coLM7D3woNTp_xbJrtlkDYy6PWf3mSSbLwCr4" const pathReLookup = "7e-P57coLM7D3woNTp_xbJrtlkDYy6PWf3mSSbLwCr4"
const pathReLookupInvalid = "re-lookup-invalid" const pathReLookupInvalid = "re-lookup-invalid"
const pathRedirectToFailingURL = "re-to-failing-url"
const pathLooper = "looper" const pathLooper = "looper"
const pathValid = "valid" const pathValid = "valid"
const rejectUserAgent = "rejectMe" const rejectUserAgent = "rejectMe"
@ -96,6 +98,9 @@ func httpSrv(t *testing.T, token string) *httptest.Server {
if strings.HasSuffix(r.URL.Path, path404) { if strings.HasSuffix(r.URL.Path, path404) {
t.Logf("HTTPSRV: Got a 404 req\n") t.Logf("HTTPSRV: Got a 404 req\n")
http.NotFound(w, r) http.NotFound(w, r)
} else if strings.HasSuffix(r.URL.Path, path500) {
t.Logf("HTTPSRV: Got a 500 req\n")
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
} else if strings.HasSuffix(r.URL.Path, pathMoved) { } else if strings.HasSuffix(r.URL.Path, pathMoved) {
t.Logf("HTTPSRV: Got a 301 redirect req\n") t.Logf("HTTPSRV: Got a 301 redirect req\n")
if currentToken == defaultToken { if currentToken == defaultToken {
@ -125,6 +130,9 @@ func httpSrv(t *testing.T, token string) *httptest.Server {
} else if strings.HasSuffix(r.URL.Path, pathReLookupInvalid) { } else if strings.HasSuffix(r.URL.Path, pathReLookupInvalid) {
t.Logf("HTTPSRV: Got a redirect req to an invalid hostname\n") t.Logf("HTTPSRV: Got a redirect req to an invalid hostname\n")
http.Redirect(w, r, "http://invalid.invalid/path", 302) http.Redirect(w, r, "http://invalid.invalid/path", 302)
} else if strings.HasSuffix(r.URL.Path, pathRedirectToFailingURL) {
t.Logf("HTTPSRV: Redirecting to a URL that will fail\n")
http.Redirect(w, r, fmt.Sprintf("http://other.valid/%s", path500), 301)
} else if strings.HasSuffix(r.URL.Path, pathLooper) { } else if strings.HasSuffix(r.URL.Path, pathLooper) {
t.Logf("HTTPSRV: Got a loop req\n") t.Logf("HTTPSRV: Got a loop req\n")
http.Redirect(w, r, r.URL.String(), 301) http.Redirect(w, r, r.URL.String(), 301)
@ -347,6 +355,15 @@ func TestHTTPRedirectLookup(t *testing.T) {
test.AssertEquals(t, len(log.GetAllMatching(`redirect from ".*/port-redirect" to ".*other.valid:8080/path"`)), 1) test.AssertEquals(t, len(log.GetAllMatching(`redirect from ".*/port-redirect" to ".*other.valid:8080/path"`)), 1)
test.AssertEquals(t, len(log.GetAllMatching(`Resolved addresses for localhost \[using 127.0.0.1\]: \[127.0.0.1\]`)), 1) test.AssertEquals(t, len(log.GetAllMatching(`Resolved addresses for localhost \[using 127.0.0.1\]: \[127.0.0.1\]`)), 1)
test.AssertEquals(t, len(log.GetAllMatching(`Resolved addresses for other.valid \[using 127.0.0.1\]: \[127.0.0.1\]`)), 1) test.AssertEquals(t, len(log.GetAllMatching(`Resolved addresses for other.valid \[using 127.0.0.1\]: \[127.0.0.1\]`)), 1)
// This case will redirect from a valid host to a host that is throwing
// HTTP 500 errors. The test case is ensuring that the connection error
// is referencing the redirected to host, instead of the original host.
log.Clear()
setChallengeToken(&chall, pathRedirectToFailingURL)
_, prob = va.validateHTTP01(ctx, ident, chall)
test.AssertNotNil(t, prob, "Problem Details should not be nil")
test.AssertEquals(t, prob.Detail, "Could not connect to other.valid")
} }
func TestHTTPRedirectLoop(t *testing.T) { func TestHTTPRedirectLoop(t *testing.T) {