Merge pull request #66 from sourcelair/fix-no-certificate

Fix Ceryx crash when no certificate settings exist
withlogicco · Apr 26, 2019 · a66f498 · a66f498
2 parents 3d7c6c4 + 3817680
commit a66f498
Show file tree

Hide file tree

Showing 7 changed files with 20 additions and 5 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -4,7 +4,7 @@ python:
   - 3.6
 
 env:
-  - DOCKER_COMPOSE_VERSION=1.23.2 COMPOSE_FILE=docker-compose.yml:docker-compose.override.yml:docker-compose.test.yml
+  - DOCKER_COMPOSE_VERSION=1.23.2 COMPOSE_FILE=docker-compose.yml:docker-compose.override.yml:docker-compose.test.yml CERYX_DISABLE_LETS_ENCRYPT=true
 
 install:
   - pip install --upgrade --ignore-installed docker-compose==${DOCKER_COMPOSE_VERSION}

diff --git a/ceryx/Dockerfile.test b/ceryx/Dockerfile.test
@@ -15,4 +15,7 @@ COPY . ./
 ENV CERYX_DEBUG true
 ENV CERYX_DISABLE_LETS_ENCRYPT true
 
+COPY --from=sourcelair/ceryx:latest /etc/ceryx/ssl/default.key /etc/ceryx/ssl/default.key
+COPY --from=sourcelair/ceryx:latest /etc/ceryx/ssl/default.crt /etc/ceryx/ssl/default.crt
+
 CMD ["pytest", "tests/"]
diff --git a/ceryx/nginx/conf/nginx.conf.tmpl b/ceryx/nginx/conf/nginx.conf.tmpl
@@ -2,6 +2,7 @@ user www-data www-data;
 worker_processes 1;
 pid /run/nginx.pid;
 
+env CERYX_DISABLE_LETS_ENCRYPT;
 env CERYX_REDIS_PREFIX;
 env CERYX_REDIS_HOST;
 env CERYX_REDIS_PASSWORD;

diff --git a/ceryx/nginx/lualib/certificate.lua b/ceryx/nginx/lualib/certificate.lua
@@ -13,7 +13,7 @@ end
 
 local host_certificates = certificates.getCertificatesForHost(host)
 
-if certificates ~= nil then
+if host_certificates ~= nil then
     -- Convert data from PEM to DER
     local certificate_der, certificate_der_err = ssl.cert_pem_to_der(host_certificates["certificate"])
     if not certificate_der or certificate_der_err then

diff --git a/ceryx/nginx/lualib/ceryx/certificates.lua b/ceryx/nginx/lualib/ceryx/certificates.lua
@@ -15,12 +15,12 @@ function getCertificatesForHost(host)
     local certificate_path, certificate_err = redisClient:hget(certificates_redis_key, "certificate_path")
     local key_path, key_err = redisClient:hget(certificates_redis_key, "key_path")
 
-    if certificate_path == nil then
+    if certificate_path == ngx.null then
         ngx.log(ngx.ERR, "Could not retrieve SSL certificate path for " .. host .. " from Redis: " .. (certificate_err or "N/A"))
         return nil
     end
 
-    if key_path == nil then
+    if key_path == ngx.null then
         ngx.log(ngx.ERR, "Could not retrieve SSL key path for " .. host .. " from Redis: " .. (key_err or "N/A"))
         return nil
     end

diff --git a/ceryx/tests/client/adapters.py b/ceryx/tests/client/adapters.py
@@ -15,4 +15,4 @@ def init_poolmanager(
         self.poolmanager = CeryxTestsPoolManager(
             num_pools=connections, maxsize=maxsize, block=block, strict=True,
             **pool_kwargs,
-        )
+        )
diff --git a/ceryx/tests/test_certificates.py b/ceryx/tests/test_certificates.py
@@ -17,3 +17,14 @@ def test_custom_certificate(self):
         self.redis.hset(self.redis_settings_key, "key_path", key_path)
 
         self.client.get(f"https://{self.host}/", verify=certificate_path)
+
+    def test_fallback_certificate(self):
+        """
+        Ensure that Ceryx uses the fallback certificate if a route gets accessed
+        via HTTPS with no configured certificate or automatic Let's Encrypt
+        certificates enabled.
+        """
+        try:
+            response = self.client.get(f"https://ghost.ceryx.test/", verify="/etc/ceryx/ssl/default.crt")
+        except Exception as e:
+            assert "sni-support-required-for-valid-ssl" in str(e)