
github.com/certbot/certbot.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'tests/lock_test.py')
-rw-r--r--tests/lock_test.py70
1 files changed, 61 insertions, 9 deletions
diff --git a/tests/lock_test.py b/tests/lock_test.py
index 0266cf029..29a77ae17 100644
--- a/tests/lock_test.py
+++ b/tests/lock_test.py
@@ -2,6 +2,7 @@
from __future__ import print_function
import atexit
+import datetime
import functools
import logging
import os
@@ -11,12 +12,19 @@ import subprocess
import sys
import tempfile
-from certbot import lock
-from certbot import util
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+# TODO: once mypy has cryptography types bundled, type: ignore can be removed.
+# See https://github.com/pyca/cryptography/issues/4275
+from cryptography.hazmat.primitives import hashes # type: ignore
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+from certbot import util
+from certbot._internal import lock
+from certbot.compat import filesystem
from certbot.tests import util as test_util
-
logger = logging.getLogger(__name__)
@@ -84,7 +92,7 @@ def set_up_dirs():
nginx_dir = os.path.join(temp_dir, 'nginx')
for directory in (config_dir, logs_dir, work_dir, nginx_dir,):
- os.mkdir(directory)
+ filesystem.mkdir(directory)
test_util.make_lineage(config_dir, 'sample-renewal.conf')
set_up_nginx_dir(nginx_dir)
@@ -102,12 +110,11 @@ def set_up_nginx_dir(root_path):
repo_root = check_call('git rev-parse --show-toplevel'.split()).strip()
conf_script = os.path.join(
repo_root, 'certbot-nginx', 'tests', 'boulder-integration.conf.sh')
- # boulder-integration.conf.sh uses the root environment variable as
- # the Nginx server root when writing paths
- os.environ['root'] = root_path
+ # Prepare self-signed certificates for Nginx
+ key_path, cert_path = setup_certificate(root_path)
+ # Generate Nginx configuration
with open(os.path.join(root_path, 'nginx.conf'), 'w') as f:
- f.write(check_call(['/bin/sh', conf_script]))
- del os.environ['root']
+ f.write(check_call(['/bin/sh', conf_script, root_path, key_path, cert_path]))
def set_up_command(config_dir, logs_dir, work_dir, nginx_dir):
@@ -134,6 +141,51 @@ def set_up_command(config_dir, logs_dir, work_dir, nginx_dir):
config_dir, logs_dir, work_dir, nginx_dir).split())
+def setup_certificate(workspace):
+ """Generate a self-signed certificate for nginx.
+ :param workspace: path of folder where to put the certificate
+ :return: tuple containing the key path and certificate path
+ :rtype: `tuple`
+ """
+ # Generate key
+ # See comment on cryptography import about type: ignore
+ private_key = rsa.generate_private_key( # type: ignore
+ public_exponent=65537,
+ key_size=2048,
+ backend=default_backend()
+ )
+ subject = issuer = x509.Name([
+ x509.NameAttribute(x509.NameOID.COMMON_NAME, u'nginx.wtf')
+ ])
+ certificate = x509.CertificateBuilder().subject_name(
+ subject
+ ).issuer_name(
+ issuer
+ ).public_key(
+ private_key.public_key()
+ ).serial_number(
+ 1
+ ).not_valid_before(
+ datetime.datetime.utcnow()
+ ).not_valid_after(
+ datetime.datetime.utcnow() + datetime.timedelta(days=1)
+ ).sign(private_key, hashes.SHA256(), default_backend())
+
+ key_path = os.path.join(workspace, 'cert.key')
+ with open(key_path, 'wb') as file_handle:
+ file_handle.write(private_key.private_bytes( # type: ignore
+ encoding=serialization.Encoding.PEM,
+ format=serialization.PrivateFormat.TraditionalOpenSSL,
+ encryption_algorithm=serialization.NoEncryption()
+ ))
+
+ cert_path = os.path.join(workspace, 'cert.pem')
+ with open(cert_path, 'wb') as file_handle:
+ file_handle.write(certificate.public_bytes(serialization.Encoding.PEM))
+
+ return key_path, cert_path
+
+
def test_command(command, directories):
"""Assert Certbot acquires locks in a specific order.
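Review bot: In `setup_certificate` the unencrypted RSA key is written with a plain `open(key_path, 'wb')`, so `cert.key` gets whatever mode the process umask allows and any existing file at that path is overwritten without notice. The workspace is presumably a private temporary directory (its creation is outside this diff), which limits exposure, but the helper should not rely on that. Since `certbot.util` is already imported in this file, the write could be `with util.safe_open(key_path, mode='wb', chmod=0o600) as file_handle:`, which creates the file exclusively with owner-only permissions. As a style point, the name `setup_certificate` breaks the `set_up_*` pattern of `set_up_dirs`, `set_up_nginx_dir` and `set_up_command`. The two separate `datetime.datetime.utcnow()` calls could also be one local value, so both validity bounds derive from the same instant.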