caddy-frontend/test: Switch to cryptography

33dc3032 · Łukasz Nowak · Łukasz Nowak · 5745daec · 33dc3032 · 5745daec
Commit 33dc3032 authored Nov 22, 2018 by Łukasz Nowak Committed by Łukasz Nowak Nov 27, 2018
18 changed files
--- a/software/caddy-frontend/TODO.rst
+++ b/software/caddy-frontend/TODO.rst
@@ -2,7 +2,6 @@ Generally things to be done with ``caddy-frontend``:
 * return warning on not implemented keys (from ``apache-frontend`` perspective) in master and slave request
 * tests: add assertion with results of promises in etc/promise for each partition
- * tests: swich to `cryptography <https://pypi.org/project/cryptography/>`_ for certificate management
 * README: cleanup the documentation, explain various specifics
 * check the whole frontend slave snippet with ``caddy -validate`` during buildout run, and reject if does not pass validation
 * ``apache-ca-certificate`` shall be merged with ``apache-certificate``

--- a/software/caddy-frontend/test/CA.wildcard.example.com.crt
+++ b/software/caddy-frontend/test/CA.wildcard.example.com.crt
-----BEGIN CERTIFICATE-----
-MIIDETCCAfkCCQDaYBkI56KXrjANBgkqhkiG9w0BAQsFADA4MQswCQYDVQQGEwJY
-WDEOMAwGA1UECAwFU3RhdGUxGTAXBgNVBAoMEFdpbGRjYXJkIFJvb3QgQ0EwHhcN
-MTgxMTIxMTAwMzM4WhcNMjgxMTE4MTAwMzM4WjBdMQswCQYDVQQGEwJBVTETMBEG
-A1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkg
-THRkMRYwFAYDVQQDDA0qLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEA1A+TzPOPC3qPLq3KfmFpoa6Iubh1OhNFfH7fvCJQ1czTcFLe
-npG4uTjXwcoHbPb6CWq5hfUSY/ucI6mW93gsoW5vsbPFmUFe96fA6uJV17j2IppM
-vNHhcNxNbKxpGnStNO5HTW7q1Qk2yvcx4cL/bPCEaNFwBK1O+NeNz0ZDW8dGifYU
-aVj+qpVlvTi//j8P4FOwSVYvXdMqGH5WaaTquJPVEGg+704tzUxDbCUXrbCVzFgM
-d69sQg0sJQ9MddrsWkQSgcE7cffdC1JdGHCJ/B87iO3pjH2VjFth8EFMcQCn8V8e
-Nz0OpkcsZXuFg3L/3EtMV3ZXSlT6GDxaEcNuvQIDAQABMA0GCSqGSIb3DQEBCwUA
-A4IBAQB4mIEwylSudRONRRMgHDkhMlb8/O2MERYrBmsqatg3eU6/LYZAk/okUI6p
-aBkQ3GnUmA+gQnkhk4hffRk7NqtMq3r5MEcWunu61i45sXnsQh9myHEAeGfDw3wz
-2rkdXAY2jNeQhTBEsErgwKuN86BTFML9cNg2gTKLBbNC1rSJjoMqcKHxrAcsUBip
-bXDQMmNIQkzsc3ml6+17/qfu8+mTZ7J5kEkSbbwRD690LiR6Ltua22GAvuddt53S
-ieyOVVxCDlItquuGfuQ3ay8zlyQjYmoPI5AXE5Wv9W4mF7agc+SYe3myL3xlRbC+
-RD/fQtvjbf/bt9lkgs9DQoITaYvc
-----END CERTIFICATE-----
--- a/software/caddy-frontend/test/CA.wildcard.example.com.key
+++ b/software/caddy-frontend/test/CA.wildcard.example.com.key
-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA1A+TzPOPC3qPLq3KfmFpoa6Iubh1OhNFfH7fvCJQ1czTcFLe
-npG4uTjXwcoHbPb6CWq5hfUSY/ucI6mW93gsoW5vsbPFmUFe96fA6uJV17j2IppM
-vNHhcNxNbKxpGnStNO5HTW7q1Qk2yvcx4cL/bPCEaNFwBK1O+NeNz0ZDW8dGifYU
-aVj+qpVlvTi//j8P4FOwSVYvXdMqGH5WaaTquJPVEGg+704tzUxDbCUXrbCVzFgM
-d69sQg0sJQ9MddrsWkQSgcE7cffdC1JdGHCJ/B87iO3pjH2VjFth8EFMcQCn8V8e
-Nz0OpkcsZXuFg3L/3EtMV3ZXSlT6GDxaEcNuvQIDAQABAoIBAQCWdkcEUHvaRSd6
-k0ztxuhQE6pnO/3RKwNOhibxMdfxGtebBvF1yScsJKzRjysdoU9fhx4DchOOZWQv
-2ZCIHfhswhL2HvvA9aUQSzKSde06lr3tZ1WzU6eFkIpO5TXd05Nhzv9AbcapSVRb
-RnFaIiVhgnYweQnmB6HU5fx0aQI6BytP34t3rEZqdy+eYqtq1ZgYC7iXQJct08Sy
-0syR5boW2fKZZin78I+uOWfhD3uUDz7SnetwIEWuaJ/oYXv2YFqm+68XRSo4yi2G
-FlF3CgwecJCaHyEhxMQojlgM61EvEZ0v1FvoMyyQiNmWVSAtbd6BAD5YrdUzk1QO
-mzr3LuTxAoGBAPbnNp/0g25IYj857Q++hSjWsyjLLMfX6+hPsOv2ICL46+xU9P4s
-EeIe8PGgRvUkXiNZ7LRtipsFOB+qNYHknIRtLICyYXfumJH4+05XawHIPWdZNw1X
-762VsiLEHj1nx3tbEpiCApxYJTXat5/3skjibsNjkuV5JAfsiDHPHeOrAoGBANvf
-u1GI2mtUDZ1EJbxJUm3pCUg1aw8jL83OC9miTT36m3V/TiZvc6NEbWM5S8xprwJ1
-FG+MHchTgG3rZR6UhfK7OPb7jD0r1aVnA30NX3NS1zKfMEp2Ry83w9LJX70JbZsg
-ipo09UXSyE1EaeGGIEQ0xqCN/nRiy2KDh4h1gY83AoGAUH50ypU2vB+RGDfUV4uv
-ce79HdGPWd/FI0nHzkXBmGU61SOlc6/+bI/V0ZCFUap3nmLUzsXfqEZ9U6V0KFLV
-zD6jgZmmOSlqSDy6AYJyenRDwIvPbOQ8WYUyPC9gBHjvCgJY/6tzGnGKQBJ8RwTD
-9QsNPVobLADghEzS4ho6Dl0CgYBjCBxIlwk5ujv/j4gnjCbSVlnV6il0QfbwDVQN
-DCsaNVv7ygEbEqvU56cVP+NCCH/I7Y7sxwFLD0ETQSjkYyUJtQXtSFNb4fhybTmH
-A5TwTmma5VRM1YUuYUGUGRtD+5Egg8GpvxyR/GQ3WQ8PgufZkKO+APaQ2Uad8nwD
-HFnkdQKBgG0OlIKuVeLTVhPcQvOmiDEBeAVo1zc4zmA/JLk/euxesEVL9A8xuxsF
-ao0pLvpk/EWQGElxNLNJxbn7AB4uXlpsAvV3xBM88pQIuj2paix1CqSlgfR2F2jE
-t3470UVZV22ECV8vQK/of2byELrMscLExLgKW1lAIqqZ77BntFO9
-----END RSA PRIVATE KEY-----
--- a/software/caddy-frontend/test/CA.wildcard.example.com.root.crt
+++ b/software/caddy-frontend/test/CA.wildcard.example.com.root.crt
-----BEGIN CERTIFICATE-----
-MIIDQzCCAiugAwIBAgIJAOShMXfabB7nMA0GCSqGSIb3DQEBCwUAMDgxCzAJBgNV
-BAYTAlhYMQ4wDAYDVQQIDAVTdGF0ZTEZMBcGA1UECgwQV2lsZGNhcmQgUm9vdCBD
-QTAeFw0xODExMjExMDAxMjVaFw00NjEyMDQxMDAxMjVaMDgxCzAJBgNVBAYTAlhY
-MQ4wDAYDVQQIDAVTdGF0ZTEZMBcGA1UECgwQV2lsZGNhcmQgUm9vdCBDQTCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKq/9H+MvMt5B0vIC2/uEz25jqxT
-Wv36v9/HldZLvEwzOiEd0n53ZZFqVlfOoYyCIoWw1+SPwaAc8Oad8ELfoPUasV65
-xWki9F/tesgPZpyTO7vgpQfX5JVWNw28s13BgRkOO95h4t2S2t1K6sckC0M/B0o3
-wDs/M+74i6wUTHNNXVRejeNPlj9ZSKyfe8rwvY4aNkvW/TKKbaY1yXpQhbeZfU8j
-bk4tv4VOpIIoK7wWnSOcFHMANPqrIhygazI1zdsyySEssQ2TAepUb/zgZgk2IQ61
-GT+h7NVIoYZJKcAYlLapsZJV1d3Ec9y57zTpyfbWsQhmKHCasZeZK5gYqXECAwEA
-AaNQME4wHQYDVR0OBBYEFLZTKR+QsKR9ivZi4uFssy6sB80XMB8GA1UdIwQYMBaA
-FLZTKR+QsKR9ivZi4uFssy6sB80XMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEL
-BQADggEBAI8O1u6LnmBkWw3rPOTp+9DD2l0+tU3e51KZfp98Fm3Lo8qF5spAB+Ue
-OiBax9uENzjcHm7T7KdJrQNK6Mmat0VsD1WTR0TK1eBr9+hOh9EE1H5mEmSL0LOs
-ABcCW8DlDv9axWMkFEaJjLfYRUQdvUkb3BwlXo2oq8ectk5ZqS1IF873htYStkvc
-SvrzFpaMhYUIr2e7bvFEJ8XTz9l4eymdOBg3j89gf9OkmPa3FE6Qf7etTkVyOr1t
-7DIuucv2JkWqHnABIWsLgj4bdLWWULASA7FkI0lHxp5/9/OBb7kVlcgQg6c9Wed7
-VA9NaSB3jnBubpEbijnekHqPYO0Bf38=
-----END CERTIFICATE-----
--- a/software/caddy-frontend/test/CA.wildcard.example.com.root.key
+++ b/software/caddy-frontend/test/CA.wildcard.example.com.root.key
-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAqr/0f4y8y3kHS8gLb+4TPbmOrFNa/fq/38eV1ku8TDM6IR3S
-fndlkWpWV86hjIIihbDX5I/BoBzw5p3wQt+g9RqxXrnFaSL0X+16yA9mnJM7u+Cl
-B9fklVY3DbyzXcGBGQ473mHi3ZLa3UrqxyQLQz8HSjfAOz8z7viLrBRMc01dVF6N
-40+WP1lIrJ97yvC9jho2S9b9MoptpjXJelCFt5l9TyNuTi2/hU6kgigrvBadI5wU
-cwA0+qsiHKBrMjXN2zLJISyxDZMB6lRv/OBmCTYhDrUZP6Hs1UihhkkpwBiUtqmx
-klXV3cRz3LnvNOnJ9taxCGYocJqxl5krmBipcQIDAQABAoIBAHOAnbeaUCujlxfg
-Hjx8428hki1nxWmAsUKDFAx99sXk8TFtpvH9eis/r2B+WjFd5lRhJ+lohSX17c9S
-jy/tbkfe4pSdPbi8+Gnbju693D+WKRYSBBCmLe4G//6+4uZM+zMjucPYm0ofCQYg
-o2hKLYQzoo7F37c0LcE9R94DbSOg2tY6HkKNhXoo0KBY424nIlZ82ZvsS7Q+dduB
-txbFvzj0cnrYAJv8QIzcedaFGPN7tkLMZ+PS2rXPG/CkPevKgGwjOx+YyKgQk8GU
-O+YvMQ9/zhOz4ak76UOZF+a21DrVqsKj0BK90SEq10MUnd1riQJ2z2jD8SSChgb6
-rRc4+AECgYEA1NTSkhfxwfgWIjucnWPrtzNLyVqg5Ss+X/XZfN0LNvMje+AZ4wfz
-pLAf8cxnewgNqpR1PeUrjoUwcKrHX7M/MhfEhPKo2LyYDsNtNDcRk3JP047FrDnL
-beVc7lIfsCzuuQHgnUFhBE+8qP69VsHWBq1iQF2NUdW8HLjxTSuAQFECgYEAzWIR
-U/r5QijUE6fcev4FvPBCCF3+c64UEuXV/W4ZURWzOEAcKh9TAHiTKSQ3MDQK7IQY
-YtRbgePnA8Tc0Xj0jSxMtWTX1FanxftosRNgsZD1VKnBViwImuOeZHZYq83qPGT9
-FNUvGMAEAHevNdSdI2k9RSzrB2Lhei6wEYHJryECgYEAoAOWgYKBID2enoRFHsw2
-N5nYe/2ohEQ79DfKGaezO9AXuJXnwJqE4ygMDGaK0qReagaOE0gOtGuM3Nh5Z4lD
-lSzrcq1ipvk8NbVWkHBqxXmnbL6l/fPB79EHSqLx8ioGHZC8yF6US4KLrF9CCU1Y
-1dJb0VrE2mcgtFOUEFoJZdECgYAsGxVRjaIdvRreJbxJhWfCDW6A0X6lZQrWjBkK
-VayGJzzXpZzmxtdSUJJ50VcwuNxnsm5yOtxz5ndj7dDmAy2xa4QFqGRZK0rYT4dK
-D7lCKLkmt1XXpZkreho3xNqB+rSEx8M5yBZXIFU7rHgp/UDJq/4GbwECExAM5x3U
-hKTFQQKBgQCPGglKFvkRkvYonwDmLRiCjBPnpK5YeL/AYJxeD3V9b8V5Arc9ce9y
-PgFgk93RjGlEfLSN0Xbqc6GPIGwg6f5qyHvQ1BpCwupr3lhdsTxwIKbGpAH4Zvmz
-4COcrvkF9gAHaIiH97nLy/9h2EawKqKgJv3R0wfdKvRw4iW/4j4aPw==
-----END RSA PRIVATE KEY-----
--- a/software/caddy-frontend/test/customdomainsslcrtsslkey.example.com.crt
+++ b/software/caddy-frontend/test/customdomainsslcrtsslkey.example.com.crt
-----BEGIN CERTIFICATE-----
-MIIDuzCCAqOgAwIBAgIJAOzw6rzXAd+jMA0GCSqGSIb3DQEBCwUAMHQxCzAJBgNV
-BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
-aWRnaXRzIFB0eSBMdGQxLTArBgNVBAMMJGN1c3RvbWRvbWFpbnNzbGNydHNzbGtl
-eS5leGFtcGxlLmNvbTAeFw0xODA1MTgxMzA2NThaFw0yODA1MTUxMzA2NThaMHQx
-CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
-cm5ldCBXaWRnaXRzIFB0eSBMdGQxLTArBgNVBAMMJGN1c3RvbWRvbWFpbnNzbGNy
-dHNzbGtleS5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAOQe3WLRuVBPPufClmlOk6Euc3nmycvCkzcwMUD6+zdyAGH0qhHoIHJmiXi6
-GcKYgqqa3eaIxvvke2EEphDwYkj6neOVyuX3KukL8ggEUakJ17TEQkS7hIk4dmDT
-wjFAMgLz8uN11jqLooo9w/ptD+LUWmm6K9zk49iqqdKuG9Z5v3dm0KMUvsmYGWqN
-g31tQWU1Cm2kNu+2iP2FPnx2PWkDq4KTn64U7iJP9DdDEvzNfYcvz8upjR15B+dI
-K0ihwDXV5BtfZXDvck+ctCdfS1QxM+x+PboEJKUNoefz/+Q/9T3mlc+KchFG9asL
-Q/kbHtdgZzsDGTDEtdDtIrLLQ3MCAwEAAaNQME4wHQYDVR0OBBYEFG6I5Y0feayi
-UPznSzRJIMS1blcNMB8GA1UdIwQYMBaAFG6I5Y0feayiUPznSzRJIMS1blcNMAwG
-A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAKmK75LcaROfjdxQLBFqiP/I
-6WB8pBNbAN6nL+dgxeQJNEx7VQXSU/3KF0nIMC35pzf93ZySMq6ujCjxksNA0Pa0
-XEH0pmTqOO7Af5wsjIniLqGTRvFCqGbWKEcYDBwKq0svTGfYyPOaBj8z7lt9LURs
-WRC1tCrn8T8NkAY/jdGRQZRtLlgk+x2SaeDfQ8F1MtMT8jYSLo4R+c4f+iuDgMWi
-JPM5SvYeDEXndWctKGxmP4p2HIp8gJuqYHmP4oxO7Rn/QPti1p68WfNQsRquHYJ4
-dR9krkpVeteQ7w8cQA9OkG/m3neiIfFKkosJSGEHctRvRQ0GtbQO6A6nZqk0n6I=
-----END CERTIFICATE-----
--- a/software/caddy-frontend/test/customdomainsslcrtsslkey.example.com.key
+++ b/software/caddy-frontend/test/customdomainsslcrtsslkey.example.com.key
-----BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDkHt1i0blQTz7n
-wpZpTpOhLnN55snLwpM3MDFA+vs3cgBh9KoR6CByZol4uhnCmIKqmt3miMb75Hth
-BKYQ8GJI+p3jlcrl9yrpC/IIBFGpCde0xEJEu4SJOHZg08IxQDIC8/LjddY6i6KK
-PcP6bQ/i1Fppuivc5OPYqqnSrhvWeb93ZtCjFL7JmBlqjYN9bUFlNQptpDbvtoj9
-hT58dj1pA6uCk5+uFO4iT/Q3QxL8zX2HL8/LqY0deQfnSCtIocA11eQbX2Vw73JP
-nLQnX0tUMTPsfj26BCSlDaHn8//kP/U95pXPinIRRvWrC0P5Gx7XYGc7AxkwxLXQ
-7SKyy0NzAgMBAAECggEBAOLv5ZPCSdWgEFdlWFbIycrmOBDETGo9VlDny4f2ZuZg
-rgrE6E/KGkVUxlvo32mcaRkp2ajW1wWN5kO86Swex9gMIfhfcyrVecW/kXbyPP6q
-AQIe4EIaPh54oiNvZleyok4Xu8EW4Bj8AqX+DjHaP5yLXqqhf7NPrW9FUI57kMwK
-DqeHBilgWUxzcjc4LLiEu6UTuB8c2Slj3Ps0K/mVzvPbQ7Xx+RYXzfX+SqjyvDEe
-GpaRLoiRJ0KZSoGUgBQSIqgfzR7g6ipKNDvlzsawMpG641vsQ8tSI+l4U5f6MbYZ
-pFT+mxL4+N+PQbWN5w3qYWK6Ilh77+0rKfGVrLH7s7kCgYEA/2SXFnUgJUnKpuE0
-4buUtPCMw8j+qZsJZ8nmf2BbwIGgp+CFGlO6aG4sfzYulpQuZOsnKRIu5qoE3xQp
-MzuqWPZ8eygAubBdddaym3kPRiMAxTXPr+vBFyvti+oFflxaTsTXAfCXD2wM8yKm
-Od16xg9co3NED2zt62mtSM6NOiUCgYEA5Kmt1JqL4ymMe9gBZ07Ar7GCfmmqepSb
-w9XqgkHDk0ZYizNeQupPQrypfdeLFlKVnlp4DycEA4XzGdFgp1+PkAMSIVDUZZp5
-KxWJdQkdScENe1eYAz0vALCWSnUahyMGuNW9Xe/z2mtNLKRYcNDQ2LROJTQjShvw
-XSfVQXS597cCgYEAgXG5hn9tAJlLJpQk2njZ4W++2QkJ0msrNDjIJC1xs7u/8vbA
-X9yqMX4N/Zg3ush2T15EpfN6ZB0uhObSDw6hw5+C7mUTIQq8BBsCwfx0+maJYGtq
-zc6fOqBgMTc2+5nRh/UKyQfpeL6aPa2FNPUF4lcs7AdjKrJaUKRqWOmf+SUCgYAd
-ksRkpshIzOraaYlk7w6EqpSR/OCLkgTDQztdNVwyA/sXpcEfLmap3vScze+zJ2Mq
-Y9D7RLSEMCLMyAOUIgvTOFJz9JxDt8LMC7EHbfJXw5wWw7FpWdRmZnBJmPOhXqpT
-5XDkYVBMg2wrxeWaUadxH4Cr1x5pS0u/AJPYL1yN6QKBgApwfVmCWXS0S1++6KiM
-WN+jyvqmF4FS6Ib5TII1/diChY0PCO/UnmVPYg1AIqsdT5ghVreZs7wuHi1LsXQ4
-41nBmUnhdaiKCz9qVybXJwvicn/2MlsIi5C4Ox97OHJyCR1iKxf5A2ypfYEuh25V
-NZZ4n9p5PhcLev6x3QhuWosT
-----END PRIVATE KEY-----
--- a/software/caddy-frontend/test/setup.py
+++ b/software/caddy-frontend/test/setup.py
@@ -44,6 +44,7 @@ setup(name=name,
        'forcediphttpsadapter',
        'requests-toolbelt',
        'supervisor',
+        'cryptography',
      ],
      zip_safe=True,
      test_suite='test',

--- a/software/caddy-frontend/test/test.py
+++ b/software/caddy-frontend/test/test.py
@@ -25,14 +25,6 @@
 #
 ##############################################################################
-# Note for SSL
-#  This test comes with certificates and keys. There is even root Certificate
-#  Authority, for the backends
-#  Please follow https://datacenteroverlords.com/2012/03/01/\
-#     creating-your-own-ssl-certificate-authority/
-#  in order to add more certificates for backend.
-#  Frontend still uses self-signed certificates.
 import glob
 import os
 import requests
@@ -47,10 +39,20 @@ from BaseHTTPServer import HTTPServer
 from BaseHTTPServer import BaseHTTPRequestHandler
 from forcediphttpsadapter.adapters import ForcedIPHTTPSAdapter
 import time
+import tempfile
 from utils import SlapOSInstanceTestCase
 from utils import findFreeTCPPort
+import datetime
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.x509.oid import NameOID
 LOCAL_IPV4 = os.environ['LOCAL_IPV4']
 GLOBAL_IPV6 = os.environ['GLOBAL_IPV6']
@@ -73,13 +75,98 @@ if os.environ.get('DEBUG'):
 def der2pem(der):
-  certificate, error = subprocess.Popen(
+  certificate = x509.load_der_x509_certificate(der, default_backend())
-      'openssl x509 -inform der'.split(), stdin=subprocess.PIPE,
+  return certificate.public_bytes(serialization.Encoding.PEM)
-      stdout=subprocess.PIPE, stderr=subprocess.PIPE
-  ).communicate(der)
-  if error:
+def createKey():
-    raise ValueError(error)
+  key = rsa.generate_private_key(
-  return certificate
+    public_exponent=65537, key_size=2048, backend=default_backend())
+  key_pem = key.private_bytes(
+    encoding=serialization.Encoding.PEM,
+    format=serialization.PrivateFormat.TraditionalOpenSSL,
+    encryption_algorithm=serialization.NoEncryption()
+  )
+  return key, key_pem
+def createSelfSignedCertificate(common_name):
+  key, key_pem = createKey()
+  subject = issuer = x509.Name([
+    x509.NameAttribute(NameOID.COUNTRY_NAME, u"XX"),
+    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"YY"),
+    x509.NameAttribute(NameOID.LOCALITY_NAME, u"Xx Yy"),
+    x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Xyx Yxy"),
+    x509.NameAttribute(NameOID.COMMON_NAME, unicode(common_name)),
+  ])
+  certificate = x509.CertificateBuilder().subject_name(
+    subject
+  ).issuer_name(
+    issuer
+  ).public_key(
+    key.public_key()
+  ).serial_number(
+    x509.random_serial_number()
+  ).not_valid_before(
+    datetime.datetime.utcnow() - datetime.timedelta(days=2)
+  ).not_valid_after(
+    datetime.datetime.utcnow() + datetime.timedelta(days=5)
+  ).sign(key, hashes.SHA256(), default_backend())
+  certificate_pem = certificate.public_bytes(serialization.Encoding.PEM)
+  return key, key_pem, certificate, certificate_pem
+def createCSR(common_name):
+  key, key_pem = createKey()
+  csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
+     x509.NameAttribute(NameOID.COMMON_NAME, unicode(common_name)),
+  ])).sign(key, hashes.SHA256(), default_backend())
+  csr_pem = csr.public_bytes(serialization.Encoding.PEM)
+  return key, key_pem, csr, csr_pem
+class CertificateAuthority(object):
+  def __init__(self, common_name):
+    self.key, self.key_pem = createKey()
+    public_key = self.key.public_key()
+    builder = x509.CertificateBuilder()
+    builder = builder.subject_name(x509.Name([
+      x509.NameAttribute(NameOID.COMMON_NAME, unicode(common_name)),
+    ]))
+    builder = builder.issuer_name(x509.Name([
+      x509.NameAttribute(NameOID.COMMON_NAME, unicode(common_name)),
+    ]))
+    builder = builder.not_valid_before(
+      datetime.datetime.utcnow() - datetime.timedelta(days=2))
+    builder = builder.not_valid_after(
+      datetime.datetime.utcnow() + datetime.timedelta(days=30))
+    builder = builder.serial_number(x509.random_serial_number())
+    builder = builder.public_key(public_key)
+    builder = builder.add_extension(
+      x509.BasicConstraints(ca=True, path_length=None), critical=True,
+    )
+    self.certificate = builder.sign(
+      private_key=self.key, algorithm=hashes.SHA256(),
+      backend=default_backend()
+    )
+    self.certificate_pem = self.certificate.public_bytes(
+      serialization.Encoding.PEM)
+  def signCSR(self, csr):
+    builder = x509.CertificateBuilder(
+      subject_name=csr.subject,
+      issuer_name=self.certificate.subject,
+      not_valid_before=datetime.datetime.utcnow() - datetime.timedelta(days=1),
+      not_valid_after=datetime.datetime.utcnow() + datetime.timedelta(days=30),
+      serial_number=x509.random_serial_number(),
+      public_key=csr.public_key(),
+    )
+    certificate = builder.sign(
+      private_key=self.key,
+      algorithm=hashes.SHA256(),
+      backend=default_backend()
+    )
+    return certificate, certificate.public_bytes(serialization.Encoding.PEM)
 def isHTTP2(domain, ip):
@@ -365,11 +452,22 @@ class SlaveHttpFrontendTestCase(HttpFrontendTestCase):
      (LOCAL_IPV4, findFreeTCPPort(LOCAL_IPV4)),
      TestHandler)
+    cls.test_server_ca = CertificateAuthority("Test Server Root CA")
+    key, key_pem, csr, csr_pem = createCSR(
+      "testserver.example.com")
+    _, cls.test_server_certificate_pem = cls.test_server_ca.signCSR(csr)
+    cls.test_server_certificate_file = tempfile.NamedTemporaryFile(
+      delete=False
+    )
+    cls.test_server_certificate_file.write(
+        cls.test_server_certificate_pem + key_pem
+      )
+    cls.test_server_certificate_file.close()
    server_https.socket = ssl.wrap_socket(
      server_https.socket,
-      certfile=os.path.join(
+      certfile=cls.test_server_certificate_file.name,
-        os.path.dirname(os.path.realpath(__file__)),
-        'testserver.example.com.pem'),
      server_side=True)
    cls.backend_url = 'http://%s:%s' % server.server_address
@@ -382,6 +480,8 @@ class SlaveHttpFrontendTestCase(HttpFrontendTestCase):
  @classmethod
  def stopServerProcess(cls):
+    if getattr(cls, 'test_server_certificate_file', None) is None:
+      os.unlink(cls.test_server_certificate_file)
    if getattr(cls, 'server_process', None) is None:
      return
    cls.server_process.terminate()
@@ -412,9 +512,15 @@ class SlaveHttpFrontendTestCase(HttpFrontendTestCase):
      cls.slave_connection_parameter_dict_dict[slave_reference] = \
          slave_instance.getConnectionParameterDict()
+  @classmethod
+  def createWildcardExampleComCertificate(cls):
+    _, cls.key_pem, _, cls.certificate_pem = createSelfSignedCertificate(
+      '*.example.com')
  @classmethod
  def setUpClass(cls):
    try:
+      cls.createWildcardExampleComCertificate()
      cls.startServerProcess()
      super(SlaveHttpFrontendTestCase, cls).setUpClass()
      cls.setUpSlaves()
@@ -578,8 +684,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      'domain': 'example.com',
      'nginx-domain': 'nginx.example.com',
      'public-ipv4': LOCAL_IPV4,
-      'apache-certificate': open('wildcard.example.com.crt').read(),
+      'apache-certificate': cls.certificate_pem,
-      'apache-key': open('wildcard.example.com.key').read(),
+      'apache-key': cls.key_pem,
      '-frontend-authorized-slave-string':
      '_apache_custom_http_s-accepted _caddy_custom_http_s-accepted',
      'port': HTTPS_PORT,
@@ -591,6 +697,16 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      'mpm-graceful-shutdown-timeout': 2,
    }
+  @classmethod
+  def setUpSlaves(cls):
+    cls.ca = CertificateAuthority('TestSlave')
+    _, cls.customdomain_ca_key_pem, csr, _ = createCSR(
+      'customdomainsslcrtsslkeysslcacrt.example.com')
+    _, cls.customdomain_ca_certificate_pem = cls.ca.signCSR(csr)
+    _, cls.customdomain_key_pem, _, cls.customdomain_certificate_pem = \
+        createSelfSignedCertificate('customdomainsslcrtsslkey.example.com')
+    super(TestSlave, cls).setUpSlaves()
  @classmethod
  def getSlaveParameterDictDict(cls):
    return {
@@ -623,7 +739,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      'ssl-proxy-verify_ssl_proxy_ca_crt': {
        'url': cls.backend_https_url,
        'ssl-proxy-verify': True,
-        'ssl_proxy_ca_crt': open('testserver.root.ca.crt').read(),
+        'ssl_proxy_ca_crt': cls.test_server_ca.certificate_pem,
      },
      'ssl-proxy-verify-unverified': {
        'url': cls.backend_https_url,
@@ -644,31 +760,31 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      'custom_domain_ssl_crt_ssl_key': {
        'url': cls.backend_url,
        'custom_domain': 'customdomainsslcrtsslkey.example.com',
-        'ssl_crt': open('customdomainsslcrtsslkey.example.com.crt').read(),
+        'ssl_crt': cls.customdomain_certificate_pem,
-        'ssl_key': open('customdomainsslcrtsslkey.example.com.key').read(),
+        'ssl_key': cls.customdomain_key_pem,
      },
      'custom_domain_ssl_crt_ssl_key_ssl_ca_crt': {
        'url': cls.backend_url,
        'custom_domain': 'customdomainsslcrtsslkeysslcacrt.example.com',
-        'ssl_crt': open('CA.wildcard.example.com.crt').read(),
+        'ssl_crt': cls.customdomain_ca_certificate_pem,
-        'ssl_key': open('CA.wildcard.example.com.key').read(),
+        'ssl_key': cls.customdomain_ca_key_pem,
-        'ssl_ca_crt': open('CA.wildcard.example.com.root.crt').read(),
+        'ssl_ca_crt': cls.ca.certificate_pem,
      },
      'ssl_ca_crt_only': {
        'url': cls.backend_url,
-        'ssl_ca_crt': open('CA.wildcard.example.com.root.crt').read(),
+        'ssl_ca_crt': cls.ca.certificate_pem,
      },
      'ssl_ca_crt_garbage': {
        'url': cls.backend_url,
-        'ssl_crt': open('CA.wildcard.example.com.crt').read(),
+        'ssl_crt': cls.customdomain_ca_certificate_pem,
-        'ssl_key': open('CA.wildcard.example.com.key').read(),
+        'ssl_key': cls.customdomain_ca_key_pem,
        'ssl_ca_crt': 'some garbage',
      },
      'ssl_ca_crt_does_not_match': {
        'url': cls.backend_url,
-        'ssl_crt': open('wildcard.example.com.crt').read(),
+        'ssl_crt': cls.certificate_pem,
-        'ssl_key': open('wildcard.example.com.key').read(),
+        'ssl_key': cls.key_pem,
-        'ssl_ca_crt': open('CA.wildcard.example.com.root.crt').read(),
+        'ssl_ca_crt': cls.ca.certificate_pem,
      },
      'type-zope': {
        'url': cls.backend_url,
@@ -678,7 +794,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
        'url': cls.backend_https_url,
        'type': 'zope',
        'ssl-proxy-verify': True,
-        'ssl_proxy_ca_crt': open('testserver.root.ca.crt').read(),
+        'ssl_proxy_ca_crt': cls.test_server_ca.certificate_pem,
      },
      'type-zope-ssl-proxy-verify-unverified': {
        'url': cls.backend_https_url,
@@ -743,7 +859,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      'enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt': {
        'url': cls.backend_https_url,
        'enable_cache': True,
-        'ssl_proxy_ca_crt': open('testserver.root.ca.crt').read(),
+        'ssl_proxy_ca_crt': cls.test_server_ca.certificate_pem,
        'ssl-proxy-verify': True,
      },
      'enable-http2-default': {
@@ -910,7 +1026,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqual(httplib.NOT_FOUND, result.status_code)
@@ -972,7 +1088,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -1039,7 +1155,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result_ipv6.peercert))
    self.assertEqualResultJson(result_ipv6, 'Path', '/test-path')
@@ -1063,7 +1179,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(
@@ -1092,7 +1208,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], '')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqual(
@@ -1120,7 +1236,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -1129,7 +1245,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      'alias1.example.com', parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -1138,7 +1254,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      'alias2.example.com', parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
  def test_server_alias_wildcard(self):
@@ -1160,7 +1276,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -1169,7 +1285,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      'wild.alias1.example.com', parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -1193,7 +1309,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -1202,7 +1318,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      'alias3.example.com', parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -1227,7 +1343,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -1258,7 +1374,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('CA.wildcard.example.com.crt').read(),
+      self.customdomain_ca_certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -1292,7 +1408,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('CA.wildcard.example.com.crt').read(),
+      self.customdomain_ca_certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -1317,7 +1433,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -1341,7 +1457,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -1373,7 +1489,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -1398,7 +1514,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -1423,7 +1539,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('customdomainsslcrtsslkey.example.com.crt').read(),
+      self.customdomain_certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -1447,7 +1563,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    try:
@@ -1521,7 +1637,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(
@@ -1551,7 +1667,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      NGINX_HTTPS_PORT)
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -1592,7 +1708,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      NGINX_HTTPS_PORT)
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqual(
@@ -1632,7 +1748,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqual(
@@ -1661,7 +1777,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqual(
@@ -1698,7 +1814,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqual(
@@ -1729,7 +1845,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqual(
@@ -1767,7 +1883,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqual(
@@ -1797,7 +1913,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqual(
@@ -1835,7 +1951,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqual(
@@ -1862,7 +1978,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqual(httplib.NOT_FOUND, result.status_code)
@@ -1904,7 +2020,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqual(httplib.NOT_FOUND, result.status_code)
@@ -1946,7 +2062,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqual(httplib.NOT_FOUND, result.status_code)
@@ -1989,7 +2105,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -2082,7 +2198,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      headers={'Pragma': 'no-cache', 'Cache-Control': 'something'})
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -2134,7 +2250,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -2178,7 +2294,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -2227,7 +2343,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -2278,7 +2394,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      headers={'Accept-Encoding': 'gzip, deflate'})
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -2319,7 +2435,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
        ))
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -2362,7 +2478,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -2460,7 +2576,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -2521,7 +2637,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/https/test-path')
@@ -2538,8 +2654,8 @@ class TestReplicateSlave(SlaveHttpFrontendTestCase, TestDataMixin):
      'domain': 'example.com',
      'nginx-domain': 'nginx.example.com',
      'public-ipv4': LOCAL_IPV4,
-      'apache-certificate': open('wildcard.example.com.crt').read(),
+      'apache-certificate': cls.certificate_pem,
-      'apache-key': open('wildcard.example.com.key').read(),
+      'apache-key': cls.key_pem,
      '-frontend-quantity': 2,
      '-sla-2-computer_guid': 'slapos.test',
      '-frontend-2-state': 'stopped',
@@ -2579,7 +2695,7 @@ class TestReplicateSlave(SlaveHttpFrontendTestCase, TestDataMixin):
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -2609,8 +2725,8 @@ class TestEnableHttp2ByDefaultFalseSlave(SlaveHttpFrontendTestCase,
      'domain': 'example.com',
      'nginx-domain': 'nginx.example.com',
      'public-ipv4': LOCAL_IPV4,
-      'apache-certificate': open('wildcard.example.com.crt').read(),
+      'apache-certificate': cls.certificate_pem,
-      'apache-key': open('wildcard.example.com.key').read(),
+      'apache-key': cls.key_pem,
      'enable-http2-by-default': 'false',
      'port': HTTPS_PORT,
      'plain_http_port': HTTP_PORT,
@@ -2699,8 +2815,8 @@ class TestEnableHttp2ByDefaultDefaultSlave(SlaveHttpFrontendTestCase,
      'domain': 'example.com',
      'nginx-domain': 'nginx.example.com',
      'public-ipv4': LOCAL_IPV4,
-      'apache-certificate': open('wildcard.example.com.crt').read(),
+      'apache-certificate': cls.certificate_pem,
-      'apache-key': open('wildcard.example.com.key').read(),
+      'apache-key': cls.key_pem,
      'port': HTTPS_PORT,
      'plain_http_port': HTTP_PORT,
      'nginx_port': NGINX_HTTPS_PORT,
@@ -2885,8 +3001,8 @@ class TestMalformedBackenUrlSlave(SlaveHttpFrontendTestCase,
      'domain': 'example.com',
      'nginx-domain': 'nginx.example.com',
      'public-ipv4': LOCAL_IPV4,
-      'apache-certificate': open('wildcard.example.com.crt').read(),
+      'apache-certificate': cls.certificate_pem,
-      'apache-key': open('wildcard.example.com.key').read(),
+      'apache-key': cls.key_pem,
      'port': HTTPS_PORT,
      'plain_http_port': HTTP_PORT,
      'nginx_port': NGINX_HTTPS_PORT,
@@ -2949,7 +3065,7 @@ class TestMalformedBackenUrlSlave(SlaveHttpFrontendTestCase,
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqual(httplib.NOT_FOUND, result.status_code)
@@ -3021,8 +3137,8 @@ class TestQuicEnabled(SlaveHttpFrontendTestCase, TestDataMixin):
      'nginx-domain': 'nginx.example.com',
      'public-ipv4': LOCAL_IPV4,
      'enable-quic': 'true',
-      'apache-certificate': open('wildcard.example.com.crt').read(),
+      'apache-certificate': cls.certificate_pem,
-      'apache-key': open('wildcard.example.com.key').read(),
+      'apache-key': cls.key_pem,
      '-frontend-authorized-slave-string':
      '_apache_custom_http_s-accepted _caddy_custom_http_s-accepted',
      'port': HTTPS_PORT,
@@ -3075,7 +3191,7 @@ class TestQuicEnabled(SlaveHttpFrontendTestCase, TestDataMixin):
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -3127,8 +3243,8 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
      'domain': 'example.com',
      'nginx-domain': 'nginx.example.com',
      'public-ipv4': LOCAL_IPV4,
-      'apache-certificate': open('wildcard.example.com.crt').read(),
+      'apache-certificate': cls.certificate_pem,
-      'apache-key': open('wildcard.example.com.key').read(),
+      'apache-key': cls.key_pem,
      '-frontend-authorized-slave-string': '_caddy_custom_http_s-reject',
      'port': HTTPS_PORT,
      'plain_http_port': HTTP_PORT,
@@ -3247,7 +3363,7 @@ https://www.google.com {}""",
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(result, 'Path', '/test-path')
@@ -3271,7 +3387,7 @@ https://www.google.com {}""",
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqual(httplib.NOT_FOUND, result.status_code)
@@ -3314,7 +3430,7 @@ https://www.google.com {}""",
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqual(httplib.NOT_FOUND, result.status_code)
@@ -3334,8 +3450,8 @@ https://www.google.com {}""",
    self.assertEqual(
      {
        'request-error-list': [
-          "custom_domain \'${section:option} afterspace\\\\nafternewline\' "
+          "custom_domain '${section:option} afterspace\\nafternewline' invalid"
-          "invalid"]
+        ]
      },
      parameter_dict
    )
@@ -3399,7 +3515,7 @@ https://www.google.com {}""",
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqualResultJson(
@@ -3428,7 +3544,7 @@ https://www.google.com {}""",
      parameter_dict['domain'], parameter_dict['public-ipv4'], '')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqual(
@@ -3456,7 +3572,7 @@ https://www.google.com {}""",
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqual(httplib.NOT_FOUND, result.status_code)
@@ -3498,7 +3614,7 @@ https://www.google.com {}""",
      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
    self.assertEqual(
-      open('wildcard.example.com.crt').read(),
+      self.certificate_pem,
      der2pem(result.peercert))
    self.assertEqual(httplib.NOT_FOUND, result.status_code)
@@ -3548,8 +3664,8 @@ class TestDuplicateSiteKeyProtection(SlaveHttpFrontendTestCase, TestDataMixin):
      'domain': 'example.com',
      'nginx-domain': 'nginx.example.com',
      'public-ipv4': LOCAL_IPV4,
-      'apache-certificate': open('wildcard.example.com.crt').read(),
+      'apache-certificate': cls.certificate_pem,
-      'apache-key': open('wildcard.example.com.key').read(),
+      'apache-key': cls.key_pem,
      '-frontend-authorized-slave-string': '_caddy_custom_http_s-reject',
      'port': HTTPS_PORT,
      'plain_http_port': HTTP_PORT,

--- a/software/caddy-frontend/test/testserver.example.com.pem
+++ b/software/caddy-frontend/test/testserver.example.com.pem
-----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAp0BSMfhzYo62X7FtSivZRpFn3HH5ij/fhQGla3C7gCIjsQCe
-FZwYvK6i+qyGz4vC6fxj04ZHrAn6Xh3AQN/HA9OGEew0opL1tPtLoblbWTQv9gqh
-nBupfPPZnvf7DOzfMKUvcl2RJAUZ9jWLGiUvYhtdCVGR9evq1z6O5ZMfoy29L1fB
-Qc7k8Y6+bgunu85uVXxIxZQkb9wWY6A6B1qKLYkF3qi/6hto/XY+DEL23aBzWLuz
-Zv1LmrzFarAsnc/UzsubrPaTho3EknNcfIxfNioFf0MBykEhTwZh6owh2c70ri2y
-J0mg3bGMDcQyxlZrGPQVAlV9/1zrIKogrufDtQIDAQABAoIBACqXLZc+DpwNfZG2
-y/70VZsr0ggIGiTDiTcEqUxH4+eIShB7+MXF/2KlEinFn3rgu1z8gatO6Zd83v3y
-k4+xrKtjxSNxRCIWTG2vBJ6FZia8LG56XJc1UB7athNOUOcEtv1bQ07bVueWSPsy
-vV6GE5/nGfUSiZnXXvE7JAaARbE2vix85CEZbSqps4plw+IRla5izgk2lfGeXZO4
-tv0ci+5C+U5CbOA+i9I/m0qZBAqzBqCxiN/VRZSG6kxc0XF58NaJNCFqGUCzd+On
-nLhSWxE+0+roj4BSsV8H2AHQzFy/d9eMiSoSGPLb0Sa0zvbcvf6SeknymEiTTAUK
-nj94do0CgYEA0ontvQtCir443/2rkaUeXscJQO07QeGqztgSjEZj5GiT9cgBqlWQ
-DsY6BoOHHMjJcWy4gEiz+whZOw87exy1ECevx5fazQzBwJvMD3qTOilOk49VzKs1
-xrOdm3Me3E3X8AT3kKxrGdT/kHWlCij/Y+SIq2+YVh6t15p9P51eY2MCgYEAy12Q
-K+llzNyL/6ml7CczfjNHkUlIMXlHs+bRk1eG+clUmoIQR7bxuhM6G23auGpq58mu
-KhfThEytxU1vDSsXJKueLD59pWRDvwLDlLxoXXWgkdzWRMzKkJc/vd3GTJBW2ZpX
-e66TEowBJkaftVAkGnded9EoKQKbGF2+/4/chAcCgYA1/8xrJT0u6rUZti1QEMKm
-WnRkI7SEJEY0ATVYpyEtzyjL7D2JG6L0NyFg1FFOL62DGviDZqJK64w/WpvN6sIB
-37v0/FzRJMl5BjyjZ7PlQfz2WdgOw4bqbN0qpq8uoASXeh6pC5/4oyndOl9XKMbA
-LzhiiB/RTtMVrnkbXNh9swKBgDhBZI1RHhECfVO2ySg/W9YwNz7wZ6EP7I7ObfD1
-SGg2kkm/auN7rviLMwq9Y8CZ54LA3oXUW3WAhJ1Mo0igP+Gr+7A/hSBIURk4mYO+
-bpxT2pwe28LiZ7KBtGdAPweU8gF12XdkPljmE7dT2AAe8C3GEYLRf+uARgkCfcBS
-OmznAoGAFXa3/sx8uBrA4rxpE9b/nEQNr8n0NatH7tW3fry88wYBLyFYdHrAmM/p
-7a1/iLFvCl3fzZdiAxPplFw6neCpxD2ghHXZjN5njevs9AECNhf5M3EraNJW3tn5
-b6+wwlbNqFm8NymFoq3Zeq8HUXPQbdUKOwSiwxQ5+5XdSsYOZoQ=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-MIIDRTCCAi0CCQDQ1EVpyJg5UzANBgkqhkiG9w0BAQsFADBjMQswCQYDVQQGEwJB
-VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
-cyBQdHkgTHRkMRwwGgYDVQQDDBNUZXN0IFNlcnZlciBSb290IENBMB4XDTE4MDYy
-NzExMjIxMloXDTI4MDYyNDExMjIxMlowZjELMAkGA1UEBhMCQVUxEzARBgNVBAgM
-ClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEf
-MB0GA1UEAwwWdGVzdHNlcnZlci5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAKdAUjH4c2KOtl+xbUor2UaRZ9xx+Yo/34UBpWtwu4Ai
-I7EAnhWcGLyuovqshs+Lwun8Y9OGR6wJ+l4dwEDfxwPThhHsNKKS9bT7S6G5W1k0
-L/YKoZwbqXzz2Z73+wzs3zClL3JdkSQFGfY1ixolL2IbXQlRkfXr6tc+juWTH6Mt
-vS9XwUHO5PGOvm4Lp7vOblV8SMWUJG/cFmOgOgdaii2JBd6ov+obaP12PgxC9t2g
-c1i7s2b9S5q8xWqwLJ3P1M7Lm6z2k4aNxJJzXHyMXzYqBX9DAcpBIU8GYeqMIdnO
-9K4tsidJoN2xjA3EMsZWaxj0FQJVff9c6yCqIK7nw7UCAwEAATANBgkqhkiG9w0B
-AQsFAAOCAQEAtEfuCYN5xQ+xwFF4UwJtQvv+DGlxzSPZUxY4h5BH7BbyC+XVvo7l
-iY0pCHI7PsZRSMK3KaUuLYll/7mNB6GCE2zocWfIZwTgoJEhw35iVj07SYIcnd5h
-R1XBGEn2EQfZEkjH5kuTBUKR1EE5yJimhG89chQkP5eAWsPNUM55XmojNt5uZawb
-C8bJXGtlNGSgmfXCcGBp9VW3ImEKDoyLJuBqIcBfMv/3ENnKbuTt+cLaaLWkqX48
-JSqEL41S6tU8Jmv3HrhSWmZJjCJ+gRXKANhlAOxuddTkaEnToe9G51Ekj0uRHF37
-LHdySTpMHXg1Cm4njhLqVcRoikrSkYcHPA==
-----END CERTIFICATE-----
--- a/software/caddy-frontend/test/testserver.root.ca.crt
+++ b/software/caddy-frontend/test/testserver.root.ca.crt
-----BEGIN CERTIFICATE-----
-MIIDmTCCAoGgAwIBAgIJAOZ30I7+VqTNMA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNV
-BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
-aWRnaXRzIFB0eSBMdGQxHDAaBgNVBAMME1Rlc3QgU2VydmVyIFJvb3QgQ0EwHhcN
-MTgwNjI3MTExOTEzWhcNMjgwNjI0MTExOTEzWjBjMQswCQYDVQQGEwJBVTETMBEG
-A1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkg
-THRkMRwwGgYDVQQDDBNUZXN0IFNlcnZlciBSb290IENBMIIBIjANBgkqhkiG9w0B
-AQEFAAOCAQ8AMIIBCgKCAQEA6arXFNc2fl39wAgvFvB7XQILJ8xT/89n6KwvZHIs
-eqptNgT7k2LCrsWDqvQS+fsAY62OSpt6gWckM2Q9toY6niXzvElj/+C3FxdEounN
-dgHfG1M3imTbAPR/E2bPGUoWtod0DrHkIF3HlqvjTsKvk0t2XglbobZc3JFHzw2R
-Vnh0NjGHxH5tvE0hiM2rdyMUOXJeLqz/iILqOEjBscHKUcb9rTvI08N0/FFpRtbB
-JAgQeZB85ZxGqyg1pRwveG+mDALv9IImqtIpe9D/OwjOyF8MErS/Yfjqyw2eejj/
-dX9GNFnuGxlyZ7GKRncHPR2QmKrIz+1NNqsXITPs5zVo/QIDAQABo1AwTjAdBgNV
-HQ4EFgQUerhRsTxEadhORRVlRtqZryF456kwHwYDVR0jBBgwFoAUerhRsTxEadhO
-RRVlRtqZryF456kwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAs6Oi
-CMhQ6a8bW7u8jcC7Y2/50TlviQo+IQ44wgCJrnZCHDXdMLwwm7VjiUl33Z6YjnT+
-UVzkA7O2aTHop1peR3kpJ/JP6yrGudj7gZJNLlQXEKopT0MFaZWxI80LP8gIHlsx
-nzhe6Kzw8xtGiC0O4j3aJwsJp/ggaNYp37AyEA0KkGbLtA5QrpfZfvPV/zoiXQbn
-HkzaYgf1VcfwjoSi4cBO0IE2iHWjGKCoo3WGCKzoyY/ldpyqFhOvAhL5FoS7hQcl
-5meowzyz7OVGqvbhZgETNqFyl0la9JeMhbDG3+tHX6K5dbcOYRJUv/INO2CNnW/K
-o1vE6iTVxjew2tnoMQ==
-----END CERTIFICATE-----
--- a/software/caddy-frontend/test/testserver.root.ca.key
+++ b/software/caddy-frontend/test/testserver.root.ca.key
-----BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA6arXFNc2fl39wAgvFvB7XQILJ8xT/89n6KwvZHIseqptNgT7
-k2LCrsWDqvQS+fsAY62OSpt6gWckM2Q9toY6niXzvElj/+C3FxdEounNdgHfG1M3
-imTbAPR/E2bPGUoWtod0DrHkIF3HlqvjTsKvk0t2XglbobZc3JFHzw2RVnh0NjGH
-xH5tvE0hiM2rdyMUOXJeLqz/iILqOEjBscHKUcb9rTvI08N0/FFpRtbBJAgQeZB8
-5ZxGqyg1pRwveG+mDALv9IImqtIpe9D/OwjOyF8MErS/Yfjqyw2eejj/dX9GNFnu
-GxlyZ7GKRncHPR2QmKrIz+1NNqsXITPs5zVo/QIDAQABAoIBAQDRYTFrTlFZOJXZ
-TjwL3R9dvygJ2HDoh4w/lJK++gPbQv2raxmW/ucePoR2WlDqyTyXFPys49cJP0fT
-+R3HgU3jSnS2IjlGHrFRMpthNAnUlWa7EH1zOF5545w+4V/v9FCX7JZVWJfnXMEs
-xQdhGtjDLtp49v+xzzw0tMXYxfqWtJBuFT2Dft60lH/kcCyD7TWQD30OyP28QuYK
-Zn4uCDBCOYuHTb/eu6MLKGRkuyRbgXoCCjjziQ/u8lcUx7nPa1qTdGHAglNei5CV
-nrDsaEQGd3U7jUgOpbd+a5E5UaFtR8HoBtIDQf72JTWBrKSjkmIHZsJSU8tMKZi4
-nGr7mA4hAoGBAPcGQWdAa6qZIKTwp6EDJMBbSDH70ykBFgE4nmKAlxcfPlR0CU3R
-iahVvvuNyE//rPEhZBGqh8VEfZfkz1H5zLJQS5EV6ePbKYQE2q9JHugMrw8zh5MH
-89NpK+O9p/3MrCPAZgWGVQ3nfLkV0WTGGiSdLFDAvBtRZeMmsi2JedTJAoGBAPIo
-V1bwRzihtvZT/rc86jYvJbMR49lbal8pHsIg5FS0EAgQp4tgMnEfqI3UHvjYIUJa
-CursrHOFX0hypP2DW2BxJ6yMYv/jQivyxziCSd+xrSfR0B3vjJ33ayqs3EnS4MzY
-jbaWm1O2Z585ZlulqGWfhJ3m7dzeGqXmNrMWABCVAoGAYU59hQbDYrhfO5nw7mQm
-nf9XORlR3N0opeJ/wZ2V5u3Px8TNxXG9ICpmyQDY32p/3ZyhprPeN777GlJvuIMG
-N1eZ7NUNBUzX1cFzw4iyPAaDDyHlTe3cBnNvbo7PFhMB3DN1/Mclygxd/SqzCVdg
-BPxE8Kp7budpk0ky9u0oqMECgYEAq6hPKXDQe+Oe6AToxgnnWRuY1NR0uOqlf+mN
-RT29vhGaX602p4U8nJY9jLR2dB35jah4nsnBAW7k+V1TeeY4yyfLYPRvZUc67B6A
-fJ1XMrwnq9d+eQoLmxr9m9XHnolfE7ba1jjyyKe/0s4Esii/M7KddrVxniTPrRSB
-Z/fLefUCgYEAl2Al2BK4ZYK6HSeFxZ1kaVkcefL1QBMzgLY8LPVpReoaULdFzwat
-3elM8C31FDBvIaWzJCQMIIrFEldvU4tvBF7Mbe8lDDQXotoI6zTWMnNUGV3Xd0wc
-hep0oINBctav7pVJ7Mf+X0Wqfc4D40FPbMzHMUxfdKs9eo9qR/fktYI=
-----END RSA PRIVATE KEY-----
--- a/software/caddy-frontend/test/testserver.srl
+++ b/software/caddy-frontend/test/testserver.srl
-D0D44569C8983953
--- a/software/caddy-frontend/test/wildcard.example.com.crt
+++ b/software/caddy-frontend/test/wildcard.example.com.crt
-----BEGIN CERTIFICATE-----
-MIIDjzCCAnegAwIBAgIJAP4QzV9d5d8KMA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV
-BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
-aWRnaXRzIFB0eSBMdGQxFjAUBgNVBAMMDSouZXhhbXBsZS5jb20wIBcNMTgwNDE3
-MTE0MjAxWhgPMjExODAzMjQxMTQyMDFaMF0xCzAJBgNVBAYTAkFVMRMwEQYDVQQI
-DApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQx
-FjAUBgNVBAMMDSouZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQC0MNnojTq6Yp60ecvP5lZGa6owZp64sumaT66JInTFJcSV/ls0AbPN
-KPTcNRgbFLIuv/3Xhgi6YAxIz2PXdCDPj1fp4rVIijhpedaWZaIOeTqSGEg+5/iL
-4UTxm166NgCU1zp0QsmU8MXJFv4YxTZsF9LlGFcP6uUQ9sY98yv+hErCxRXo+dXd
-GGG4LTVLGPeRYNX2JVD5BxoNkL5/3IMylrFvI8aRFTKVn1P8UPJ5K9du3E0wHJY6
-MkstZX3xKcGKSn2w1zIaq/NcrbLXvp6eZauLtMpZ9vW+CtYV3diOm2TiMvQIyCRM
-4mWbaf76bpGiz9/+11w6U9n6zMzKTq+5AgMBAAGjUDBOMB0GA1UdDgQWBBT/Kswu
-BKM3GXaIWvQ8Vs1xhs/1vzAfBgNVHSMEGDAWgBT/KswuBKM3GXaIWvQ8Vs1xhs/1
-vzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAeeV7VIqbNL6Xe0I5y
-fl44ogBY0zoYJH+p7HCebazZKepy7f+EeWv8B3dHODrilSYCnsOqhta8mMSMrgsT
-TFByr/8NN/4UFe9FeKnxD9Sun0EetESkaeMqAGCK921lT0eU4IhA0JLRj16HomuK
-I/JBFwUXFn6vVypw5R41zwnikv+EB0fSC4biSXWXUarGqlRCF7o00CPKqAaTE0yX
-H4Yz3lR/Vuce7uFvkIY+F4vXtq1sy/tb4QBWlDS6t7cmeBGcvaQ8mlndA9T+us0l
-/wb9mzdTcwkrkM2kk++GnS0NCAQfOalF3x8wG6j8DrU2dQ1NXh205c/zo0BljQr8
-P84v
-----END CERTIFICATE-----
--- a/software/caddy-frontend/test/wildcard.example.com.key
+++ b/software/caddy-frontend/test/wildcard.example.com.key
-----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC0MNnojTq6Yp60
-ecvP5lZGa6owZp64sumaT66JInTFJcSV/ls0AbPNKPTcNRgbFLIuv/3Xhgi6YAxI
-z2PXdCDPj1fp4rVIijhpedaWZaIOeTqSGEg+5/iL4UTxm166NgCU1zp0QsmU8MXJ
-Fv4YxTZsF9LlGFcP6uUQ9sY98yv+hErCxRXo+dXdGGG4LTVLGPeRYNX2JVD5BxoN
-kL5/3IMylrFvI8aRFTKVn1P8UPJ5K9du3E0wHJY6MkstZX3xKcGKSn2w1zIaq/Nc
-rbLXvp6eZauLtMpZ9vW+CtYV3diOm2TiMvQIyCRM4mWbaf76bpGiz9/+11w6U9n6
-zMzKTq+5AgMBAAECggEAR9n2+pFearYqnMK4b9Vkb7485gH1pqbJGdxON6bCs16F
-Dl6X1ZwcK2H6idiuHRZamuO5//gVgOQN4fa41FAdSUbagowBR8S+C+kmlWA/h8/1
-eA4wuMzdQkH4sPMIie5Auxk72OJM6ZQ8+huuBQiW0/GICgxzowhCgUo18LwHvfwt
-XWLHplRFczgM4WEu+HVx1W9y/irOhEUEzwNfXdDTVE4bnwzb24qR0CRIdp3gc8Os
-JoUFMgbV3qfJLmzqURLIlVc3Y9FFbWrr5zhzTx2vvoT1j83e56qKHbKanr2R6NQZ
-UOsCgDvzrc9WqKE9/hwvxvPlx/L3UWuhPMpljZ8gBQKBgQDX4Qo27l8KPk9fXA18
-SrRcAAGN+moc+Y0T9WbcbXCJLLU6TO3eJqW9H3Kwb80O/zycUBFK/dIOwZZYgsuQ
-oXFG4ykSXFY/JGTEBIkvQ7LI/7t5mn0xlw3tqB7xuMO5QEyZMQFi0xP5h1B5coiO
-Wv9T1xit4FHX2EN/CJLwlzzl1wKBgQDVrdvGi+j/1pGaEST1yhvrDduHrlMsF4BI
-X8VaNXNXg9+GxsAA6+pRPRoHvmmz/RUr/km+JxWLHEZpFDOhIzJV4JYXv/q7KDH+
-Mjf7uyRshBnR+QU38RqkENIJhEZJSa8ZYmkgU9yCDozkfVzYKdxUy6Z0+o2Omzls
-cpZP1PFE7wKBgQCGXZx0+kMPZh8TFIGURg8iYCKXkzBu3miP7qNaOYfc6YXXRsCb
-D+UC5MsGxF+WoQjBphhNW9RduOJyLt6zI7kUzRjoQ66u2GEbnFMipvlln765fo3D
-yugxbv3rp/uylzHV+6mIMCbzneRZ4w7ZxAu9zFihCMkIFqRUMir7MrcFuwKBgFbK
-88ZF9jJU+XdXF2gu3AAx9MW77VSvhw/ets7ZfyxBCH46JKs7KEYvR291zIGrfvoL
-o/B09681oPP1nLMLFNsFCnJDLJjwzr2tsEez0CuzzLkZKSF78ZJKssXi0JncMB9j
-dcgHyD2bo2b79MZo2nIm9kn1q6INMtn2AVAT8pxJAoGAZfysuUMc0bdKVi41SD0A
-Ej7qX+qbXX+aA4OkTqJP3QxssD6CuZZwUKW7qj8AoOcLKsmwdjetetny46OMEXzN
-5Fk3ahCD1cycFGBawNY10x5Xy+4iApzPiO1Ujd3t7FAIrLPWFwzmLIL8pxUNuHEn
-OC9RrI4tzsvWHhMaLKVCh0g=
-----END PRIVATE KEY-----
--- a/software/erp5testnode/testsuite/caddy-frontend/buildout.hash.cfg
+++ b/software/erp5testnode/testsuite/caddy-frontend/buildout.hash.cfg
@@ -15,4 +15,4 @@
 [template]
 filename = instance.cfg
-md5sum = a345d46655c3e841c2ecf4e3a0446c8f
+md5sum = 059d2bcc2fc4de30afb877a8d4919500
--- a/software/erp5testnode/testsuite/caddy-frontend/instance.cfg
+++ b/software/erp5testnode/testsuite/caddy-frontend/instance.cfg
@@ -37,7 +37,7 @@ command-line =
 # XXX slapos.cookbook:wrapper does not allow extending env, so we add some default $PATH entries ( not sure they are needed )
 environment =
-  PATH=${curl:location}/bin/:${openssl:location}/bin/:/usr/bin/:/bin
+  PATH=${curl:location}/bin/:/usr/bin/:/bin
  LOCAL_IPV4=$${slap-configuration:ipv4-random}
  GLOBAL_IPV6=$${slap-configuration:ipv6-random}
  SLAPOS_TEST_WORKING_DIR=$${create-directory:working-dir}

--- a/software/erp5testnode/testsuite/caddy-frontend/software.cfg
+++ b/software/erp5testnode/testsuite/caddy-frontend/software.cfg
@@ -3,6 +3,7 @@
 extends =
  ../../../../component/git/buildout.cfg
  ../../../../component/curl/buildout.cfg
+  ../../../../component/python-cryptography/buildout.cfg
  ../../../../stack/slapos.cfg
  ./buildout.hash.cfg
@@ -30,6 +31,7 @@ recipe = zc.recipe.egg
 eggs =
  ${slapos.test.caddy-frontend-setup:egg}
  ${erp5.util-setup:egg}
+  ${python-cryptography:egg}
  slapos.core
 entry-points =
  runTestSuite=erp5.util.testsuite:runTestSuite