Support space delimited SANS

getssl

@@ -231,11 +231,14 @@
 # 2020-05-06 Fix missing fullchain.ec.crt when creating dual certificates (2.27)
 # 2020-05-14 Add --notify-valid option (exit 2 if certificate is valid)
 # 2020-05-23 Fix --revoke (didn't work with ACMEv02) (2.28)
+# 2020-06-06 Fix missing URL_revoke definition when no CA directory suffix (#566)
+# 2020-06-18 Fix CHECK_REMOTE for DUAL_RSA_ECDSA (#570)
+# 2020-07-14 Support space separated SANS (#574) (2.29)
 # ----------------------------------------------------------------------------------------
 
 PROGNAME=${0##*/}
 PROGDIR="$(cd "$(dirname "$0")" || exit; pwd -P;)"
-VERSION="2.28"
+VERSION="2.29"
 
 # defaults
 ACCOUNT_KEY_LENGTH=4096
@@ -497,7 +500,7 @@ check_config() { # check the config files for all obvious errors
 
   # get all domains
   if [[ "$IGNORE_DIRECTORY_DOMAIN" == "true" ]]; then
-    alldomains=${SANS//,/ }
+    alldomains=${SANS//[, ]/ }
   else
     alldomains=$(echo "$DOMAIN,$SANS" | sed "s/,/ /g")
   fi
@@ -784,7 +787,7 @@ create_csr() { # create a csr using a given key (if it doesn't already exist)
     if [[ "$IGNORE_DIRECTORY_DOMAIN" == "true" ]]; then
       alldomains=$(echo "$SANS" | sed -e 's/ //g; s/,$//; y/,/\n/' | sort -u)
     else
-      alldomains=$(echo "$DOMAIN,$SANS" | sed -e 's/ //g; s/,$//; y/,/\n/' | sort -u)
+      alldomains=$(echo "$DOMAIN,$SANS" | sed -e 's/,/ /g; s/ $//; y/ /\n/' | sort -u)
     fi
     domains_in_csr=$(openssl req -text -noout -in "$csr_file" \
         | sed -n -e 's/^ *Subject: .* CN=\([A-Za-z0-9.-]*\).*$/\1/p; /^ *DNS:.../ { s/ *DNS://g; y/,/\n/; p; }' \
@@ -2695,9 +2698,9 @@ fi
 if [[ -z "$SANS" ]]; then
   SANLIST="subjectAltName=DNS:${DOMAIN}"
 elif [[ "$IGNORE_DIRECTORY_DOMAIN" == "true" ]]; then
-  SANLIST="subjectAltName=DNS:${SANS//,/,DNS:}"
+  SANLIST="subjectAltName=DNS:${SANS//[, ]/,DNS:}"
 else
-  SANLIST="subjectAltName=DNS:${DOMAIN},DNS:${SANS//,/,DNS:}"
+  SANLIST="subjectAltName=DNS:${DOMAIN},DNS:${SANS//[, ]/,DNS:}"
 fi
 debug "created SAN list = $SANLIST"
 
@@ -2757,7 +2760,7 @@ info "Verify each domain"
 
 # loop through domains for cert ( from SANS list)
 if [[ "$IGNORE_DIRECTORY_DOMAIN" == "true" ]]; then
-  alldomains=${SANS//,/ }
+  alldomains=${SANS//[, ]/ }
 else
   alldomains=$(echo "$DOMAIN,$SANS" | sed "s/,/ /g")
 fi

test/15-test-revoke-no-suffix.bats

@@ -11,7 +11,7 @@ setup() {
 }
 
 
-@test "Create certificate to check revoke" {
+@test "Create certificate to check revoke (no suffix)" {
     if [ -n "$STAGING" ]; then
         CONFIG_FILE="getssl-staging-dns01-no-suffix.cfg"
     else
@@ -26,7 +26,7 @@ setup() {
 }
 
 
-@test "Check we can revoke a certificate" {
+@test "Check we can revoke a certificate (no suffix)" {
     if [ -n "$STAGING" ]; then
         CONFIG_FILE="getssl-staging-dns01.cfg"
     else

test/17-test-spaces-in-sans.bats

@@ -0,0 +1,75 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+}
+
+
+@test "Test behaviour if SANS line is space separated instead of comma separated" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-http01-spaces-sans.cfg"
+    setup_environment
+
+    # Add hosts to DNS (also need to be added as aliases in docker-compose.yml)
+    for prefix in a b c; do
+        curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+    done
+
+    init_getssl
+    create_certificate
+    assert_success
+    check_output_for_errors
+}
+
+
+@test "Test renewal if SANS line is space separated instead of comma separated" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    run ${CODE_DIR}/getssl -f $GETSSL_HOST
+    assert_success
+    check_output_for_errors
+    cleanup_environment
+}
+
+
+@test "Test behaviour if SANS line is space separated and IGNORE_DIRECTORY_DOMAIN" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-http01-spaces-sans-and-ignore-dir-domain.cfg"
+    setup_environment
+
+    # Add hosts to DNS (also need to be added as aliases in docker-compose.yml)
+    for prefix in a b c; do
+        curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+    done
+
+    init_getssl
+    create_certificate
+    assert_success
+    check_output_for_errors
+}
+
+
+@test "Test renewal if SANS line is space separated and IGNORE_DIRECTORY_DOMAIN" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    run ${CODE_DIR}/getssl -f $GETSSL_HOST
+    assert_success
+    check_output_for_errors
+    cleanup_environment
+
+    for prefix in a b c; do
+        curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'"}' http://10.30.50.3:8055/clear-a
+    done
+}

test/test-config/getssl-http01-spaces-sans-and-ignore-dir-domain.cfg

@@ -0,0 +1,29 @@
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+
+CA="https://pebble:14000/dir"
+
+# Ignore directory domain (i.e. the domain passed on the command line), and just use the domains in the SANS list
+IGNORE_DIRECTORY_DOMAIN="true"
+SANS="a.${GETSSL_HOST} b.${GETSSL_HOST} c.${GETSSL_HOST}"
+
+# Acme Challenge Location.
+ACL=('/var/www/html/.well-known/acme-challenge')
+
+# Use a single ACL for all checks
+USE_SINGLE_ACL="true"
+
+# Location for all your certs, these can either be on the server (full path name)
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="true"

test/test-config/getssl-http01-spaces-sans.cfg

@@ -0,0 +1,28 @@
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+
+CA="https://pebble:14000/dir"
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS="a.${GETSSL_HOST} b.${GETSSL_HOST} c.${GETSSL_HOST}"
+
+# Acme Challenge Location.
+ACL=('/var/www/html/.well-known/acme-challenge')
+
+# Use a single ACL for all checks
+USE_SINGLE_ACL="true"
+
+# Location for all your certs, these can either be on the server (full path name)
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="true"