diff --git a/getssl b/getssl index 4a1a43c..a5e72cf 100755 --- a/getssl +++ b/getssl @@ -231,11 +231,14 @@ # 2020-05-06 Fix missing fullchain.ec.crt when creating dual certificates (2.27) # 2020-05-14 Add --notify-valid option (exit 2 if certificate is valid) # 2020-05-23 Fix --revoke (didn't work with ACMEv02) (2.28) +# 2020-06-06 Fix missing URL_revoke definition when no CA directory suffix (#566) +# 2020-06-18 Fix CHECK_REMOTE for DUAL_RSA_ECDSA (#570) +# 2020-07-14 Support space separated SANS (#574) (2.29) # ---------------------------------------------------------------------------------------- PROGNAME=${0##*/} PROGDIR="$(cd "$(dirname "$0")" || exit; pwd -P;)" -VERSION="2.28" +VERSION="2.29" # defaults ACCOUNT_KEY_LENGTH=4096 @@ -497,7 +500,7 @@ check_config() { # check the config files for all obvious errors # get all domains if [[ "$IGNORE_DIRECTORY_DOMAIN" == "true" ]]; then - alldomains=${SANS//,/ } + alldomains=${SANS//[, ]/ } else alldomains=$(echo "$DOMAIN,$SANS" | sed "s/,/ /g") fi @@ -784,7 +787,7 @@ create_csr() { # create a csr using a given key (if it doesn't already exist) if [[ "$IGNORE_DIRECTORY_DOMAIN" == "true" ]]; then alldomains=$(echo "$SANS" | sed -e 's/ //g; s/,$//; y/,/\n/' | sort -u) else - alldomains=$(echo "$DOMAIN,$SANS" | sed -e 's/ //g; s/,$//; y/,/\n/' | sort -u) + alldomains=$(echo "$DOMAIN,$SANS" | sed -e 's/,/ /g; s/ $//; y/ /\n/' | sort -u) fi domains_in_csr=$(openssl req -text -noout -in "$csr_file" \ | sed -n -e 's/^ *Subject: .* CN=\([A-Za-z0-9.-]*\).*$/\1/p; /^ *DNS:.../ { s/ *DNS://g; y/,/\n/; p; }' \ @@ -2695,9 +2698,9 @@ fi if [[ -z "$SANS" ]]; then SANLIST="subjectAltName=DNS:${DOMAIN}" elif [[ "$IGNORE_DIRECTORY_DOMAIN" == "true" ]]; then - SANLIST="subjectAltName=DNS:${SANS//,/,DNS:}" + SANLIST="subjectAltName=DNS:${SANS//[, ]/,DNS:}" else - SANLIST="subjectAltName=DNS:${DOMAIN},DNS:${SANS//,/,DNS:}" + SANLIST="subjectAltName=DNS:${DOMAIN},DNS:${SANS//[, ]/,DNS:}" fi debug "created SAN list = $SANLIST" @@ -2757,7 +2760,7 @@ info "Verify each domain" # loop through domains for cert ( from SANS list) if [[ "$IGNORE_DIRECTORY_DOMAIN" == "true" ]]; then - alldomains=${SANS//,/ } + alldomains=${SANS//[, ]/ } else alldomains=$(echo "$DOMAIN,$SANS" | sed "s/,/ /g") fi diff --git a/test/15-test-revoke-no-suffix.bats b/test/15-test-revoke-no-suffix.bats index ce97ddd..7b19c5a 100644 --- a/test/15-test-revoke-no-suffix.bats +++ b/test/15-test-revoke-no-suffix.bats @@ -11,7 +11,7 @@ setup() { } -@test "Create certificate to check revoke" { +@test "Create certificate to check revoke (no suffix)" { if [ -n "$STAGING" ]; then CONFIG_FILE="getssl-staging-dns01-no-suffix.cfg" else @@ -26,7 +26,7 @@ setup() { } -@test "Check we can revoke a certificate" { +@test "Check we can revoke a certificate (no suffix)" { if [ -n "$STAGING" ]; then CONFIG_FILE="getssl-staging-dns01.cfg" else diff --git a/test/17-test-spaces-in-sans.bats b/test/17-test-spaces-in-sans.bats new file mode 100644 index 0000000..01e7090 --- /dev/null +++ b/test/17-test-spaces-in-sans.bats @@ -0,0 +1,75 @@ +#! /usr/bin/env bats + +load '/bats-support/load.bash' +load '/bats-assert/load.bash' +load '/getssl/test/test_helper.bash' + + +# This is run for every test +setup() { + export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt +} + + +@test "Test behaviour if SANS line is space separated instead of comma separated" { + if [ -n "$STAGING" ]; then + skip "Using staging server, skipping internal test" + fi + CONFIG_FILE="getssl-http01-spaces-sans.cfg" + setup_environment + + # Add hosts to DNS (also need to be added as aliases in docker-compose.yml) + for prefix in a b c; do + curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a + done + + init_getssl + create_certificate + assert_success + check_output_for_errors +} + + +@test "Test renewal if SANS line is space separated instead of comma separated" { + if [ -n "$STAGING" ]; then + skip "Using staging server, skipping internal test" + fi + run ${CODE_DIR}/getssl -f $GETSSL_HOST + assert_success + check_output_for_errors + cleanup_environment +} + + +@test "Test behaviour if SANS line is space separated and IGNORE_DIRECTORY_DOMAIN" { + if [ -n "$STAGING" ]; then + skip "Using staging server, skipping internal test" + fi + CONFIG_FILE="getssl-http01-spaces-sans-and-ignore-dir-domain.cfg" + setup_environment + + # Add hosts to DNS (also need to be added as aliases in docker-compose.yml) + for prefix in a b c; do + curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a + done + + init_getssl + create_certificate + assert_success + check_output_for_errors +} + + +@test "Test renewal if SANS line is space separated and IGNORE_DIRECTORY_DOMAIN" { + if [ -n "$STAGING" ]; then + skip "Using staging server, skipping internal test" + fi + run ${CODE_DIR}/getssl -f $GETSSL_HOST + assert_success + check_output_for_errors + cleanup_environment + + for prefix in a b c; do + curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'"}' http://10.30.50.3:8055/clear-a + done +} diff --git a/test/test-config/getssl-http01-spaces-sans-and-ignore-dir-domain.cfg b/test/test-config/getssl-http01-spaces-sans-and-ignore-dir-domain.cfg new file mode 100644 index 0000000..1b3cdca --- /dev/null +++ b/test/test-config/getssl-http01-spaces-sans-and-ignore-dir-domain.cfg @@ -0,0 +1,29 @@ +# Uncomment and modify any variables you need +# see https://github.com/srvrco/getssl/wiki/Config-variables for details +# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs + +CA="https://pebble:14000/dir" + +# Ignore directory domain (i.e. the domain passed on the command line), and just use the domains in the SANS list +IGNORE_DIRECTORY_DOMAIN="true" +SANS="a.${GETSSL_HOST} b.${GETSSL_HOST} c.${GETSSL_HOST}" + +# Acme Challenge Location. +ACL=('/var/www/html/.well-known/acme-challenge') + +# Use a single ACL for all checks +USE_SINGLE_ACL="true" + +# Location for all your certs, these can either be on the server (full path name) +DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt" +DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key" +CA_CERT_LOCATION="/etc/nginx/pki/chain.crt" +DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert +DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert + +# The command needed to reload apache / nginx or whatever you use +RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx" + +# Define the server type and confirm correct certificate is installed +SERVER_TYPE="https" +CHECK_REMOTE="true" diff --git a/test/test-config/getssl-http01-spaces-sans.cfg b/test/test-config/getssl-http01-spaces-sans.cfg new file mode 100644 index 0000000..c93b4f7 --- /dev/null +++ b/test/test-config/getssl-http01-spaces-sans.cfg @@ -0,0 +1,28 @@ +# Uncomment and modify any variables you need +# see https://github.com/srvrco/getssl/wiki/Config-variables for details +# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs + +CA="https://pebble:14000/dir" + +# Additional domains - this could be multiple domains / subdomains in a comma separated list +SANS="a.${GETSSL_HOST} b.${GETSSL_HOST} c.${GETSSL_HOST}" + +# Acme Challenge Location. +ACL=('/var/www/html/.well-known/acme-challenge') + +# Use a single ACL for all checks +USE_SINGLE_ACL="true" + +# Location for all your certs, these can either be on the server (full path name) +DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt" +DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key" +CA_CERT_LOCATION="/etc/nginx/pki/chain.crt" +DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert +DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert + +# The command needed to reload apache / nginx or whatever you use +RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx" + +# Define the server type and confirm correct certificate is installed +SERVER_TYPE="https" +CHECK_REMOTE="true"