RuhNetConsulting
/
getssl
mirror of https://github.com/srvrco/getssl
1
0
Fork 0
Code Issues 0 Projects 0 Releases 51 Wiki Activity
Browse Source

Support space delimited SANS

pull/575/head
Tim Kimber 5 years ago
parent
31958a27f3
commit
13f3a8b8de
No known key found for this signature in database GPG Key ID: 3E1804964E76BD18
5 changed files with 143 additions and 8 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +9
    -6
      getssl
  2. +2
    -2
      test/15-test-revoke-no-suffix.bats
  3. +75
    -0
      test/17-test-spaces-in-sans.bats
  4. +29
    -0
      test/test-config/getssl-http01-spaces-sans-and-ignore-dir-domain.cfg
  5. +28
    -0
      test/test-config/getssl-http01-spaces-sans.cfg

+ 9
- 6
getssl View File

@ -231,11 +231,14 @@
# 2020-05-06 Fix missing fullchain.ec.crt when creating dual certificates (2.27) # 2020-05-06 Fix missing fullchain.ec.crt when creating dual certificates (2.27)
# 2020-05-14 Add --notify-valid option (exit 2 if certificate is valid) # 2020-05-14 Add --notify-valid option (exit 2 if certificate is valid)
# 2020-05-23 Fix --revoke (didn't work with ACMEv02) (2.28) # 2020-05-23 Fix --revoke (didn't work with ACMEv02) (2.28)
# 2020-06-06 Fix missing URL_revoke definition when no CA directory suffix (#566)
# 2020-06-18 Fix CHECK_REMOTE for DUAL_RSA_ECDSA (#570)
# 2020-07-14 Support space separated SANS (#574) (2.29)
# ---------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------
PROGNAME=${0##*/} PROGNAME=${0##*/}
PROGDIR="$(cd "$(dirname "$0")" || exit; pwd -P;)" PROGDIR="$(cd "$(dirname "$0")" || exit; pwd -P;)"
VERSION="2.28"
VERSION="2.29"
# defaults # defaults
ACCOUNT_KEY_LENGTH=4096 ACCOUNT_KEY_LENGTH=4096
@ -497,7 +500,7 @@ check_config() { # check the config files for all obvious errors
# get all domains # get all domains
if [[ "$IGNORE_DIRECTORY_DOMAIN" == "true" ]]; then if [[ "$IGNORE_DIRECTORY_DOMAIN" == "true" ]]; then
alldomains=${SANS//,/ }
alldomains=${SANS//[, ]/ }
else else
alldomains=$(echo "$DOMAIN,$SANS" | sed "s/,/ /g") alldomains=$(echo "$DOMAIN,$SANS" | sed "s/,/ /g")
fi fi
@ -784,7 +787,7 @@ create_csr() { # create a csr using a given key (if it doesn't already exist)
if [[ "$IGNORE_DIRECTORY_DOMAIN" == "true" ]]; then if [[ "$IGNORE_DIRECTORY_DOMAIN" == "true" ]]; then
alldomains=$(echo "$SANS" | sed -e 's/ //g; s/,$//; y/,/\n/' | sort -u) alldomains=$(echo "$SANS" | sed -e 's/ //g; s/,$//; y/,/\n/' | sort -u)
else else
alldomains=$(echo "$DOMAIN,$SANS" | sed -e 's/ //g; s/,$//; y/,/\n/' | sort -u)
alldomains=$(echo "$DOMAIN,$SANS" | sed -e 's/,/ /g; s/ $//; y/ /\n/' | sort -u)
fi fi
domains_in_csr=$(openssl req -text -noout -in "$csr_file" \ domains_in_csr=$(openssl req -text -noout -in "$csr_file" \
| sed -n -e 's/^ *Subject: .* CN=\([A-Za-z0-9.-]*\).*$/\1/p; /^ *DNS:.../ { s/ *DNS://g; y/,/\n/; p; }' \ | sed -n -e 's/^ *Subject: .* CN=\([A-Za-z0-9.-]*\).*$/\1/p; /^ *DNS:.../ { s/ *DNS://g; y/,/\n/; p; }' \
@ -2695,9 +2698,9 @@ fi
if [[ -z "$SANS" ]]; then if [[ -z "$SANS" ]]; then
SANLIST="subjectAltName=DNS:${DOMAIN}" SANLIST="subjectAltName=DNS:${DOMAIN}"
elif [[ "$IGNORE_DIRECTORY_DOMAIN" == "true" ]]; then elif [[ "$IGNORE_DIRECTORY_DOMAIN" == "true" ]]; then
SANLIST="subjectAltName=DNS:${SANS//,/,DNS:}"
SANLIST="subjectAltName=DNS:${SANS//[, ]/,DNS:}"
else else
SANLIST="subjectAltName=DNS:${DOMAIN},DNS:${SANS//,/,DNS:}"
SANLIST="subjectAltName=DNS:${DOMAIN},DNS:${SANS//[, ]/,DNS:}"
fi fi
debug "created SAN list = $SANLIST" debug "created SAN list = $SANLIST"
@ -2757,7 +2760,7 @@ info "Verify each domain"
# loop through domains for cert ( from SANS list) # loop through domains for cert ( from SANS list)
if [[ "$IGNORE_DIRECTORY_DOMAIN" == "true" ]]; then if [[ "$IGNORE_DIRECTORY_DOMAIN" == "true" ]]; then
alldomains=${SANS//,/ }
alldomains=${SANS//[, ]/ }
else else
alldomains=$(echo "$DOMAIN,$SANS" | sed "s/,/ /g") alldomains=$(echo "$DOMAIN,$SANS" | sed "s/,/ /g")
fi fi


+ 2
- 2
test/15-test-revoke-no-suffix.bats View File

@ -11,7 +11,7 @@ setup() {
} }
@test "Create certificate to check revoke" {
@test "Create certificate to check revoke (no suffix)" {
if [ -n "$STAGING" ]; then if [ -n "$STAGING" ]; then
CONFIG_FILE="getssl-staging-dns01-no-suffix.cfg" CONFIG_FILE="getssl-staging-dns01-no-suffix.cfg"
else else
@ -26,7 +26,7 @@ setup() {
} }
@test "Check we can revoke a certificate" {
@test "Check we can revoke a certificate (no suffix)" {
if [ -n "$STAGING" ]; then if [ -n "$STAGING" ]; then
CONFIG_FILE="getssl-staging-dns01.cfg" CONFIG_FILE="getssl-staging-dns01.cfg"
else else


+ 75
- 0
test/17-test-spaces-in-sans.bats View File

@ -0,0 +1,75 @@
#! /usr/bin/env bats
load '/bats-support/load.bash'
load '/bats-assert/load.bash'
load '/getssl/test/test_helper.bash'
# This is run for every test
setup() {
export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
}
@test "Test behaviour if SANS line is space separated instead of comma separated" {
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
CONFIG_FILE="getssl-http01-spaces-sans.cfg"
setup_environment
# Add hosts to DNS (also need to be added as aliases in docker-compose.yml)
for prefix in a b c; do
curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
done
init_getssl
create_certificate
assert_success
check_output_for_errors
}
@test "Test renewal if SANS line is space separated instead of comma separated" {
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
run ${CODE_DIR}/getssl -f $GETSSL_HOST
assert_success
check_output_for_errors
cleanup_environment
}
@test "Test behaviour if SANS line is space separated and IGNORE_DIRECTORY_DOMAIN" {
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
CONFIG_FILE="getssl-http01-spaces-sans-and-ignore-dir-domain.cfg"
setup_environment
# Add hosts to DNS (also need to be added as aliases in docker-compose.yml)
for prefix in a b c; do
curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
done
init_getssl
create_certificate
assert_success
check_output_for_errors
}
@test "Test renewal if SANS line is space separated and IGNORE_DIRECTORY_DOMAIN" {
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
run ${CODE_DIR}/getssl -f $GETSSL_HOST
assert_success
check_output_for_errors
cleanup_environment
for prefix in a b c; do
curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'"}' http://10.30.50.3:8055/clear-a
done
}

+ 29
- 0
test/test-config/getssl-http01-spaces-sans-and-ignore-dir-domain.cfg View File

@ -0,0 +1,29 @@
# Uncomment and modify any variables you need
# see https://github.com/srvrco/getssl/wiki/Config-variables for details
# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
CA="https://pebble:14000/dir"
# Ignore directory domain (i.e. the domain passed on the command line), and just use the domains in the SANS list
IGNORE_DIRECTORY_DOMAIN="true"
SANS="a.${GETSSL_HOST} b.${GETSSL_HOST} c.${GETSSL_HOST}"
# Acme Challenge Location.
ACL=('/var/www/html/.well-known/acme-challenge')
# Use a single ACL for all checks
USE_SINGLE_ACL="true"
# Location for all your certs, these can either be on the server (full path name)
DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
# The command needed to reload apache / nginx or whatever you use
RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
# Define the server type and confirm correct certificate is installed
SERVER_TYPE="https"
CHECK_REMOTE="true"

+ 28
- 0
test/test-config/getssl-http01-spaces-sans.cfg View File

@ -0,0 +1,28 @@
# Uncomment and modify any variables you need
# see https://github.com/srvrco/getssl/wiki/Config-variables for details
# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
CA="https://pebble:14000/dir"
# Additional domains - this could be multiple domains / subdomains in a comma separated list
SANS="a.${GETSSL_HOST} b.${GETSSL_HOST} c.${GETSSL_HOST}"
# Acme Challenge Location.
ACL=('/var/www/html/.well-known/acme-challenge')
# Use a single ACL for all checks
USE_SINGLE_ACL="true"
# Location for all your certs, these can either be on the server (full path name)
DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
# The command needed to reload apache / nginx or whatever you use
RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
# Define the server type and confirm correct certificate is installed
SERVER_TYPE="https"
CHECK_REMOTE="true"

Write Preview
Loading…
Cancel
Save