
Add/fix tests for CHECK_REMOTE and DUAL_RSA_ECDSA

pull/572/head
Tim Kimber 6 years ago
parent
commit
19369723ca
No known key found for this signature in database GPG Key ID: 3E1804964E76BD18
9 changed files with 165 additions and 4 deletions
  1. +33
    -2
      test/3-dual-rsa-ecdsa.bats
  2. +8
    -1
      test/6-dual-rsa-ecdsa-copy-2-locations.bats
  3. +3
    -0
      test/Dockerfile-centos6
  4. +39
    -0
      test/test-config/getssl-dns01-dual-rsa-ecdsa-old-nginx.cfg
  5. +32
    -0
      test/test-config/getssl-http01-dual-rsa-ecdsa-2-locations-old-nginx.cfg
  6. +1
    -1
      test/test-config/getssl-http01-dual-rsa-ecdsa-2-locations.cfg
  7. +33
    -0
      test/test-config/getssl-http01-dual-rsa-ecdsa-old-nginx.cfg
  8. +2
    -0
      test/test-config/nginx-ubuntu-dual-certs
  9. +14
    -0
      test/test_helper.bash

+ 33
- 2
test/3-dual-rsa-ecdsa.bats

@ -15,7 +15,14 @@ setup() {
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
CONFIG_FILE="getssl-http01-dual-rsa-ecdsa.cfg"
check_nginx
if [ "$OLD_NGINX" = "false" ]; then
CONFIG_FILE="getssl-http01-dual-rsa-ecdsa.cfg"
else
CONFIG_FILE="getssl-http01-dual-rsa-ecdsa-old-nginx.cfg"
fi
setup_environment
init_getssl
create_certificate
@ -28,6 +35,22 @@ setup() {
}
@test "Check renewal test works for dual certificates using HTTP-01" {
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
check_nginx
run ${CODE_DIR}/getssl -d $GETSSL_HOST
if [ "$OLD_NGINX" = "false" ]; then
assert_line "certificate on server is same as the local cert"
else
assert_line --partial "certificate is valid for more than 30 days"
fi
assert_success
}
@test "Force renewal of dual certificates using HTTP-01" {
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
@ -37,11 +60,19 @@ setup() {
check_output_for_errors
}
@test "Create dual certificates using DNS-01 verification" {
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
CONFIG_FILE="getssl-dns01-dual-rsa-ecdsa.cfg"
check_nginx
if [ "$OLD_NGINX" = "false" ]; then
CONFIG_FILE="getssl-dns01-dual-rsa-ecdsa.cfg"
else
CONFIG_FILE="getssl-dns01-dual-rsa-ecdsa-old-nginx.cfg"
fi
setup_environment
init_getssl
create_certificate
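Review bot: In the new renewal test the old-nginx branch accepts `assert_line --partial "certificate is valid for more than 30 days"`, which presumably reflects only the local certificate's expiry, so on those hosts nothing checks that the RSA and ECDSA certificates were actually installed. If the remote check cannot run there, the branch could at least call `check_certificates` from test_helper.bash (assuming it covers the dual-certificate files) before `assert_success`. The command line is also unquoted; `run "${CODE_DIR}/getssl" -d "$GETSSL_HOST"` avoids word splitting if either value ever contains whitespace. The body of the last test in this section continues outside the visible lines.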


+ 8
- 1
test/6-dual-rsa-ecdsa-copy-2-locations.bats

@ -25,7 +25,14 @@ teardown() {
if [ -n "$STAGING" ]; then
skip "Using staging server, skipping internal test"
fi
CONFIG_FILE="getssl-http01-dual-rsa-ecdsa-2-locations.cfg"
check_nginx
if [ "$OLD_NGINX" = "false" ]; then
CONFIG_FILE="getssl-http01-dual-rsa-ecdsa-2-locations.cfg"
else
CONFIG_FILE="getssl-http01-dual-rsa-ecdsa-2-locations-old-nginx.cfg"
fi
setup_environment
mkdir -p /root/a.${GETSSL_HOST}


+ 3
- 0
test/Dockerfile-centos6

@ -1,6 +1,9 @@
FROM centos:centos6
# Note this image uses gawk
# Note if you are running this using WSL2 you need to put the following lines in %userprofile%\.wslconfig
# [wsl2]
# kernelCommandLine = vsyscall=emulate
# Update and install required software
RUN yum -y update


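--- a/test/test-config/getssl-dns01-dual-rsa-ecdsa-old-nginx.cfg
+++ b/test/test-config/getssl-dns01-dual-rsa-ecdsa-old-nginx.cfg
@@ -0,0 +1,39 @@
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+#
+CA="https://pebble:14000/dir"
+VALIDATE_VIA_DNS=true
+DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
+DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
+PUBLIC_DNS_SERVER=10.30.50.3
+DNS_EXTRA_WAIT=""
+DUAL_RSA_ECDSA="true"
+ACCOUNT_KEY_TYPE="prime256v1"
+PRIVATE_KEY_ALG="prime256v1"
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS=""
+# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
+ACL=('/var/www/html/.well-known/acme-challenge')
+#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
+USE_SINGLE_ACL="false"
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.ec.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.ec.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="false"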
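Review bot: The comment `# Define the server type and confirm correct certificate is installed` sits directly above `CHECK_REMOTE="false"`, which appears to switch that confirmation off, and the file still opens with the stock template header, so nothing says why this variant exists. A short header such as `# Variant for nginx older than 1.11.0, which cannot serve RSA and ECDSA certificates from one config; the remote certificate check is disabled` would make that explicit. The same applies to getssl-http01-dual-rsa-ecdsa-2-locations-old-nginx.cfg and getssl-http01-dual-rsa-ecdsa-old-nginx.cfg. Keeping `CHECK_REMOTE="false"` confined to these old-nginx fixtures matters, because with it off a run can pass without the served certificate ever being compared with the issued one.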

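--- a/test/test-config/getssl-http01-dual-rsa-ecdsa-2-locations-old-nginx.cfg
+++ b/test/test-config/getssl-http01-dual-rsa-ecdsa-2-locations-old-nginx.cfg
@@ -0,0 +1,32 @@
+# Test that more than one location can be specified for CERT and KEY locations and that the
+# files are copied to both locations when both RSA and ECDSA certificates are created
+#
+CA="https://pebble:14000/dir"
+DUAL_RSA_ECDSA="true"
+ACCOUNT_KEY_TYPE="prime256v1"
+PRIVATE_KEY_ALG="prime256v1"
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS="a.${GETSSL_HOST}"
+# Acme Challenge Location.
+ACL=('/var/www/html/.well-known/acme-challenge')
+#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
+USE_SINGLE_ACL="true"
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key;/root/a.${GETSSL_HOST}/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="/etc/nginx/pki/domain-chain.crt;/root/a.${GETSSL_HOST}/domain-chain.crt" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="false"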

+ 1
- 1
test/test-config/getssl-http01-dual-rsa-ecdsa-2-locations.cfg

@ -25,7 +25,7 @@ DOMAIN_CHAIN_LOCATION="/etc/nginx/pki/domain-chain.crt;/root/a.${GETSSL_HOST}/do
DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
# The command needed to reload apache / nginx or whatever you use
RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-dual-certs ${NGINX_CONFIG} && /getssl/test/restart-nginx"
# Define the server type and confirm correct certificate is installed
SERVER_TYPE="https"


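--- a/test/test-config/getssl-http01-dual-rsa-ecdsa-old-nginx.cfg
+++ b/test/test-config/getssl-http01-dual-rsa-ecdsa-old-nginx.cfg
@@ -0,0 +1,33 @@
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+#
+CA="https://pebble:14000/dir"
+DUAL_RSA_ECDSA="true"
+ACCOUNT_KEY_TYPE="prime256v1"
+PRIVATE_KEY_ALG="prime256v1"
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS=""
+# Acme Challenge Location.
+ACL=('/var/www/html/.well-known/acme-challenge')
+#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
+USE_SINGLE_ACL="false"
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.ec.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.ec.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="false"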

+ 2
- 0
test/test-config/nginx-ubuntu-dual-certs

@ -42,6 +42,8 @@ server {
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
server_name _;
ssl_certificate /etc/nginx/pki/server.crt;
ssl_certificate_key /etc/nginx/pki/private/server.key;
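Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in this section enables TLS 1.0 and 1.1, both deprecated by RFC 8996; the rendering does not show whether that line is one of the two added here or existing context. If the old protocols are only there for the legacy test images, a comment such as `# test fixture only: TLS 1.0/1.1 kept for the old images in the test matrix` would stop the file being copied as a template. Otherwise `ssl_protocols TLSv1.2 TLSv1.3;` is the usual setting where the nginx and OpenSSL builds support it. The `server` block starts and ends outside the hunk.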


+ 14
- 0
test/test_helper.bash

@ -8,6 +8,20 @@ check_certificates()
assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt" ]
}
# Only nginx > 1.11.0 support dual certificates in a single configuration file
# https://unix.stackexchange.com/questions/285924/how-to-compare-a-programs-version-in-a-shell-script
check_nginx() {
requiredver="1.11.0"
currentver="$(nginx -v)"
if [ "$(printf '%s\n' "$requiredver" "$currentver" | sort -V | head -n1)" = "$requiredver" ]; then
export OLD_NGINX="false"
else
echo "INFO: Running nginx version $currentver which doesn't support dual certificates" >&3
echo "INFO: not checking that certificate is installed correctly" >&3
export OLD_NGINX="true"
fi
}
check_output_for_errors() {
refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
# less strict tests if running with debug output
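Review bot: `currentver="$(nginx -v)"` in check_nginx captures nothing usable, because nginx writes its version banner to stderr and the banner reads `nginx version: nginx/<version>` rather than a bare number. With an empty `currentver` the `sort -V | head -n1` result never equals `$requiredver`, so OLD_NGINX is always "true" and every dual-certificate test takes the relaxed path whose configs set `CHECK_REMOTE="false"`; the installed-certificate check would then never run on any image. Capturing and trimming the banner fixes it, e.g. `currentver="$(nginx -v 2>&1 | sed -n 's|.*nginx/\([0-9.]*\).*|\1|p')"`. The comment also says `> 1.11.0` while the comparison accepts 1.11.0 itself, and `requiredver`/`currentver` should be declared `local` so they do not leak into the tests. check_output_for_errors continues outside the visible lines.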

