diff --git a/test/3-dual-rsa-ecdsa.bats b/test/3-dual-rsa-ecdsa.bats
index 486fa13..87527c2 100644
--- a/test/3-dual-rsa-ecdsa.bats
+++ b/test/3-dual-rsa-ecdsa.bats
@@ -15,7 +15,14 @@ setup() {
     if [ -n "$STAGING" ]; then
         skip "Using staging server, skipping internal test"
     fi
-    CONFIG_FILE="getssl-http01-dual-rsa-ecdsa.cfg"
+
+    check_nginx
+    if [ "$OLD_NGINX" = "false" ]; then
+        CONFIG_FILE="getssl-http01-dual-rsa-ecdsa.cfg"
+    else
+        CONFIG_FILE="getssl-http01-dual-rsa-ecdsa-old-nginx.cfg"
+    fi
+
     setup_environment
     init_getssl
     create_certificate
@@ -28,6 +35,22 @@ setup() {
 }
 
+@test "Check renewal test works for dual certificates using HTTP-01" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    check_nginx
+    run ${CODE_DIR}/getssl -d $GETSSL_HOST
+
+    if [ "$OLD_NGINX" = "false" ]; then
+        assert_line "certificate on server is same as the local cert"
+    else
+        assert_line --partial "certificate is valid for more than 30 days"
+    fi
+    assert_success
+}
+
+
 @test "Force renewal of dual certificates using HTTP-01" {
     if [ -n "$STAGING" ]; then
         skip "Using staging server, skipping internal test"
@@ -37,11 +60,19 @@ setup() {
     check_output_for_errors
 }
 
+
 @test "Create dual certificates using DNS-01 verification" {
     if [ -n "$STAGING" ]; then
         skip "Using staging server, skipping internal test"
     fi
-    CONFIG_FILE="getssl-dns01-dual-rsa-ecdsa.cfg"
+
+    check_nginx
+    if [ "$OLD_NGINX" = "false" ]; then
+        CONFIG_FILE="getssl-dns01-dual-rsa-ecdsa.cfg"
+    else
+        CONFIG_FILE="getssl-dns01-dual-rsa-ecdsa-old-nginx.cfg"
+    fi
+
     setup_environment
     init_getssl
     create_certificate
diff --git a/test/6-dual-rsa-ecdsa-copy-2-locations.bats b/test/6-dual-rsa-ecdsa-copy-2-locations.bats
index 394e8d6..a8e7653 100644
--- a/test/6-dual-rsa-ecdsa-copy-2-locations.bats
+++ b/test/6-dual-rsa-ecdsa-copy-2-locations.bats
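Review bot: The fallback in the first hunk is the weaker path: when `OLD_NGINX` is unset — helper not sourced, nginx missing from PATH, or the version probe failing — `[ "$OLD_NGINX" = "false" ]` selects the old-nginx config and the reduced assertions, so a broken probe silently downgrades the test instead of failing it. Select the fallback only on an explicit signal, `if [ "$OLD_NGINX" = "true" ]; then` with the two branches swapped, or make check_nginx fail the test when it cannot determine a version. The same seven-line selection block is repeated in the third hunk of this file and in the hunk of test/6-dual-rsa-ecdsa-copy-2-locations.bats; a helper in test_helper.bash that takes the base config name and appends `-old-nginx` when required would leave a single `CONFIG_FILE="$(...)"` line at each site. The enclosing @test starts before this hunk.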
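Review bot: On the old-nginx path the new renewal test asserts only the partial line `certificate is valid for more than 30 days`, so it passes without checking what the server actually serves; that relaxation is intentional given check_nginx's message, but nothing in the test says so and a reader may count it as coverage of the installed certificate. Add a comment above the `else`, e.g. `# nginx before 1.11.0 cannot serve both certificates, so only the local renewal decision is checked here`. The variables in `run ${CODE_DIR}/getssl -d $GETSSL_HOST` are unquoted; `run "${CODE_DIR}/getssl" -d "$GETSSL_HOST"` avoids word splitting should either value ever contain whitespace.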
@@ -25,7 +25,14 @@ teardown() {
     if [ -n "$STAGING" ]; then
         skip "Using staging server, skipping internal test"
     fi
-    CONFIG_FILE="getssl-http01-dual-rsa-ecdsa-2-locations.cfg"
+
+    check_nginx
+    if [ "$OLD_NGINX" = "false" ]; then
+        CONFIG_FILE="getssl-http01-dual-rsa-ecdsa-2-locations.cfg"
+    else
+        CONFIG_FILE="getssl-http01-dual-rsa-ecdsa-2-locations-old-nginx.cfg"
+    fi
+
     setup_environment
     mkdir -p /root/a.${GETSSL_HOST}
diff --git a/test/Dockerfile-centos6 b/test/Dockerfile-centos6
index 61c8b6b..5ffc91c 100644
--- a/test/Dockerfile-centos6
+++ b/test/Dockerfile-centos6
@@ -1,6 +1,9 @@
 FROM centos:centos6
 # Note this image uses gawk
+# Note if you are running this using WSL2 you need to put the following lines in %userprofile%\.wslconfig
+# [wsl2]
+# kernelCommandLine = vsyscall=emulate
 
 # Update and install required software
 RUN yum -y update
diff --git a/test/test-config/getssl-dns01-dual-rsa-ecdsa-old-nginx.cfg b/test/test-config/getssl-dns01-dual-rsa-ecdsa-old-nginx.cfg
new file mode 100644
index 0000000..062a47c
--- /dev/null
+++ b/test/test-config/getssl-dns01-dual-rsa-ecdsa-old-nginx.cfg
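Review bot: The new Dockerfile-centos6 comment instructs the reader to set `kernelCommandLine = vsyscall=emulate` without saying why or what it costs. `vsyscall=emulate` re-enables the legacy vsyscall page that hardened kernel builds disable (`vsyscall=none`), presumably because the centos6 userland still calls it; the setting applies to the whole WSL2 VM, not just this container. A sentence such as `# centos6's glibc still uses the legacy vsyscall page; this relaxes a kernel hardening setting for the whole WSL2 VM, so drop it when you are not running this image` would let a developer make that trade-off knowingly. The reason is inferred from the base image and the setting's name, not from anything else in the hunk.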
@@ -0,0 +1,39 @@
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+#
+CA="https://pebble:14000/dir"
+
+VALIDATE_VIA_DNS=true
+DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
+DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
+PUBLIC_DNS_SERVER=10.30.50.3
+DNS_EXTRA_WAIT=""
+
+DUAL_RSA_ECDSA="true"
+ACCOUNT_KEY_TYPE="prime256v1"
+PRIVATE_KEY_ALG="prime256v1"
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS=""
+
+# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
+ACL=('/var/www/html/.well-known/acme-challenge')
+
+#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
+USE_SINGLE_ACL="false"
+
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.ec.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.ec.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="false"
diff --git a/test/test-config/getssl-http01-dual-rsa-ecdsa-2-locations-old-nginx.cfg b/test/test-config/getssl-http01-dual-rsa-ecdsa-2-locations-old-nginx.cfg
new file mode 100644
index 0000000..50c3970
--- /dev/null
+++ b/test/test-config/getssl-http01-dual-rsa-ecdsa-2-locations-old-nginx.cfg
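Review bot: The header of this new config is the generic template text (`Uncomment and modify any variables you need` plus the two wiki links) and says nothing about what makes it a separate test config: it exists for nginx older than 1.11.0, installs only the ECDSA pair (`server.ec.crt` / `server.ec.key`) while `RELOAD_CMD` loads `nginx-ubuntu-ssl` (going by its name, the single-certificate server config), and sets `CHECK_REMOTE="false"` so the served certificate is never compared with the local one. Replace the header with a comment stating that, otherwise someone later 'fixes' `CHECK_REMOTE` and wonders why the DNS-01 dual-cert test fails on the old-nginx image. The same header is carried by getssl-http01-dual-rsa-ecdsa-old-nginx.cfg, which needs the same treatment. `ACL=` and `USE_SINGLE_ACL=` look like leftovers from the HTTP-01 template and are presumably unused with `VALIDATE_VIA_DNS=true`; dropping or commenting them keeps the file honest about what it exercises.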
@@ -0,0 +1,32 @@
+# Test that more than one location can be specified for CERT and KEY locations and that the
+# files are copied to both locations when both RSA and ECDSA certificates are created
+#
+CA="https://pebble:14000/dir"
+
+DUAL_RSA_ECDSA="true"
+ACCOUNT_KEY_TYPE="prime256v1"
+PRIVATE_KEY_ALG="prime256v1"
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS="a.${GETSSL_HOST}"
+
+# Acme Challenge Location.
+ACL=('/var/www/html/.well-known/acme-challenge')
+
+#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
+USE_SINGLE_ACL="true"
+
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key;/root/a.${GETSSL_HOST}/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="/etc/nginx/pki/domain-chain.crt;/root/a.${GETSSL_HOST}/domain-chain.crt" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="false"
diff --git a/test/test-config/getssl-http01-dual-rsa-ecdsa-2-locations.cfg b/test/test-config/getssl-http01-dual-rsa-ecdsa-2-locations.cfg
index 80533ce..96e4d4d 100644
--- a/test/test-config/getssl-http01-dual-rsa-ecdsa-2-locations.cfg
+++ b/test/test-config/getssl-http01-dual-rsa-ecdsa-2-locations.cfg
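Review bot: The header promises that `more than one location can be specified for CERT and KEY locations`, but in the file only `DOMAIN_KEY_LOCATION` and `DOMAIN_CHAIN_LOCATION` list two paths; `DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"` has one, so the multi-location copy of the certificate file itself is not exercised by this config. Either add a second path following the pattern already used for the key, `DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt;/root/a.${GETSSL_HOST}/server.crt"`, and have the bats test assert on it, or reword the header to name KEY and CHAIN. If the single path is deliberate because the old-nginx server config reads only that file, a one-line comment saying so would stop the next reader from 'correcting' it.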
@@ -25,7 +25,7 @@ DOMAIN_CHAIN_LOCATION="/etc/nginx/pki/domain-chain.crt;/root/a.${GETSSL_HOST}/do
 DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
 
 # The command needed to reload apache / nginx or whatever you use
-RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-dual-certs ${NGINX_CONFIG} && /getssl/test/restart-nginx"
 
 # Define the server type and confirm correct certificate is installed
 SERVER_TYPE="https"
diff --git a/test/test-config/getssl-http01-dual-rsa-ecdsa-old-nginx.cfg b/test/test-config/getssl-http01-dual-rsa-ecdsa-old-nginx.cfg
new file mode 100644
index 0000000..41581ae
--- /dev/null
+++ b/test/test-config/getssl-http01-dual-rsa-ecdsa-old-nginx.cfg
@@ -0,0 +1,33 @@
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+#
+CA="https://pebble:14000/dir"
+
+DUAL_RSA_ECDSA="true"
+ACCOUNT_KEY_TYPE="prime256v1"
+PRIVATE_KEY_ALG="prime256v1"
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS=""
+
+# Acme Challenge Location.
+ACL=('/var/www/html/.well-known/acme-challenge')
+
+#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
+USE_SINGLE_ACL="false"
+
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.ec.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.ec.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed
+SERVER_TYPE="https"
+CHECK_REMOTE="false"
diff --git a/test/test-config/nginx-ubuntu-dual-certs b/test/test-config/nginx-ubuntu-dual-certs
index 6346cde..ce1fbbf 100644
--- a/test/test-config/nginx-ubuntu-dual-certs
+++ b/test/test-config/nginx-ubuntu-dual-certs
@@ -42,6 +42,8 @@ server {
     # Add index.php to the list if you are using PHP
     index index.html index.htm index.nginx-debian.html;
 
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
     server_name _;
     ssl_certificate /etc/nginx/pki/server.crt;
     ssl_certificate_key /etc/nginx/pki/private/server.key;
diff --git a/test/test_helper.bash b/test/test_helper.bash
index 1e65189..fafad5c 100644
--- a/test/test_helper.bash
+++ b/test/test_helper.bash
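Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in nginx-ubuntu-dual-certs explicitly turns on TLS 1.0 and 1.1, both deprecated by RFC 8996, and the hunk gives no reason; presumably a client in one of the older test images cannot negotiate TLS 1.2, but a reader of the server config cannot tell that from a copy-paste of an example. Add a comment above the directive naming the client that needs it, e.g. `# TLS 1.0/1.1 enabled only so the older test-image client can connect; test config, never copy to production`, and keep the list identical to whatever the other test server configs set so the dual-cert and single-cert paths differ only in their certificate lines. The directive also sits between `index` and `server_name`, away from the other `ssl_*` directives; grouping it next to `ssl_certificate` reads better. The server block starts and ends outside the hunk.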
@@ -8,6 +8,20 @@ check_certificates()
     assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt" ]
 }
 
+# Only nginx > 1.11.0 support dual certificates in a single configuration file
+# https://unix.stackexchange.com/questions/285924/how-to-compare-a-programs-version-in-a-shell-script
+check_nginx() {
+    requiredver="1.11.0"
+    currentver="$(nginx -v)"
+    if [ "$(printf '%s\n' "$requiredver" "$currentver" | sort -V | head -n1)" = "$requiredver" ]; then
+        export OLD_NGINX="false"
+    else
+        echo "INFO: Running nginx version $currentver which doesn't support dual certificates" >&3
+        echo "INFO: not checking that certificate is installed correctly" >&3
+        export OLD_NGINX="true"
+    fi
+}
+
 check_output_for_errors() {
     refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
     # less strict tests if running with debug output
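Review bot: `currentver="$(nginx -v)"` captures nothing useful: nginx writes its version banner to stderr, so with only stdout captured `currentver` is empty, `sort -V` places the empty line first, the comparison with `$requiredver` fails and `OLD_NGINX` is always `true` — every caller then takes the reduced-assertion path whatever nginx is installed. Even with stderr captured the string would be `nginx version: nginx/1.x.y`, which `sort -V` orders after `1.11.0` regardless of the number, flipping the result to always `false`. Extract the number before comparing: `currentver="$(nginx -v 2>&1 | grep -oE '[0-9]+(\.[0-9]+)+' | head -n1)"`, and have the function fail the test when that comes back empty rather than falling through to the lenient branch. The header comment should say `>=` rather than `>` given that 1.11.0 is the threshold the code itself accepts, and `requiredver`/`currentver` should be declared `local` so they do not leak into the test's environment.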