
Merge pull request #590 from srvrco/multiple-ns

Fixes for get_auth_dns
pull/592/head
Tim Kimber 5 years ago
committed by GitHub
parent
commit
1bcc7d54ef
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
23 changed files with 484 additions and 79 deletions
  1. +87
    -45
      getssl
  2. +1
    -1
      test/Dockerfile-alpine
  3. +1
    -1
      test/Dockerfile-centos6
  4. +1
    -3
      test/Dockerfile-centos7
  5. +1
    -1
      test/Dockerfile-centos7-staging
  6. +1
    -1
      test/Dockerfile-debian
  7. +1
    -1
      test/Dockerfile-ubuntu
  8. +1
    -2
      test/Dockerfile-ubuntu-staging
  9. +1
    -4
      test/Dockerfile-ubuntu16
  10. +1
    -1
      test/Dockerfile-ubuntu18
  11. +2
    -2
      test/test-config/getssl-dns01-dual-rsa-ecdsa-old-nginx.cfg
  12. +2
    -2
      test/test-config/getssl-dns01-dual-rsa-ecdsa.cfg
  13. +2
    -2
      test/test-config/getssl-dns01-ignore-directory-domain.cfg
  14. +2
    -2
      test/test-config/getssl-dns01-multiple-domains.cfg
  15. +2
    -2
      test/test-config/getssl-dns01-spaces-and-commas-sans.cfg
  16. +2
    -2
      test/test-config/getssl-dns01-spaces-sans-and-ignore-dir-domain.cfg
  17. +2
    -2
      test/test-config/getssl-dns01-spaces-sans.cfg
  18. +6
    -2
      test/test-config/getssl-dns01.cfg
  19. +1
    -1
      test/test-config/getssl-staging-dns01-fail-dns-add.cfg
  20. +1
    -1
      test/test-config/getssl-staging-dns01-no-suffix.cfg
  21. +1
    -1
      test/test-config/getssl-staging-dns01.cfg
  22. +164
    -0
      test/u1-test-get_auth_dns-dig.bats
  23. +201
    -0
      test/u2-test-get_auth_dns-drill.bats

+ 87
- 45
getssl View File

@ -237,7 +237,8 @@
# 2020-08-06 Use -sigalgs instead of -cipher when checking remote for tls1.3 (#570)
# 2020-08-31 Fix slow fork bomb when directory containing getssl isn't writeable (#440)
# 2020-09-01 Use RSA-PSS when checking remote for DUAL_RSA_ECDSA (#570)
# 2020-09-02 Fix issue when SANS is space and comma separated (#579)
# 2020-09-02 Fix issue when SANS is space and comma separated (#579) (2.30)
# 2020-10-02 Various fixes to get_auth_dns and changes to support unit tests (#308)
# ----------------------------------------------------------------------------------------
PROGNAME=${0##*/}
@ -292,6 +293,9 @@ _NOTIFY_VALID=0
_QUIET=0
_RECREATE_CSR=0
_REVOKE=0
_RUNNING_TEST=0
_TEST_SKIP_CNAME_CALL=0
_TEST_SKIP_SOA_CALL=0
_UPGRADE=0
_UPGRADE_CHECK=1
_USE_DEBUG=0
@ -942,8 +946,19 @@ date_renew() { # calculates the renewal time in epoch
debug() { # write out debug info if the debug flag has been set
if [[ ${_USE_DEBUG} -eq 1 ]]; then
echo " "
echo "$@"
# If running tests then output in TAP format (for debugging tests)
if [[ ${_RUNNING_TEST} -eq 1 ]]; then
echo "#" "$@" >&3
else
echo " "
echo "$@"
fi
fi
}
test_output() { # write out debug output for testing
if [[ ${_RUNNING_TEST} -eq 1 ]]; then
echo "#" "$@"
fi
}
@ -1127,8 +1142,7 @@ for d in $alldomains; do
command="rm -f ${t_loc:(( ${#sshhost} + 5))}/${token:?}"
debug "running following command to remove token"
debug "ssh $SSH_OPTS $sshhost ${command}"
# shellcheck disable=SC2029
# shellcheck disable=SC2086
# shellcheck disable=SC2029 disable=SC2086
ssh $SSH_OPTS "$sshhost" "${command}" 1>/dev/null 2>&1
rm -f "${TEMP_DIR:?}/${token:?}"
elif [[ "${t_loc:0:4}" == "ftp:" ]] ; then
@ -1163,6 +1177,10 @@ if [[ $VALIDATE_VIA_DNS == "true" ]]; then
# shellcheck source=/dev/null
. "$dnsfile"
# Always use lowercase domain name when querying DNS servers
# shellcheck disable=SC2018,SC2019
lower_d=$(echo "$d" | tr A-Z a-z)
# check for token at public dns server, waiting for a valid response.
for ns in $primary_ns; do
debug "checking dns at $ns"
@ -1170,18 +1188,18 @@ if [[ $VALIDATE_VIA_DNS == "true" ]]; then
check_dns="fail"
while [[ "$check_dns" == "fail" ]]; do
if [[ "$os" == "cygwin" ]]; then
check_result=$(nslookup -type=txt "_acme-challenge.${d}" "${ns}" \
check_result=$(nslookup -type=txt "_acme-challenge.${lower_d}" "${ns}" \
| grep ^_acme -A2\
| grep '"'|awk -F'"' '{ print $2}')
elif [[ "$DNS_CHECK_FUNC" == "drill" ]] || [[ "$DNS_CHECK_FUNC" == "dig" ]]; then
debug "$DNS_CHECK_FUNC" TXT "_acme-challenge.${d}" "@${ns}"
check_result=$($DNS_CHECK_FUNC TXT "_acme-challenge.${d}" "@${ns}" \
debug "$DNS_CHECK_FUNC" TXT "_acme-challenge.${lower_d}" "@${ns}"
check_result=$($DNS_CHECK_FUNC TXT "_acme-challenge.${lower_d}" "@${ns}" \
| grep 'IN\WTXT'|awk -F'"' '{ print $2}')
elif [[ "$DNS_CHECK_FUNC" == "host" ]]; then
check_result=$($DNS_CHECK_FUNC -t TXT "_acme-challenge.${d}" "${ns}" \
check_result=$($DNS_CHECK_FUNC -t TXT "_acme-challenge.${lower_d}" "${ns}" \
| grep 'descriptive text'|awk -F'"' '{ print $2}')
else
check_result=$(nslookup -type=txt "_acme-challenge.${d}" "${ns}" \
check_result=$(nslookup -type=txt "_acme-challenge.${lower_d}" "${ns}" \
| grep 'text ='|awk -F'"' '{ print $2}')
fi
debug "expecting $auth_key"
@ -1194,26 +1212,22 @@ if [[ $VALIDATE_VIA_DNS == "true" ]]; then
ntries=$(( ntries + 1 ))
if [[ $DNS_WAIT_RETRY_ADD == "true" && $(( ntries % 10 == 0 )) ]]; then
# shellcheck disable=SC2018,SC2019
lower_d=$(echo "$d" | tr A-Z a-z)
debug "Retrying adding dns via command: $DNS_ADD_COMMAND $lower_d $auth_key"
if ! eval "$DNS_ADD_COMMAND" "$lower_d" "$auth_key" ; then
error_exit "DNS_ADD_COMMAND failed for domain $d"
fi
fi
info "checking DNS at ${ns} for ${d}. Attempt $ntries/100 gave wrong result, "\
info "checking DNS at ${ns} for ${lower_d}. Attempt $ntries/${DNS_WAIT_COUNT} gave wrong result, "\
"waiting $DNS_WAIT secs before checking again"
sleep $DNS_WAIT
else
debug "dns check failed - removing existing value"
# shellcheck disable=SC2018,SC2019
lower_d=$(echo "$d" | tr A-Z a-z)
eval "$DNS_DEL_COMMAND" "$lower_d" "$auth_key"
# remove $dnsfile after each loop.
rm -f "$dnsfile"
error_exit "checking _acme-challenge.${d} gave $check_result not $auth_key"
error_exit "checking _acme-challenge.${lower_d} gave $check_result not $auth_key"
fi
fi
done
@ -1222,7 +1236,7 @@ if [[ $VALIDATE_VIA_DNS == "true" ]]; then
done
if [[ "$DNS_EXTRA_WAIT" -gt 0 && "$PREVIOUSLY_VALIDATED" != "true" ]]; then
info "sleeping $DNS_EXTRA_WAIT seconds before asking the ACME-server to check the dns"
info "sleeping $DNS_EXTRA_WAIT seconds before asking the ACME server to check the dns"
sleep "$DNS_EXTRA_WAIT"
fi
@ -1251,6 +1265,9 @@ fi
get_auth_dns() { # get the authoritative dns server for a domain (sets primary_ns )
orig_gad_d="$1" # domain name
gad_s="$PUBLIC_DNS_SERVER" # start with PUBLIC_DNS_SERVER
if [[ -n "$gad_s" ]]; then
gad_s="@$gad_s"
fi
if [[ "$os" == "cygwin" ]]; then
gad_d="$orig_gad_d"
@ -1267,47 +1284,69 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n
if [[ -n "$HAS_DIG_OR_DRILL" ]]; then
gad_d="$orig_gad_d"
debug Using "$HAS_DIG_OR_DRILL SOA +trace +nocomments $gad_d @$gad_s" to find primary nameserver
# Use SOA +trace to find the name server
if [[ -z "$gad_s" ]]; then
res=$($HAS_DIG_OR_DRILL SOA +trace +nocomments "$gad_d" 2>/dev/null | grep "IN\WNS\W" | tail -1)
else
res=$($HAS_DIG_OR_DRILL SOA +trace +nocomments "$gad_d" "@$gad_s" 2>/dev/null | grep "IN\WNS\W" | tail -1)
if [[ $_TEST_SKIP_SOA_CALL == 0 ]]; then
if [[ "$HAS_DIG_OR_DRILL" == "dig" ]]; then
debug Using "$HAS_DIG_OR_DRILL SOA +trace +nocomments $gad_d $gad_s" to find primary nameserver
test_output "Using $HAS_DIG_OR_DRILL SOA"
res=$($HAS_DIG_OR_DRILL SOA +trace +nocomments "$gad_d" "$gad_s" 2>/dev/null | grep "IN\WNS\W")
else
debug Using "$HAS_DIG_OR_DRILL -T $gad_d $gad_s" to find primary nameserver
test_output "Using $HAS_DIG_OR_DRILL SOA"
res=$($HAS_DIG_OR_DRILL -T SOA "$gad_d" "$gad_s" 2>/dev/null | grep "IN\WNS\W")
fi
fi
# fallback to existing code
# Check if domain is a CNAME
if [[ -z "$res" ]]; then
debug Checking for CNAME using "$HAS_DIG_OR_DRILL CNAME $gad_d @$gad_s"
if [[ -z "$gad_s" ]]; then #checking for CNAMEs (need grep as dig 9.11 sometimes returns everything not just CNAME entries)
res=$($HAS_DIG_OR_DRILL CNAME "$gad_d"| grep "^$gad_d" | grep CNAME)
test_output "Using $HAS_DIG_OR_DRILL CNAME"
# Two options here; either dig CNAME will return the CNAME and the NS or just the CNAME
debug Checking for CNAME using "$HAS_DIG_OR_DRILL CNAME $gad_d $gad_s"
res=$($HAS_DIG_OR_DRILL CNAME "$gad_d" "$gad_s"| grep "^$gad_d")
cname=$(echo "$res"| awk '$4 ~ "CNAME" {print $5}' |sed 's/\.$//g')
if [[ $_TEST_SKIP_CNAME_CALL == 0 ]]; then
debug Checking if CNAME result contains NS records
res=$($HAS_DIG_OR_DRILL CNAME "$gad_d" "$gad_s"| grep -E "IN\W(NS|SOA)\W")
else
res=$($HAS_DIG_OR_DRILL CNAME "$gad_d" "@$gad_s"| grep "^$gad_d" | grep CNAME)
res=""
fi
if [[ -n "$res" ]]; then # domain is a CNAME so get main domain
gad_d=$(echo "$res"| awk '{print $5}' |sed 's/\.$//g')
debug Domain is a CNAME, actual domain is "$gad_d"
fi
# If gad_d is an A record then this returns the SOA for the root domain, e.g. without the www
# dig NS ubuntu.getssl.text
# > getssl.test. IN SOA ns1.duckdns.org
# If gad_d is a CNAME record then this returns the NS for the domain pointed to by $gad_d
# dig NS www.getssl.text
# > www.getssl.test. IN CNAME getssl.test
# > getssl.test. IN NS ns1.duckdns.org
debug Using "$HAS_DIG_OR_DRILL NS $gad_d @$gad_s" to find primary nameserver
if [[ -z "$gad_s" ]]; then
res=$($HAS_DIG_OR_DRILL NS "$gad_d"| grep -E "IN\W(NS|SOA)\W" | tail -1)
else
res=$($HAS_DIG_OR_DRILL NS "$gad_d" "@$gad_s"| grep -E "IN\W(NS|SOA)\W" | tail -1)
if [[ -n "$cname" ]]; then # domain is a CNAME so get main domain
debug Domain is a CNAME, actual domain is "$cname"
fi
fi
# Query for NS records
if [[ -z "$res" ]]; then
test_output "Using $HAS_DIG_OR_DRILL NS"
debug Using "$HAS_DIG_OR_DRILL NS $gad_d $gad_s" to find primary nameserver
res=$($HAS_DIG_OR_DRILL NS "$gad_d" $gad_s | grep -E "IN\W(NS|SOA)\W")
fi
if [[ -n "$res" ]]; then
all_auth_dns_servers=$(echo "$res" | awk '$4 ~ "NS" {print $5}' | sed 's/\.$//g'|tr '\n' ' ')
# Convert dig output into an array of nameservers
IFS=$'\n' read -r -d '' -a ns_servers < <(echo "$res" | awk '$4 ~ "(NS|SOA)" {print $5}' | sed 's/\.$//g')
# Nameservers from SOA +trace includes root and all intermediate servers, so just use all the ones with the same domain as the last name server
# i.e. if we have root, google, duckdns1, duckdns2 then return all the duckdns servers
ns_domain=${ns_servers[${#ns_servers[@]} -1 ]#*.}
all_auth_dns_servers=""
for i in "${ns_servers[@]}"; do
if [[ $i =~ $ns_domain ]]; then
all_auth_dns_servers="$all_auth_dns_servers $i"
fi
done
if [[ $CHECK_ALL_AUTH_DNS == "true" ]]; then
primary_ns="$all_auth_dns_servers"
else
primary_ns=$(echo "$all_auth_dns_servers" | awk '{print $1}')
primary_ns=$(echo "$all_auth_dns_servers" | awk '{print " " $1}')
fi
debug set primary_ns = "$primary_ns"
test_output set primary_ns ="$primary_ns"
return
fi
fi
@ -2194,6 +2233,7 @@ write_domain_template() { # write out a template file for a domain.
# where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain.
# You can also user WebDAV over HTTPS as transport mechanism. To do so, start with davs: followed by username,
# password, host, port (explicitly needed even if using default port 443) and path on the server.
# Multiple locations can be defined for a file by separating the locations with a semi-colon.
#ACL=('/var/www/${DOMAIN}/web/.well-known/acme-challenge'
# 'ssh:server5:/var/www/${DOMAIN}/web/.well-known/acme-challenge'
# 'ssh:sshuserid@server5:/var/www/${DOMAIN}/web/.well-known/acme-challenge'
@ -2339,6 +2379,8 @@ while [[ -n ${1+defined} ]]; do
_ONLY_CHECK_CONFIG=1 ;;
-w)
shift; WORKING_DIR="$1" ;;
--source)
return ;;
-*)
usage
error_exit "Unknown option $1" ;;
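Review bot: The nameserver filter in get_auth_dns, `if [[ $i =~ $ns_domain ]]; then`, uses `$ns_domain` (a label stripped from resolver output) as an unanchored extended regex, so every `.` matches any character and the match succeeds on any substring of the candidate name rather than the same-domain suffix the comment above it describes; a literal suffix test does what is intended: `if [[ "$i" == "$ns_domain" || "$i" == *".$ns_domain" ]]; then`. The NS query passes `$gad_s` unquoted (`$HAS_DIG_OR_DRILL NS "$gad_d" $gad_s | …`) while the SOA and CNAME queries quote it, which presumably hands dig/drill an empty argument when PUBLIC_DNS_SERVER is unset; building the server argument once as an array, `gad_args=(); [[ -n "$PUBLIC_DNS_SERVER" ]] && gad_args=("@$PUBLIC_DNS_SERVER")`, and expanding `"${gad_args[@]}"` in all four calls removes the inconsistency. `${ns_servers[${#ns_servers[@]} -1 ]#*.}` aborts with a bad-subscript error if the awk filter matched nothing even though `res` was non-empty, so guard it with `(( ${#ns_servers[@]} > 0 )) || return` first. The new `--source) return ;;` arm in the option loop is only valid when the script is sourced; when it is executed directly bash reports a non-fatal error and carries on, so `return 0 2>/dev/null || exit 0` covers both cases. get_auth_dns's closing brace lies outside the hunk.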


+ 1
- 1
test/Dockerfile-alpine View File

@ -2,7 +2,7 @@ FROM alpine:latest
# Note this image uses busybox awk instead of gawk
RUN apk --no-cache add supervisor openssl git curl bind-tools wget nginx bash
RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx bash
WORKDIR /root


+ 1
- 1
test/Dockerfile-centos6 View File

@ -8,7 +8,7 @@ FROM centos:centos6
# Update and install required software
RUN yum -y update
RUN yum -y install epel-release
RUN yum -y install git curl dnsutils wget nginx
RUN yum -y install git curl dnsutils ldns wget nginx
WORKDIR /root
RUN mkdir /etc/nginx/pki


+ 1
- 3
test/Dockerfile-centos7 View File

@ -1,11 +1,9 @@
FROM centos:centos7
# Note this image uses drill, does not have dig or nslookup installed
# Update and install required software
RUN yum -y update
RUN yum -y install epel-release
RUN yum -y install git curl ldns wget which nginx
RUN yum -y install git curl ldns bind-utils wget which nginx
WORKDIR /root
RUN mkdir /etc/nginx/pki


+ 1
- 1
test/Dockerfile-centos7-staging View File

@ -5,7 +5,7 @@ FROM centos:centos7
# Update and install required software
RUN yum -y update
RUN yum -y install epel-release
RUN yum -y install git curl bind-utils wget which nginx
RUN yum -y install git curl bind-utils ldns wget which nginx
ENV staging "true"
ENV DUCKDNS_TOKEN 1d616aa9-b8e4-4bb4-b312-3289de82badb


+ 1
- 1
test/Dockerfile-debian View File

@ -4,7 +4,7 @@ FROM debian:latest
# Update and install required software
RUN apt-get update --fix-missing
RUN apt-get install -y git curl dnsutils wget nginx-light
RUN apt-get install -y git curl dnsutils ldnsutils wget nginx-light
WORKDIR /root
RUN mkdir /etc/nginx/pki


+ 1
- 1
test/Dockerfile-ubuntu View File

@ -7,7 +7,7 @@ ENV DEBIAN_FRONTEND noninteractive
# Update and install required software
RUN apt-get update --fix-missing
RUN apt-get install -y git curl dnsutils wget nginx-light
RUN apt-get install -y git curl dnsutils ldnsutils wget nginx-light
RUN apt-get install -y vim dos2unix # for debugging
# TODO test with drill, dig, host


+ 1
- 2
test/Dockerfile-ubuntu-staging View File

@ -11,9 +11,8 @@ ENV DUCKDNS_TOKEN 1d616aa9-b8e4-4bb4-b312-3289de82badb
# Update and install required software
RUN apt-get update --fix-missing
RUN apt-get install -y git curl dnsutils wget nginx-light
RUN apt-get install -y git curl dnsutils ldnsutils wget nginx-light
RUN apt-get install -y vim dos2unix # for debugging
# TODO test with drill, dig, host
WORKDIR /root


+ 1
- 4
test/Dockerfile-ubuntu16 View File

@ -5,16 +5,13 @@ FROM ubuntu:xenial
# Update and install required software
RUN apt-get update --fix-missing
RUN apt-get install -y git curl dnsutils wget nginx-light
RUN apt-get install -y git curl dnsutils ldnsutils wget nginx-light
WORKDIR /root
RUN mkdir /etc/nginx/pki
RUN mkdir /etc/nginx/pki/private
COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default
# Prevent "Can't load /root/.rnd into RNG" error from openssl
# RUN touch /root/.rnd
# BATS (Bash Automated Testings)
RUN git clone https://github.com/bats-core/bats-core.git /bats-core
RUN git clone https://github.com/bats-core/bats-support /bats-support


+ 1
- 1
test/Dockerfile-ubuntu18 View File

@ -5,7 +5,7 @@ FROM ubuntu:bionic
# Update and install required software
RUN apt-get update --fix-missing
RUN apt-get install -y git curl dnsutils wget gawk nginx-light
RUN apt-get install -y git curl dnsutils ldnsutils wget gawk nginx-light
WORKDIR /root
RUN mkdir /etc/nginx/pki


+ 2
- 2
test/test-config/getssl-dns01-dual-rsa-ecdsa-old-nginx.cfg View File

@ -7,8 +7,8 @@ CA="https://pebble:14000/dir"
VALIDATE_VIA_DNS=true
DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
PUBLIC_DNS_SERVER=10.30.50.3
DNS_EXTRA_WAIT=""
AUTH_DNS_SERVER=10.30.50.3
DNS_EXTRA_WAIT=0
DUAL_RSA_ECDSA="true"
ACCOUNT_KEY_TYPE="prime256v1"


+ 2
- 2
test/test-config/getssl-dns01-dual-rsa-ecdsa.cfg View File

@ -7,8 +7,8 @@ CA="https://pebble:14000/dir"
VALIDATE_VIA_DNS=true
DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
PUBLIC_DNS_SERVER=10.30.50.3
DNS_EXTRA_WAIT=""
AUTH_DNS_SERVER=10.30.50.3
DNS_EXTRA_WAIT=0
DUAL_RSA_ECDSA="true"
ACCOUNT_KEY_TYPE="prime256v1"


+ 2
- 2
test/test-config/getssl-dns01-ignore-directory-domain.cfg View File

@ -7,8 +7,8 @@ CA="https://pebble:14000/dir"
VALIDATE_VIA_DNS=true
DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
PUBLIC_DNS_SERVER=10.30.50.3
DNS_EXTRA_WAIT=""
AUTH_DNS_SERVER=10.30.50.3
DNS_EXTRA_WAIT=0
# Ignore directory domain (i.e. the domain passed on the command line), and just use the domains in the SANS list
IGNORE_DIRECTORY_DOMAIN="true"


+ 2
- 2
test/test-config/getssl-dns01-multiple-domains.cfg View File

@ -7,8 +7,8 @@ CA="https://pebble:14000/dir"
VALIDATE_VIA_DNS=true
DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
PUBLIC_DNS_SERVER=10.30.50.3
DNS_EXTRA_WAIT=""
AUTH_DNS_SERVER=10.30.50.3
DNS_EXTRA_WAIT=0
# Additional domains - this could be multiple domains / subdomains in a comma separated list
SANS="getssl.test"


+ 2
- 2
test/test-config/getssl-dns01-spaces-and-commas-sans.cfg View File

@ -7,8 +7,8 @@ CA="https://pebble:14000/dir"
VALIDATE_VIA_DNS=true
DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
PUBLIC_DNS_SERVER=10.30.50.3
DNS_EXTRA_WAIT=""
AUTH_DNS_SERVER=10.30.50.3
DNS_EXTRA_WAIT=0
# Additional domains - this could be multiple domains / subdomains in a comma separated list
SANS="a.${GETSSL_HOST}, b.${GETSSL_HOST}, c.${GETSSL_HOST}"


+ 2
- 2
test/test-config/getssl-dns01-spaces-sans-and-ignore-dir-domain.cfg View File

@ -7,8 +7,8 @@ CA="https://pebble:14000/dir"
VALIDATE_VIA_DNS=true
DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
PUBLIC_DNS_SERVER=10.30.50.3
DNS_EXTRA_WAIT=""
AUTH_DNS_SERVER=10.30.50.3
DNS_EXTRA_WAIT=0
# Ignore directory domain (i.e. the domain passed on the command line), and just use the domains in the SANS list
IGNORE_DIRECTORY_DOMAIN="true"


+ 2
- 2
test/test-config/getssl-dns01-spaces-sans.cfg View File

@ -7,8 +7,8 @@ CA="https://pebble:14000/dir"
VALIDATE_VIA_DNS=true
DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
PUBLIC_DNS_SERVER=10.30.50.3
DNS_EXTRA_WAIT=""
AUTH_DNS_SERVER=10.30.50.3
DNS_EXTRA_WAIT=0
# Additional domains - this could be multiple domains / subdomains in a comma separated list
SANS="a.${GETSSL_HOST} b.${GETSSL_HOST} c.${GETSSL_HOST}"


+ 6
- 2
test/test-config/getssl-dns01.cfg View File

@ -7,8 +7,12 @@ CA="https://pebble:14000/dir"
VALIDATE_VIA_DNS=true
DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
PUBLIC_DNS_SERVER=10.30.50.3
DNS_EXTRA_WAIT=""
AUTH_DNS_SERVER=10.30.50.3
# Speed up the test by reducing the number or retries and the wait between retries.
DNS_WAIT=2
DNS_WAIT_COUNT=11
DNS_EXTRA_WAIT=0
# Additional domains - this could be multiple domains / subdomains in a comma separated list
SANS=""


+ 1
- 1
test/test-config/getssl-staging-dns01-fail-dns-add.cfg View File

@ -5,7 +5,7 @@ CA="https://acme-staging-v02.api.letsencrypt.org/directory"
# Generic staging config
VALIDATE_VIA_DNS=true
DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_duckdns"
PUBLIC_DNS_SERVER=ns2.duckdns.org
AUTH_DNS_SERVER=ns2.duckdns.org
CHECK_ALL_AUTH_DNS=true
# Test that the retry works (dns_add_command will always fail)


+ 1
- 1
test/test-config/getssl-staging-dns01-no-suffix.cfg View File

@ -5,7 +5,7 @@ CA="https://acme-staging-v02.api.letsencrypt.org"
VALIDATE_VIA_DNS=true
DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_duckdns"
DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_duckdns"
PUBLIC_DNS_SERVER=ns2.duckdns.org
AUTH_DNS_SERVER=ns2.duckdns.org
CHECK_ALL_AUTH_DNS=true
DNS_EXTRA_WAIT=120


+ 1
- 1
test/test-config/getssl-staging-dns01.cfg View File

@ -5,7 +5,7 @@ CA="https://acme-staging-v02.api.letsencrypt.org/directory"
VALIDATE_VIA_DNS=true
DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_duckdns"
DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_duckdns"
PUBLIC_DNS_SERVER=ns2.duckdns.org
AUTH_DNS_SERVER=ns2.duckdns.org
CHECK_ALL_AUTH_DNS=true
DNS_EXTRA_WAIT=120


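--- /dev/null
+++ b/test/u1-test-get_auth_dns-dig.bats
@@ -0,0 +1,164 @@
+#! /usr/bin/env bats
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+# This is run for every test
+setup() {
+for app in drill host nslookup
+do
+if [ -f /usr/bin/${app} ]; then
+mv /usr/bin/${app} /usr/bin/${app}.getssl.bak
+fi
+done
+. /getssl/getssl --source
+find_dns_utils
+_RUNNING_TEST=1
+_USE_DEBUG=0
+}
+teardown() {
+for app in drill host nslookup
+do
+if [ -f /usr/bin/${app}.getssl.bak ]; then
+mv /usr/bin/${app}.getssl.bak /usr/bin/${app}
+fi
+done
+}
+@test "Check get_auth_dns using dig NS" {
+# Test that get_auth_dns() handles scenario where NS query returns Authority section
+#
+# ************** EXAMPLE DIG OUTPUT **************
+#
+# ;; ANSWER SECTION:
+# ubuntu-getssl.duckdns.org. 60 IN A 54.89.252.137
+#
+# ;; AUTHORITY SECTION:
+# duckdns.org. 600 IN NS ns2.duckdns.org.
+# duckdns.org. 600 IN NS ns3.duckdns.org.
+# duckdns.org. 600 IN NS ns1.duckdns.org.
+#
+# ;; ADDITIONAL SECTION:
+# ns2.duckdns.org. 600 IN A 54.191.117.119
+# ns3.duckdns.org. 600 IN A 52.26.169.94
+# ns1.duckdns.org. 600 IN A 54.187.92.222
+# Disable CNAME check
+_TEST_SKIP_CNAME_CALL=1
+PUBLIC_DNS_SERVER=ns1.duckdns.org
+CHECK_ALL_AUTH_DNS=false
+run get_auth_dns ubuntu-getssl.duckdns.org
+# Assert that we've found the primary_ns server
+assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org'
+# Assert that we had to use dig NS
+assert_line --partial 'Using dig NS'
+# Check all Authoritive DNS servers are returned if requested
+CHECK_ALL_AUTH_DNS=true
+run get_auth_dns ubuntu-getssl.duckdns.org
+assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org'
+}
+@test "Check get_auth_dns using dig SOA" {
+# Test that get_auth_dns() handles scenario where SOA query returns Authority section
+#
+# ************** EXAMPLE DIG OUTPUT **************
+#
+# ;; AUTHORITY SECTION:
+# duckdns.org. 600 IN SOA ns3.duckdns.org. hostmaster.duckdns.org. 2019170803 6000 120 2419200 600
+# DuckDNS server returns nothing for SOA, so use public dns instead
+PUBLIC_DNS_SERVER=1.0.0.1
+CHECK_ALL_AUTH_DNS=false
+run get_auth_dns ubuntu-getssl.duckdns.org
+# Assert that we've found the primary_ns server
+assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org'
+# Assert that we had to use dig NS
+assert_line --partial 'Using dig SOA'
+refute_line --partial 'Using dig NS'
+# Check all Authoritive DNS servers are returned if requested
+CHECK_ALL_AUTH_DNS=true
+run get_auth_dns ubuntu-getssl.duckdns.org
+assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org'
+}
+@test "Check get_auth_dns using dig CNAME (public dns)" {
+# Test that get_auth_dns() handles scenario where CNAME query returns just a CNAME record
+#
+# ************** EXAMPLE DIG OUTPUT **************
+#
+# ;; ANSWER SECTION:
+# www.duckdns.org. 600 IN CNAME DuckDNSAppELB-570522007.us-west-2.elb.amazonaws.com.
+# Disable SOA check
+_TEST_SKIP_SOA_CALL=1
+PUBLIC_DNS_SERVER=1.0.0.1
+CHECK_ALL_AUTH_DNS=false
+run get_auth_dns www.duckdns.org
+# Assert that we've found the primary_ns server
+assert_output --regexp 'set primary_ns = ns.*\.awsdns.*\.com'
+# Assert that we found a CNAME and use dig NS
+assert_line --partial 'Using dig CNAME'
+assert_line --partial 'Using dig NS'
+# Check all Authoritive DNS servers are returned if requested
+CHECK_ALL_AUTH_DNS=false
+run get_auth_dns www.duckdns.org
+assert_output --regexp 'set primary_ns = ns.*\.awsdns.*\.com'
+}
+@test "Check get_auth_dns using dig CNAME (duckdns)" {
+# Test that get_auth_dns() handles scenario where CNAME query returns authority section containing NS records
+#
+# ************** EXAMPLE DIG OUTPUT **************
+#
+# ;; ANSWER SECTION:
+# www.duckdns.org. 600 IN CNAME DuckDNSAppELB-570522007.us-west-2.elb.amazonaws.com.
+#
+# ;; AUTHORITY SECTION:
+# duckdns.org. 600 IN NS ns1.duckdns.org.
+# duckdns.org. 600 IN NS ns2.duckdns.org.
+# duckdns.org. 600 IN NS ns3.duckdns.org.
+#
+# ;; ADDITIONAL SECTION:
+# ns1.duckdns.org. 600 IN A 54.187.92.222
+# ns2.duckdns.org. 600 IN A 54.191.117.119
+# ns3.duckdns.org. 600 IN A 52.26.169.94
+PUBLIC_DNS_SERVER=ns1.duckdns.org
+CHECK_ALL_AUTH_DNS=false
+run get_auth_dns www.duckdns.org
+# Assert that we've found the primary_ns server
+assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org'
+# Assert that we found a CNAME but didn't use dig NS
+assert_line --partial 'Using dig CNAME'
+refute_line --partial 'Using dig NS'
+# Check all Authoritive DNS servers are returned if requested
+CHECK_ALL_AUTH_DNS=true
+run get_auth_dns www.duckdns.org
+assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org'
+}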
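Review bot: In the "dig CNAME (public dns)" test the second run sets `CHECK_ALL_AUTH_DNS=false` under the comment "Check all Authoritive DNS servers are returned if requested", so it merely repeats the first run and the all-servers path is never exercised for the CNAME-only case; it should be `CHECK_ALL_AUTH_DNS=true` with an assertion that expects more than one `awsdns` server, in the shape used by the NS test. The comment above the SOA test's assertion reads "Assert that we had to use dig NS" while the assertion is `assert_line --partial 'Using dig SOA'`, so it should say `# Assert that dig SOA found the nameserver without falling through to dig NS`. Every test resolves live names through duckdns.org or 1.0.0.1, so a sandbox without outbound DNS fails all four rather than skipping; a `skip` when a probe query against `$PUBLIC_DNS_SERVER` gets no answer would keep the suite honest offline. setup() renames system binaries under /usr/bin and relies on teardown() to put them back, which is presumably fine inside the throwaway test containers but is worth a one-line comment saying so.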
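--- /dev/null
+++ b/test/u2-test-get_auth_dns-drill.bats
@@ -0,0 +1,201 @@
+#! /usr/bin/env bats
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+# This is run for every test
+setup() {
+for app in dig host nslookup
+do
+if [ -f /usr/bin/${app} ]; then
+mv /usr/bin/${app} /usr/bin/${app}.getssl.bak
+fi
+done
+. /getssl/getssl --source
+find_dns_utils
+_RUNNING_TEST=1
+_USE_DEBUG=0
+}
+teardown() {
+for app in dig host nslookup
+do
+if [ -f /usr/bin/${app}.getssl.bak ]; then
+mv /usr/bin/${app}.getssl.bak /usr/bin/${app}
+fi
+done
+}
+teardown() {
+if [ -f /usr/bin/host.getssl.bak ]; then
+mv /usr/bin/host.getssl.bak /usr/bin/host
+fi
+if [ -f /usr/bin/nslookup.getssl.bak ]; then
+mv /usr/bin/nslookup.getssl.bak /usr/bin/nslookup
+fi
+if [ -f /usr/bin/dig.getssl.bak ]; then
+mv /usr/bin/dig.getssl.bak /usr/bin/dig
+fi
+}
+@test "Check get_auth_dns using drill NS" {
+if [ ! -f /usr/bin/drill ]; then
+# Can't find drill package for centos8
+skip "Drill not installed on this system"
+fi
+# Test that get_auth_dns() handles scenario where NS query returns Authority section
+#
+# ************** EXAMPLE DRILL OUTPUT **************
+#
+# ;; ANSWER SECTION:
+# ubuntu-getssl.duckdns.org. 60 IN A 54.89.252.137
+#
+# ;; AUTHORITY SECTION:
+# duckdns.org. 600 IN NS ns2.duckdns.org.
+# duckdns.org. 600 IN NS ns3.duckdns.org.
+# duckdns.org. 600 IN NS ns1.duckdns.org.
+#
+# ;; ADDITIONAL SECTION:
+# ns2.duckdns.org. 600 IN A 54.191.117.119
+# ns3.duckdns.org. 600 IN A 52.26.169.94
+# ns1.duckdns.org. 600 IN A 54.187.92.222
+# Disable SOA and CNAME check
+_TEST_SKIP_CNAME_CALL=1
+_TEST_SKIP_SOA_CALL=1
+PUBLIC_DNS_SERVER=ns1.duckdns.org
+CHECK_ALL_AUTH_DNS=false
+run get_auth_dns ubuntu-getssl.duckdns.org
+# Assert that we've found the primary_ns server
+assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org'
+# Assert that we had to use drill NS
+assert_line --partial 'Using drill NS'
+# Check all Authoritive DNS servers are returned if requested
+CHECK_ALL_AUTH_DNS=true
+run get_auth_dns ubuntu-getssl.duckdns.org
+assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org'
+}
+@test "Check get_auth_dns using drill SOA" {
+if [ ! -f /usr/bin/drill ]; then
+# Can't find drill package for centos8
+skip "Drill not installed on this system"
+fi
+# Test that get_auth_dns() handles scenario where SOA query returns Authority section
+#
+# ************** EXAMPLE DRILL OUTPUT **************
+#
+# ;; AUTHORITY SECTION:
+# duckdns.org. 600 IN SOA ns3.duckdns.org. hostmaster.duckdns.org. 2019170803 6000 120 2419200 600
+# DuckDNS server returns nothing for SOA, so use public dns instead
+PUBLIC_DNS_SERVER=1.0.0.1
+CHECK_ALL_AUTH_DNS=false
+run get_auth_dns ubuntu-getssl.duckdns.org
+# Assert that we've found the primary_ns server
+assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org'
+# Assert that we had to use drill NS
+assert_line --partial 'Using drill SOA'
+refute_line --partial 'Using drill NS'
+# Check all Authoritive DNS servers are returned if requested
+CHECK_ALL_AUTH_DNS=true
+run get_auth_dns ubuntu-getssl.duckdns.org
+assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org'
+}
+@test "Check get_auth_dns using drill CNAME (public dns)" {
+if [ ! -f /usr/bin/drill ]; then
+# Can't find drill package for centos8
+skip "Drill not installed on this system"
+fi
+# Test that get_auth_dns() handles scenario where CNAME query returns just a CNAME record
+#
+# ************** EXAMPLE drill OUTPUT **************
+#
+# ;; ANSWER SECTION:
+# www.duckdns.org. 600 IN CNAME DuckDNSAppELB-570522007.us-west-2.elb.amazonaws.com.
+# Disable SOA check
+_TEST_SKIP_SOA_CALL=1
+PUBLIC_DNS_SERVER=1.0.0.1
+CHECK_ALL_AUTH_DNS=false
+run get_auth_dns www.duckdns.org
+# Assert that we've found the primary_ns server
+assert_output --regexp 'set primary_ns = ns.*\.awsdns.*\.com'
+# Assert that we found a CNAME and use drill NS
+assert_line --partial 'Using drill CNAME'
+assert_line --partial 'Using drill NS'
+# Check all Authoritive DNS servers are returned if requested
+CHECK_ALL_AUTH_DNS=false
+run get_auth_dns www.duckdns.org
+assert_output --regexp 'set primary_ns = ns.*\.awsdns.*\.com'
+}
+@test "Check get_auth_dns using drill CNAME (duckdns)" {
+if [ ! -f /usr/bin/drill ]; then
+# Can't find drill package for centos8
+skip "Drill not installed on this system"
+fi
+# Test that get_auth_dns() handles scenario where CNAME query returns authority section containing NS records
+#
+# ************** EXAMPLE drill OUTPUT **************
+#
+# ;; ANSWER SECTION:
+# www.duckdns.org. 600 IN CNAME DuckDNSAppELB-570522007.us-west-2.elb.amazonaws.com.
+#
+# ;; AUTHORITY SECTION:
+# duckdns.org. 600 IN NS ns1.duckdns.org.
+# duckdns.org. 600 IN NS ns2.duckdns.org.
+# duckdns.org. 600 IN NS ns3.duckdns.org.
+#
+# ;; ADDITIONAL SECTION:
+# ns1.duckdns.org. 600 IN A 54.187.92.222
+# ns2.duckdns.org. 600 IN A 54.191.117.119
+# ns3.duckdns.org. 600 IN A 52.26.169.94
+# Disable SOA check
+_TEST_SKIP_SOA_CALL=1
+PUBLIC_DNS_SERVER=ns1.duckdns.org
+CHECK_ALL_AUTH_DNS=false
+run get_auth_dns www.duckdns.org
+# Assert that we've found the primary_ns server
+assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org'
+# Assert that we found a CNAME but didn't use drill NS
+assert_line --partial 'Using drill CNAME'
+refute_line --partial 'Using drill NS'
+# Check all Authoritive DNS servers are returned if requested
+CHECK_ALL_AUTH_DNS=true
+run get_auth_dns www.duckdns.org
+assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org'
+}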
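Review bot: `teardown()` is defined twice in this file; bash keeps only the second definition, so the loop-based version directly after `setup()` is dead code and the two will silently diverge if the app list in `setup()` changes. Keep the loop form, which mirrors `setup()`, and delete the three-`if` copy. As in the dig suite, the second run in the "drill CNAME (public dns)" test sets `CHECK_ALL_AUTH_DNS=false` under the "Check all Authoritive DNS servers" comment, so it repeats the first run instead of exercising the all-servers path; it should be `CHECK_ALL_AUTH_DNS=true` with a multi-server regexp. The `skip` guard for a missing drill runs after `setup()` has already renamed dig, host and nslookup, which is harmless only because teardown() still runs for skipped tests — worth a comment so the ordering is not "fixed" later.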