From 75d06beb5adca32c2172e14763c3494b337b24c4 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Thu, 17 Sep 2020 13:50:50 +0100 Subject: [PATCH 1/8] Fix get_auth_dns to return multiple nameservers (broken in v2.21) --- getssl | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/getssl b/getssl index 7ae6ae5..c92733f 100755 --- a/getssl +++ b/getssl @@ -1222,7 +1222,7 @@ if [[ $VALIDATE_VIA_DNS == "true" ]]; then done if [[ "$DNS_EXTRA_WAIT" -gt 0 && "$PREVIOUSLY_VALIDATED" != "true" ]]; then - info "sleeping $DNS_EXTRA_WAIT seconds before asking the ACME-server to check the dns" + info "sleeping $DNS_EXTRA_WAIT seconds before asking the ACME server to check the dns" sleep "$DNS_EXTRA_WAIT" fi 
@@ -1267,20 +1267,22 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n if [[ -n "$HAS_DIG_OR_DRILL" ]]; then gad_d="$orig_gad_d" - debug Using "$HAS_DIG_OR_DRILL SOA +trace +nocomments $gad_d @$gad_s" to find primary nameserver # Use SOA +trace to find the name server if [[ -z "$gad_s" ]]; then - res=$($HAS_DIG_OR_DRILL SOA +trace +nocomments "$gad_d" 2>/dev/null | grep "IN\WNS\W" | tail -1) + debug Using "$HAS_DIG_OR_DRILL SOA +trace +nocomments $gad_d" to find primary nameserver + res=$($HAS_DIG_OR_DRILL SOA +trace +nocomments "$gad_d" 2>/dev/null | grep "IN\WNS\W") else - res=$($HAS_DIG_OR_DRILL SOA +trace +nocomments "$gad_d" "@$gad_s" 2>/dev/null | grep "IN\WNS\W" | tail -1) + debug Using "$HAS_DIG_OR_DRILL SOA +trace +nocomments $gad_d @$gad_s" to find primary nameserver + res=$($HAS_DIG_OR_DRILL SOA +trace +nocomments "$gad_d" "@$gad_s" 2>/dev/null | grep "IN\WNS\W") fi # fallback to existing code if [[ -z "$res" ]]; then - debug Checking for CNAME using "$HAS_DIG_OR_DRILL CNAME $gad_d @$gad_s" if [[ -z "$gad_s" ]]; then #checking for CNAMEs (need grep as dig 9.11 sometimes returns everything not just CNAME entries) + debug Checking for CNAME using "$HAS_DIG_OR_DRILL CNAME $gad_d" res=$($HAS_DIG_OR_DRILL CNAME "$gad_d"| grep "^$gad_d" | grep CNAME) else + debug Checking for CNAME using "$HAS_DIG_OR_DRILL CNAME $gad_d @$gad_s" res=$($HAS_DIG_OR_DRILL CNAME "$gad_d" "@$gad_s"| grep "^$gad_d" | grep CNAME) fi if [[ -n "$res" ]]; then # domain is a CNAME so get main domain 
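Review bot: Removing `| tail -1` from the `SOA +trace` query (both branches) makes `res` hold the NS records of every delegation dig walks — root, TLD and the target zone — and nothing in the hunk narrows that down, so unless the code after the hunk filters by owner name the nameserver list handed back will include root and TLD servers. Keeping only the records that share the owner of the last matched line does it in two lines: `last_zone=$(printf '%s\n' "$res" | tail -1 | awk '{print $1}')` and `res=$(printf '%s\n' "$res" | awk -v z="$last_zone" '$1 == z')`. The plain `NS` query in the @@ -1294 hunk is not a trace, so it does not need this. get_auth_dns begins before this hunk.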
@@ -1294,11 +1296,12 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n # dig NS www.getssl.text # > www.getssl.test. IN CNAME getssl.test # > getssl.test. IN NS ns1.duckdns.org - debug Using "$HAS_DIG_OR_DRILL NS $gad_d @$gad_s" to find primary nameserver if [[ -z "$gad_s" ]]; then - res=$($HAS_DIG_OR_DRILL NS "$gad_d"| grep -E "IN\W(NS|SOA)\W" | tail -1) + debug Using "$HAS_DIG_OR_DRILL NS $gad_d" to find primary nameserver + res=$($HAS_DIG_OR_DRILL NS "$gad_d"| grep -E "IN\W(NS|SOA)\W") else - res=$($HAS_DIG_OR_DRILL NS "$gad_d" "@$gad_s"| grep -E "IN\W(NS|SOA)\W" | tail -1) + debug Using "$HAS_DIG_OR_DRILL NS $gad_d @$gad_s" to find primary nameserver + res=$($HAS_DIG_OR_DRILL NS "$gad_d" "@$gad_s"| grep -E "IN\W(NS|SOA)\W") fi fi if [[ -n "$res" ]]; then @@ -2194,6 +2197,7 @@ write_domain_template() { # write out a template file for a domain. # where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain. # You can also user WebDAV over HTTPS as transport mechanism. To do so, start with davs: followed by username, # password, host, port (explicitly needed even if using default port 443) and path on the server. + # Multiple locations can be defined for a file by separating the locations with a semi-colon. #ACL=('/var/www/${DOMAIN}/web/.well-known/acme-challenge' # 'ssh:server5:/var/www/${DOMAIN}/web/.well-known/acme-challenge' # 'ssh:sshuserid@server5:/var/www/${DOMAIN}/web/.well-known/acme-challenge' From 36c92d150e954390fd4f8603cce1997a98bcbdf8 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Wed, 23 Sep 2020 22:34:40 +0100 Subject: [PATCH 2/8] Fixes and changes to test get_auth_dns --- getssl | 98 +++++++++++------ test/19-test-get_auth_dns-dig.bats | 166 +++++++++++++++++++++++++++++ 2 files changed, 231 insertions(+), 33 deletions(-) create mode 100644 test/19-test-get_auth_dns-dig.bats diff --git a/getssl b/getssl index c92733f..05b2f2f 100755 --- a/getssl +++ b/getssl 
@@ -292,6 +292,9 @@ _NOTIFY_VALID=0 _QUIET=0 _RECREATE_CSR=0 _REVOKE=0 +_RUNNING_TEST=0 +_TEST_SKIP_CNAME_CALL=0 +_TEST_SKIP_SOA_CALL=0 _UPGRADE=0 _UPGRADE_CHECK=1 _USE_DEBUG=0 @@ -942,8 +945,19 @@ date_renew() { # calculates the renewal time in epoch debug() { # write out debug info if the debug flag has been set if [[ ${_USE_DEBUG} -eq 1 ]]; then - echo " " - echo "$@" + # If running tests then output in TAP format (for debugging tests) + if [[ -n "$_RUNNING_TEST" ]]; then + echo "#" "$@" >&3 + else + echo " " + echo "$@" + fi + fi +} + +test_output() { # write out debug output for testing + if [[ ${_RUNNING_TEST} -eq 1 ]]; then + echo "#" "$@" fi } @@ -1251,6 +1265,9 @@ fi get_auth_dns() { # get the authoritative dns server for a domain (sets primary_ns ) orig_gad_d="$1" # domain name gad_s="$PUBLIC_DNS_SERVER" # start with PUBLIC_DNS_SERVER + if [[ -n "$gad_s" ]]; then + gad_s="@$gad_s" + fi if [[ "$os" == "cygwin" ]]; then gad_d="$orig_gad_d" 
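Review bot: `if [[ -n "$_RUNNING_TEST" ]]` in debug() is always true, because the @@ -292 hunk initialises `_RUNNING_TEST=0`, so every debug line goes to fd 3 even in a normal run, where that descriptor is not open and bash reports a bad file descriptor instead of printing the message. Use the numeric test that test_output() in the same hunk already uses: `if [[ ${_RUNNING_TEST} -eq 1 ]]; then`. debug() and test_output() are complete within the hunk.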
@@ -1268,49 +1285,62 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n if [[ -n "$HAS_DIG_OR_DRILL" ]]; then gad_d="$orig_gad_d" # Use SOA +trace to find the name server - if [[ -z "$gad_s" ]]; then - debug Using "$HAS_DIG_OR_DRILL SOA +trace +nocomments $gad_d" to find primary nameserver - res=$($HAS_DIG_OR_DRILL SOA +trace +nocomments "$gad_d" 2>/dev/null | grep "IN\WNS\W") - else - debug Using "$HAS_DIG_OR_DRILL SOA +trace +nocomments $gad_d @$gad_s" to find primary nameserver - res=$($HAS_DIG_OR_DRILL SOA +trace +nocomments "$gad_d" "@$gad_s" 2>/dev/null | grep "IN\WNS\W") + if [[ $_TEST_SKIP_SOA_CALL == 0 ]]; then + debug Using "$HAS_DIG_OR_DRILL SOA +trace +nocomments $gad_d $gad_s" to find primary nameserver + test_output "Using $HAS_DIG_OR_DRILL SOA" + res=$($HAS_DIG_OR_DRILL SOA +trace +nocomments "$gad_d" "$gad_s" 2>/dev/null | grep "IN\WNS\W") fi - # fallback to existing code + # Check if domain is a CNAME if [[ -z "$res" ]]; then - if [[ -z "$gad_s" ]]; then #checking for CNAMEs (need grep as dig 9.11 sometimes returns everything not just CNAME entries) - debug Checking for CNAME using "$HAS_DIG_OR_DRILL CNAME $gad_d" - res=$($HAS_DIG_OR_DRILL CNAME "$gad_d"| grep "^$gad_d" | grep CNAME) + test_output "Using $HAS_DIG_OR_DRILL CNAME" + + # Two options here; either dig CNAME will return the CNAME and the NS or just the CNAME + debug Checking for CNAME using "$HAS_DIG_OR_DRILL CNAME $gad_d $gad_s" + res=$($HAS_DIG_OR_DRILL CNAME "$gad_d" "$gad_s"| grep "^$gad_d") + cname=$(echo "$res"| awk '$4 ~ "CNAME" {print $5}' |sed 's/\.$//g') + + if [[ $_TEST_SKIP_CNAME_CALL == 0 ]]; then + debug Checking if CNAME result contains NS records + res=$($HAS_DIG_OR_DRILL CNAME "$gad_d" "$gad_s"| grep -E "IN\W(NS|SOA)\W") else - debug Checking for CNAME using "$HAS_DIG_OR_DRILL CNAME $gad_d @$gad_s" - res=$($HAS_DIG_OR_DRILL CNAME "$gad_d" "@$gad_s"| grep "^$gad_d" | grep CNAME) - fi - if [[ -n "$res" ]]; then # domain is a CNAME so get 
main domain - gad_d=$(echo "$res"| awk '{print $5}' |sed 's/\.$//g') - debug Domain is a CNAME, actual domain is "$gad_d" + res="" fi - # If gad_d is an A record then this returns the SOA for the root domain, e.g. without the www - # dig NS ubuntu.getssl.text - # > getssl.test. IN SOA ns1.duckdns.org - # If gad_d is a CNAME record then this returns the NS for the domain pointed to by $gad_d - # dig NS www.getssl.text - # > www.getssl.test. IN CNAME getssl.test - # > getssl.test. IN NS ns1.duckdns.org - if [[ -z "$gad_s" ]]; then - debug Using "$HAS_DIG_OR_DRILL NS $gad_d" to find primary nameserver - res=$($HAS_DIG_OR_DRILL NS "$gad_d"| grep -E "IN\W(NS|SOA)\W") - else - debug Using "$HAS_DIG_OR_DRILL NS $gad_d @$gad_s" to find primary nameserver - res=$($HAS_DIG_OR_DRILL NS "$gad_d" "@$gad_s"| grep -E "IN\W(NS|SOA)\W") + + if [[ -n "$cname" ]]; then # domain is a CNAME so get main domain + debug Domain is a CNAME, actual domain is "$cname" fi fi + + # Query for NS records + if [[ -z "$res" ]]; then + test_output "Using $HAS_DIG_OR_DRILL NS" + debug Using "$HAS_DIG_OR_DRILL NS $gad_d $gad_s" to find primary nameserver + res=$($HAS_DIG_OR_DRILL NS "$gad_d" $gad_s | grep -E "IN\W(NS|SOA)\W") + fi + if [[ -n "$res" ]]; then - all_auth_dns_servers=$(echo "$res" | awk '$4 ~ "NS" {print $5}' | sed 's/\.$//g'|tr '\n' ' ') + # Convert dig output into an array of nameservers + IFS=$'\n' read -r -d '' -a ns_servers < <(echo "$res" | awk '$4 ~ "(NS|SOA)" {print $5}' | sed 's/\.$//g') + + # Nameservers from SOA +trace includes root and all intermediate servers, so just use all the ones with the same domain as the last name server + # i.e. 
if we have root, google, duckdns1, duckdns2 then return all the duckdns servers + ns_domain=${ns_servers[${#ns_servers[@]} -1 ]#*.} + all_auth_dns_servers="" + for i in "${ns_servers[@]}"; do + if [[ $i =~ $ns_domain ]]; then + all_auth_dns_servers="$all_auth_dns_servers $i" + fi + done + if [[ $CHECK_ALL_AUTH_DNS == "true" ]]; then primary_ns="$all_auth_dns_servers" else - primary_ns=$(echo "$all_auth_dns_servers" | awk '{print $1}') + primary_ns=$(echo "$all_auth_dns_servers" | awk '{print " " $1}') fi + + debug set primary_ns = "$primary_ns" + test_output set primary_ns ="$primary_ns" return fi fi @@ -2343,6 +2373,8 @@ while [[ -n ${1+defined} ]]; do _ONLY_CHECK_CONFIG=1 ;; -w) shift; WORKING_DIR="$1" ;; + --source) + return ;; -*) usage error_exit "Unknown option $1" ;; diff --git a/test/19-test-get_auth_dns-dig.bats b/test/19-test-get_auth_dns-dig.bats new file mode 100644 index 0000000..a726442 --- /dev/null +++ b/test/19-test-get_auth_dns-dig.bats 
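Review bot: Because the @@ -1251 hunk now stores the server as `@host` or the empty string, the quoted `"$gad_s"` in the SOA and CNAME calls hands dig/drill an empty positional argument whenever PUBLIC_DNS_SERVER is unset, which is unlikely to be treated as an omitted argument; the NS query a few lines later passes `$gad_s` unquoted, presumably to dodge exactly that, so the three calls are inconsistent. Keep the optional argument in an array (`gad_s_args=()`, then `[[ -n "$PUBLIC_DNS_SERVER" ]] && gad_s_args=("@$PUBLIC_DNS_SERVER")`) and pass `"${gad_s_args[@]}"` in all three places, which is correct whether or not a server is configured. Separately, `if [[ $i =~ $ns_domain ]]` uses a domain name as an unanchored regex, so `.` matches any character and `duckdns.org` also selects a nameserver under `myduckdns.org`; an anchored glob, `if [[ $i == *".$ns_domain" || $i == "$ns_domain" ]]; then`, expresses the intended suffix test. get_auth_dns begins before this hunk.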
@@ -0,0 +1,166 @@ +#! /usr/bin/env bats + +load '/bats-support/load.bash' +load '/bats-assert/load.bash' +load '/getssl/test/test_helper.bash' + + +# This is run for every test +setup() { + . /getssl/getssl --source + find_dns_utils + _RUNNING_TEST=1 + _USE_DEBUG=0 + echo " " >&3 + echo " " >&3 + + if [ -f /usr/bin/host ]; then + mv /usr/bin/host /usr/bin/host.getssl.bak + fi + if [ -f /usr/bin/nslookup ]; then + mv /usr/bin/nslookup /usr/bin/nslookup.getssl.bak + fi +} + + +teardown() { + if [ -f /usr/bin/host.getssl.bak ]; then + mv /usr/bin/host.getssl.bak /usr/bin/host + fi + if [ -f /usr/bin/nslookup.getssl.bak ]; then + mv /usr/bin/nslookup.getssl.bak /usr/bin/nslookup + fi +} + + + @test "Check get_auth_dns using dig NS" { + # Test that get_auth_dns() handles scenario where NS query returns Authority section + # + # ************** EXAMPLE DIG OUTPUT ************** + # + # ;; ANSWER SECTION: + # ubuntu-getssl.duckdns.org. 60 IN A 54.89.252.137 + # + # ;; AUTHORITY SECTION: + # duckdns.org. 600 IN NS ns2.duckdns.org. + # duckdns.org. 600 IN NS ns3.duckdns.org. + # duckdns.org. 600 IN NS ns1.duckdns.org. + # + # ;; ADDITIONAL SECTION: + # ns2.duckdns.org. 600 IN A 54.191.117.119 + # ns3.duckdns.org. 600 IN A 52.26.169.94 + # ns1.duckdns.org. 
600 IN A 54.187.92.222 + + # Disable CNAME check + _TEST_SKIP_CNAME_CALL=1 + + PUBLIC_DNS_SERVER=ns1.duckdns.org + CHECK_ALL_AUTH_DNS=false + + run get_auth_dns ubuntu-getssl.duckdns.org + + # Assert that we've found the primary_ns server + assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org' + # Assert that we had to use dig NS + assert_line --partial 'Using dig NS' + + # Check all Authoritive DNS servers are returned if requested + CHECK_ALL_AUTH_DNS=true + run get_auth_dns ubuntu-getssl.duckdns.org + assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org' +} + + +@test "Check get_auth_dns using dig SOA" { + # Test that get_auth_dns() handles scenario where SOA query returns Authority section + # + # ************** EXAMPLE DIG OUTPUT ************** + # + # ;; AUTHORITY SECTION: + # duckdns.org. 600 IN SOA ns3.duckdns.org. hostmaster.duckdns.org. 2019170803 6000 120 2419200 600 + + # DuckDNS server returns nothing for SOA, so use public dns instead + PUBLIC_DNS_SERVER=1.0.0.1 + CHECK_ALL_AUTH_DNS=false + + run get_auth_dns ubuntu-getssl.duckdns.org + + # Assert that we've found the primary_ns server + assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org' + + # Assert that we had to use dig NS + assert_line --partial 'Using dig SOA' + refute_line --partial 'Using dig NS' + + # Check all Authoritive DNS servers are returned if requested + CHECK_ALL_AUTH_DNS=true + run get_auth_dns ubuntu-getssl.duckdns.org + assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org' +} + + +@test "Check get_auth_dns using dig CNAME (public dns)" { + # Test that get_auth_dns() handles scenario where CNAME query returns just a CNAME record + # + # ************** EXAMPLE DIG OUTPUT ************** + # + # ;; ANSWER SECTION: + # www.duckdns.org. 600 IN CNAME DuckDNSAppELB-570522007.us-west-2.elb.amazonaws.com. 
+ + # Disable SOA check + _TEST_SKIP_SOA_CALL=1 + + PUBLIC_DNS_SERVER=1.0.0.1 + CHECK_ALL_AUTH_DNS=false + + run get_auth_dns www.duckdns.org + + # Assert that we've found the primary_ns server + assert_output --regexp 'set primary_ns = ns.*\.awsdns.*\.com' + + # Assert that we found a CNAME and use dig NS + assert_line --partial 'Using dig CNAME' + assert_line --partial 'Using dig NS' + + # Check all Authoritive DNS servers are returned if requested + CHECK_ALL_AUTH_DNS=false + run get_auth_dns www.duckdns.org + assert_output --regexp 'set primary_ns = ns.*\.awsdns.*\.com' +} + + +@test "Check get_auth_dns using dig CNAME (duckdns)" { + # Test that get_auth_dns() handles scenario where CNAME query returns authority section containing NS records + # + # ************** EXAMPLE DIG OUTPUT ************** + # + # ;; ANSWER SECTION: + # www.duckdns.org. 600 IN CNAME DuckDNSAppELB-570522007.us-west-2.elb.amazonaws.com. + # + # ;; AUTHORITY SECTION: + # duckdns.org. 600 IN NS ns1.duckdns.org. + # duckdns.org. 600 IN NS ns2.duckdns.org. + # duckdns.org. 600 IN NS ns3.duckdns.org. + # + # ;; ADDITIONAL SECTION: + # ns1.duckdns.org. 600 IN A 54.187.92.222 + # ns2.duckdns.org. 600 IN A 54.191.117.119 + # ns3.duckdns.org. 600 IN A 52.26.169.94 + + PUBLIC_DNS_SERVER=ns1.duckdns.org + CHECK_ALL_AUTH_DNS=false + + run get_auth_dns www.duckdns.org + + # Assert that we've found the primary_ns server + assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org' + + # Assert that we found a CNAME but didn't use dig NS + assert_line --partial 'Using dig CNAME' + refute_line --partial 'Using dig NS' + + # Check all Authoritive DNS servers are returned if requested + CHECK_ALL_AUTH_DNS=true + run get_auth_dns www.duckdns.org + assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org' +} From 6e25567397a77f6101adfd6093015f97b6f76e71 Mon Sep 17 00:00:00 2001 
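Review bot: In "Check get_auth_dns using dig CNAME (public dns)", the second block labelled "Check all Authoritive DNS servers are returned if requested" sets `CHECK_ALL_AUTH_DNS=false` again, so it reruns the single-server case and never exercises the all-servers path the other three tests cover; it should be `CHECK_ALL_AUTH_DNS=true` with an expectation that requires at least two names, e.g. `assert_output --regexp 'set primary_ns = (ns[^ ]*\.awsdns[^ ]*\.com ?){2,}'`. All four tests resolve real names (duckdns.org via 1.0.0.1 or ns1.duckdns.org), so they depend on network access and on DuckDNS's current delegation; a comment at the top of the file saying so would save the next person a confusing failure. "Authoritive" in the comments should be "Authoritative".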
From: Tim Kimber Date: Wed, 30 Sep 2020 10:15:08 +0100 Subject: [PATCH 3/8] Fix dns check for upper case domain names --- getssl | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/getssl b/getssl index 05b2f2f..5fbabca 100755 --- a/getssl +++ b/getssl @@ -946,7 +946,7 @@ date_renew() { # calculates the renewal time in epoch debug() { # write out debug info if the debug flag has been set if [[ ${_USE_DEBUG} -eq 1 ]]; then # If running tests then output in TAP format (for debugging tests) - if [[ -n "$_RUNNING_TEST" ]]; then + if [[ ${_RUNNING_TEST} -eq 1 ]]; then echo "#" "$@" >&3 else echo " " @@ -1141,8 +1141,7 @@ for d in $alldomains; do command="rm -f ${t_loc:(( ${#sshhost} + 5))}/${token:?}" debug "running following command to remove token" debug "ssh $SSH_OPTS $sshhost ${command}" - # shellcheck disable=SC2029 - # shellcheck disable=SC2086 + # shellcheck disable=SC2029 disable=SC2086 ssh $SSH_OPTS "$sshhost" "${command}" 1>/dev/null 2>&1 rm -f "${TEMP_DIR:?}/${token:?}" elif [[ "${t_loc:0:4}" == "ftp:" ]] ; then @@ -1177,6 +1176,10 @@ if [[ $VALIDATE_VIA_DNS == "true" ]]; then # shellcheck source=/dev/null . "$dnsfile" + # Always use lowercase domain name when querying DNS servers + # shellcheck disable=SC2018,SC2019 + lower_d=$(echo "$d" | tr A-Z a-z) + # check for token at public dns server, waiting for a valid response. for ns in $primary_ns; do debug "checking dns at $ns" 
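Review bot: `lower_d=$(echo "$d" | tr A-Z a-z)` needs the `# shellcheck disable=SC2018,SC2019` line only because of the literal ranges; `lower_d=$(echo "$d" | tr '[:upper:]' '[:lower:]')` is locale-safe and lets the disable go. Computing the conversion once before the `for ns in $primary_ns` loop, rather than inside the retry branches the later hunks remove it from, is the right move and keeps the `${lower_d}` uses in the @@ -1184 and @@ -1208 hunks consistent. The enclosing `for d in $alldomains` loop begins before this hunk.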
@@ -1184,18 +1187,18 @@ if [[ $VALIDATE_VIA_DNS == "true" ]]; then check_dns="fail" while [[ "$check_dns" == "fail" ]]; do if [[ "$os" == "cygwin" ]]; then - check_result=$(nslookup -type=txt "_acme-challenge.${d}" "${ns}" \ + check_result=$(nslookup -type=txt "_acme-challenge.${lower_d}" "${ns}" \ | grep ^_acme -A2\ | grep '"'|awk -F'"' '{ print $2}') elif [[ "$DNS_CHECK_FUNC" == "drill" ]] || [[ "$DNS_CHECK_FUNC" == "dig" ]]; then - debug "$DNS_CHECK_FUNC" TXT "_acme-challenge.${d}" "@${ns}" - check_result=$($DNS_CHECK_FUNC TXT "_acme-challenge.${d}" "@${ns}" \ + debug "$DNS_CHECK_FUNC" TXT "_acme-challenge.${lower_d}" "@${ns}" + check_result=$($DNS_CHECK_FUNC TXT "_acme-challenge.${lower_d}" "@${ns}" \ | grep 'IN\WTXT'|awk -F'"' '{ print $2}') elif [[ "$DNS_CHECK_FUNC" == "host" ]]; then - check_result=$($DNS_CHECK_FUNC -t TXT "_acme-challenge.${d}" "${ns}" \ + check_result=$($DNS_CHECK_FUNC -t TXT "_acme-challenge.${lower_d}" "${ns}" \ | grep 'descriptive text'|awk -F'"' '{ print $2}') else - check_result=$(nslookup -type=txt "_acme-challenge.${d}" "${ns}" \ + check_result=$(nslookup -type=txt "_acme-challenge.${lower_d}" "${ns}" \ | grep 'text ='|awk -F'"' '{ print $2}') fi debug "expecting $auth_key" 
@@ -1208,26 +1211,22 @@ if [[ $VALIDATE_VIA_DNS == "true" ]]; then ntries=$(( ntries + 1 )) if [[ $DNS_WAIT_RETRY_ADD == "true" && $(( ntries % 10 == 0 )) ]]; then - # shellcheck disable=SC2018,SC2019 - lower_d=$(echo "$d" | tr A-Z a-z) debug "Retrying adding dns via command: $DNS_ADD_COMMAND $lower_d $auth_key" if ! eval "$DNS_ADD_COMMAND" "$lower_d" "$auth_key" ; then error_exit "DNS_ADD_COMMAND failed for domain $d" fi fi - info "checking DNS at ${ns} for ${d}. Attempt $ntries/100 gave wrong result, "\ + info "checking DNS at ${ns} for ${lower_d}. Attempt $ntries/${DNS_WAIT_COUNT} gave wrong result, "\ "waiting $DNS_WAIT secs before checking again" sleep $DNS_WAIT else debug "dns check failed - removing existing value" - # shellcheck disable=SC2018,SC2019 - lower_d=$(echo "$d" | tr A-Z a-z) eval "$DNS_DEL_COMMAND" "$lower_d" "$auth_key" # remove $dnsfile after each loop. rm -f "$dnsfile" - error_exit "checking _acme-challenge.${d} gave $check_result not $auth_key" + error_exit "checking _acme-challenge.${lower_d} gave $check_result not $auth_key" fi fi done From cfd6562e9b9df4e341da7f61ca94620d0c918306 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Wed, 30 Sep 2020 10:18:49 +0100 Subject: [PATCH 4/8] Fix the dns test config files --- .../test-config/getssl-dns01-dual-rsa-ecdsa-old-nginx.cfg | 4 ++-- test/test-config/getssl-dns01-dual-rsa-ecdsa.cfg | 4 ++-- test/test-config/getssl-dns01-ignore-directory-domain.cfg | 4 ++-- test/test-config/getssl-dns01-multiple-domains.cfg | 4 ++-- test/test-config/getssl-dns01-spaces-and-commas-sans.cfg | 4 ++-- .../getssl-dns01-spaces-sans-and-ignore-dir-domain.cfg | 4 ++-- test/test-config/getssl-dns01-spaces-sans.cfg | 4 ++-- test/test-config/getssl-dns01.cfg | 8 ++++++-- test/test-config/getssl-staging-dns01-fail-dns-add.cfg | 2 +- test/test-config/getssl-staging-dns01-no-suffix.cfg | 2 +- test/test-config/getssl-staging-dns01.cfg | 2 +- 11 files changed, 23 insertions(+), 19 deletions(-) 
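Review bot: The condition this hunk keeps as context, `if [[ $DNS_WAIT_RETRY_ADD == "true" && $(( ntries % 10 == 0 )) ]]`, re-adds the record on every failed attempt rather than every tenth: `$(( … ))` expands to the string `0` or `1`, and a bare non-empty word inside `[[ ]]` is always true. Write it as `if [[ $DNS_WAIT_RETRY_ADD == "true" ]] && (( ntries % 10 == 0 )); then`. On the new side, `error_exit "DNS_ADD_COMMAND failed for domain $d"` is the only message left reporting `$d` while its neighbours now print `${lower_d}`; using the same name in all of them keeps the log consistent. The enclosing loop begins before this hunk.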
diff --git a/test/test-config/getssl-dns01-dual-rsa-ecdsa-old-nginx.cfg b/test/test-config/getssl-dns01-dual-rsa-ecdsa-old-nginx.cfg index 235e1da..15b4108 100644 --- a/test/test-config/getssl-dns01-dual-rsa-ecdsa-old-nginx.cfg +++ b/test/test-config/getssl-dns01-dual-rsa-ecdsa-old-nginx.cfg @@ -7,8 +7,8 @@ CA="https://pebble:14000/dir" VALIDATE_VIA_DNS=true DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv" DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv" -PUBLIC_DNS_SERVER=10.30.50.3 -DNS_EXTRA_WAIT="" +AUTH_DNS_SERVER=10.30.50.3 +DNS_EXTRA_WAIT=0 DUAL_RSA_ECDSA="true" ACCOUNT_KEY_TYPE="prime256v1" diff --git a/test/test-config/getssl-dns01-dual-rsa-ecdsa.cfg b/test/test-config/getssl-dns01-dual-rsa-ecdsa.cfg index 6bbcc44..4059dd4 100644 --- a/test/test-config/getssl-dns01-dual-rsa-ecdsa.cfg +++ b/test/test-config/getssl-dns01-dual-rsa-ecdsa.cfg @@ -7,8 +7,8 @@ CA="https://pebble:14000/dir" VALIDATE_VIA_DNS=true DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv" DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv" -PUBLIC_DNS_SERVER=10.30.50.3 -DNS_EXTRA_WAIT="" +AUTH_DNS_SERVER=10.30.50.3 +DNS_EXTRA_WAIT=0 DUAL_RSA_ECDSA="true" ACCOUNT_KEY_TYPE="prime256v1" diff --git a/test/test-config/getssl-dns01-ignore-directory-domain.cfg b/test/test-config/getssl-dns01-ignore-directory-domain.cfg index 4bbd766..e55fbe0 100644 --- a/test/test-config/getssl-dns01-ignore-directory-domain.cfg +++ b/test/test-config/getssl-dns01-ignore-directory-domain.cfg @@ -7,8 +7,8 @@ CA="https://pebble:14000/dir" VALIDATE_VIA_DNS=true DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv" DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv" -PUBLIC_DNS_SERVER=10.30.50.3 -DNS_EXTRA_WAIT="" +AUTH_DNS_SERVER=10.30.50.3 +DNS_EXTRA_WAIT=0 # Ignore directory domain (i.e. the domain passed on the command line), and just use the domains in the SANS list IGNORE_DIRECTORY_DOMAIN="true" 
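Review bot: Replacing `PUBLIC_DNS_SERVER=10.30.50.3` with `AUTH_DNS_SERVER=10.30.50.3` changes which step of the DNS check the address feeds — presumably the server queried for the challenge record rather than the resolver used to discover the zone's nameservers — but neither the config nor the commit message says why, and the same swap is made in the other ten cfg hunks on this page. A one-line comment above the setting, e.g. `# Query the test DNS server directly; no nameserver discovery is needed for challtestsrv`, would record the intent. The `DNS_EXTRA_WAIT=""` to `DNS_EXTRA_WAIT=0` change is consistent with the `-gt 0` test the script applies to that variable.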
diff --git a/test/test-config/getssl-dns01-multiple-domains.cfg b/test/test-config/getssl-dns01-multiple-domains.cfg index f0fae04..82497ad 100644 --- a/test/test-config/getssl-dns01-multiple-domains.cfg +++ b/test/test-config/getssl-dns01-multiple-domains.cfg @@ -7,8 +7,8 @@ CA="https://pebble:14000/dir" VALIDATE_VIA_DNS=true DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv" DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv" -PUBLIC_DNS_SERVER=10.30.50.3 -DNS_EXTRA_WAIT="" +AUTH_DNS_SERVER=10.30.50.3 +DNS_EXTRA_WAIT=0 # Additional domains - this could be multiple domains / subdomains in a comma separated list SANS="getssl.test" diff --git a/test/test-config/getssl-dns01-spaces-and-commas-sans.cfg b/test/test-config/getssl-dns01-spaces-and-commas-sans.cfg index 2660a9d..204d0bf 100644 --- a/test/test-config/getssl-dns01-spaces-and-commas-sans.cfg +++ b/test/test-config/getssl-dns01-spaces-and-commas-sans.cfg @@ -7,8 +7,8 @@ CA="https://pebble:14000/dir" VALIDATE_VIA_DNS=true DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv" DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv" -PUBLIC_DNS_SERVER=10.30.50.3 -DNS_EXTRA_WAIT="" +AUTH_DNS_SERVER=10.30.50.3 +DNS_EXTRA_WAIT=0 # Additional domains - this could be multiple domains / subdomains in a comma separated list SANS="a.${GETSSL_HOST}, b.${GETSSL_HOST}, c.${GETSSL_HOST}" diff --git a/test/test-config/getssl-dns01-spaces-sans-and-ignore-dir-domain.cfg b/test/test-config/getssl-dns01-spaces-sans-and-ignore-dir-domain.cfg index 6b87010..75e7304 100644 --- a/test/test-config/getssl-dns01-spaces-sans-and-ignore-dir-domain.cfg +++ b/test/test-config/getssl-dns01-spaces-sans-and-ignore-dir-domain.cfg 
@@ -7,8 +7,8 @@ CA="https://pebble:14000/dir" VALIDATE_VIA_DNS=true DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv" DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv" -PUBLIC_DNS_SERVER=10.30.50.3 -DNS_EXTRA_WAIT="" +AUTH_DNS_SERVER=10.30.50.3 +DNS_EXTRA_WAIT=0 # Ignore directory domain (i.e. the domain passed on the command line), and just use the domains in the SANS list IGNORE_DIRECTORY_DOMAIN="true" diff --git a/test/test-config/getssl-dns01-spaces-sans.cfg b/test/test-config/getssl-dns01-spaces-sans.cfg index 8438228..e954fa0 100644 --- a/test/test-config/getssl-dns01-spaces-sans.cfg +++ b/test/test-config/getssl-dns01-spaces-sans.cfg @@ -7,8 +7,8 @@ CA="https://pebble:14000/dir" VALIDATE_VIA_DNS=true DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv" DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv" -PUBLIC_DNS_SERVER=10.30.50.3 -DNS_EXTRA_WAIT="" +AUTH_DNS_SERVER=10.30.50.3 +DNS_EXTRA_WAIT=0 # Additional domains - this could be multiple domains / subdomains in a comma separated list SANS="a.${GETSSL_HOST} b.${GETSSL_HOST} c.${GETSSL_HOST}" diff --git a/test/test-config/getssl-dns01.cfg b/test/test-config/getssl-dns01.cfg index 883f29e..e995c80 100644 --- a/test/test-config/getssl-dns01.cfg +++ b/test/test-config/getssl-dns01.cfg @@ -7,8 +7,12 @@ CA="https://pebble:14000/dir" VALIDATE_VIA_DNS=true DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv" DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv" -PUBLIC_DNS_SERVER=10.30.50.3 -DNS_EXTRA_WAIT="" +AUTH_DNS_SERVER=10.30.50.3 + +# Speed up the test by reducing the number or retries and the wait between retries. +DNS_WAIT=2 +DNS_WAIT_COUNT=11 +DNS_EXTRA_WAIT=0 # Additional domains - this could be multiple domains / subdomains in a comma separated list SANS="" diff --git a/test/test-config/getssl-staging-dns01-fail-dns-add.cfg b/test/test-config/getssl-staging-dns01-fail-dns-add.cfg index 2985d32..125cfef 100644 
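Review bot: The comment added in getssl-dns01.cfg reads `number or retries`; it should be `# Speed up the test by reducing the number of retries and the wait between retries.` It would also help to say why 11 was chosen for DNS_WAIT_COUNT — presumably so that attempt 10 reaches the DNS_WAIT_RETRY_ADD re-add path once before the count runs out — since the value otherwise looks arbitrary.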
--- a/test/test-config/getssl-staging-dns01-fail-dns-add.cfg +++ b/test/test-config/getssl-staging-dns01-fail-dns-add.cfg @@ -5,7 +5,7 @@ CA="https://acme-staging-v02.api.letsencrypt.org/directory" # Generic staging config VALIDATE_VIA_DNS=true DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_duckdns" -PUBLIC_DNS_SERVER=ns2.duckdns.org +AUTH_DNS_SERVER=ns2.duckdns.org CHECK_ALL_AUTH_DNS=true # Test that the retry works (dns_add_command will always fail) diff --git a/test/test-config/getssl-staging-dns01-no-suffix.cfg b/test/test-config/getssl-staging-dns01-no-suffix.cfg index 47d2cec..6b764f3 100644 --- a/test/test-config/getssl-staging-dns01-no-suffix.cfg +++ b/test/test-config/getssl-staging-dns01-no-suffix.cfg @@ -5,7 +5,7 @@ CA="https://acme-staging-v02.api.letsencrypt.org" VALIDATE_VIA_DNS=true DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_duckdns" DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_duckdns" -PUBLIC_DNS_SERVER=ns2.duckdns.org +AUTH_DNS_SERVER=ns2.duckdns.org CHECK_ALL_AUTH_DNS=true DNS_EXTRA_WAIT=120 diff --git a/test/test-config/getssl-staging-dns01.cfg b/test/test-config/getssl-staging-dns01.cfg index 348cabf..655f1c6 100644 --- a/test/test-config/getssl-staging-dns01.cfg +++ b/test/test-config/getssl-staging-dns01.cfg @@ -5,7 +5,7 @@ CA="https://acme-staging-v02.api.letsencrypt.org/directory" VALIDATE_VIA_DNS=true DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_duckdns" DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_duckdns" -PUBLIC_DNS_SERVER=ns2.duckdns.org +AUTH_DNS_SERVER=ns2.duckdns.org CHECK_ALL_AUTH_DNS=true DNS_EXTRA_WAIT=120 From b0debe01b0e8c7518ef1d11d3c9d36e4de39e86b Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Thu, 1 Oct 2020 08:58:58 +0100 Subject: [PATCH 5/8] Use different args for drill in SOA check --- getssl | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/getssl b/getssl index 5fbabca..92c01a3 100755 --- a/getssl +++ b/getssl 
@@ -1285,9 +1285,15 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n gad_d="$orig_gad_d" # Use SOA +trace to find the name server if [[ $_TEST_SKIP_SOA_CALL == 0 ]]; then - debug Using "$HAS_DIG_OR_DRILL SOA +trace +nocomments $gad_d $gad_s" to find primary nameserver - test_output "Using $HAS_DIG_OR_DRILL SOA" - res=$($HAS_DIG_OR_DRILL SOA +trace +nocomments "$gad_d" "$gad_s" 2>/dev/null | grep "IN\WNS\W") + if [[ "$HAS_DIG_OR_DRILL" == "dig" ]]; then + debug Using "$HAS_DIG_OR_DRILL SOA +trace +nocomments $gad_d $gad_s" to find primary nameserver + test_output "Using $HAS_DIG_OR_DRILL SOA" + res=$($HAS_DIG_OR_DRILL SOA +trace +nocomments "$gad_d" "$gad_s" 2>/dev/null | grep "IN\WNS\W") + else + debug Using "$HAS_DIG_OR_DRILL -T $gad_d $gad_s" to find primary nameserver + test_output "Using $HAS_DIG_OR_DRILL SOA" + res=$($HAS_DIG_OR_DRILL -T SOA "$gad_d" "$gad_s" 2>/dev/null | grep "IN\WNS\W") + fi fi # Check if domain is a CNAME From 55ea0642c7bca86365b687e5d585379d79ec0d84 Mon Sep 17 00:00:00 2001 From: Tim Kimber Date: Fri, 2 Oct 2020 15:09:23 +0100 Subject: [PATCH 6/8] Add unit test for get_auth_dns using drill --- ...dig.bats => u1-test-get_auth_dns-dig.bats} | 28 ++- test/u2-test-get_auth_dns-drill.bats | 201 ++++++++++++++++++ 2 files changed, 214 insertions(+), 15 deletions(-) rename test/{19-test-get_auth_dns-dig.bats => u1-test-get_auth_dns-dig.bats} (91%) create mode 100644 test/u2-test-get_auth_dns-drill.bats diff --git a/test/19-test-get_auth_dns-dig.bats b/test/u1-test-get_auth_dns-dig.bats similarity index 91% rename from test/19-test-get_auth_dns-dig.bats rename to test/u1-test-get_auth_dns-dig.bats index a726442..356c5c5 100644 --- a/test/19-test-get_auth_dns-dig.bats +++ b/test/u1-test-get_auth_dns-dig.bats 
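Review bot: The drill branch's debug line, `debug Using "$HAS_DIG_OR_DRILL -T $gad_d $gad_s" ...`, omits the `SOA` that the command on the next line actually passes (`drill -T SOA "$gad_d" "$gad_s"`), so the trace shows a different command from the one run; make it `debug Using "$HAS_DIG_OR_DRILL -T SOA $gad_d $gad_s" to find primary nameserver`. Both branches also emit the identical `test_output "Using $HAS_DIG_OR_DRILL SOA"`, which can be hoisted above the `if` so only the command differs between the branches. get_auth_dns begins before this hunk.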
@@ -7,29 +7,27 @@ load '/getssl/test/test_helper.bash' # This is run for every test setup() { + for app in drill host nslookup + do + if [ -f /usr/bin/${app} ]; then + mv /usr/bin/${app} /usr/bin/${app}.getssl.bak + fi + done + . /getssl/getssl --source find_dns_utils _RUNNING_TEST=1 _USE_DEBUG=0 - echo " " >&3 - echo " " >&3 - - if [ -f /usr/bin/host ]; then - mv /usr/bin/host /usr/bin/host.getssl.bak - fi - if [ -f /usr/bin/nslookup ]; then - mv /usr/bin/nslookup /usr/bin/nslookup.getssl.bak - fi } teardown() { - if [ -f /usr/bin/host.getssl.bak ]; then - mv /usr/bin/host.getssl.bak /usr/bin/host - fi - if [ -f /usr/bin/nslookup.getssl.bak ]; then - mv /usr/bin/nslookup.getssl.bak /usr/bin/nslookup - fi + for app in drill host nslookup + do + if [ -f /usr/bin/${app}.getssl.bak ]; then + mv /usr/bin/${app}.getssl.bak /usr/bin/${app} + fi + done } diff --git a/test/u2-test-get_auth_dns-drill.bats b/test/u2-test-get_auth_dns-drill.bats new file mode 100644 index 0000000..a0d977c --- /dev/null +++ b/test/u2-test-get_auth_dns-drill.bats 
@@ -0,0 +1,201 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+ for app in dig host nslookup
+ do
+ if [ -f /usr/bin/${app} ]; then
+ mv /usr/bin/${app} /usr/bin/${app}.getssl.bak
+ fi
+ done
+
+ . /getssl/getssl --source
+ find_dns_utils
+ _RUNNING_TEST=1
+ _USE_DEBUG=0
+}
+
+
+teardown() {
+ for app in dig host nslookup
+ do
+ if [ -f /usr/bin/${app}.getssl.bak ]; then
+ mv /usr/bin/${app}.getssl.bak /usr/bin/${app}
+ fi
+ done
+}
+
+
+teardown() {
+ if [ -f /usr/bin/host.getssl.bak ]; then
+ mv /usr/bin/host.getssl.bak /usr/bin/host
+ fi
+ if [ -f /usr/bin/nslookup.getssl.bak ]; then
+ mv /usr/bin/nslookup.getssl.bak /usr/bin/nslookup
+ fi
+ if [ -f /usr/bin/dig.getssl.bak ]; then
+ mv /usr/bin/dig.getssl.bak /usr/bin/dig
+ fi
+}
+
+
+@test "Check get_auth_dns using drill NS" {
+ if [ ! -f /usr/bin/drill ]; then
+ # Can't find drill package for centos8
+ skip "Drill not installed on this system"
+ fi
+
+ # Test that get_auth_dns() handles scenario where NS query returns Authority section
+ #
+ # ************** EXAMPLE DRILL OUTPUT **************
+ #
+ # ;; ANSWER SECTION:
+ # ubuntu-getssl.duckdns.org. 60 IN A 54.89.252.137
+ #
+ # ;; AUTHORITY SECTION:
+ # duckdns.org. 600 IN NS ns2.duckdns.org.
+ # duckdns.org. 600 IN NS ns3.duckdns.org.
+ # duckdns.org. 600 IN NS ns1.duckdns.org.
+ #
+ # ;; ADDITIONAL SECTION:
+ # ns2.duckdns.org. 600 IN A 54.191.117.119
+ # ns3.duckdns.org. 600 IN A 52.26.169.94
+ # ns1.duckdns.org. 600 IN A 54.187.92.222
+
+ # Disable SOA and CNAME check
+ _TEST_SKIP_CNAME_CALL=1
+ _TEST_SKIP_SOA_CALL=1
+
+ PUBLIC_DNS_SERVER=ns1.duckdns.org
+ CHECK_ALL_AUTH_DNS=false
+
+ run get_auth_dns ubuntu-getssl.duckdns.org
+
+ # Assert that we've found the primary_ns server
+ assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org'
+ # Assert that we had to use drill NS
+ assert_line --partial 'Using drill NS'
+
+ # Check all Authoritive DNS servers are returned if requested
+ CHECK_ALL_AUTH_DNS=true
+ run get_auth_dns ubuntu-getssl.duckdns.org
+ assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org'
+}
+
+
+@test "Check get_auth_dns using drill SOA" {
+ if [ ! -f /usr/bin/drill ]; then
+ # Can't find drill package for centos8
+ skip "Drill not installed on this system"
+ fi
+
+ # Test that get_auth_dns() handles scenario where SOA query returns Authority section
+ #
+ # ************** EXAMPLE DRILL OUTPUT **************
+ #
+ # ;; AUTHORITY SECTION:
+ # duckdns.org. 600 IN SOA ns3.duckdns.org. hostmaster.duckdns.org. 2019170803 6000 120 2419200 600
+
+ # DuckDNS server returns nothing for SOA, so use public dns instead
+ PUBLIC_DNS_SERVER=1.0.0.1
+ CHECK_ALL_AUTH_DNS=false
+
+ run get_auth_dns ubuntu-getssl.duckdns.org
+
+ # Assert that we've found the primary_ns server
+ assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org'
+
+ # Assert that we had to use drill NS
+ assert_line --partial 'Using drill SOA'
+ refute_line --partial 'Using drill NS'
+
+ # Check all Authoritive DNS servers are returned if requested
+ CHECK_ALL_AUTH_DNS=true
+ run get_auth_dns ubuntu-getssl.duckdns.org
+ assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org'
+}
+
+
+@test "Check get_auth_dns using drill CNAME (public dns)" {
+ if [ ! -f /usr/bin/drill ]; then
+ # Can't find drill package for centos8
+ skip "Drill not installed on this system"
+ fi
+
+ # Test that get_auth_dns() handles scenario where CNAME query returns just a CNAME record
+ #
+ # ************** EXAMPLE drill OUTPUT **************
+ #
+ # ;; ANSWER SECTION:
+ # www.duckdns.org. 600 IN CNAME DuckDNSAppELB-570522007.us-west-2.elb.amazonaws.com.
+
+ # Disable SOA check
+ _TEST_SKIP_SOA_CALL=1
+
+ PUBLIC_DNS_SERVER=1.0.0.1
+ CHECK_ALL_AUTH_DNS=false
+
+ run get_auth_dns www.duckdns.org
+
+ # Assert that we've found the primary_ns server
+ assert_output --regexp 'set primary_ns = ns.*\.awsdns.*\.com'
+
+ # Assert that we found a CNAME and use drill NS
+ assert_line --partial 'Using drill CNAME'
+ assert_line --partial 'Using drill NS'
+
+ # Check all Authoritive DNS servers are returned if requested
+ CHECK_ALL_AUTH_DNS=false
+ run get_auth_dns www.duckdns.org
+ assert_output --regexp 'set primary_ns = ns.*\.awsdns.*\.com'
+}
+
+
+@test "Check get_auth_dns using drill CNAME (duckdns)" {
+ if [ ! -f /usr/bin/drill ]; then
+ # Can't find drill package for centos8
+ skip "Drill not installed on this system"
+ fi
+
+ # Test that get_auth_dns() handles scenario where CNAME query returns authority section containing NS records
+ #
+ # ************** EXAMPLE drill OUTPUT **************
+ #
+ # ;; ANSWER SECTION:
+ # www.duckdns.org. 600 IN CNAME DuckDNSAppELB-570522007.us-west-2.elb.amazonaws.com.
+ #
+ # ;; AUTHORITY SECTION:
+ # duckdns.org. 600 IN NS ns1.duckdns.org.
+ # duckdns.org. 600 IN NS ns2.duckdns.org.
+ # duckdns.org. 600 IN NS ns3.duckdns.org.
+ #
+ # ;; ADDITIONAL SECTION:
+ # ns1.duckdns.org. 600 IN A 54.187.92.222
+ # ns2.duckdns.org. 600 IN A 54.191.117.119
+ # ns3.duckdns.org. 600 IN A 52.26.169.94
+
+ # Disable SOA check
+ _TEST_SKIP_SOA_CALL=1
+
+ PUBLIC_DNS_SERVER=ns1.duckdns.org
+ CHECK_ALL_AUTH_DNS=false
+
+ run get_auth_dns www.duckdns.org
+
+ # Assert that we've found the primary_ns server
+ assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org'
+
+ # Assert that we found a CNAME but didn't use drill NS
+ assert_line --partial 'Using drill CNAME'
+ refute_line --partial 'Using drill NS'
+
+ # Check all Authoritive DNS servers are returned if requested
+ CHECK_ALL_AUTH_DNS=true
+ run get_auth_dns www.duckdns.org
+ assert_output --regexp 'set primary_ns = ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org ns[1-3]+\.duckdns\.org'
+}
From 0f422225f47bdcc194266548b06cfc92815e1bbd Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Fri, 2 Oct 2020 15:09:50 +0100
Subject: [PATCH 7/8] Update all docker images to include drill (for unit tests)
---
 test/Dockerfile-alpine | 2 +-
 test/Dockerfile-centos6 | 2 +-
 test/Dockerfile-centos7 | 4 +---
 test/Dockerfile-centos7-staging | 2 +-
 test/Dockerfile-debian | 2 +-
 test/Dockerfile-ubuntu | 2 +-
 test/Dockerfile-ubuntu-staging | 3 +--
 test/Dockerfile-ubuntu16 | 5 +----
 test/Dockerfile-ubuntu18 | 2 +-
 9 files changed, 9 insertions(+), 15 deletions(-)
diff --git a/test/Dockerfile-alpine b/test/Dockerfile-alpine
index caad22a..e0f3a6c 100644
--- a/test/Dockerfile-alpine
+++ b/test/Dockerfile-alpine
@@ -2,7 +2,7 @@ FROM alpine:latest
 # Note this image uses busybox awk instead of gawk
-RUN apk --no-cache add supervisor openssl git curl bind-tools wget nginx bash
+RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx bash
 WORKDIR /root
diff --git a/test/Dockerfile-centos6 b/test/Dockerfile-centos6
index 5ffc91c..862e680 100644
--- a/test/Dockerfile-centos6
+++ b/test/Dockerfile-centos6
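Review bot: The new u2-test-get_auth_dns-drill.bats defines `teardown()` twice, and bash keeps only the last definition, so the loop-based version that mirrors `setup()` never runs while the hand-written second copy (host, nslookup, dig) is what actually restores the binaries; delete the second definition and keep the loop so setup and teardown stay symmetric. In the "drill CNAME (public dns)" test the block under `# Check all Authoritive DNS servers are returned if requested` sets `CHECK_ALL_AUTH_DNS=false` rather than `true`, so it repeats the preceding assertion instead of exercising the multi-nameserver path the other three tests cover; the fix is `CHECK_ALL_AUTH_DNS=true`. Both the skip guard `[ ! -f /usr/bin/drill ]` and the mv loops assume the binaries live in /usr/bin, so a drill found elsewhere on PATH would neither trigger the skip nor be hidden in the dig suite.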
@@ -8,7 +8,7 @@ FROM centos:centos6
 # Update and install required software
 RUN yum -y update
 RUN yum -y install epel-release
-RUN yum -y install git curl dnsutils wget nginx
+RUN yum -y install git curl dnsutils ldns wget nginx
 WORKDIR /root
 RUN mkdir /etc/nginx/pki
diff --git a/test/Dockerfile-centos7 b/test/Dockerfile-centos7
index 02fbcb7..afbcf23 100644
--- a/test/Dockerfile-centos7
+++ b/test/Dockerfile-centos7
@@ -1,11 +1,9 @@
 FROM centos:centos7
-# Note this image uses drill, does not have dig or nslookup installed
-
 # Update and install required software
 RUN yum -y update
 RUN yum -y install epel-release
-RUN yum -y install git curl ldns wget which nginx
+RUN yum -y install git curl ldns bind-utils wget which nginx
 WORKDIR /root
 RUN mkdir /etc/nginx/pki
diff --git a/test/Dockerfile-centos7-staging b/test/Dockerfile-centos7-staging
index 899bf9b..a539cac 100644
--- a/test/Dockerfile-centos7-staging
+++ b/test/Dockerfile-centos7-staging
@@ -5,7 +5,7 @@ FROM centos:centos7
 # Update and install required software
 RUN yum -y update
 RUN yum -y install epel-release
-RUN yum -y install git curl bind-utils wget which nginx
+RUN yum -y install git curl bind-utils ldns wget which nginx
 ENV staging "true"
 ENV DUCKDNS_TOKEN 1d616aa9-b8e4-4bb4-b312-3289de82badb
diff --git a/test/Dockerfile-debian b/test/Dockerfile-debian
index b5da5dd..d066813 100644
--- a/test/Dockerfile-debian
+++ b/test/Dockerfile-debian
@@ -4,7 +4,7 @@ FROM debian:latest
 # Update and install required software
 RUN apt-get update --fix-missing
-RUN apt-get install -y git curl dnsutils wget nginx-light
+RUN apt-get install -y git curl dnsutils ldnsutils wget nginx-light
 WORKDIR /root
 RUN mkdir /etc/nginx/pki
diff --git a/test/Dockerfile-ubuntu b/test/Dockerfile-ubuntu
index 66d7a35..2ef9e25 100644
--- a/test/Dockerfile-ubuntu
+++ b/test/Dockerfile-ubuntu
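Review bot: The rewritten package line in Dockerfile-centos6 still asks yum for `dnsutils`, which is the Debian/Ubuntu package name; on CentOS dig and nslookup come from `bind-utils`, the name the Dockerfile-centos7 hunk in this same commit uses, so yum is likely to report the package as unavailable and the image may build without dig even though the drill-vs-dig tests assume both tools are present. Suggested line: `RUN yum -y install git curl bind-utils ldns wget nginx`. Whether the EPEL 6 `ldns` package actually ships `/usr/bin/drill` (rather than a separate utilities subpackage) is worth confirming in the build log before relying on it for the drill suite.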
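Review bot: The context line right under the changed RUN in Dockerfile-centos7-staging bakes `ENV DUCKDNS_TOKEN 1d616aa9-…` into the image, where it persists in layer metadata and `docker history`, and the same token appears in the Dockerfile-ubuntu-staging hunk. This commit does not introduce it, but since it already touches these files, consider supplying the token at run time (`docker run -e DUCKDNS_TOKEN=…`) or via a build secret, and treating the committed value as exposed. The package-line change itself needs no further adjustment.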
@@ -7,7 +7,7 @@ ENV DEBIAN_FRONTEND noninteractive
 # Update and install required software
 RUN apt-get update --fix-missing
-RUN apt-get install -y git curl dnsutils wget nginx-light
+RUN apt-get install -y git curl dnsutils ldnsutils wget nginx-light
 RUN apt-get install -y vim dos2unix # for debugging
 # TODO test with drill, dig, host
diff --git a/test/Dockerfile-ubuntu-staging b/test/Dockerfile-ubuntu-staging
index 58762d0..05f0471 100644
--- a/test/Dockerfile-ubuntu-staging
+++ b/test/Dockerfile-ubuntu-staging
@@ -11,9 +11,8 @@ ENV DUCKDNS_TOKEN 1d616aa9-b8e4-4bb4-b312-3289de82badb
 # Update and install required software
 RUN apt-get update --fix-missing
-RUN apt-get install -y git curl dnsutils wget nginx-light
+RUN apt-get install -y git curl dnsutils ldnsutils wget nginx-light
 RUN apt-get install -y vim dos2unix # for debugging
-# TODO test with drill, dig, host
 WORKDIR /root
diff --git a/test/Dockerfile-ubuntu16 b/test/Dockerfile-ubuntu16
index 030d03a..ba6164c 100644
--- a/test/Dockerfile-ubuntu16
+++ b/test/Dockerfile-ubuntu16
@@ -5,16 +5,13 @@ FROM ubuntu:xenial
 # Update and install required software
 RUN apt-get update --fix-missing
-RUN apt-get install -y git curl dnsutils wget nginx-light
+RUN apt-get install -y git curl dnsutils ldnsutils wget nginx-light
 WORKDIR /root
 RUN mkdir /etc/nginx/pki
 RUN mkdir /etc/nginx/pki/private
 COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default
-# Prevent "Can't load /root/.rnd into RNG" error from openssl
-# RUN touch /root/.rnd
-
 # BATS (Bash Automated Testings)
 RUN git clone https://github.com/bats-core/bats-core.git /bats-core
 RUN git clone https://github.com/bats-core/bats-support /bats-support
diff --git a/test/Dockerfile-ubuntu18 b/test/Dockerfile-ubuntu18
index 1d68cd3..1735646 100644
--- a/test/Dockerfile-ubuntu18
+++ b/test/Dockerfile-ubuntu18
@@ -5,7 +5,7 @@ FROM ubuntu:bionic
 # Update and install required software
 RUN apt-get update --fix-missing
-RUN apt-get install -y git curl dnsutils wget gawk nginx-light
+RUN apt-get install -y git curl dnsutils ldnsutils wget gawk nginx-light
 WORKDIR /root
 RUN mkdir /etc/nginx/pki
From 44f0ce1a536243c32253bf2cd697beae1544b5e0 Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Fri, 2 Oct 2020 15:16:23 +0100
Subject: [PATCH 8/8] Update revision history
---
 getssl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/getssl b/getssl
index 92c01a3..e6500e8 100755
--- a/getssl
+++ b/getssl
@@ -237,7 +237,8 @@
 # 2020-08-06 Use -sigalgs instead of -cipher when checking remote for tls1.3 (#570)
 # 2020-08-31 Fix slow fork bomb when directory containing getssl isn't writeable (#440)
 # 2020-09-01 Use RSA-PSS when checking remote for DUAL_RSA_ECDSA (#570)
-# 2020-09-02 Fix issue when SANS is space and comma separated (#579)
+# 2020-09-02 Fix issue when SANS is space and comma separated (#579) (2.30)
+# 2020-10-02 Various fixes to get_auth_dns and changes to support unit tests (#308)
 # ----------------------------------------------------------------------------------------
 PROGNAME=${0##*/}